Defense Information Systems Agency
General Fund
Agency Financial Report
Fiscal Year 2023
Message From the Defense Information Systems Agency
As the Defense Information Systems Agency (DISA) Director, I am presenting the Agency
Financial Report (AFR) for the DISA General Fund (GF), as of Sept. 30, 2023. These statements and
accompanying footnotes incorporate management discussion and analysis, performance, and financial
sections that include the auditor’s signed report. The AFR is prepared as directed by the Office of
Management and Budget Circular A-136, Financial Reporting Requirements, to incorporate necessary
operational and financial reporting process changes that validate our financial statements are complete,
accurate, and reliable.
Among DISA’s FY23 highlights, we continued to lead the Department’s transition to a cloud
environment and enhanced cybersecurity architecture, including deployment of a classified DoD365
tenant for consistent communication, collaboration, and productivity capabilities across networks;
investing in enhanced MS365 licensing for improved zero trust; and implementation of the Joint
Warfighting Cloud Capability. DISA plays a role in nearly every combat engagement and aids
humanitarian assistance, disaster relief, and intelligence and special operations activities, including
support in Ukraine’s conflict.
DISA’s actions in support of our Strategic Plan FY 2024-2026 will continue to implement,
sustain, and evolve the global network infrastructure and unified capabilities to provide information
superiority to the President; the Secretary of Defense; combatant commanders; senior leadership; military
services; defense agencies; and the warfighter. Key focus areas throughout these LOEs include delivering
the right capability at the right time, improving efficiency and effectiveness; reducing time to deliver
solutions; standardizing services; and delivering best value capabilities both internally and for our mission
partners. Sound financial processes and practices and reliable data are foundational to meeting our
strategic objectives.
This year, we have continued to make improvements in our financial processes based on feedback
by our independent public accounting firm Kearney & Company. DISA can provide reasonable assurance
that internal controls over financial reporting, operations, and compliance are operating effectively as of
Sept. 30, 2023. We continued progress addressing significant deficiencies and material weaknesses on
DISA’s GF financial statements. Information obtained through this year’s report and continued
improvements leverage our ongoing efforts to improve all aspects of DISA’s GF. DISA continues to
evolve our financial processes, improving accuracy and efficiency for better decision making. DISA will
continue to gain efficiencies by expanding our usage of robotic process automation. The agency continues
to improve its posture with a sound internal control environment to execute our strategy effectively while
prioritizing command and control, driving force readiness through innovation, and improving cost
management.
Robert J. Skinner
Lieutenant General, USAF
Director
Table of Contents
Management’s Discussion and Analysis
Context for the Financial Information in the MD&A
Analysis of Financial Statements
Analysis of Systems, Controls, and Legal Compliance
Forward-Looking Information
Principal Statements
Notes to the Principal Statements
Required Supplementary Information
Deferred Maintenance and Repairs Disclosures
Other Information
Management Challenges
Payment Integrity
DOD Office of Inspector General (OIG) Audit Report Transmittal Letter
Independent Auditor’s Report
DISA Management Comments to Auditors Report
Appendix A
DISA General Fund Fiscal Year 2023
Management’s Discussion and Analysis
The Defense Information Systems Agency (DISA) is pleased to present a Management Discussion and
Analysis (MD&A) to accompany its fiscal year (FY) 2023 financial statements and footnotes. The key
sections within this MD&A include the following:
1. Context for the Financial Information in the MD&A
2. Analysis of Financial Statements
3. Analysis of Systems, Controls, and Legal Compliance
4. Forward-Looking Information
1. Context for the Financial Information in the MD&A
History and Enabling Legislation
DISA, a combat support agency, provides, operates, and assures command and control, information
sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to
joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum
of operations. DISA implements the Secretary of Defense’s Defense Strategic Guidance and reflects the
Department of Defense (DOD) Chief Information Officer’s (CIO) Capability Planning Guidance. The
DOD CIO vision is “to be the trusted provider to connect and protect the warfighter in cyberspace.”
DISA serves the needs of the president, vice president, secretary of defense, Joint Chiefs of Staff (JCS),
combatant commands, and other DOD components during peace and war. In short, DISA provides global
net-centric solutions in the form of networks, computing infrastructure, and enterprise services to support
information sharing and decision-making for the nation’s warfighters and those who support them in
defense of the nation. DISA is charged with connecting the force by linking processes, systems, and
infrastructure to people.
In FY 2018, the organization that came to be known as the Joint Service Provider (JSP) declared full
operational capability and moved into its new place in the Defense Department’s organizational chart as a
subcomponent of DISA. It marked a major expansion of mission and budget authority for DISA, which
now controls the funding and personnel that provide most information technology (IT) services for the
Pentagon and other DOD headquarters functions in the National Capital Region. DISA continues to offer
DOD information systems support, taking data services to the forward deployed warfighter.
Organization
To fulfill its mission and meet strategic plan objectives, DISA operates under the direction of the DOD
CIO, who reports directly to the secretary of defense. The organizational structure for DISA as of July
2023 is depicted below:
The agency is budgeted to support the IT needs and requirements of the entire Defense Department,
including the offices of the secretary of defense and of the chairman and vice chairman of the Joint Chiefs
of Staff, the Joint Staff, military services, combatant commands, and defense agencies. DISA also
provides support to the White House and many federal agencies through a number of capabilities and
initiatives.
DISA's Appropriated Budget
Through its appropriated budget, DISA is funded by Congress through the National Defense
Authorization Act, the U.S. federal law specifying the budget and expenditures for DOD, and defense
appropriations bills authorizing DOD to spend money. This budget enables the agency to implement the
White House's national security strategy, the secretary's planning and programming guidance, and the
initiatives of the DOD CIO. DISA receives four categories of appropriations: Operations and
Maintenance (O&M); Procurement; Research, Development, Test, and Evaluation (RDT&E); and
Military Construction (MILCON). Refer to the Combining Statement of Budgetary Resources (SBR) and
Consolidating Statement of Net Cost charts in the Required Supplemental Information section of this
document for a breakout of DISA GF's budgetary resources and costs for each appropriation category.
These appropriations fund DISA’s six mission areas, which reflect DOD’s goals and allow DISA to
execute its core missions and functions.
1. "Transition to the Net-Centric Environment" funds capabilities and services that transform the
way that DOD shares information by making data continuously available in a trusted
environment. This mission area includes enterprise services, engineering services, and technical
strategies developed by DISA's chief technology officer.
2. "Eliminate Bandwidth Constraints" focuses on capabilities and services that build and sustain the
Global Information Grid (GIG) transport infrastructure, while eliminating bandwidth constraints
and rapidly surging to meet demands. Capabilities funded in this category include the Pathways
program, DOD teleport program, Defense Spectrum Organization activities, and Defense
Information Systems Network (DISN) enterprise activities, such as non-recurring costs for
commercial circuits, commercial satellites, and special communications requirements.
3. "GIG Network Operations and Defense" funds the operation, protection, defense, and sustainment
of the enterprise infrastructure and information-sharing services, as well as enabling command
and control. This mission area includes funding for network operations; the information
assurance/public key infrastructure program; cybersecurity initiatives; and budgets for DISA's
field offices, which support the Combatant Commands, and for the Joint Staff Support Center,
which supports the chairman, vice chairman, and Joint Chiefs of Staff in the Pentagon.
4. "Exploit the GIG for Improved Decision-Making" focuses on transitioning to DOD enterprise-
wide capabilities for communities of interest, such as command and control, and combat support
that exploit the GIG for improved decision-making. This mission area funds the Global
Command and Control System-Joint program, Global Combat Support System-Joint program,
and senior leader and coalition information-sharing activities.
5. "Deliver Capabilities Effectively/Efficiently" finances the means by which the agency effectively,
efficiently, and economically delivers capabilities based on established requirements. This area
funds the command staff and the personnel costs for DISA's shared service units.
6. "Special Mission Areas" enables the agency to execute special missions to provide the
communications support required by the president as commander-in-chief, including day-to-day
management, fielding, operation, and maintenance of communications and information
technology. The White House Communications Agency (WHCA) and the Communications
Management Control Activity in the Network Services Directorate are budgeted out of this
mission area.
Resources: DISA is a combat support agency of the DOD with an $11.9 billion annual budget.
Global Presence
DISA is a global organization of approximately 7,500 civilian employees; 1,700 active-duty military
personnel from the Army, Air Force, Navy, and Marine Corps; and over 11,000 defense contractors. This
data is as of Sept. 2023. DISA is headquartered at Fort Meade, Maryland, and has a presence in 25 states
and the District of Columbia within the United States, in seven countries, and in Guam (a U.S. territory),
with 53 percent of its people based at Fort Meade and the National Capital Region, and 47 percent based
in field locations.
In addition, the following organizations are a part of DISA: Office of the Chief Financial Officer,
Component and Acquisition Executive, Chief of Staff, Inspector General, Joint Force Headquarters-
Department of Defense Information Network, Operations and Infrastructure Center, Procurement Services
Directorate, Risk Management Executive, White House Communications Agency, and Workforce
Services and Development Directorate. DISA provides a core enterprise infrastructure of networks,
computing centers, and enterprise services (internet-like information services) that connect 4,300
locations, reaching 90 nations supporting DOD and national interests.
DISA is charged with the responsibility for planning, engineering, acquiring, testing, fielding, and
supporting global net-centric information and communications solutions to serve the needs of the
president, the vice president, the secretary of defense, and the DOD components under all conditions of
peace and war.
Through actions in support of our lines of effort (LOEs), DISA will implement, sustain, and evolve the
global network infrastructure and unified capabilities to provide information superiority to the president,
the secretary of defense, combatant commanders, senior leadership, military services, defense agencies,
and the warfighter.
The challenges posed in DISA’s strategic objectives are addressed through our LOEs: prioritize command
and control, drive force readiness through innovation, leverage data as a center of gravity, harmonize
cybersecurity and the user experience, and empower the workforce. Key focus areas throughout these
LOEs include improving efficiency and effectiveness, reducing time to deliver solutions, cutting costs,
standardizing services, and implementing capability both internally and for our mission partners. New
LOEs or actions may be added when necessary to support an agile approach and to achieve our shared
vision.
DISA Lines of Effort as outlined in the FY 2022-2024 Strategic Plan include:
The framework addressed through our LOEs (prioritize command and control, drive force readiness
through innovation, leverage data as a center of gravity, harmonize cybersecurity and the user experience,
and empower the workforce) articulates our vision of a combat support agency that is the nation’s
trusted provider to connect and protect the warfighter in cyberspace. We look forward to working with
our mission partners, industry, and academia as we continue to strengthen our capabilities and achieve
velocity of action to win.
Program Performance
DISA’s information services play a key role in supporting the DOD’s operating forces. As a result, DISA
is held to high performance standards. In many cases, performance measures are detailed in service-level
agreements with individual customers that exceed the general performance measures discussed in the
following paragraphs.
DISA Working Capital Fund (WCF) Performance Measures
The table below represents the increased demand for DISA’s server and storage computing services,
which has grown significantly since FY 2006. Since that year, the number of customer-driven server
operating environments has increased by 327 percent, and total storage gigabytes have increased by 1,789
percent. Over the same timeframe, the cost to deliver all computing services has increased by only 36
percent. In short, customers are demanding considerably more services and are at the same time
benefiting from DISA’s unique ability to leverage robust computing capacity at DISA data centers.
The Computing Services business area tracks its performance and results through the agency director’s
Quarterly Performance Reviews. There are two key operational metrics that are presented to the DISA
director in conjunction with regular, recurring Quarterly Program Reviews. These two metrics depicted in
the following tables reflect the availability of critical applications in the Core Data Centers.
The first metric, “Core Data Center Availability,” expressed in minutes per year, represents application
availability from the end user’s perspective and includes all outages or downtime regardless of root cause
or problem ownership. Tier II requires achieving 99.75 percent availability, which limits downtime to
approximately 1,361 minutes per year. Tier III, the standard for all DOD-designated Core Data Centers,
requires achieving 99.98 percent availability, which limits downtime to approximately 95 minutes per
year.
Core Data Center Availability
The second metric, “Capacity Service Contract Equipment Availability,” represents DISA’s equipment
availability by technology, i.e., how well DISA is executing its responsibilities exclusive of factors
outside the agency's control such as last-mile communications issues, base power outages, or the like. The
“threshold” refers to system uptime and capacity availability for intended use; this is the level required by
contract. The “objective” is the value agreed on by the vendor and the government to be an ideal target,
and the vendor reports the actual value on a monthly basis.
Figure 1- Capacity Service Contract Equipment Availability
| Threshold | Objective | Actual |
|---|---|---|
| 99.95% | 99.99% | 100% |
| 99.95% | 99.99% | 100% |
| 99.95% | 99.99% | 100% |
| 99.95% | 99.99% | 100% |
| 99.95% | 99.99% | 99.999% |
| 99.95% | >99.95% | 99.999% |
| 99.95% | >99.95% | 99.999% |
| 99.95% | >99.95% | 99.999% |
The Telecommunications Services business area provides a set of high quality, reliable, survivable, and
secure telecommunications services to meet the department’s command and control requirements. The
major component of Telecommunications Services is the DISN, a critical element of the DODIN that
provides the warfighter with essential access to timely, secure, and operationally relevant information to
ensure the success of military operations. The DISN is a collection of robust, interrelated
telecommunications networks that provide assured, secure, and interoperable connectivity for the DOD,
coalition partners, national senior leaders, combatant commands, and other federal agencies. Specifically,
the DISN provides dynamic routing of voice, data, text, imagery (both still and full motion), and
bandwidth services. The robustness of this telecommunications infrastructure has been demonstrated by
DISA’s repeated ability to meet terrestrial and satellite surge requirements in southwest Asia while
supporting disaster relief and recovery efforts throughout the world. Overall, the DISN provides a lower
customer price through bulk quantity purchases, economies of scale, and reengineering of current
communication services. In spite of this continuing upward trend in demand, DISA has delivered
transport services at an overall cost decrease to mission partners, as shown in the subsequent chart:
The previous chart compares the bandwidth delivery, including multiprotocol label switching
connections, with transport costs. Since FY 2015, DISA has increased transport bandwidth delivery
capacity 262.4 percent to meet customer demand. The increase is driven by internet traffic, DOD
Enterprise Services, full motion video collaboration, and intelligence, surveillance, and reconnaissance
requirements. Over the same timeframe, transport costs associated with the physical connections between
sites have decreased by 15.3 percent. Additionally, DISA has been able to keep these costs down without
any degradation in service. The DISN continues to meet or exceed network performance goals for circuit
availability and latency, two key performance metrics.
The DISN has operating metrics tied to the department’s strategic goal of information dominance. These
operational metrics include the cycle time for delivery of data and satellite services as well as service
performance objectives, such as availability, quality of service, and security measures. These categories
of metrics have guided the development of the Telecommunication Services budget submission.
Figure 2- Major Performance and Performance Improvement Measures
| | FY 2022 ACTUAL | FY 2023 Operational Goal | FY 2024 Operational Goal |
|---|---|---|---|
| | 99.78% | 98.50% | 98.50% |
| latency (measurement of network delay) in | 40.31 Milliseconds | <= 100 milliseconds | <= 100 milliseconds |
| | 99.66% | 99.50% | 99.50% |
The Enterprise Acquisition Services (EAS) business area is the department’s ideal source for procurement
of best-value and commercially competitive IT. EAS provides contracting services for IT and
telecommunications acquisitions from the commercial sector and contracting support to the DISN
programs, as well as to other DISA, DOD, and authorized non-defense customers. These contracting
services are provided through DISA’s Defense Information Technology Contracting Organization
(DITCO) and include acquisition planning, procurement, tariff surveillance, cost and price analyses, and
contract administration. These services provide end-to-end support for the mission partner.
Figure 3-EAS Performance Measures
| FY 2022 ACTUAL | FY 2023 Operational Goal | FY 2024 Operational Goal |
|---|---|---|
| 85.60% | 73.00% | 73.00% |
| 25.29% | 25.00% | 25.00% |
*FY 2023 and FY 2024 goals for percent of total eligible contract dollars competed are estimates based on the released FY 2022
goal. The goals have not yet been released by the Defense Procurement Acquisition Policy (DPAP).
In addition to the program performance measures outlined above, DISA has increased accountability of
its assets by linking performance standards to internal control standards. Each Senior Executive Service
member at DISA has included in their performance appraisal a standard to achieve accountability of
property. This standard has filtered down to managers across the agency. This increased focus on
accountability for managers has had a significant impact on the critical area of safeguarding assets.
DISA’s AFR will be published at https://comptroller.defense.gov/ODCFO/afr/ by Dec. 21, 2023.
2. Analysis of Financial Statements
Background
Defense Information Systems Agency (DISA) prepares annual financial statements in conformity with
accounting principles generally accepted in the United States. The accompanying financial statements and
footnotes are prepared in accordance with Office of Management and Budget (OMB) Circular A-136,
Financial Reporting Requirements. DISA records accounting transactions on both an accrual and
budgetary basis of accounting. Under the accrual method, revenue is recognized when earned and
costs/expenses are recognized when incurred, without regard to receipt or payment of cash. Budgetary
accounting facilitates compliance with legal constraints and controls over the use of federal funds.
Since FY 2005, DISA has had an established audit committee to oversee progress towards financial
management reform and audit readiness. DISA leadership participates in audit committee meetings to
fully support the audit and maintain senior leader tone-at-the-top. The DISA Audit Committee is
composed of three members who are not part of DISA. The current mission of the DISA Audit
Committee is to serve in an advisory role to DISA senior managers. The committee is tasked with
developing, raising, and resolving matters of financial compliance and internal controls with the purpose
of ensuring DISA’s consistent demonstration of accurate and supportable financial reports. The
committee develops and enforces guidance established for this purpose.
DISA General Fund (GF) did not receive a significant amount of COVID-related budgetary resources in
fiscal year (FY) 2023. DISA GF does not have any existing indefinite resources associated with COVID
requirements. In FY 2023, there was no additional impact to financial reporting for DISA GF assets,
liabilities, cost, revenue, or net position. See FY 2022 Note 13 for information related to FY 2022 COVID
activity.
Defense General Fund Financial Highlights
The following section provides an executive summary and brief description of the nature of each General
Fund (GF) financial statement, significant fluctuations, and significant balances to help clarify their link
to DISA operations.
Executive Summary
The DISA GF financial statements for the quarter ended Sept. 30, 2023, reflect a fund that had an increase
in overall appropriations in FY 2023 compared with FY 2022. See the table below for comparative data
for appropriations received between these two fiscal years.
Figure 4-Executive Summary
(thousands)
| DISA GF | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|
| O&M (0100) | $ 2,950,595 | $ 2,665,112 | $ 285,483 | 11% |
| PROC (0300) | 517,416 | 447,299 | 70,117 | 16% |
| RD&E (0400) | 286,328 | 375,042 | (88,714) | -24% |
| Consolidated Balance | $ 3,754,339 | $ 3,487,453 | $ 266,886 | 8% |
All general ledger subsidiary details have been reconciled to the field level accounting system trial
balances, and all journal vouchers posted to the Defense Departmental Reporting System-Budgetary
(DDRS-B) and Defense Departmental Reporting System-Audited Financial Statements (DDRS-AFS)
have been reconciled to ensure that the DDRS-AFS trial balance is 100 percent supported by transaction
details. All journal vouchers posted in DDRS-B and DDRS-AFS by the Defense Finance and Accounting
Service (DFAS) have been reviewed and approved by DISA staff.
The following financial statement highlights explain amounts reported in significant financial
statement line items and/or financial notes, and variances between the fourth quarter of FY 2023 reported
balances and those in the fourth quarter of FY 2022. Additionally, as required by the recent Office of the
Secretary of Defense (OSD) guidance for variance analysis, the comparison of the balance sheet between
current period and prior year-end will also be addressed. Balances that have the same underlying
explanation between budgetary and proprietary accounts are explained from the proprietary perspective
and referenced from the budgetary perspective. Due to rounding, tables in this document may not add to
overall totals.
CONSOLIDATED BALANCE SHEET
Assets
Fund Balance with Treasury - The following chart displays fiscal year-to-date net cash flow from current
year operations (collections less disbursements) reported to the Department of the Treasury for FY 2023
and FY 2022 by appropriation presented in a comparative manner:
Figure 5- Fund Balance with Treasury
(thousands)
| DISA GF | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|
| O&M (0100) | $ 1,479,505 | $ 1,369,840 | $ 109,665 | 8% |
| PROC (0300) | 871,569 | 849,384 | 22,185 | 3% |
| RD&E (0400) | 292,216 | 399,173 | (106,957) | -27% |
| MILCON (0500) | 25,336 | 39,700 | (14,364) | -36% |
| Consolidated Balance | $ 2,668,626 | $ 2,658,097 | $ 10,528 | 0% |
Amounts recorded in the general ledger for Fund Balance with Treasury (FBWT) have been 100 percent
reconciled to amounts reported in the DFAS Cash Management Report, representing DISA GF’s portion
of the TI97 appropriated account balances reported by the Treasury. All reconciling differences (i.e.,
undistributed) have been identified at the voucher level. The consolidated undistributed balance as of
Sept. 30, 2023, is $6.9 million, compared with $22.1 million on Sept. 30, 2022.
Accounts Receivables, Net - Accounts receivables balances by appropriation as of Sept. 30, 2023, and
Sept. 30, 2022, are as follows:
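Figure 6-Accounts Receivable, Net
(thousands)
| DISA GF | | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|---|
| O&M (0100) | Intragov. | $ 25,859 | $ 32,448 | $ (6,589) | -20% |
| O&M (0100) | Public | 1,039 | 591 | 448 | 76% |
| PROC (0300) | Intragov. | 1,942 | 1,589 | 353 | 22% |
| PROC (0300) | Public | 31 | 33 | (2) | -6% |
| RDT&E (0400) | Intragov. | 3,337 | 5,392 | (2,055) | -38% |
| RDT&E (0400) | Public | 374 | 123 | 251 | 204% |
| Consolidated | Intragov. | 31,138 | 39,429 | (8,291) | -21% |
| Consolidated | Public | 1,444 | 747 | 697 | 93% |
| Total Consolidated | | $ 32,582 | $ 40,176 | $ (7,594) | -19% |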
The decrease in Operations & Maintenance (O&M) (0100) intragovernmental accounts
receivable is attributable to the net of a $7 million decrease in overall accounts receivable,
and a $0.5 million decrease in undistributed collections, which increases the total AR
balance.
The increase in Procurement (PROC) (0300) intragovernmental accounts receivable is
attributable to a $0.3 million increase in overall accounts receivable.
The decrease in Research, Development, Test, and Evaluation (RDT&E) (0400)
intragovernmental accounts receivable is attributable to the net of a $2.2 million decrease in
overall accounts receivable, and a $0.2 million decrease in undistributed collections, which
increases the total AR balance.
General Property, Plant, and Equipment, Net - General property, plant, and equipment (PP&E) balances
by appropriation as of Sept. 30, 2023, and Sept. 30, 2022, are as follows:
Figure 7-General PP&E, Net
(thousands)
| DISA GF | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|
| O&M (0100) | $ 38,197 | $ 12,007 | $ 26,190 | 218% |
| PROC (0300) | 261,417 | 289,465 | (28,048) | -10% |
| RDT&E (0400) | 4,756 | 4,265 | 491 | 12% |
| MILCON (0500) | 20,775 | 20,627 | 148 | 1% |
| Consolidated | $ 325,145 | $ 326,364 | $ (1,219) | 0% |
The 218 percent increase in O&M (0100) general PP&E was driven by:
o A $7.9 million increase in equipment purchases from DISA WCF for the DISA IT
Transport Services Branch and a $2.6 million increase in accumulated depreciation on
equipment, which draws down O&M PP&E.
o A $23.1 million increase to Construction In Progress (CIP) for new funded capital
projects.
o A $1.7 million increase in accumulated amortization of internal-use software, which
draws down O&M PP&E.
The 10 percent decrease in PROC (0300) general PP&E was driven by:
o A $9.4 million decrease to CIP related to equipment received and not placed into use.
o A $38.7 million increase in equipment placed in service and a $35 million increase in
accumulated depreciation on equipment, which draws down PROC PP&E.
o A $61.9 million decrease in leasehold improvements and a $40 million decrease in
accumulated amortization on leasehold improvements, which increases PROC PP&E.
These decreases are due to a policy change for which leasehold improvements are to be
transferred to the hosting installation.
The 1 percent increase in Military Construction (MILCON) (0500) general PP&E was driven by:
o A $13.5 million increase in CIP to construct an RDT&E facility for the Joint
Interoperability Test Command at Fort Huachuca, Arizona.
o A $13.6 million decrease in leasehold improvements and a $9 million decrease in
accumulated amortization on leasehold improvements, which increases MILCON PP&E.
These decreases are due to a policy change for which leasehold improvements are to be
transferred to the hosting installation.
o A $10 million decrease in buildings, improvements, and renovations and a $1.2 million
decrease in accumulated depreciation on buildings, improvements and renovations, which
increases MILCON PP&E. These decreases are due to the transfer out of the Geraldton
building to the Navy.
Liabilities
Total Liabilities Not Covered by Budgetary Resources - Total liabilities not covered by budgetary
resources are primarily composed of two types of liabilities: accounts payable balances associated with
cancelled appropriations and unfunded annual leave and Federal Employees’ Compensation Act (FECA)
balances. If an accounts payable balance remains when an appropriation is cancelled, it is re-established.
This would primarily occur if there were an accrual recorded that is still anticipated or invoiced or the
contract closeout has not occurred. If the amount is ever invoiced, it would be paid from current year
appropriations. Unfunded annual leave and FECA balances accrue in the current period and will be
funded when they come due in future years.
Figure 8-Total Liabilities Not Covered by Budgetary Resources
(thousands)
| DISA GF | | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|---|
| O&M (0100) | Intragov. | $ 771 | $ 854 | $ (83) | -10% |
| O&M (0100) | Public | 48,321 | 45,928 | 2,393 | 5% |
| PROC (0300) | Public | 1 | 1 | 0 | 0% |
| Consolidated | Intragov. | 771 | 854 | (83) | -10% |
| Consolidated | Public | 48,322 | 45,929 | 2,393 | 5% |
| Consolidated | | $ 49,093 | $ 46,783 | $ 2,310 | 5% |
Non-federal O&M liabilities increased by 5 percent, driven by:
o A $1.7 million increase in legal contingent liabilities for future funded expenses,
o A $0.8 million increase in actuarial FECA liability, and
o A $0.2 million decrease in unfunded annual leave.
Total Liabilities Covered by Budgetary Resources - Total liabilities covered by budgetary resources are
made up of four types of liabilities:
1. Accounts payable balances are recorded in various ways based on the underlying transaction.
DISA staff evaluate purchases recorded, accrued cost, and accounts payable for service-based
orders as applicable. Accounts payable for goods is based on receipt of invoice. DISA continues
to refine the accrual methodology processes to match the recording of cost more accurately with
the period of performance or estimated delivery date.
2. Accrued funded payroll and leave.
3. Employer contributions and payroll taxes.
4. Liabilities of advances and prepayments.
Balances reported as of Sept. 30, 2023, and Sept. 30, 2022, consist of the following:
Figure 9-Total Liabilities Covered by Budgetary Resources
(thousands)

| DISA GF | | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|---|
| O&M (0100) | Intragov. | $ 256,644 | $ 222,514 | $ 34,130 | 15% |
| | Public | 17,033 | 31,882 | (14,849) | -47% |
| PROC (0300) | Intragov. | 57,419 | 42,999 | 14,420 | 34% |
| | Public | 3,040 | 2,609 | 431 | 17% |
| RDT&E (0400) | Intragov. | 38,878 | 51,372 | (12,494) | -24% |
| | Public | 3,885 | 3,266 | 619 | 19% |
| MILCON (0500) | Intragov. | 856 | 881 | (25) | -3% |
| | Public | 63 | 63 | 0 | 0% |
| Consolidated | Intragov. | 353,797 | 317,766 | 36,031 | 11% |
| | Public | 24,021 | 37,820 | (13,799) | -36% |
| Consolidated | | $ 377,818 | $ 355,586 | $ 22,232 | 6% |

The O&M (0100) intragovernmental increase was driven by a $18.1 million increase in normal
accounts payable, and a $15.9 million decrease in abnormal undistributed accounts payable
disbursements which increases overall accounts payable. The public decrease was driven by a
$3.8 million decrease in normal accounts payable, a $9 million increase in undistributed accounts
payable disbursements, a $0.4 million increase in accrued funded payroll and leave-salaries and
wages, a $2.4 million decrease in liability for advances and prepayments, and a $0.2 million
increase in employer contributions and payroll taxes payable.
The PROC (0300) intragovernmental increase was driven by a $9.3 million increase in normal
accounts payable, and a $5 million increase in abnormal undistributed accounts payable
disbursements which increases overall accounts payable. The public increase is due to a $2
million increase in normal accounts payable, and a $1.6 million increase in abnormal
undistributed accounts payable disbursements which draws down accounts payable.
The RDT&E (0400) intragovernmental decrease was driven by a $12.8 million decrease in
normal accounts payable, and a $0.3 million decrease in normal undistributed accounts payable
disbursements which increases overall accounts payable. The public increase was driven by a
$1.4 million increase in normal accounts payable, a $1.1 million increase in normal undistributed
accounts payable disbursements, a $0.2 million increase in liability for advances and
prepayments, and a $0.1 million increase in accrued funded payroll and leave-salaries and wages.
Other Liabilities - Other liabilities primarily comprise five types of liabilities:
1. Unfunded FECA balances. These liabilities are accrued in the current period and will be funded
when they come due in future years.
2. Accrued funded payroll and leave.
3. Employer contribution and payroll taxes payable (health benefits, life insurance, and retirement).
4. Liability for advances and prepayments.
5. Other post-employment benefits due and payable.
Figure 10-Other Liabilities
(thousands)

| DISA GF | | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|---|
| O&M (0100) | Intragov. | $ 2,646 | $ 2,655 | $ (9) | 0% |
| | Public | 7,104 | 4,992 | 2,112 | 42% |
| RDT&E (0400) | Public | 637 | 539 | 98 | 18% |
| Consolidated | Intragov. | 2,646 | 2,655 | (9) | 0% |
| | Public | 7,741 | 5,531 | 2,210 | 40% |
| Consolidated | | $ 10,387 | $ 8,186 | $ 2,201 | 27% |

Figure 11-Other Liabilities: Advances from Others and Deferred Revenue
(thousands)

| DISA GF | | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|---|
| O&M (0100) | Public | $ 2,782 | $ 5,274 | $ (2,492) | -47% |
| RDT&E (0400) | Public | 2,611 | 2,380 | 231 | 10% |
| Consolidated | | $ 5,393 | $ 7,654 | $ (2,261) | -30% |

Other liabilities had no change overall attributed to a $1.7 million increase in non-federal
contingent liabilities (0100), a $0.4 million increase in non-federal accrued funded payroll and
leave-salaries and wages (0100), a $2.4 million decrease in non-federal liability for advances and
prepayments (0100), and a $0.2 million increase in non-federal liability for advances and
prepayments (0300).
CONSOLIDATED STATEMENT OF NET COST
Net cost of operations increased by $85.5 million, or 2 percent, between the fourth quarter of FY 2022
and the fourth quarter of FY 2023. The change in net cost of operations comprises an increase in gross
costs of $76.3 million and a decrease in earned revenue of $9.2 million.
Figure 12-Consolidated Statement of Net Cost
(thousands)

| DISA GF | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|
| O&M (0100) | $ 2,852,585 | $ 2,656,831 | $ 195,754 | 7% |
| PROC (0300) | 372,183 | 459,698 | (87,515) | -19% |
| RDT&E (0400) | 358,607 | 379,295 | (20,688) | -5% |
| MILCON (0500) | 1,175 | 3,208 | (2,033) | -63% |
| Consolidated | $ 3,584,550 | $ 3,499,032 | $ 85,518 | 2% |

The increase in O&M (0100) is attributable to
o A $185.7 million increase in operating expenses/program costs.
    - $115.3 million increase in other contractual services, including $63.1 million for
      advisory and assistance services and $40.1 million for O&M of equipment.
    - $49.2 million increase in equipment.
o A $10.1 million increase in imputed costs for retirement.
o A $5.7 million decrease in revenue from services provided.
o A $2.2 million decrease in imputed costs for real property not executed under WCF
budget authority.
The decrease in PROC (0300) is attributable to
o A $102.5 million increase in operating expenses/program costs.
    - $40.8 million increase in equipment.
    - $56.4 million increase in contractual services for O&M of equipment.
    - $6.4 million increase in rent, communications, utilities, and miscellaneous
      charges.
o A $184.1 million decrease in cost capitalization offset-general PP&E.
o A $2.3 million increase in revenue from services provided.
The decrease in RDT&E (0400) is attributable to
o A $25.9 million decrease in operating expenses/program costs.
    - $27.9 million increase in contractual services for research and development.
    - $51.7 million decrease in contractual services for O&M of equipment.
    - $3.5 million decrease in contractual services for advisory and assistance services.
    - $3 million increase in equipment.
o A $5.8 million decrease in revenue from services provided.
The decrease in MILCON (0500) is attributable to
o A $11.9 million increase in operating expenses/program costs.
    - $2.2 million decrease in contractual services for O&M of facilities.
    - $14 million increase in equipment.
o A $14 million decrease in cost capitalization offset-general PP&E.
STATEMENT OF CHANGES IN NET POSITION
Other financing sources: Transfers-in/out without reimbursement decreased $41 million
(20 percent) overall. The change is attributed to a decrease of $35.1 million in 0300 related to
projects completed and moved from GF CIP and transferred to WCF, a $28 million decrease in
0400 driven by an on-the-top Journal Voucher (JV) posted in FY 2022 to correct an FY 2021
posting (increase of $28.5 million from 0300 to 0400), an increase of $12.7 million related to CIP
for construction of a RDT&E facility at Fort Huachuca (0500), and an increase of $9.1 million
related to equipment purchased and not yet placed in service (0100).
Other financing sources: Imputed financing from costs absorbed by others increased by $9.5
million (13 percent) overall. This is attributable to an increase of $10.1 million in the imputed
cost for retirement, a decrease of $2.2 million in the imputed costs of real property not executed
under WCF budget authority, and an increase of $1.4 million in the imputed cost for health.
STATEMENT OF BUDGETARY RESOURCES
Statement of Budgetary Resources (SBR) net outlays, reimbursements earned (receivable and delivered
orders), and delivered orders unpaid¹ (obligations) are reconciled with their proprietary account
counterparts (FBWT, account receivable, and account payable) respectively, and those variances are
consistent with the variances described above. The results and variances of other key amounts reported in
the SBR are as follows:
Figure 13-Statement of Budgetary Resources
(thousands)

| DISA GF | 9/30/2023 | 9/30/2022 | Inc/Dec | % Chg. |
|---|---|---|---|---|
| O&M (0100) | | | | |
| Obligations Incurred | $ 3,354,090 | $ 3,023,848 | $ 330,242 | 11% |
| Unobligated Balances | 265,420 | 270,336 | (4,916) | -2% |
| Undelivered Orders | 1,030,565 | 949,368 | 81,197 | 9% |
| Unfilled Customer Orders | (63,731) | (71,561) | 7,830 | -11% |
| PROC (0300) | | | | |
| Obligations Incurred | 650,399 | 516,978 | 133,421 | 26% |
| Unobligated Balances | 214,721 | 296,692 | (81,971) | -28% |
| Undelivered Orders | 600,897 | 520,480 | 80,417 | 15% |
| Unfilled Customer Orders | (2,566) | (11,807) | 9,241 | -78% |
| RDT&E (0400) | | | | |
| Obligations Incurred | 287,006 | 495,516 | (208,510) | -42% |
| Unobligated Balances | 157,498 | 97,918 | 59,580 | 61% |
| Undelivered Orders | 138,455 | 284,099 | (145,644) | -51% |
| Unfilled Customer Orders | (43,724) | (32,321) | (11,403) | 35% |
| MILCON (0500) | | | | |
| Obligations Incurred | 1,467 | 371 | 1,096 | 295% |
| Unobligated Balances | 15,940 | 17,042 | (1,102) | -6% |
| Undelivered Orders | 8,478 | 21,714 | (13,236) | -61% |
| Consolidated | | | | |
| Obligations Incurred | $ 4,292,962 | $ 4,036,713 | $ 256,249 | 6% |
| Unobligated Balances | $ 653,579 | $ 681,988 | $ (28,409) | -4% |
| Undelivered Orders | $ 1,778,395 | $ 1,775,661 | $ 2,734 | 0% |
| Unfilled Customer Orders | $ (110,021) | $ (115,689) | $ 5,668 | -5% |

*Totals represent unfilled customer orders with and without advance
¹ Net outlays will impact the following lines on the SBR: 1890 Spending Authority from Offsetting Collections;
3020 Outlays, Gross; 3090 Uncollected Payments End of Year; 4178 Change in Uncollected Payments; 4185
Outlays, Gross; 4187 Offsetting Collections; and 4190/4210 Net Outlays. Reimbursements Earned Receivable
will impact the following lines on the SBR: 3060 Uncollected Payments Brought Forward and 3072 Change in
Uncollected Payments. Delivered Orders Unpaid impacts the following lines on the SBR: 3050 Unpaid
Obligations End of Year.
Obligations Incurred
O&M (0100) increase in obligations was driven by
o A $190.6 million increase in contractual services for O&M of equipment.
o A $60.8 million increase in total obligations, including a $48.2 million increase in unpaid
delivered orders.
o A $46.9 million increase in contractual advisory and assistance services.
o A $18.9 million increase for contractual services for O&M of facilities.
o A $12.1 million increase in travel and transportation of persons.
PROC (0300) increase in obligations was driven by
o A $115.6 million increase in equipment.
o A $62.8 million increase in contractual advisory and assistance services.
o A $55 million decrease in contractual services for O&M of equipment.
o A $22 million increase in total obligations, including a $30.5 million increase in unpaid
delivered orders and a $7.2 million decrease in paid delivered orders.
o A $9.2 million decrease in rent, communications, utilities and miscellaneous charges.
o A $4.5 million decrease in contractual services from non-federal sources.
RDT&E (0400) decrease in obligations was driven by
o A $109.9 million decrease in contractual services for O&M of equipment.
o A $91.7 million decrease in contractual services for research and development.
o A $6.9 million decrease in contractual advisory and assistance services.
o A $1.3 million increase in total obligations, including a $1.1 million increase in paid
delivered orders.
MILCON (0500) increase in obligations was driven by
o A $0.6 million increase in contractual services of O&M facilities.
o A $0.3 million increase in total obligations, including a $1.1 million increase in unpaid
undelivered orders, and a $0.9 million decrease to unpaid delivered orders.
Unobligated Balances
O&M (0100) unobligated balance decrease is driven by a $14.9 million decrease in allotments-
expired authority, and a $9.9 million increase in allotments-realized resources.
PROC (0300) unobligated balance decrease is driven by a $60.5 million decrease in allotments-
realized resources, a $27.3 million decrease in allotments-expired authority, and a $5.9 million
increase in commitments-programs subject to apportionment.
RDT&E (0400) unobligated balance increase is driven by a $60.2 million increase in allotments-
realized resources, a $5.7 million decrease in commitments-programs subject to apportionment,
and a $5 million increase in allotments-expired authority.
MILCON (0500) unobligated balance decrease is driven by a $0.8 million decrease in allotments-
realized resources, and a $0.2 million decrease in allotments-expired authority.
RECONCILIATION OF NET COST TO NET OUTLAYS
The reconciliation of net cost to net outlays demonstrates the relationship between the DISA GF’s net cost
of operations, reported on an accrual basis of the statement of net cost (SNC) and net outlays, reported on
a budgetary basis of the SBR. While budgetary and financial accounting are complementary, the
reconciliation explains the inherent differences in timing and in the types of information between the two
during the reporting period.
The accrual basis of financial accounting is intended to provide a picture of the DISA GF’s operations
and financial position, including information about costs arising from the consumption of assets and the
incurrence of liabilities. Budgetary accounting reports on the management of resources and the use and
receipt of cash by the DISA GF. Outlays are payments to liquidate an obligation, other than the
repayment to the Treasury of debt principal.
Figure 14-Reconciliation of Net Cost to Net Budgetary Outlays
(thousands)

| DISA GF | Intragov. | Public | Total |
|---|---|---|---|
| Net Cost of Operations | $ 2,896,620 | $ 687,931 | $ 3,584,551 |
| Property, Plant, and Equipment, net changes | 0 | (1,220) | (1,220) |
| Increase/(Decrease) in Assets: | | | |
| Accounts and taxes receivable, net | (8,347) | 698 | (7,649) |
| Other Assets | 0 | (12) | (12) |
| Increase/(Decrease) in liabilities: | | | |
| Accounts Payable | (35,898) | 12,182 | (23,716) |
| Federal employee and veteran benefits payable | 0 | (829) | (829) |
| Other liabilities | 9 | 52 | 61 |
| Other Financing Sources: | | | |
| Imputed cost | (81,529) | $0 | (81,529) |
| Total Components of Net Cost That Are Not Part of Net Outlays | $ (125,765) | $ 10,871 | $ (114,894) |
| Miscellaneous Reconciling Items | | | |
| Transfers (in)/out without reimbursements | 159,335 | 0 | 159,335 |
| Other | 0 | 9,589 | 9,589 |
| Total Other Reconciling items | 159,335 | 9,589 | 168,924 |
| Total Net Outlays | 2,930,190 | 708,391 | 3,638,581 |
| Agency Outlays, Net, Statement of Budgetary Resources | | | $ 3,638,463 |
| Unreconciled difference | | | $118 |

The unreconciled difference of $118 thousand is related to Line R1C2, not including Standard General
Ledger (SGL) 711000.9000, which is included in SNC net cost of operations, but not in the SBR net
outlays. The fluctuation is due to adjusting entries made for equipment sent to the Defense Logistics
Agency (DLA) that was no longer in use.
LIMITATIONS
The principal financial statements are prepared to report the financial position, financial condition, and
results of operations, pursuant to the requirements of 31 U.S.C. § 3515(b). The statements are prepared
from records of federal entities in accordance with federal Generally Accepted Accounting Principles
(GAAP) and the formats prescribed by DDRS-B. Reports used to monitor and control budgetary resources
are prepared from the same records. Users of the statements are advised that the statements are for a
component of the U.S. government.
The statements should be read with the realization that they are for a defense agency of the U.S.
government, a sovereign entity.
3. Analysis of Systems, Controls, and Legal Compliance
Management Assurances
DISA Office of the Chief Financial Officer (OCFO)/Comptroller has oversight of DISA’s Risk
Management and Internal Control (RMIC) Program. Agency assessable unit managers (AUMs) perform
testing and report results for Internal Controls Over Reporting - Operations (ICOR-O) Non-Financial.
Tests and reports of results are conducted for the Internal Controls Over Reporting - Financial Systems
(ICOR-FS) for the agency. In addition, the OCFO conducts testing and reports on the overall Internal
Controls Over Reporting - Financial Reporting (ICOR-FR) for the agency.
Reviews, testing, and evaluations are conducted to assess if the internal control structure is compliant
with the components of the Government Accountability Office (GAO) Green Book objectives of
operations, reporting, and compliance. DISA’s senior management has reviewed and evaluated the system
of internal controls in effect during the fiscal year as of the date of this memorandum, according to the
guidance in OMB Circular No. A-123 and the GAO Green Book. Included is our evaluation of whether
the system of internal controls for DISA is compliant with standards prescribed by the Comptroller
General.
The objectives of the system of internal controls are to provide reasonable assurance for
o Operations: effectiveness and efficiency of operations.
o Reporting: reliability of financial and non-financial reporting for internal and external use.
o Compliance: adherence to applicable laws and regulations, including financial information
systems compliance with the Federal Financial Management Improvement Act (FFMIA) of
1996 (Public Law 104-208).
The evaluation of internal controls extends to every responsibility and activity undertaken by DISA
and applies to program, administrative, and operational controls, making adherence of Risk
Management and Internal Controls not only the responsibility of management, but also every DISA
employee. The concept of reasonable assurance recognizes that DISA’s mission objectives are
achieved, and managers must carefully consider the appropriate balance among risk, controls, costs,
and benefits in our mission-support operations.
Too many controls can result in inefficiencies, while too few controls might increase risk to an
unacceptable level. In that premise, errors or irregularities may occur and not be detected because of
inherent limitations in any system of internal controls, including those limitations resulting from
resource constraints, congressional restrictions, and other factors. Projection of any system
evaluation to future periods is subject to the risk that procedures may be inadequate because of
changes in conditions or that the degree of compliance with procedures may deteriorate. Therefore,
this statement of reasonable assurance is provided within the limits of the preceding description.
DISA management evaluated the system of internal controls in accordance with the guidelines
identified above. The results indicate that the system of internal controls of DISA, in effect as of the
date of this memorandum, taken as a whole, complies with the requirement to provide reasonable
assurance that the above-mentioned objectives were achieved for reporting, operations, and
compliance.
Based upon this evaluation, establishing and integrating internal control into its operations in a risk-
based and cost beneficial manner, DISA is providing reasonable assurance that our internal controls
over reporting, operations, and compliance are operating effectively. Reasonable assurance has been
achieved. This position on reasonable assurance is within the limits described in the preceding
paragraph.
MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER) (OUSD(C))
DEPUTY CHIEF FINANCIAL OFFICER (DCFO)
SUBJECT: Annual Statement of Assurance Required Under the Federal Managers’ Financial
Integrity Act (FMFIA) for Fiscal Year (FY) 2023
As Director of the Defense Information Systems Agency (DISA), I recognize DISA is
responsible for managing risks and maintaining effective internal control to meet the objectives of
Sections 2 and 4 of the Federal Managers’ Financial Integrity Act (FMFIA) of 1982. DISA conducted
its assessment of risk and internal control in accordance with the Office of Management and
Budget (OMB) Circular No. A-123, “Management’s Responsibility for Enterprise Risk Management
and Internal Control” and the Green Book, GAO-14-704G, Standards for Internal Control in the Federal
Government. This internal review also included an evaluation of the internal controls around our
Security Assistance Accounts (SAA) activities. Based on the results of the assessment, DISA can provide
reasonable assurance that internal controls over operations, reporting, and compliance are operating
effectively as of September 30, 2023. In FY 2023, there were six categories of material weaknesses
(MWs) and Significant Deficiencies (SDs) that are in process of correction or have mitigating controls:
Accounts Receivable/Revenue; Accounts Payable/Expense; Budgetary Resources; Fund Balance with
Treasury; Financial Reporting; and Property, Plant and Equipment (PPE).
DISA conducted its assessment of the effectiveness of internal controls over operations in
accordance with OMB Circular No. A-123, the GAO Green Book, and the FMFIA. The “Summary of
Management’s Approach to Internal Control Evaluation (Appendix C)” section provides specific
information on how DISA conducted this assessment. This internal review also included an evaluation of
the internal controls around our Security Assistance Accounts (SAA) activities. Based on the results of
the assessment, DISA can provide reasonable assurance that internal controls over operations and
compliance are operating effectively as of September 30, 2023.
DISA conducted its assessment of the effectiveness of internal controls over reporting
(including internal and external financial reporting) in accordance with OMB Circular No. A-123,
Appendix A. The “Internal Control Evaluation (Appendix C)” section provides specific information on
how DISA conducted this assessment. This assessment also included an evaluation of the internal
controls around our Security Assistance Accounts (SAA) activities. Based on the results of the
assessment, DISA can provide assurance that internal controls over reporting (including internal and
external reporting) as of September 30, 2023, and compliance are operating effectively as of September
30, 2023.
DISA Memo, Annual Statement of Assurance Required Under the Federal Managers Financial
Integrity Act (FMFIA) for Fiscal Year (FY) 2023,
DEFENSE INFORMATION SYSTEMS AGENCY
P.O. BOX 549
FORT MEADE, MARYLAND 20755-0549
DISA also conducted an internal review of the effectiveness of the internal controls over the
integrated financial management systems in accordance with FMFIA and OMB Circular No. A-123,
Appendix D. The “Internal Control Evaluation (Appendix C)” section provides specific information on
how DISA conducted this assessment. This internal review also included an evaluation of the internal
controls around our Security Assistance Accounts (SAA) activities. Based on the results of this
assessment, DISA can provide assurance, except for one non-conformance reported in the “Significant
Deficiencies and Material Weaknesses Template” that the internal controls over the financial systems are
in compliance with the FMFIA, Section 4; Federal Financial Management Improvement Act (FFMIA),
Section 803; and OMB Circular No. A-123, Appendix D, as of September 30, 2023.
DISA has conducted an assessment of entity-level controls including fraud controls in accordance
with the Green Book, OMB Circular No. A-123, the Payment Integrity Information Act of 2019, and
GAO Fraud Risk Management Framework. This internal review also included an evaluation of the
internal controls around our Security Assistance Accounts (SAA) activities. Based on the results of the
assessment, DISA can provide reasonable assurance that entity-level controls including fraud controls are
operating effectively as of September 30, 2023.
DISA is hereby reporting that no Anti-Deficiency Act (ADA) violations have been
discovered/identified during our assessments of the applicable processes OR Anti-Deficiency Act (ADA)
violation(s) has (have) been discovered/identified during our assessments of the applicable processes.
If there are any questions regarding this Statement of Assurance for FY 2023, my point of contact
is Mr. Alex Diaz, and he can be reached at alexis.[email protected] or
(614) 692-9400.
ROBERT J. SKINNER
Lieutenant General, USAF
Director
Attachments:
As stated
FY 2023 Internal Control Program Initiatives and Execution
In addition to the foundational sources of guidance such as OMB Circular A-123 and the GAO
Green Book, DISA also receives direction from and coordinates with the Office of Under
Secretary of Defense Comptroller (OUSD [C]) to execute its Risk Management Internal Control
(RMIC) Program. The OUSD Comptroller RMIC Team issues the FY 2023 DOD Statement of
Assurance Handbook that requires deliverables throughout the reporting cycle. The handbook
provides practical guidance to carry out the program. In FY 2022, there was an emphasis on Entity
Level Controls (ELCs), auditor Notice of Findings and Recommendations (NFR), Corrective
Action Plan (CAP) implementation and resolution, and testing to pave the way in support of CAP
resolution or mitigation. This remains in FY 2023; however, there is more focus on integrating an
agency Risk Profile that identifies risks and fraud that may potentially impact the agency’s
strategic objective.
Throughout the process, DISA has provided several templates and deliverables to support not only
DISA, but the overall DOD RMIC Program. In the course of the year, DISA will have submitted
an End-to-End Process Control Narrative Key Controls Memo, Agency Risk Assessment, Material
Weakness (MW) and Deficiencies Reporting and Removal Template, Entity Level Control Testing
Validation, Fraud Controls Matrix, Complementary User Control CAPs, Summary of
Management’s Approach to Internal Control Evaluation Template, and a DATA Act Data Quality
Controls Matrix in support of the program.
Correction of Prior Year Significant Deficiencies and Material Weaknesses:
One of the department’s focus areas is to make progress towards resolution of prior year MWs and
conditions impeding audit progress. DISA has made concentrated efforts to resolve and clear prior year
issues. In FY 2023, at the time of this memorandum, DISA has a potential to close 9 NFRs upon final
review and approval by the independent public accounting firm (IPA).
Entity Level Controls (ELCs):
ELCs include Control Environment, Risk Assessment, Control Activities, Information and
Communication, and Monitoring. Underlying these five control components, the Green Book states 17
control principles that represent fundamental elements associated with each component of control and
emphasizes that there are significant interdependencies among the various control principles. ELCs
represent the overarching management controls that create an environment of management oversight for
the financial and non-financial activities of the department and DISA as an agency.
Enterprise Approach to Risk Management:
Each year, DISA kicks off its internal control program and begins by performing a risk assessment in
which DISA has taken an enterprise approach that covers key business processes. Risk management has
been aligned to the National Defense Strategy (NDS) and the National Defense Business Operations Plan
(NDBOP). DISA supported NDS Strategic Goal 3 to “Reform the Department’s Business Practices for
Greater Performance and Affordability” through identifying associated control activities and evaluating
risk and control effectiveness.
In addition, DISA adheres to the NDBOP goal of “undergo an audit and improve the quality of budgetary
and financial information that is most valuable in managing the DOD,” through its audit and environment
of continuous improvement and process refinement. The RMIC Program is managed through a three-
tiered approach, which provides a structure to identify risk at an enterprise level, as well as at a more
granular level. DISA director provides a “tone-at-the-top” memo, which defines management’s leadership
and commitment towards an effective internal control structure.
The second tier is supported by the Internal Control team, consisting of subject matter experts providing
guidance and execution of the program throughout the agency. The third tier is supported by the AUMs
who manage at the program/directorate level within the organization. Each directorate’s senior leadership,
within each assessable unit, collaborates with AUMs to identify areas of risks in their respective area. The
processes of coordinating and consolidating risk help identify the overall assessment of risk at the
enterprise risk management level, while also reviewing DISA’s detail transactions. This risk assessment
results in reviews and letters of assurance from each area that are considered in the annual Statement of
Assurance assessment.
Oversight and Monitoring:
DISA’s internal control structure of training provides AUM assistance; ELCs; risk assessments;
continuous testing in mandatory and high-risk areas; reviews, updates, and management approval of
process narratives and cycle-memos; CAPs; and senior accountable officials (SOAs) letters of assurance.
These elements are all core to an integral program of oversight and monitoring. In addition, the Senior
Assessment Team (SAT) met on Sept. 27, 2023, and provided oversight to the internal control program
through discussion of results and anticipated outcomes to be reported in the FY 2023 Statement of
Assurance.
Payment Integrity/Improper Payment Recovery:
For compliance with the Payment Integrity Information Act of 2019 (Pub. L. No. 116-117, 31 U.S.C. §
3352 and § 3357), DISA has an internal control structure in place to mitigate improper payments that
could result in payment recovery actions. Actions taken to prevent overpayments include testing and
review of civilian time and attendance, travel payments, and purchase card transactions. Tests validate
that internal controls are in place and functioning as preventative measures to mitigate risks in the
execution, obligation, and liquidation of funding for transactions. Controls are in place through
established policy and procedures, training, separation of duties, and data mining to identify risks and
fraud vulnerabilities.
Additionally, DFAS, as DISA’s accounting service provider, performs overpayment recapture functions
on behalf of DISA. DFAS includes DISA transactions in its sampling populations for improper payment
testing of civilian payroll and travel. There have been no issues arising to merit an anticipated negative
impact regarding payment integrity and improper payment recovery.
Financial Risk Management (FRM):
One of the new recommendations for FY 2023 is the submission of the FRM or tone-at-the-top RMIC
memorandum to the RMIC platform. This is a new submission item added in FY 2023 that is
recommended, but not required. Components that do not have a tone-at-the-top memorandum that
includes a commitment to combatting fraud are encouraged to begin development.
Risk Assessment Template:
One of the new recommendations for FY 2023. Components that utilize emerging technologies should
leverage the GAO AI framework as described in Government Accountability Office report GAO-21-
519SP, “Artificial Intelligence: An Accountability Framework for Federal Agencies and Other Entities”.
Components should consider risks around implementation of emerging technologies in their risk
assessment.
Entity-Level Components (ELCs):
The use of Committee of Sponsoring Organizations (COSO) framework, to identify types of evidence to
assess emerging technologies in the development of ELCs including the Component’s use of data and
system design.
FRM Framework Assessment:
To further align the fraud risk management requirements to the GAO FRM Framework, the Fraud
Controls Matrix Template has been renamed to the “GAO FRM Framework Assessment”.
CARES Act/COVID-19:
The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed on March 2, 2020,
(Public Law 116-136) and includes a military support response to the public health emergency
domestically and internationally. The CARES Act provides the DOD flexibility in executing contract
actions to expedite disbursement of these funds efficiently and effectively. In execution of this funding,
the risk for fraud, waste and abuse is heightened when internal controls are relaxed. COVID-19-related
activity has been reviewed and tested using verification and validation (V&V) procedures. There have
been no laws compromised or major issues identified leading to fraud, waste, or abuse as validated
through testing results for FY 2023. Identified areas of improvements for CARES Act execution include
ensuring requirements are aligned with spending plans and ensuring that transactions accurately reflect
the Disaster Emergency Fund Code (DEFC).
Fraud Controls:
In FY 2023, DISA executed a fraud controls assessment on its environment. The review incorporated
components of GAO Fraud Risk Management Framework 11 leading practices to detect gaps that require
designing new or additional controls. These practices were employed in review of ICOR-O, ICOR-FR,
and ICOR-FS for high-risk focus areas.
Data Act Data Quality Testing:
The OMB published memorandum 18-16, Appendix A to OMB Circular A-123, Management of
Reporting and Data Integrity Risk, dated June 6, 2018, that outlines guidance for agencies to develop a
Data Quality Plan (DQP) to achieve the objectives of the Data Accountability and Transparency Act
(DATA) Act. DISA has established a DQP that provides an emphasis on a structure for data quality on
financial data elements, procurement data reporting, data standardization, and data reporting. In FY 2023,
in compliance with mandatory reviews, the internal control program has executed data quality testing to
review data integrity. Testing results have documented that there are no major issues with the established
attributes in both FYs 2022 and 2023.
Records Management:
While records management was not an OUSD focal area, the DISA Records Management team and the
Internal Control team coordinated to incorporate a records management checklist into their
processes. The results supported that DISA has established 100 percent coverage and accountability
throughout the organization with appointments of Records Liaisons (RLs). As an agency, the Records
Management Self-Assessment (RMSA) for the National Archives and Records Administration (NARA)
and the Federal Electronic Records and Email Management Maturity Model Report (FEREM) for NARA
are conducted.
Internal Control Structure
Using the following process, DISA evaluated its system of internal control and maintains a sufficient
documentation/audit trail to support its evaluation and level of assurance. DISA manages the RMIC
Program through a three-tiered approach. The first tier is supported by DISA SAT, which provides
guidance and oversight to the RMIC Program. In FY 2023, the DISA director signed a “tone-at-the-top”
memo that defines management’s leadership and commitment towards an effective RMIC: openness,
honesty, integrity, and ethical behavior. The memo directed the agency to follow a risk-based and
results-oriented program in alignment with the GAO Green Book and OMB A-123. The tone-at-the-top is
set throughout DISA by all levels of management and has a trickle-down effect on all employees.
The second tier is supported by a subject matter expert (SME) team. The team coordinates requirements
with the OUSD comptroller regarding the RMIC Program, in addition to providing training, guidance,
oversight, and review in accordance with directives to the AUMs. DISA provided internal control kick-
off training for the AUMs in November 2022 and conducted three additional workshops in the FY 2023
reporting cycle to address risk assessments, testing grids, and letters of assurance. The RMIC team
compiles assessable unit (AU) submissions for the agency’s Statement of Assurance, facilitates
information sharing between AUMs, consolidates results, and communicates outcomes to OUSD and
agency leadership.
Identification of Material Assessable Units
The third tier is supported by the AUMs, who manage at the program/directorate level within the
organization. For this reporting cycle, DISA identified 14 AUs:
Chief Financial Officer/Comptroller (OCFO)
Component and Acquisition Executive (CAE)
Digital Capabilities and Security Center (DCSC)
Chief of Staff (DDC)
Inspector General (IG)
Joint Force Headquarters DODIN (JFHQ-DODIN)
Joint Service Provider (JSP)
Hosting and Compute Center (HACC)
White House Situation Room (WHSR)
Procurement Services Directorate (PSD)
Enterprise Integration and Innovation Center (EIIC)
Operations & Infrastructure Center (OPIC)
White House Communications Agency (WHCA)
Workforce Services and Development Directorate (WSD)
Each AU is led by at least one member of the Senior Executive Service (SES) or military flag officer and
carries a distinct mission within DISA, which in turn causes the AU to have unique operational risks that
require evaluation.
Identifying Key Controls
Mandatory testing for all organizations is required to identify the functions performed within their area, in
addition to the required testing areas of the Defense Travel System (DTS); Time and Attendance; and
property, plant, and equipment (PP&E) to identify the level of process documentation available and
determine the associated risk of those functions. Additionally, AUMs are responsible for identifying and
documenting the key controls within their AUs in accordance with DOD Instruction 5010.40. The internal
control team documents processes and key controls for all ICOR-FR functions through detailed cycle
memoranda and narratives. Each AU documents its key processes and risks on the Risk Assessment
Template. The OCFO RMIC team advises the AUMs to test, at a minimum, those key processes that were
self-identified as high risk, as well as safety, security (if applicable), and the required testing areas. In
addition, a checklist for records management was prepared by each AUM.
Each AU performs a risk assessment considering what is important to each area, such as those processes
that may be high or medium risk and associated processes that are central to an area. It involves
identifying the risk category (e.g., financial, compliance, operational, etc.); risk description (e.g., if policy
is not implemented); overall impact, likelihood, risk rating, and control activities (such as review and
documented policy); whether risks are mitigated or residual; overall likeliness; and residual risk rating,
process documentation, and financial statement impact. At the AU level and across the agency, this
process develops an overarching risk assessment, approved by senior leadership. From this process, tests
are developed for those areas that are high risk or into which management should look further.
Developing the Test Plan/Executing the Test
Each AU completed a plan to test the controls in place for each process identified to be tested. The
development of the plan includes consideration of the nature, extent (including sampling technique), and
timing of the execution of the controls tested. Additionally, the risk magnitude (high, medium, or low),
objective type, risk type, risk response, and tolerance rate are also identified. The test method (or type) is
identified within the plan.
Test Results
After the tests are conducted and results are revealed, the test grid forms the basis to report the results in
the letter of assurance (LoA). The LoA will reflect the data reported on the test grid.
Snapshot in Review
Internal Controls Over Reporting - Operations
Mandatory testing is required for all organizations. In coordination with senior management, AUMs
identify the functions performed within their area, in addition to the required testing areas of DTS, time
and attendance, and PP&E, to identify the level of process documentation available and determine the
associated risk of those functions. Government Purchase Card and Records Management are tested by
process owners, and the results of these tests are reported in each respective area’s letters of assurance.
Internal Controls Over Reporting - Financial Systems
The implementation of Enterprise Resource Planning (ERP) approved systems as of FY 2019 resolved
compliance issues associated with the legacy systems. Some key indicators for underlying sound internal
controls include that DISA consistently provides timely and reliable financial statements to OMB within
21 calendar days at the end of the first through third quarters and unaudited financial statements to OMB,
GAO, and Congress by Nov. 15 each year. DISA has not reported anti-deficiency violations in more than
a decade, and it continues to demonstrate compliance with laws and regulations.
DISA’s core financial management systems routinely provide reliable and timely information for
managing day-to-day operations, as well as information used to prepare financial statements and maintain
effective internal controls. These factors are key indicators of FFMIA compliance.
Additionally, DISA provides application hosting services for the department’s service providers: the
Defense Finance and Accounting Service (DFAS), the Defense Logistics Agency (DLA), the Defense
Contract Management Agency (DCMA), the Defense Human Resource Activity (DHRA), military
services, and other defense organizations. As a result, DISA is responsible for most of the general IT
controls over the computing environment in which many financial, personnel, and logistics applications
reside. For service providers and components to rely on automated controls and documentation within
these applications, controls must be appropriately and effectively designed.
Internal Controls Over Reporting - Financial Reporting
The OCFO documented end-to-end business processes and identified key internal control activities
supporting key business processes for ICOR-FR. DISA conducted an internal risk assessment that
evaluated the results of prior year audits, internal analyses of the results of financial operations, and
known upcoming business events. An internal control assessment was conducted within DISA for key
mission-specific processes. The internal control team annually reviews and updates narratives and cycle
memos of key processes. The internal control team maintains a Control Evaluation Matrix, which
provides a detailed analysis, documents the Control Activities identified in the narratives, and includes
mapping to a Financial Improvement and Audit Readiness (FIAR) Financial Reporting Objective; FIAR
Risk of Material Misstatement, Test of Design and Implementation Effectiveness details; and test of
Operating Effectiveness details.
Based on the results of the internal risk analysis, internal testing was conducted to evaluate the
significance of potential deficiencies identified. Specific areas of testing included the following:
Figure 15-Areas of Testing
General Fund: Data Quality Plan; Dormant Reviews; Year End Obligations; Trial Balance Rollforward
Testing; GF Revenue; GF Expenditure; CARES Act Testing
Working Capital Fund: CS Trial Balance (Rollforward) Testing; TSEAS Trial Balance (Rollforward)
Testing; TSEAS Revenue; TSEAS Expenditure; CS Revenue; CS Expenditure
Other: Active Users; Departed Users; PP&E White House Communications Agency (WHCA) Existence and
Completeness Training; Continuity of Operations Plan (COOP) Testing; System Interface Agreement (SIA)
The OUSD FIAR Office led department-wide discussions regarding SSAE 18 reviews and the impact to
component financial statements. DISA identified more than 199 Complementary User Entity Controls
(CUECs) that impacted our financial statements. In addition to our continued participation in Service
Provider CUEC discussions, at the time of the Statement of Assurance assessment, DISA is completing
the process of reviewing more than 199 identified CUECs to determine our level of risk and identified
control descriptions and attributes for each. For those CUECs determined to be common across all the
identified systems, testing was conducted for areas of high risk. In addition, the internal control team has
developed active and departed user segregation of duties and periodic access system reviews to a more
granular level. Review of these areas further strengthens the internal control backbone for the agency.
The following tables provide a summary of DISA’s approach to the FY 2023 internal control evaluation.
Summary of Management’s Approach to Internal Control Evaluation
Reporting Entity/Component Name: Defense Information Systems Agency
Summary of Component Mission: To conduct Department of Defense Information Network (DODIN)
operations for the joint warfighter to enable lethality across all warfighting domains in defense of our
nation.
List of all Component Organizations:
Chief Financial Officer/Comptroller (OCFO)
Component and Acquisition Executive (CAE)
Operations & Infrastructure Center (OPIC)
Digital Capabilities and Security Center (DCSC)
Chief of Staff (DDC)
Inspector General (IG)
Joint Force Headquarters DODIN (JFHQ-DODIN)
Joint Service Provider (JSP)
Hosting and Compute Center (HACC)
White House Situation Room (WHSR)
Procurement Services Directorate (PSD)
Enterprise Integration and Innovation Center (EIIC)
Operations & Infrastructure Center (OPIC)
White House Communications Agency (WHCA)
Workforce Services and Development Directorate (WSD)
List of all Component material AUs related to ICOR
Chief Financial Officer/Comptroller (OCFO)
Hosting and Compute Center (HACC)
Procurement Services Directorate (PSD)
Summary of Internal Control Evaluation Approach: DISA’s approach to internal controls extends to
all responsibilities and activities undertaken within DISA. Adherence to RMIC Program internal controls
is the responsibility not only of management but of every DISA employee. In addition to compliance with
applicable laws and regulations, internal controls are embedded in DISA’s day-to-day processes. Internal
controls have been evaluated in a top-down and bottom-up approach, resulting in reasonable assurance that
financial reporting, operations, and systems are operating effectively.
Figure 16-Overall Assessment of a System of Internal Control
| Internal Control Evaluation | Designed & Implemented (Yes/No) | Operating Effectively (Yes/No) |
| Control Environment | Yes | Yes |
| Risk Assessment | Yes | Yes |
| Control Activities | Yes | Yes |
| Information and Communication | Yes | Yes |
| Monitoring | Yes | Yes |
| Are all components above operating together in an integrated manner? | Yes | Yes |
Figure 17-Overall Evaluation of a System of Internal Control
| Overall Evaluation | Operating Effectively (Yes/No) |
| Is the overall system of internal control effective? | Yes |
Financial Management Systems Framework, Goals, and Strategies
DISA's financial system implementations have been planned and designed within the framework of the
Business Enterprise Architecture (BEA) established within DOD, which facilitates a more standardized
framework for systems in the department. Financial system-related initiatives target implementation of a
standardized financial information structure that will be compliant with FFMIA and BEA requirements
and provide DISA with cost accounting data and timely accounting information that enable enhanced
decision-making.
During FY 2023, DISA continued to operate, enhance, and sustain the Financial Accounting and
Management Information System (FAMIS), which supports the full breadth of DISA's WCF lines of
business. The FAMIS-WCF solution provided DISA with DOD Standard Line of Accounting and
USSGL compliance in support of a clean audit opinion for the WCF. Additionally, FY 2023
activities/goals include performing a technology refresh of the FAMIS software; implementing a
compliant G-invoicing solution; completing Phase II of Direct Treasury Disbursing; implementing
SOA/Web Services capabilities; and laying the groundwork to migrate FAMIS to a commercial cloud
environment. In addition to the accounting system, DISA's financial systems environment is
complemented by a select group of integrated financial tools and capabilities. These include:
The functionality to provide customer and internal users with the ability to view details behind
their telecommunication and contract IT invoices.
A WCF information/execution management tool that provides users with the ability to view
financial and non-financial (workload) data/consumption at a detailed level and a standardized
method for cost allocations, budget preparation, rate development, and execution tracking with
on-demand reports, ad-hoc queries, and table proof listings for analysis and decision-making.
A web-based WCF budgeting system and financial dashboard that allows program financial
managers to formulate budgets, project future estimates, prepare required budget exhibits, and
monitor budget execution.
A financial dashboard on a web-based business intelligence platform that enables users across the
enterprise to access financial information for DWCF funds through static reports, interactive data
cubes, and customizable dashboards.
These capabilities, combined with key interfaces to acquisition, contracting, and ordering systems,
underpin DISA’s automated framework of financial budgeting, execution, accounting, control, and
reporting. Moving forward, DISA continues solution improvements to its suite of financial tools by
leveraging new technologies, evaluating opportunities to eliminate functional duplication where it exists,
and reducing the footprint (and associated costs) of business systems.
In that regard, DISA is driving standardization of the customer order provisioning process to include a
single integrated order entry solution for all orders while validating the solutions that integrate with
DISA’s financial and contracting systems and tools. DISA’s financial systems strategy is purpose driven
to continually innovate and increase its use of technologies, such as robotic process automation and
artificial intelligence, to improve and automate financial and contractual transactions. As a result of
DISA’s experience using its newly modernized/compliant accounting systems for the previous three
years, its accounting operations have stabilized, and it is taking advantage of its capabilities to improve
accounting processes and audit readiness, and to set the course for further financial modernization efforts
across its business ecosystem. This includes identifying and assessing opportunities to sunset older legacy
supporting systems by consolidating and/or migrating functionality to more modern and flexible
technologies and architectures.
These advancements will result in increased automation, transparency, access, and control of financial
information to support financial managers, mission partners, and higher echelon leaders.
4. Forward-Looking Information
The DOD information environment is designed to optimize the use of the DOD IT assets, converging
communications, computing, and enterprise services into a single joint platform that can be leveraged for
all department missions. These efforts improve mission effectiveness, reduce total cost of ownership,
reduce the attack surface of our networks, and enable DISA’s mission partners to more efficiently access
the information resources of the enterprise to perform their missions from any authorized IT device
anywhere in the world. DISA continues its efforts towards realization of an integrated department-wide
implementation of the DOD information environment through the development, integration, and
synchronization of technical plans, programs, and capabilities.
DISA is uniquely positioned to provide the kind of streamlined, rationalized enterprise solutions the
department is looking for to effect IT transformation. DISA owns/operates enterprise and cloud-capable
DISA data centers, the worldwide Defense Information Systems Network (DISN), and the DITCO. DISA
data centers routinely see workload increases; this trend will increase as major new initiatives begin to
fully impact the department. As part of the department’s transition to the Joint Information Environment,
DISA data centers have been identified as continental United States Core Data Centers.
DISA also anticipates continuation of partnerships with other federal agencies. The DOD/Veterans
Affairs Integrated Electronic Health Record agreement to host all medical records in DISA data centers
and the requirement for DOD to provide Public Key Infrastructure services to other federal agencies on a
reimbursable basis are examples. We continue to move forward on several new initiatives, including:
The implementation of Defense Enterprise Office Solutions, which is a commercially provided,
cloud-based enterprise service for common communication, collaboration, and productivity
services. There has been significant progress towards decommissioning legacy email, video, and
audio-conferencing services.
The Fourth Estate Network Optimization reform initiative includes the convergence of the DoD
networks, service desks, and operations centers into a consolidated, secure, and effective
environment.
The delivery of an on-premises, cloud hosting capability and commercial cloud access
infrastructure to enable the department’s migration to cloud computing.
The enterprise-wide roll-out of a Cloud-Based Internet Isolation capability that isolates malicious
code and content from DOD networks.
DISA has implemented the Compute Operations (formerly Ecosystem) to support computing services for
mission partners worldwide. This model aligned like-functions across a single computing enterprise and
established a unified computing structure operating under a single command as one large virtual data
center. The Compute Operations prioritizes excellence in service delivery, process efficiency, and
standardization for tools and processes. Ultimately, the shift to the Compute Operations model is
fulfilling the goal of providing excellence in IT service delivery to our mission partners through the
provision of cutting-edge computing solutions and a flexible and adaptable infrastructure. These
optimization efforts are projected to yield a savings of $695 million over 10 years.
Defense Information Systems Agency
General Fund
Principal Statements
Fourth Quarter of Fiscal Year 2023, Ending Sept. 30, 2023
Department of Defense
Defense Information Systems Agency General Fund
BALANCE SHEET
As of Sept. 30, 2023 and 2022
($ in thousands)
Figure 18-Balance Sheet
| | Unaudited 2023 | Unaudited 2022 |
Intragovernmental assets:
| Fund Balance with Treasury (Note 2) | $ 2,668,626 | $ 2,658,098 |
| Accounts receivable, Net (Note 3) | 31,138 | 39,429 |
| Total Intragovernmental assets | 2,699,764 | 2,697,527 |
Other than intragovernmental assets:
| Accounts receivable, net (Note 3) | 1,444 | 747 |
| General property, plant and equipment, net (Note 4) | 325,145 | 326,365 |
| Advances and prepayments-Other Assets (Note 10) | 7 | 19 |
| Total other than intragovernmental assets | 326,596 | 327,131 |
| Total Assets | $ 3,026,360 | $ 3,024,658 |
Stewardship PP&E, (Note 9)
Liabilities (Note 7)
Intragovernmental liabilities:
| Accounts payable | $ 351,921 | $ 315,964 |
| Other Liabilities (Notes 7 and 9) | 2,646 | 2,655 |
| Total intragovernmental liabilities | 354,567 | 318,619 |
Other than intragovernmental liabilities:
| Accounts payable | 9,929 | 22,112 |
| Federal employee and veteran benefits payable (Note 6) | 49,281 | 48,453 |
| Advances from others and Deferred Revenue (Note 7) | 5,393 | 7,654 |
| Other Liabilities (Notes 7, 8 and 9) | 7,740 | 5,531 |
| Total other than intragovernmental liabilities | 72,343 | 83,750 |
| Total liabilities | 426,910 | 402,369 |
Commitments and contingencies (Note 9)
Net Position:
| Unexpended Appropriations - Funds from Other than Dedicated Collections | 2,333,094 | 2,345,346 |
| Total Unexpended Appropriations (consolidated) | 2,333,094 | 2,345,346 |
| Cumulative Results from Operations - Funds from Other than Dedicated Collections | 266,356 | 276,943 |
| Total Cumulative Results of Operations (Consolidated) | 266,356 | 276,943 |
| Total net position | 2,599,450 | 2,622,289 |
| Total liabilities and net position | $ 3,026,360 | $ 3,024,658 |
*The accompanying notes are an integral part of these statements.
Department of Defense
Defense Information Systems Agency General Fund
STATEMENT OF NET COST
As of Sept. 30, 2023 and 2022
($ in thousands)
Figure 19- Statement of Net Cost
| Gross Program Costs | Unaudited 2023 | Unaudited 2022 |
| Gross Costs | $ 3,787,370 | $ 3,711,059 |
| Less: Earned Revenue | (202,819) | (212,027) |
| Net Cost of Operations | 3,584,551 | 3,499,032 |
| Operations & Maintenance | 3,017,915 | 2,827,862 |
| Procurement | 382,136 | 467,272 |
| Research, Development Test & Evaluation | 386,145 | 412,717 |
| Military Construction | 1,175 | 3,208 |
| Less: Earned Revenue | (202,819) | (212,027) |
| Net Appropriation Costs | $ 3,584,551 | $ 3,499,032 |
*The accompanying notes are an integral part of these statements.
Department of Defense
Defense Information Systems Agency General Fund
As of Sept. 30, 2023 and 2022
($ in thousands)
Figure 20- Consolidated Statement of Changes in Net Position
| | Unaudited 2023 | Unaudited 2022 |
Unexpended Appropriations:
| Beginning Balance | $ 2,345,346 | $ 2,323,840 |
| Appropriations received | 3,693,211 | 3,418,243 |
| Appropriations transferred-in/out | 51,437 | 133,936 |
| Other Adjustments (+/-) | (93,190) | (28,553) |
| Appropriations used | (3,663,710) | (3,502,120) |
| Net Change in Unexpended Appropriations | (12,252) | 21,506 |
| Total Unexpended Appropriations | 2,333,094 | 2,345,346 |
CUMULATIVE RESULTS OF OPERATIONS
| Beginning balances, as adjusted | 276,943 | 444,891 |
| Other adjustments (+/-) | 0 | (34,230) |
| Appropriations used | 3,663,710 | 3,502,120 |
| Transfers in/out without reimbursement | (161,804) | (202,883) |
| Imputed financing | 81,529 | 71,946 |
| Other | (9,471) | (5,869) |
| Net Cost of Operations | 3,584,551 | 3,499,032 |
| Net Change in Cumulative Results of Operations | (10,587) | (167,948) |
| Total Cumulative Results of Operations | 266,356 | 276,943 |
| Net Position | $ 2,599,450 | $ 2,622,289 |
*The accompanying notes are an integral part of these statements.
Department of Defense
Defense Information Systems Agency GF
As of Sept. 30, 2023 and 2022
($ in thousands)
Figure 21- Statement of Budgetary Resources
| | Unaudited 2023 | Unaudited 2022 |
Budgetary Resources
| Unobligated balance from prior year budget authority, net | $ 978,149 | $ 998,751 |
| Appropriations (discretionary and mandatory) | 3,754,339 | 3,487,453 |
| Spending Authority from offsetting collections (discretionary and mandatory) | 214,053 | 232,499 |
| Total Budgetary Resources | 4,946,541 | 4,718,703 |
Status of Budgetary Resources
| New obligations and upward adjustments (total) (Note 11) | 4,292,962 | 4,036,714 |
| Apportioned, unexpired accounts | 311,778 | 302,700 |
| Unapportioned, unexpired accounts | 0 | 0 |
| Unexpired unobligated balance, end of year | 311,778 | 302,700 |
| Expired unobligated balance, end of year | 341,801 | 379,289 |
| Unobligated balance, end of year (total) | 653,579 | 681,989 |
| Total Budgetary Resources | 4,946,541 | 4,718,703 |
Outlays, Net (Note 38)
| Outlays, net (total) (discretionary and mandatory) | 3,638,463 | 3,530,932 |
| Agency outlays, net (discretionary and mandatory) | $ 3,638,463 | $ 3,530,932 |
*The accompanying notes are an integral part of these statements.
Defense Information Systems Agency
General Fund
Notes to the Principal Statements
Fourth Quarter of Fiscal Year 2023, Ending Sept. 30, 2023
Note 1. Summary of Significant Accounting Policies
1A. Reporting Entity
The Defense Information Systems Agency (DISA), a combat support agency within the DOD, is a
“Component Reporting Entity,” as defined by Statement of Federal Financial Accounting Standards
(SFFAS) 47 of and consolidated into the financial statements of the Department of Defense (DOD).
The DOD includes the Office of the Secretary of Defense (OSD), Joint Chiefs of Staff, DOD Office of the
Inspector General (OIG), military departments, defense agencies, DOD field activities, and combatant
commands, which are considered, and may be referred to, as DOD components. The military departments
consist of the Departments of the Army, the Navy (of which the Marine Corps is a component), and the
Air Force (of which the Space Force is a component).
DISA provides, operates, and assures command and control, information-sharing capabilities, and a
globally accessible enterprise information infrastructure in direct support to joint warfighters, national
level leaders, and other mission and coalition partners across the full spectrum of operations. DISA
implements the secretary of defense’s defense strategic guidance and reflects the DOD Chief Information
Officer (CIO) capability planning guidance.
In accordance with SFFAS 47, DISA General Fund (GF) does not have any consolidation or disclosure
entities that are required to be disclosed within these notes. Although component reporting entities of the
federal government may significantly influence each other, component reporting entities are subject to the
overall control of the federal government and operate together to achieve the policies of the federal
government and are not considered related parties. Therefore, component reporting entities need not be
disclosed as related parties by other component reporting entities. Disclosure entities are not consolidation
entities. Disclosure entities may provide the same or similar goods and services that consolidation
entities do but are more likely to provide them on a market basis.
1B. Accounting Policies
DISA General Fund (GF) financial statements and supporting trial balances are compiled from the
underlying financial data and trial balances of DISA GF organizational elements. The underlying data is
largely derived from budgetary transactions (obligations, disbursements, and collections), nonfinancial
feeder systems, and accruals made for major items such as payroll expenses and accounts payable.
DISA GF presents the Balance Sheet, Statement of Net Cost, and Statement of Changes in Net Position
on a consolidated basis, which are the summation of the DOD components less the eliminations of
intradepartmental activity. The Statement of Budgetary Resources (SBR) is presented on a combined
basis, which is the summation of the DOD components; therefore, DOD intradepartmental activity has not
been eliminated. The financial transactions are recorded on both a proprietary accrual basis and a
budgetary basis of accounting. Under the proprietary accrual basis, revenues are recognized when earned,
and expenses are recognized when incurred, without regard to the timing of receipt or payment of cash.
Under the budgetary basis, the legal commitment or obligation of funds is recognized in advance of the
proprietary accruals and in compliance with legal requirements and controls over the use of federal funds.
DISA GF adopted updated accounting standards and other authoritative guidance issued by the Federal
Accounting Standards Advisory Board (FASAB) as listed below:
SFFAS 50: Establishing Opening Balances for General Property, Plant, and Equipment: Amending
SFFAS 6, 10, and 23, and Rescinding SFFAS 35: Issued Aug. 4, 2016. Effective for periods
beginning after Sept. 30, 2016.
SFFAS 53: Budget and Accrual Reconciliation: Amending SFFAS 7 and 24, and Rescinding SFFAS
22: Issued Oct. 27, 2017: Effective for reporting periods beginning after Sept. 30, 2018.
Technical Bulletin 2020-1, Loss Allowance for Intragovernmental Receivables: Issued Feb. 20,
2020; Effective upon issuance.
DISA GF has implemented Standard Financial Information Structure compliant accounting systems and
improved processes based on independent reviews and compliance with Office of Management and
Budget (OMB) Circular No. A-136 and U.S. Generally Accepted Accounting Principles (GAAP).
The financial statements should be read with the realization that they are for a component of the U.S.
government. Additionally, some of the assets and liabilities reported by the entity may be eliminated for
government-wide reporting because they are offset by assets and liabilities of another U.S. government
entity.
1C. Fund Balance with Treasury
The Fund Balance with Treasury (FBWT) represents the aggregate amount of DISA GF available budget
spending authority available to pay current liabilities and finance future authorized purchases. DISA GF
monetary resources of collections and disbursements are maintained in Department of the Treasury
(Treasury) accounts. The disbursing offices of the Defense Finance and Accounting Service (DFAS), the
military departments, the U.S. Army Corps of Engineers, and the Department of State’s financial service
centers process the majority of the Department of Defense’s cash collections, disbursements, and
adjustments worldwide. Each disbursing station reports to Treasury on checks issued, electronic fund
transfers, interagency transfers, and deposits.
FBWT is an asset of a component entity and a liability of the Treasury General Fund. The amounts
represent commitments by the government to provide resources for programs, but they do not represent
net assets to the government as a whole.
In addition, DFAS reports to Treasury by appropriation on interagency transfers, collections received, and
disbursements issued. Treasury records these transactions to its applicable Fund Balance.
DISA GF does not report deposit fund balances on its financial statements.
For additional information, see the Fund Balance with Treasury, Note 2.
1D. Revenue and Other Financing Sources
As a component of the government-wide reporting entity, DISA GF is subject to the federal budget
process, which involves appropriations that are provided annually and appropriations that are provided on
a permanent basis. The financial transactions resulting from the budget process are generally the same
transactions reflected in the agency and the government-wide financial reports.
DISA GF budgetary resources reflect past congressional action and enable the entity to incur budgetary
obligations, but do not reflect assets to the government. Budgetary obligations are legal obligations for
goods, services, or amounts to be paid based on statutory provisions (e.g., Social Security benefits). After
budgetary obligations are incurred, Treasury will make disbursements to liquidate the budgetary
obligations and finance those disbursements in the same way it finances all disbursements, which, as
noted above, is to borrow from the public if there is a budget deficit.
DISA receives congressional appropriations and funding as general and working capital (revolving) and
uses these appropriations and funds to execute its missions and subsequently report on resource usage.
General funds are used for collections not earmarked by law for specific purposes, the proceeds of general
borrowing, and the expenditure of these moneys. DOD appropriations funding covers costs including
personnel, operations and maintenance, research and development, procurement, and military
construction.
DISA GF receives congressional appropriations as financing sources for general funds, and on occasion,
will also receive congressional appropriations for the WCFs. These funds expire annually, expire on
a multi-year basis, or do not expire. When authorized by legislation, these appropriations are
supplemented by revenues generated by sales of goods or services. DISA GF recognizes revenue resulting
from costs incurred for goods and services provided to other federal agencies and the public. Full-cost
pricing is DISA GF standard policy for services provided as required by OMB Circular A-25, “User
Charges.” In some instances, revenue is recognized when bills are issued.
DISA GF net position consists of unexpended appropriations and cumulative results of operations.
Unexpended appropriations represent the amounts of budget authority that are unobligated and have not
been rescinded or withdrawn. Unexpended appropriations also represent amounts obligated for which
legal liabilities for payments have not been incurred.
Cumulative results of operations represent the net difference between expenses and losses and financing
sources (including appropriations, revenue, and gains) since inception. The cumulative results of
operations also include donations and transfers in and out of assets that were not reimbursed.
In accordance with SFFAS 7 “Accounting for Revenue and Other Financing Sources and Concepts for
Reconciling Budgetary and Financial Accounting,” DISA recognizes nonexchange revenue when there is
a specifically identifiable, legally enforceable claim to the cash or other assets of another party that will
not directly receive value in return. Typically, DISA nonexchange revenue is composed of immaterial
amounts of public interest receivable and accumulated penalties and administrative fees as reported in the
Monthly Debt Management Report Contract Debt System.
Deferred revenue is recorded when the DOD receives payment for goods or services that have not been
fully rendered. Deferred revenue is reported as a liability on the balance sheet until earned.
The DOD does not include non-monetary support provided by U.S. allies for common defense and mutual
security in amounts reported in the Statement of Net Cost. The U.S. has cost sharing agreements with
countries, through mutual or reciprocal defense agreements, where U.S. troops are stationed or where the
U.S. fleet is in a port.
1E. Budgetary Terms
The purpose of federal budgetary accounting is to control, monitor, and report on funds made available to
federal agencies by law and help ensure compliance with the law.
The department’s budgetary resources reflect past congressional action and enable the entity to incur
budgetary obligations, but do not reflect assets to the government. Budgetary obligations are legal
obligations for goods, services, or amounts to be paid based on statutory provisions (e.g., Social Security
benefits). After budgetary obligations are incurred, Treasury will make disbursements to liquidate the
budgetary obligations and finance those disbursements.
The following budgetary terms are commonly used:
Appropriation is a provision of law (not necessarily in an appropriations act) authorizing the
expenditure of funds for a given purpose. Usually, but not always, an appropriation provides
budget authority.
Budgetary resources are amounts available to incur obligations in a given year. Budgetary
resources consist of new budget authority and unobligated balances of budget authority provided
in previous years.
Obligation is a binding agreement that will result in outlays, immediately or in the future.
Budgetary resources must be available before obligations can be incurred legally.
Offsetting collections are payments to the government that, by law, are credited directly to
expenditure accounts and deducted from gross budget authority and outlays of the expenditure
account, rather than added to receipts. Usually, offsetting collections are authorized to be spent
for the purposes of the account without further action by Congress. They usually result from
business-like transactions with the public, including payments from the public in exchange for
goods and services, reimbursements for damages, and gifts or donations of money to the
government and from intragovernmental transactions with other government accounts. The
authority to spend collections is a form of budget authority.
Offsetting receipts are payments to the government that are credited to offsetting receipt accounts
and deducted from gross budget authority and outlays, rather than added to receipts. Usually, they
are deducted at the level of the agency and subfunction, but in some cases they are deducted at
the level of the government as a whole. They are not authorized to be credited to expenditure
accounts. The legislation that authorizes the offsetting receipts may earmark them for a specific
purpose and either appropriate them for expenditures for that purpose or require them to be
appropriated in annual appropriations acts before they can be spent. Like offsetting collections,
they usually result from business-like transactions with the public, including payments from the
public in exchange for goods and services, reimbursements for damages, gifts or donations of
money to the government, and from intragovernmental transactions with other government
accounts.
Outlays are the liquidation of an obligation that generally takes the form of an electronic funds
transfer. Outlays are reported both gross and net of offsetting collections and they are the measure
of government spending.
For further information about budget terms and concepts, see the “Budget Concepts” chapter of the
Analytical Perspectives volume of the President’s Budget: Analytical Perspectives - The White House.
1F. Changes in Entity or Financial Reporting
Section 406 - Intra-Governmental Capitalized Assets Procedures, of the quarterly reporting guidance was
updated for fourth quarter of Fiscal Year (FY) 2023 to require agencies to record all direct costs to an
expense series account and then offset those amounts using U.S. Standard General Ledger (USSGL) 6610
when the costs are capitalized to the appropriate asset account. Per this updated guidance, the DISA GF
will no longer record federal USSGL 8802. This update was designed to avoid a systemic cost of goods
sold (USSGL 6500) entry for the selling agency, which does not typically recognize inventory. This
process change does not affect prior financial statements, only reconciles interagency expenses and
revenues for fourth quarter of FY 2023 and forward.
1G. Classified Activities
Accounting standards allow certain presentations and disclosures to be modified, if needed, to prevent the
disclosure of classified information.
1H. Parent-Child Reporting
DISA GF is a party to allocation transfers with other federal agencies as a receiving (child) entity. An
allocation transfer is an entity’s legal delegation of authority to obligate budget authority and outlay funds
on its behalf. Generally, all financial activity related to allocation transfers (e.g., budget authority,
obligations, outlays) is reported in the financial statements of the parent entity. Exceptions to this general
rule apply to specific funds for which OMB has directed that all activity be reported in the financial
statements of the child entity.
DISA receives allocation transfers from the Defense Acquisition University.
Note 2. Fund Balance with Treasury
The Treasury records cash receipts and disbursements on DISA GF’s behalf; funds are available only
for the purposes for which they were appropriated. The DISA GF balances with Treasury
consist of appropriation accounts.
The status of FBWT, as presented below, reflects the reconciliation between the budgetary resources
supporting FBWT (largely consisting of unobligated balance and obligated balance not yet
disbursed) and those resources provided by other means. The total FBWT reported on the balance
sheet reflects the budgetary authority remaining for disbursements against current or future
obligations.
Unobligated balance is classified as available or unavailable and represents the cumulative amount
of budgetary authority set aside to cover future obligations. The available balance consists primarily
of the unexpired, unobligated balance that has been apportioned and available for new obligations.
The unavailable balance consists primarily of funds invested in Treasury securities and are
temporarily precluded from obligation by law. Certain unobligated balances are restricted for future
use and are not apportioned for current use. Unobligated balances for trust fund accounts are
restricted for use by public laws establishing the funds.
Obligated balance not yet disbursed represents funds obligated for goods and services but not paid.
Non-budgetary FBWT includes accounts without budgetary authority, such as deposit funds,
unavailable receipt accounts, clearing accounts and nonentity FBWT accounts.
Non-FBWT budgetary accounts create budget authority and unobligated balances, but do not record
to FBWT as there has been no receipt of cash or direct budget authority, such as appropriations. The
DISA GF non-FBWT budgetary accounts are primarily composed of unfilled orders without
advance from customers and receivables.
Treasury securities provide DISA GF with budgetary authority and enable DISA GF to access funds
to make future benefit payments or other expenditures. DISA GF must redeem these securities
before they become part of the FBWT.
Unfilled customer orders without advance and receivables provide budgetary resources when
recorded. The FBWT is only increased when reimbursements are collected, not when orders are
accepted or have been earned.
The FBWT reported in the financial statements has been adjusted to reflect the DISA GF balance as
reported in the Cash Management Report (CMR). The difference between FBWT in the DISA GF
general ledgers and FBWT reflected in the CMR is attributable to transactions that have not been
posted to the individual detailed accounts in the DISA GF general ledger as a result of timing
differences or the inability to obtain valid accounting information prior to the issuance of the
financial statements. When research is completed, these transactions will be recorded in the
appropriate individual detailed accounts in the DISA GF general ledger accounts.
Figure 22-Fund Balance with Treasury
(thousands)
DISA GF | 2023 | 2022
Unobligated Balance: | |
Available | $ 311,777 | $ 302,699
Unavailable | 341,802 | 379,288
Total Unobligated Balance | 653,579 | 681,987
Obligated Balance not yet Disbursed | 2,152,305 | 2,125,124
Non-FBWT Budgetary Accounts: | |
Unfilled Customer Orders without Advance | (104,628) | (108,036)
Receivables and Other | (32,630) | (40,977)
Total Non-FBWT Budgetary Accounts | (137,258) | (149,013)
Total FBWT | $ 2,668,626 | $ 2,658,098
Note 3. Accounts Receivable, Net
Accounts receivable represent DISA GF’s claim for payment from other entities. Claims with other
federal agencies are resolved in accordance with the business rules published in Appendix 5 of Treasury
Financial Manual, Volume I, Part 2, Chapter 4700. Allowances for uncollectible accounts due from the
public are based on an estimation methodology using three years of historical collection data and are
calculated on consolidated receivable balances.
The FASAB issued Technical Bulletin 2020-1, Loss Allowance for Intragovernmental Receivables, which
clarified previously issued guidance. An allowance recorded to recognize an intragovernmental receivable
at net realizable value on the financial statements does not alter the underlying statutory authority to
collect the receivable or the legal obligation of the other intragovernmental entity to pay. For FY 2023,
the intragovernmental allowance was calculated using the same methodology as for public receivables.
DISA GF developed its policy related to the allowance for uncollectible accounts for intragovernmental
receivables.
For FY 2023, DFAS changed the methodology for calculating the Allowance for Doubtful Accounts and
has determined that the intragovernmental amount is $0 and the non-federal amount for DISA GF is $17.67. The
amount displayed below from DDRS-AFS for an allowance stems from transactions processed in
Defense Agencies Initiative (DAI) as well as an adjustment processed in fourth quarter. In any case, the
amount is not material to the financial statements for DISA GF.
Figure 23-Accounts Receivable, Net
(thousands)
DISA GF 2023 | Gross Amount Due | Allowance for Estimated Uncollectibles | Accounts Receivable, Net
Intragovernmental Receivables | $ 31,138 | $ - | $ 31,138
Non-Federal Receivables (From the Public) | 1,443 | 1 | 1,444
Total Accounts Receivable | $ 32,581 | $ 1 | $ 32,582

DISA GF 2022 | Gross Amount Due | Allowance for Estimated Uncollectibles | Accounts Receivable, Net
Intragovernmental Receivables | $ 39,429 | $ - | $ 39,429
Non-Federal Receivables (From the Public) | 746 | 1 | 747
Total Accounts Receivable | $ 40,175 | $ 1 | $ 40,176
Note 4. General Property, Plant and Equipment, Net
The DISA GF general Property, Plant and Equipment (PP&E) is composed of leasehold improvements,
equipment, and software with a net book value of $325.1 million.
The DISA GF PP&E consists of telecommunications equipment, computer equipment, computer
software, assets under capital lease, and construction in progress. The DISA GF PP&E capitalization
threshold is $250 thousand for asset acquisitions and modifications/improvements placed into service
after Sept. 30, 2013. PP&E assets acquired prior to October 1, 2013, were capitalized at prior threshold
levels ($100 thousand for equipment and $250 thousand for real property). PP&E with an acquisition cost
of less than the capitalization threshold is expensed when purchased. Property and equipment meeting the
capitalization threshold are depreciated using the straight-line method over the initial or remaining useful
life as appropriate, which can range from two to 45 years.
The DISA GF capitalizes improvements to existing General PP&E assets when the improvements equal
or exceed the capitalization threshold and extend the useful life or increase the size, efficiency, or
capacity of the asset.
There are no restrictions on the use or convertibility of DISA GF’s property and equipment, and all values
are based on acquisition cost.
Information concerning deferred maintenance and repairs is discussed in unaudited required
supplementary information.
The following table provides a summary of the activity for the current fiscal year.
Figure 24-General Property, Plant, and Equipment, Net
(thousands)
DISA GF | CY | PY
General PP&E, Net beginning of year | $ 326,365 | $ 459,395
Capitalized Acquisitions | 256,291 | 162,351
Dispositions | (9,589) | (7,530)
Transfers in/(out) without reimbursement | (159,335) | (200,439)
Revaluations (+/-) | (5,615) | (2,855)
Depreciation Expense | (82,972) | (84,557)
Balance at end of year | $ 325,145 | $ 326,365
The charts below provide the depreciation method, service life, acquisition value, depreciation, and net
book value for the different categories in a comparative view.
Figure 25-Major General PP&E Asset Classes
(thousands)
DISA GF 2023
Major Asset Classes | Depreciation/Amortization Method | Service Life | Acquisition Value | (Accumulated Depreciation/Amortization) | Net Book Value
Buildings, Structures, and Facilities | S/L | 35, 40, or 45* | $ 0 | $ (0) | $ 0
Leasehold Improvements | S/L | Lease term | 0 | 0 | 0
Software | S/L | 2-5 or 10 | 42,711 | (28,852) | 13,859
General Equipment | S/L | Various** | 591,877 | (426,604) | 165,273
Construction-in-Progress | N/A | N/A | 146,013 | N/A | 146,013
Total General PP&E | | | $ 780,601 | $ (455,456) | $ 325,145

DISA GF 2022
Major Asset Classes | Depreciation/Amortization Method | Service Life | Acquisition Value | (Accumulated Depreciation/Amortization) | Net Book Value
Buildings, Structures, and Facilities | S/L | 35, 40, or 45* | $ 10,012 | $ (1,246) | $ 8,766
Leasehold Improvements | S/L | Lease term | 81,857 | (54,953) | 26,904
Software | S/L | 2-5 or 10 | 40,277 | (24,125) | 16,152
General Equipment | S/L | Various** | 542,572 | (387,549) | 155,023
Construction-in-Progress | N/A | N/A | 119,520 | N/A | 119,520
Total General PP&E | | | $ 794,238 | $ (467,873) | $ 326,365

S/L = Straight Line; N/A = Not Applicable
*Estimated useful service life is 35 years for structures, 40 years for linear structures, and 45 years for buildings.
**GF uses 5 years for depreciation, unless otherwise specified (10/20 years)
Note 5. Liabilities Not Covered by Budgetary Resources
Liabilities not covered by budgetary resources require future congressional action whereas liabilities
covered by budgetary resources reflect prior congressional action. Regardless of when the congressional
action occurs, when the liabilities are liquidated, Treasury will finance the liquidation in the same way
that it finances all other disbursements, using some combination of receipts, other inflows, and borrowing
from the public (if there is a budget deficit).
Intragovernmental liabilities “other” consists of $771 thousand of unfunded Federal Employees’
Compensation Act (FECA) liabilities related to bills from the Department of Labor (DOL) that are not
funded until the billings are received.
Other than intragovernmental liabilities consist of “federal employee and veteran benefits,” which include
$42 million in unfunded annual leave liability reflecting earned amounts of annual leave to be paid from
future appropriations, $4.5 million in various employee actuarial FECA liabilities not due and payable
during the current fiscal year, and $1.8 million for legal contingent liabilities. Refer to the Federal
Employee and Veteran Benefits Payable note, for additional details.
Figure 26-Liabilities Not Covered by Budgetary Resources
(thousands)
DISA GF | 2023 | 2022
Intragovernmental Liabilities | |
Other | $ 771 | $ 854
Total Intragovernmental Liabilities | 771 | 854
Other than Intragovernmental Liabilities | |
Accounts Payable | 69 | 60
Federal employee and veteran benefits payable | 46,465 | 45,869
Other Liabilities | 1,787 | 0
Total Other than Intragovernmental Liabilities | 48,321 | 45,929
Total Liabilities Not Covered by Budgetary Resources | 49,092 | 46,783
Total Liabilities Covered by Budgetary Resources | 377,818 | 355,586
Total Liabilities | $ 426,910 | $ 402,369
Note 6. Federal Employee and Veteran Benefits Payable
Actuarial cost method used and assumptions:
The DOL estimates actuarial liability only at the end of each fiscal year.
In FY 2022 and FY 2023, the methodology for billable projected liabilities included, among other things:
1. An algorithmic model that relies on individual case characteristics and benefit payments (the
FECA Case Reserve Model).
2. Incurred but not reported claims were estimated using the patterns of incurred benefit liabilities in
addition to those of payments.
The FY 2022 and FY 2023 methodologies omitted pandemic-related adjustments to normalize the levels
of payments. The FY 2023 methodology reduced the base factor for medical costs in the FECA Case
Reserve model.
The effects of inflation on the liability for future workers’ compensation benefits, wage inflation factors,
cost of living adjustments (COLAs), and medical inflation factors (consumer price index medical, CPI-M)
were also applied to the calculation of projected future benefits.
DOL selected the COLA factors, CPI-M factors, and discount rate by averaging the COLA rates, CPI-M
rates, and interest rates for the current and prior four years. Using averaging renders estimates that
reflect historical trends over five years instead of conditions that exist over one year.
The FY 2023 and FY 2022 methodologies for averaging the COLA rates used OMB-provided rates.
The FY 2023 and FY 2022 methodologies for averaging the CPI-M rates used OMB-provided rates and
information obtained from the Bureau of Labor Statistics public releases for CPI.
The actual rates for these factors for the charge back year (CBY) 2022 were also used to adjust the
methodology’s historical payments to current-year constant dollars. The compensation COLAs and
CPI-Ms used in the projections for various CBY were as follows:
Figure 27-Compensation COLAs and CPI-Ms
CBY | COLA | CPI-M
2023 | N/A | N/A
2024 | 4.04% | 3.25%
2025 | 4.29% | 3.21%
2026 | 4.38% | 3.51%
2027 | 4.13% | 3.87%
2028 and thereafter | 3.13% | 4.03%
DOL selected the interest rate assumptions whereby projected annual payments were discounted to
present value based on interest rate assumptions on the U.S. Department of the Treasury’s Yield Curve
for Treasury Nominal Coupon Issues (the TNC Yield Curve) to reflect the average duration of income
payments and medical payments. Discount rates were based on averaging the TNC Yield Curves for the
current and prior four years for FY 2023 and FY 2022, respectively. Interest rate assumptions utilized for
FY 2023 discounting were as follows:
Discount Rates
For wage benefits:
2.326 percent in year 1 and years thereafter;
For medical benefits:
2.112 percent in year 1 and years thereafter.
To test the reliability of the model, comparisons were made between projected payments in the last year
to actual amounts, by agency. Changes in the liability from last year’s analysis to this year’s analysis were
also examined by agency, with any significant differences by agency inspected in greater detail. The
model has been stable and has projected the actual payments by agency reasonably well.
The American Rescue Plan Act of 2021 (ARPA), P.L. 117-2, section 4016, “Eligibility for Workers’
Compensation benefits for Federal Employees Diagnosed with COVID-19,” mandated that the FECA
Special Benefits Fund assume an unreimbursed liability (i.e., a liability that is not chargeable to the
agencies) for approved claims of certain covered employees for injuries proximately caused by exposure
to the novel coronavirus that causes COVID-19 (or another coronavirus declared to be a pandemic by
public health authorities) while performing official duties during the covered exposure period. Pursuant
to the ARPA, COVID-19 claims filed or adjudicated under the ARPA standards after March 11, 2021 and
where COVID-19 is diagnosed on or before January 27, 2023 are included in the non-billable liabilities;
accordingly, the methodology properly omits these future benefits.
Expense Components
For FY 2023, the only expense component pertaining to other actuarial benefits for DISA GF is the
FECA expense. The DOL provides the expense data to DISA. The staffing ratio data from the DISA
Headquarters determines the allocation of the expense to DISA GF and DISA WCF.
The DOL provided an estimate for DISA’s future workers' compensation benefits of $9.4 million in total,
of which $4.5 million was distributed to DISA GF based upon staffing ratios. DISA made the distribution
using its normal methodology of apportioning FECA liability to GF and WCF based upon relative
staffing levels. DISA used the same apportionment methodology in prior years.
Changes in Actuarial Liability
Fluctuations in the total liability amount charged to DISA by DOL will cause changes in FECA liability.
The other actuarial benefits, FECA liability for DISA GF, decreased $811 thousand due to a decrease in
COLA and CPI-M inflation factors that in turn increased the actuarial liability estimate provided by DOL
(https://www.dol.gov/agencies/ocfo/publications).
Other Benefits
For the fourth quarter of FY 2023, DISA GF’s “other” benefits are composed of unfunded accrued annual
leave in the amount of $42 million.
Figure 28-Federal Employee and Veteran Benefits Payable
(thousands)
DISA GF 2023 | Liabilities | (Assets Available to Pay Benefits) | Unfunded Liabilities
Other Benefits | | |
FECA | $ 4,464 | $ (0) | $ 4,464
Other | 44,817 | (2,815) | 42,002
Total Other Benefits | 49,281 | (2,815) | 46,466
Federal Employee and Veteran Benefits Payable (presented separately on the Balance Sheet) | 49,281 | (2,815) | 46,466
Other benefit-related payables included in Intragovernmental Other Liabilities on the Balance Sheet | 2,646 | (1,875) | 771
Total Federal Employee and Veteran Benefits Payable | $ 51,927 | $ (4,690) | $ 47,237

DISA GF 2022 | Liabilities | (Assets Available to Pay Benefits) | Unfunded Liabilities
Other Benefits | | |
FECA | $ 3,652 | $ (0) | $ 3,652
Other | 44,801 | (2,584) | 42,217
Total Other Benefits | 48,453 | (2,584) | 45,869
Federal Employee and Veteran Benefits Payable (presented separately on the Balance Sheet) | 48,453 | (2,584) | 45,869
Other benefit-related payables included in Intragovernmental Other Liabilities on the Balance Sheet | 2,655 | (1,800) | 855
Total Federal Employee and Veteran Benefits Payable | $ 51,108 | $ (4,384) | $ 46,724
Note 7. Other Liabilities
DISA GF Intragovernmental Other Liabilities consist of:
Federal employee and veteran benefits of $2.2 million: This liability represents the employer
portion of payroll taxes and employer contributions for health benefits, life insurance, and
retirement, as well as unfunded FECA liability.
DISA GF Other Than Intragovernmental Other Liabilities consist of:
Accrued funded payroll and benefits of $6 million: DISA GF reports as other liabilities, the
unpaid portion of accrued funded civilian payroll and employee’s annual leave as it is earned, and
subsequently reduces the leave liability when it is used.
Legal contingent liabilities of $1.8 million: The contingent liability records the amount of liability
recognized as a result of past events or exchange transactions in which a future outflow or other
sacrifice of resources is both probable and measurable. A quarterly analysis is performed to
determine the pending/threatened litigation and unasserted claims, administrative or judicial
proceedings, lawsuits, and/or other legal actions filed against DISA that could ultimately result in
settlements.
Advances from others (presented separately on the Advances from Others and Deferred Revenue
line below) of $5.4 million: This liability represents liabilities for collections received to cover
future expenses or acquisition of assets DISA GF incurs or acquires on behalf of another
organization. Further, it represents the remaining amount of customer advance billings. These
customer advances will be liquidated in future periods as the result of filling customer
orders/earned revenue based on the completion of contract task orders and other direct costs being
applied to the specific customer advance accounts under major range and test facility base
guidelines, policies, and regulation.
DISA GF’s life and other insurance programs covering civilian employees are provided through the U.S.
Office of Personnel Management (OPM). DISA GF does not negotiate the insurance contracts and incurs
no liabilities directly to the insurance companies. Employee payroll withholdings related to the insurance
and employer matches are submitted to OPM.
Figure 29-Other Liabilities
(thousands)
DISA GF 2023 | Current Liability | Non-Current Liability | Total
Intragovernmental | | |
Other Liabilities reported on Federal Employee and Veterans Benefits Payable Note | $ 2,207 | $ 439 | $ 2,646
Total Intragovernmental | 2,207 | 439 | 2,646
Other than Intragovernmental | | |
Accrued Funded Payroll and Benefits | 5,953 | 0 | 5,953
Contingent Liabilities | 0 | 1,787 | 1,787
Total Other than Intragovernmental | 5,953 | 1,787 | 7,740
Total Other Liabilities | $ 8,160 | $ 2,226 | $ 10,386
DISA GF 2022 | Current Liability | Non-Current Liability | Total
Intragovernmental | | |
Other Liabilities reported on Federal Employee and Veterans Benefits Payable Note | $ 2,247 | $ 408 | $ 2,655
Total Intragovernmental | 2,247 | 408 | 2,655
Other than Intragovernmental | | |
Accrued Funded Payroll and Benefits | 5,531 | 0 | 5,531
Contingent Liabilities | 0 | 0 | 0
Total Other than Intragovernmental | 5,531 | 0 | 5,531
Total Other Liabilities | $ 7,778 | $ 408 | $ 8,186
Figure 30-Advances from others and Deferred Revenue
(thousands)
DISA GF | 2023 | 2022
Other than Intragovernmental Liabilities | $ 5,393 | $ 7,654
Total Intragovernmental Liabilities | $ 5,393 | $ 7,654
Note 8. Leases
Future Payments Due for Leases:
DISA GF has non-cancelable operating leases for office equipment, vehicles, land, buildings, and
commercial space. The agency does not receive copies of leases but obtains individual occupancy
agreements and is billed a cost based on the space DISA is occupying. The largest portion of these costs
are reimbursements to the Pentagon Reservation Maintenance Fund. Occupancy agreements are also held
with Washington Headquarters Service or the General Services Administration based upon the space
DISA GF is occupying. Prior year tables for future minimum lease payments are not presented. Future
lease payments due as of Sept. 30, 2023, were as follows:
Figure 31-Future Payments Due for Non-Cancelable Operating Leases
(thousands)
DISA GF 2023 | Land & Buildings | Equipment | Other | Total
Federal | | | |
Fiscal Year 2024 | $ 39,146 | $ 362 | $ 3,658 | $ 43,166
Fiscal Year 2025 | 40,320 | 362 | 3,098 | 43,780
Fiscal Year 2026 | 41,530 | 362 | 2,737 | 44,629
Fiscal Year 2027 | 42,776 | 362 | 2,726 | 45,834
Fiscal Year 2028 | 41,974 | 0 | 2,781 | 44,755
After 5 years | 3,303 | 0 | 13,950 | 17,253
Total Federal Future Lease Payments | 209,049 | 1,788 | 28,950 | 239,417
Non-Federal | | | |
Fiscal Year 2024 | 0 | 39 | 0 | 39
Total Non-Federal Future Lease Payments | 0 | 39 | 0 | 39
Total Future Lease Payments | $ 209,049 | $ 1,457 | $ 28,950 | $ 239,456
Note 9. Commitments and Contingencies
DISA GF is a party in various administrative proceedings, legal actions, and other claims awaiting
adjudication which may result in settlements or decisions adverse to the Federal government. These
matters arise in the normal course of operations; generally, relate to equal opportunity and contractual
matters; and their ultimate disposition is unknown. In the event of an unfavorable judgment against the
Government, some of the settlements are expected to be paid from the Treasury Judgment Fund. In most
cases, DISA GF does not have to reimburse the Judgment Fund; reimbursement is only required when the
case comes under either the Contracts Disputes Act or the No FEAR Act.
In accordance with SFFAS 5, Accounting for Liabilities of the Federal Government, as amended by
SFFAS 12, Recognition of Contingent Liabilities Arising from Litigation, an assessment is made as to
whether the likelihood of an unfavorable outcome is considered probable, reasonably possible, or remote.
DISA GF has accrued contingent liabilities for material contingencies where an unfavorable outcome is
considered probable, and the amount of potential loss is measurable. The estimated liability may be a
specific amount or a range of amounts. If some amount within the range is a better estimate than any other
amount within the range, that amount is recognized, and the range is disclosed. If no amount within the
range is a better estimate than any other amount, the minimum amount in the range is recognized and the
range and a description of the nature of the contingency should be disclosed. No amounts have been
accrued for contingencies where the likelihood of an unfavorable outcome is less than probable, where the
amount or range of potential loss cannot be estimated due to a lack of sufficient information, or for
immaterial contingencies. The presented amounts accrued for legal contingent liabilities are included
within the contingent liabilities amount reported in the Other Liabilities note.
For the fourth quarter of FY 2023, DISA GF recognizes $1.8 million of legal contingent liability as a
result of past events or exchange transactions in which a future outflow or other sacrifice of resources is
both probable and measurable. A quarterly analysis is performed to determine the pending/threatened
litigation and unasserted claims, administrative or judicial proceedings, lawsuits, and/or other legal
actions filed against DISA that could ultimately result in settlements.
Note 10. Suborganization Program Costs
The Statement of Net Cost (SNC) represents the net cost of programs and organizations of DISA GF
supported by appropriations or other means. The intent of the SNC is to provide gross and net cost
information related to the amount of output or outcome for a given program or organization administered
by a responsible reporting entity. The DOD’s current processes and systems capture costs based on
appropriations groups as presented in the schedule below. The DOD is in the process of reviewing
available data and developing a cost reporting methodology required by the SFFAS 4, “Managerial Cost
Accounting Concepts and Standards for the Federal Government,” as amended by SFFAS No. 55,
“Amending Inter-Entity Cost Provisions.”
The Defense Department implemented SFFAS 55 in FY 2018, which rescinded SFFAS 30, “Inter-Entity
Cost Implementation: Amending SFFAS 4, Managerial Cost Accounting Standards and Concepts and
Interpretation 6, Accounting for Imputed Intra-departmental Costs: An Interpretation of SFFAS 4.”
Intragovernmental costs and revenue are related to transactions between two reporting entities within the
federal government. Public costs and revenue are exchange transactions made between DISA GF and a
non-federal entity.
DISA GF reports exchange revenues for inflows of earned resources. They arise from exchange
transactions, which occur when each party to the transaction sacrifices value and receives value in return.
Exchange revenues arise when DISA GF provides something of value to the public or another
government entity at a price. Pricing policy for exchange revenues is derived by recovering costs.
DISA GF employs a trading partner reconciliation throughout the year to validate buyer-side and seller-
side balances and collaborates with its major DOD partners to identify and resolve material differences.
Generally, in accordance with DOD Financial Management Regulation (FMR) Volume 6B, Chapter 13,
paragraph 13201, the internal DOD buyer-side balances are adjusted to agree with internal seller-side
balances for revenue. For variances that remain unreconciled at the end of the period, the DISA GF
expenses are adjusted by reclassifying amounts between federal and non-federal expenses or by accruing
additional accounts payable and expenses.
Figure 32-Costs and Exchange Revenue by Major Program
(thousands)

| DISA GF | 2023 | 2022 |
|---|---|---|
| Operations, Readiness & Support | | |
| Gross Cost | $ 3,017,914 | $ 2,827,862 |
| Less: Earned Revenue | (165,328) | (171,031) |
| Net Program Costs | 2,852,586 | 2,656,831 |
| Procurement | | |
| Gross Cost | 382,136 | 467,272 |
| Less: Earned Revenue | (9,953) | (7,574) |
| Net Program Costs | 372,183 | 459,698 |
| Research, Development, Test & Evaluation | | |
| Gross Cost | 386,145 | 412,717 |
| Less: Earned Revenue | (27,538) | (33,422) |
| Net Program Costs | 358,607 | 379,295 |
| Family Housing & Military Construction | | |
| Gross Cost | 1,175 | 3,208 |
| Net Program Costs | 1,175 | 3,208 |
| Consolidated | | |
| Gross Cost | 3,787,370 | 3,711,059 |
| Less Earned Revenue | (202,819) | (212,027) |
| Total Net Cost | $ 3,584,551 | $ 3,499,032 |
Note 11. Statement of Budgetary Resources
DISA GF operates primarily with funding derived from direct appropriations that are subject to
cancellation by the time-period in which funds may be used. An additional funding source is the use of
reimbursable authority obtained from customer orders for services provided.
As of Sept. 30, 2023, DISA GF incurred $4.3 billion in obligations, of which $228 million are
reimbursable, $4.1 billion are direct and none of which are exempt from apportionment.
The total unobligated balance available as of Sept. 30, 2023, is $653.6 million and represents the
cumulative amount of budgetary authority that has been set aside to cover future obligations for the
current period.
The DISA GF SBR includes intra-entity transactions because the statements are presented as combined.
As of Sept. 30, 2023, DISA GF’s net amount of budgetary resources obligated for undelivered orders is
$1.8 billion.
DISA GF does not have any legal arrangements affecting the use of unobligated budget authority and has
not received permanent indefinite appropriations.
The amount of obligations incurred by DISA GF may not be directly compared to the amounts reported in
the Budget of the United States Government because DISA GF funding is received and reported as a
component of the “Other Defense Funds” program. The “Other Defense Funds” is combined with the
service components and other DOD elements and then compared to the Budget of the United States
government at the defense agency level.
Figure 33-Budgetary Resources Obligated for Undelivered Orders at the End of the Period
(thousands)

| DISA GF | 2023 | 2022 |
|---|---|---|
| Intragovernmental | | |
| Unpaid | $ 1,683,060 | $ 1,352,635 |
| Total Intragovernmental | 1,683,060 | 1,352,635 |
| Non-Federal | | |
| Unpaid | 95,329 | 423,007 |
| Prepaid/Advanced | 7 | 19 |
| Total Non-Federal | 95,336 | 423,026 |
| Total Budgetary Resources Obligated for Undelivered Orders at the End of the Period | $ 1,778,396 | $ 1,775,661 |
Note 12. Reconciliation of Net Cost to Net Outlays
The reconciliation of net cost to net outlays demonstrates the relationship between DISA GF’s net cost of
operations, reported on an accrual basis on the SNC, and net outlays, reported on a budgetary basis on the
SBR. While budgetary and financial (proprietary) accounting are complementary, the reconciliation
explains the inherent differences in timing and in the types of information between the two during the
reporting period.
The accrual basis of financial accounting is intended to provide a picture of DISA GF’s operations and
financial position, including information about costs arising from the consumption of assets and the
incurrence of liabilities. Budgetary accounting reports on the management of resources and the use and
receipt of cash by DISA GF. Outlays are payments to liquidate an obligation, excluding the repayment to
the Treasury of debt principal.
Figure 34-Reconciliation of Net Cost of Operations to Net Outlays
(thousands)

| DISA GF | Intragov. | Public | Total |
|---|---|---|---|
| Net Cost of Operations (SNC) | $ 2,896,620 | $ 687,931 | $ 3,584,551 |
| Components of Net Cost That Are Not Part of Net Outlays: | | | |
| Change in Property, Plant, and Equipment, net | 0 | (1,220) | (1,220) |
| Increase/(Decrease) in Assets: | | | |
| Accounts receivable, net | (8,347) | 698 | (7,649) |
| Other Assets | 0 | (12) | (12) |
| Decrease/(Increase) in liabilities: | | | |
| Accounts Payable | (35,898) | 12,182 | (23,716) |
| Federal employee and veteran benefits payable | 0 | (829) | (829) |
| Other liabilities | 9 | 52 | 61 |
| Other Financing Sources: | | | |
| Imputed cost | (81,529) | 0 | (81,529) |
| Total Components of Net Cost Not Part of Net Outlays | $ (125,765) | $ 10,871 | $ (114,894) |
| Miscellaneous Reconciling Items | | | |
| Transfers (in)/out without reimbursements | 159,335 | 0 | 159,335 |
| Other | 0 | 9,589 | 9,589 |
| Total Other Reconciling Items | 159,335 | 9,589 | 168,924 |
| Total Net Outlays | 2,930,190 | 708,391 | 3,638,581 |
| Agency Outlays, Net, Statement of Budgetary Resources | | | $ 3,638,463 |
| Unreconciled difference | | | $ 118 |
The unreconciled difference of $118 thousand is related to Line R1C2, not including Standard General
Ledger (SGL) 711000.9000, which is included in the SNC net cost of operations, but not in the SBR net
outlays. The fluctuation is due to adjusting entries made for equipment sent to the Defense Logistics
Agency (DLA) that was no longer in use.
Note 13. Reclassification of Financial Statement Line Items for Financial Report Compilation
Process
The Statement of Changes in Net Position reports the change in net position for the period, which results
from changes to cumulative results of operations. During FY 2023, changes for DISA GF primarily
consist of budgetary financing sources for appropriations received, transferred-in/out, and used.
DISA GF does not have funds from dedicated collections. In accordance with OMB A-136 II.3.8, if DISA
GF received funds from dedicated collections, a crosswalk for line items used to prepare the government-
wide SNC would be disclosed in this note.
Required Supplemental Information
Deferred Maintenance and Repairs Disclosures
In accordance with FASAB SFFAS 42 and FMR 6B, Chapter 12, paragraph 120301, DISA is to report
material amounts of deferred maintenance and repairs (DM&R) as supplementary information on its
financial statements. In FY 2023, DISA GF has DM&R to report of $31.9 million.
Generally, due to the nature of DISA’s business providing IT, telecommunications and computing
services in support of combat missions, all required maintenance is funded within the period required to
meet performance requirements of DISA missions.
DM&R determination is based on development and annual review of an integrated project list of life-
cycle replacement items and identification of needed maintenance. Analysis determines and identifies any
replacement of life-cycle items in the year that the items are needed. A review is conducted annually to
rank and prioritize maintenance and repairs (M&R) activities, among other activities. The criteria for
prioritizing M&R activities are life, safety, health, mission, and general repairs. The integrated project
listing review and preventative maintenance (PM) contracts from the project manager on equipment are
considered in determining acceptable condition standards when deferred maintenance is not required. PM
is performed at least quarterly on systems based on operations and maintenance contracts.
As of the fourth quarter of FY 2023, DISA has transferred out all GF real property assets. The DISA GF
has DM&R related to capitalized general, non-capitalized or fully depreciated general PP&E. DISA does
not have stewardship PP&E or PP&E for which management does not measure and/or report DM&R. The
rationale for excluding any PP&E asset other than if not capitalized, or it is fully depreciated, is the item
does not meet the applicable capitalization criteria, is not on the integrated project list, or there are
preventative maintenance contracts in place to address maintenance needs in the current year.
There have been changes in identification of DM&R that have occurred since the last fiscal year. In FY
2023, DISA GF has further refined its identification of DM&R and reports deferred maintenance of
$31.9 million for general PP&E. DISA GF will continue to review its process and enhance its
identification of deferred maintenance reporting as needed.
Defense Information Systems Agency
General Fund
As of Sept. 30, 2023
(thousands)
Figure 35- Combining Statement of Budgetary Resources

| | O&M | PROC | RDT&E | MILCON | COMBINED |
|---|---|---|---|---|---|
| Budgetary Resources (discretionary and mandatory): | | | | | |
| Unobligated balance from prior year budget authority, net | $ 498,461 | $346,735 | $115,547 | $ 17,406 | $ 978,149 |
| Appropriations | 2,950,595 | 517,416 | 286,328 | 0 | 3,754,339 |
| Spending Authority from offsetting collections | 170,455 | 969 | 42,629 | 0 | 214,053 |
| Total Budgetary Resources | 3,619,511 | 865,120 | 444,504 | 17,406 | 4,946,541 |
| Status of Budgetary Resources: | | | | | |
| New obligations and upward adjustments | 3,354,090 | 650,399 | 287,006 | 1,467 | 4,292,962 |
| Unobligated balance, end of year: | | | | | |
| Apportioned, unexpired accounts | 31,513 | 157,185 | 115,732 | 7,348 | 311,778 |
| Unexpired unobligated balance, end of year | 31,513 | 157,185 | 115,732 | 7,348 | 311,778 |
| Expired unobligated balance, end of year | 233,908 | 57,536 | 41,765 | 8,592 | 341,801 |
| Unobligated balance, end of year (total) | 265,421 | 214,721 | 157,497 | 15,940 | 653,579 |
| Total Budgetary Resources | 3,619,511 | 865,120 | 444,503 | 17,407 | 4,946,541 |
| Outlays, net: | | | | | |
| Outlays, net (total) discretionary and mandatory | 2,777,303 | 475,085 | 371,971 | 14,104 | 3,638,463 |
| Agency Outlays, net (discretionary and mandatory) | $2,777,303 | $475,085 | $371,971 | $ 14,104 | $ 3,638,463 |
*The Total Budgetary Resources lines for RDT&E and MILCON are not in balance due to chart rounding.
Defense Information Systems Agency
General Fund
Other Information
Fourth Quarter of Fiscal Year 2023, Ending Sept. 30, 2023
Summary of Financial Statement Audit and Management Assurances
Audit Opinion: Disclaimer of Opinion
Restatement: No
Figure 36- Summary of Financial Statement Audit

| Material Weaknesses | Beginning Balance | New | Resolved | Consolidated | Ending Balance |
|---|---|---|---|---|---|
| Fund Balance with Treasury | 5 | 0 | 0 | 0 | 5 |
| Accounts Payable/Expense | 6 | 0 | 1 | 0 | 5 |
| Accounts Receivable/Revenue | 3 | 0 | 1 | 0 | 2 |
| Unmatched Transactions | 1 | 0 | 0 | 0 | 1 |
| Financial Reporting | 3 | 0 | 1 | 0 | 2 |
| Undelivered Orders | 1 | 1 | 0 | 0 | 2 |
| Unfilled Customer Orders | 1 | 0 | 0 | 0 | 1 |
| PPE | 1 | 0 | 1 | 0 | 0 |
| Total Material Weaknesses | 21 | 1 | 4 | 0 | 18 |
Figure 37- Effectiveness of Internal Control over Financial Reporting (FMFIA § 2)
Statement of Assurance: Disclaimer of Opinion

| Material Weakness | Beginning Balance | New | Resolved | Consolidated | Reassessed | Ending Balance |
|---|---|---|---|---|---|---|
| Fund Balance with Treasury | 5 | 0 | 0 | 0 | 0 | 5 |
| Accounts Payable/Expense | 6 | 0 | 1 | 0 | 0 | 5 |
| Accounts Receivable/Revenue | 3 | 0 | 1 | 0 | 0 | 2 |
| Internal Controls | 0 | 0 | 0 | 0 | 0 | 0 |
| Unmatched Transactions | 1 | 0 | 0 | 0 | 0 | 1 |
| Financial Reporting | 3 | 0 | 1 | 0 | 0 | 2 |
| Undelivered Orders | 1 | 1 | 0 | 0 | 0 | 2 |
| Unfilled Customer Orders | 1 | 0 | 0 | 0 | 0 | 1 |
| PPE | 1 | 0 | 1 | 0 | 0 | 0 |
| Total Material Weaknesses | 21 | 1 | 4 | 0 | 0 | 18 |
Figure 38-Effectiveness of Internal Control over Operations (FMFIA § 2)
Statement of Assurance: Disclaimer of Opinion

| Material Weakness | Beginning Balance | New | Resolved | Consolidated | Reassessed | Ending Balance |
|---|---|---|---|---|---|---|
| Total Material Weaknesses | 0 | 0 | 0 | 0 | 0 | 0 |
Figure 39-Conformance with Federal Financial Management System Requirements (FMFIA § 4)
Statement of Assurance: Disclaimer of Opinion

| Non-Conformances | Beginning Balance | New | Resolved | Consolidated | Reassessed | Ending Balance |
|---|---|---|---|---|---|---|
| IT-Related | 0 | 0 | 0 | 0 | 0 | 0 |
| Total non-conformance | 0 | 0 | 0 | 0 | 0 | 0 |
Figure 40-Compliance with Section 803(a) of the Federal Financial Management Improvement Act (FFMIA)

| | Agency | Auditor |
|---|---|---|
| Federal Financial Management System Requirements | No lack of compliance noted except as noted in IT related material weaknesses above | Lack of substantial compliance noted |
| Applicable Federal Accounting Standards | No lack of compliance noted except as noted in financial reporting related material weaknesses above | Auditor was unable to conclude |
| USSGL at Transaction Level | No lack of compliance noted | Auditor was unable to conclude |
Management Challenges
19-Oct-2023
DEFENSE INFORMATION SYSTEMS AGENCY
P. O. BOX 549
FORT MEADE, MARYLAND 20755-0549
MEMORANDUM FOR DIRECTOR (D)
SUBJECT: Top Management and Performance Challenges Facing the Defense Information
Systems Agency (DISA) in Fiscal Year 2024
The Reports Consolidation Act of 2000 requires the DISA Office of the Inspector
General (OIG) to issue a report summarizing what the OIG considers as serious management
and performance challenges facing DISA and assessing the Agency’s progress in addressing
those challenges. DISA is required to include this report in its agency financial report. This
report represents DISA OIG’s independent assessment of the top management challenges
facing DISA in fiscal year 2024.
In developing this report, the DISA OIG considered several criteria including items
such as the impact on safety and cyber security, documented vulnerabilities, large dollar
implications, high risk areas, and the ability of DISA to effect change. We reviewed recent
and prior internal audits, evaluations, and investigation reports; reports published by other
oversight bodies; and input received from DISA senior leadership. In addition, we recognize
that DISA faces the extraordinary task of meeting these challenges while working in a hybrid
work environment.
The DISA OIG identified seven challenges this year. The challenges are not listed in a
specific order and all are considered to be significant to DISA’s work. DISA’s Top Management
and Performance Challenges for Fiscal Year 2024 include:
Meeting Data Management Challenges
Managing Human Capital
Cyber Supply Chain
Current and Future Contracting Environment
Mission Partner Payments
Artificial Intelligence
Safeguarding and Handling Classified Information
Digitally signed by RYAN.STEPHEN.MICHAEL.1300
Date: 2023.10.19 12:18:09 -04'00'
Stephen M. Ryan
Inspector General
Challenge 1
Meeting Data Management Challenges
Data management is the practice of collecting, keeping, and using data securely. DISA
transports mission partner data internally and externally while maintaining various operating
systems that produce massive amounts of complex data.
The federal government, Department of Defense (DoD), and DISA are under constant data-
driven cyber-attacks. For example, the Federal Bureau of Investigation (FBI), National Security
Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) announced
that hostile state-sponsored hackers targeted and breached U.S. defense and industry critical
infrastructure.
To help address these challenges, DoD outlined data management goals in the 2020 DoD Data
Strategy. Per the Strategy, DoD aims to protect data and evolve data into actionable information
for decision makers. The DoD Data Strategy describes the DoD vision, guiding principles,
essential capabilities, and goals for data management throughout the DoD.
DISA has the responsibility to help DoD modernize the infrastructure and identify, protect,
detect, respond, and recover from data threats. The DISA Office of the Chief Data Officer
(OCDO) was formally established in the standing up of Enterprise Integration and Innovation
(EII) in September 2021. In 2022, the CDO published the DISA Data Strategy Implementation
Plan (IPlan) to describe a modern approach to information architecture and data management,
outline workstreams necessary to organize activities, define future activities, and identify next
steps for the DISA organization. The DISA IPlan aligns with the DoD Data Strategy, DISA
Strategy, and expands upon DISA’s efforts to meet DoD data management principles,
capabilities, and goals. DISA also created the DISA Data Analytics Center of Excellence to
bridge business policies, cyber, and information technology. In 2023, the DISA OIG is assessing
DISA’s data management maturity.
Challenge 2
Managing Human Capital
DISA workforce continues as a hybrid work environment with most employees having the
option to work from home more frequently. Moving forward in the hybrid work environment,
DISA leadership will continue to be presented with many challenges including maintaining
employee morale and productivity, acquiring the necessary and relevant technology and tools,
and recruiting and retaining talent.
Recruiting talent continues to be a challenge and recruiting individuals with the right talent in a
timely manner is critical. Whether individuals are recent college graduates, high-performing
industry professionals, or military veterans with years of experience in the field, DISA’s goal is
to make the Agency a place sought out by high-caliber talent and provide a place talented
individuals want to work. DISA competes for talent with the private sector, where additional
benefits and flexibilities can be used to recruit highly qualified workers. DISA’s telework and
remote work policies allow leadership to broaden the hiring pool of candidates in various
geographical regions to attract and retain high quality talent. However, leadership will have to
balance the use of telework and remote work to ensure mission requirements are met while
providing the flexibilities to recruit and retain a skilled cyber workforce.
As DISA continues to strengthen the work culture, the agency invests in key initiatives to attract
and retain a talent pool skilled in critical thinking and diverse in ideas, backgrounds, and
technical expertise. To achieve this, DISA is forecasting needed skills through succession
planning, improving how it markets career opportunities within the agency, and deepening
external partnerships with educational institutions and third-party personnel services.
Workforce 2025 is DISA’s recent initiative designed to address longstanding cyber workforce
challenges, including attracting, training, and promoting a workforce that is equipped with the
knowledge and decision-making abilities to “creatively solve national security challenges in a
complex global environment.” DISA released Workforce 2025 Implementation Plan in
September 2023, and the Plan is a living document that may change due to resources and/or
strategic and workforce priorities.
The Workforce 2025 strategy is designed to enhance the skills and talents of current employees
while ensuring DISA onboards new talent and invests in the professional development of both
throughout their careers. Workforce 2025 is the Agency’s plan to shape an empowered
workforce, inspire trust through high trust behaviors, develop leaders, encourage bold decision
making, enable collaboration, embrace technological advancement, and optimize the hybrid
workforce and hybrid workplace. Workforce 2025 will establish a culture enabling the Agency
to rapidly adapt to inevitable technological advances and mission portfolio adjustments ensuring
DISA delivers relevant, cutting-edge capabilities so our Warfighters gain and maintain an
operational and competitive edge.
Challenge 3
Cyber Supply Chain
Strengthening and securing DISA’s Cyber Supply Chain is an important management challenge.
DISA provides, operates, and assures command and control, information-sharing capabilities,
and a globally accessible enterprise information infrastructure in direct support to the warfighter,
national-level leaders, Combatant Commands, and coalition partners across the full spectrum of
military operations.
To support this mission DISA relies on an international supply chain to provide software,
hardware, and services. The cyber supply chain includes a complex array of manufacturers,
suppliers, and contractors. Cyber supply chain risk is the possibility that supply chain threats
and vulnerabilities may intentionally or unintentionally compromise Information Technology
(IT) or Operational Technology (OT) products and services.
To secure the cyber supply chain, DISA must protect, detect, respond, and recover from supply
chain threats. Specifically, Information and Communications Technology Supply Chain Risk
Management (ICT-SCRM) is the process of identifying, assessing, and mitigating the risks
associated with the distributed and interconnected nature of IT services and supply chains. ICT-
SCRM covers the entire life cycle of the supply chain, including design, development,
distribution, deployment, acquisition, maintenance, and destruction. ICT-SCRM also includes
cybersecurity, software assurance, obsolescence, counterfeit parts, foreign ownership of sub-tier
vendors and other categories of risk that affect the supply chain. Successful ICT-SCRM
maintains the integrity of products, services, people, technologies, and ensures the undisrupted
flow of product, materiel, information, and finances.
In 2022, the DISA OIG conducted an evaluation of DISA’s ICT-SCRM program and processes.
The OIG observed DISA’s ICT-SCRM program developed several best practices and the Agency
has made significant program investments. For example, DISA created an ICT-SCRM
management office, assigned an acting Branch Chief, and updated the Agency’s ICT-SCRM
instruction along with a Strategy and Implementation Plan. The DISA team has developed in-
depth analysis and documentation of ICT suppliers and products. As a result, the DISA team is
often sought after to support and train external agencies on ICT-SCRM activities. The creation
of these operational relationships enhances DISA’s capability to secure the DoD supply chain
and support the Warfighter’s ability to mitigate risk at the tactical level. Moving forward, DISA
is focusing on ICT-SCRM related activities to address hardware bill of material (HBOM)
rogue/counterfeit detection and software bill of material (SBOM) zero-day mitigation efforts.
Despite these positive elements, the OIG determined DISA can better define ICT-SCRM
processes and provide additional operational guidance to increase the maturity of the program.
We also found inconsistent ICT-SCRM performance across the agency, stakeholders lacked
familiarity with ICT-SCRM, efforts were stove-piped, and training was not conducted in
accordance with DISA requirements. The OIG identified the following four recommendations
as part of our corrective action process: (1) Define, in writing, ICT-SCRM process steps,
integration with other corporate processes, and provide additional operational guidance in
accordance with DISAI 240-110-44; (2) Develop DISA ICT-SCRM training in accordance with
NIST SP 800-161 Rev 1 and DISAI 240-110-44 to ensure a common understanding of
processes and methods throughout the organization; (3) Establish ICT-SCRM metrics and
benchmarking for performance analysis; (4) Develop an oversight process to ensure DISA’s
ICT-SCRM repository maintains all required SCRM threats, vulnerabilities, and reporting;
including Criticality Analysis, Due Diligence Reports, and Risk Assessment artifacts.
Since the realignment of the DISA ICT-SCRM program on 01 July 2023, the Risk Management
Executive, Threat Mitigation Division (RE3), continues to focus on the development of
foundational program requirements while maintaining program execution. Of the four OIG
recommendations made in 2022, two have been satisfied through the creation of an internal ICT-
SCRM SharePoint page and ticketing system. RE3 continues to address the outstanding DISA
OIG recommendations by updating the ICT-SCRM CONOPs and the development of DISA
ICT-SCRM annual training; both efforts are on track to be completed by the end of calendar year
2023 (CY23).
Challenge 4
Current and Future Contracting Environment
Contracting is a top management challenge at DISA due in part to resource constraints. The
DISA Defense Information Technology Contracting Organization (DITCO) procures complex
mission partner IT, Cyber, and Telecommunications requirements. The Office of Personnel
Management has determined the 1102 (contracting) job series a critical hiring need for which
there is a severe shortage of candidates. DITCO hires a disproportionate number of career ladder
positions (e.g., hire a GS-11 with limited contracting skills for complex requirements and best
value trade off source selections into GS-13 full performance level positions). This also creates
increased work for more experienced 1102s to provide substantive on-the-job training, and
causes an inability to sufficiently and effectively meet DoD and other federal agency mission
needs. DITCO’s mission is to provide efficient and compliant procurement services for
Information Technology, Cyber, and Telecommunication services that support national defense
partners through timely, quality, and ethical contracting. DITCO has turned away mission
partner requests, resulting in lost revenue, due to DITCO’s mission requirements, workload, and
hiring challenges.
In addition, DITCO identified the submission of late procurement packages and late funding
from internal and external mission partners as a systemic, significant challenge. Late
procurement packages occurred because of lack of planning, contract package routing delays,
requirement definition issues, incomplete and unactionable procurement packages, unfunded
requirement delays, and contract scope issues. This and other challenges in contracting faced by
DITCO and mission partners are increased by Office of Management and Budget (OMB), Office
of the Secretary of Defense (OSD), DoD, and DISA funding levels, increased contract
documentation, incrementally funding contracts in small increments throughout the fiscal year
which creates exponentially more work across the Agency, and other indirect process
requirements. Among these are inefficient contracting information systems and interfaces which
create a substantive amount of manual work (and/or re-work) to include: (1) IDEAS
Telecommunications contract writing system with a significant backlog of system enhancements,
as well as down-time due to technical challenges and inoperable features, (2) lack of a circuit
Review and Revalidation capability, and (3) DoD Procure to Pay Handshakes (i.e., data transfer)
interfaces. DITCO and the Office of the Chief Financial Officer continue to collaborate to
implement process improvements to fulfill contract requirements in a timely manner and meet
mission partner needs.
The DISA OIG reported concerns relating to contracting at DISA; specifically, contracts
pertaining to Government-Furnished Property, cyber safeguards of defense information,
Government Purchase Card oversight, timely contract closeout, and management of unliquidated
obligations. Additionally, the OIG identified concerns relating to Contracting Officer’s
Representatives (CORs) performing their duties and DITCO’s oversight of CORs. CORs ensure
delivery of supplies and critical mission services; however, inadequate COR oversight could
result in decreased quality of contractor services.
Challenge 5
Mission Partner Payments
DISA, like other service providers in the Department of Defense, experiences delinquent
accounts receivable as part of doing business with various mission partners. DISA continues to
have challenges obtaining Mission Partner (Military Services and Defense/Non-Defense
Agencies) funding in a timely manner for reimbursable costs incurred. In 2023, the DISA OIG
conducted an audit of DISA’s Reimbursable Services Collections to determine whether DISA
collects accounts receivables for reimbursable services in accordance with DoD and DISA
guidance.
We determined that DISA was not consistently pursuing collection of $137 million in aged
Accounts Receivable (A/R) over 30 days from Mission Partners as of 30 June 2022, in
accordance with the Department of Defense Financial Management Regulation (DoD FMR).
DISA J8 did not pursue collections for General Fund (GF); however, J8 issued Working Capital
Fund’s (WCF’s) collection Memorandums. We found internal control weaknesses, including
incomplete policy, limited automated capabilities and processes, lack of compliance with the
policy, and a policy that did not include the processes for classified and unbillable A/R
transactions.
The audit also found DISA WCF was unable to bill Mission Partners for $77 million aged A/R
over 90 days as of June 2022. DISA was performing work without funding documentation
including a Standard Line of Accounting (SLOA) because DISA did not require Mission
Partners to provide the SLOA prior to performing work for reoccurring services. DISA does
have recurring and automated communication with Mission Partners, requesting the SLOA;
however, many Mission Partners were not responsive in providing the SLOA when requested.
Additionally, DISA’s policy did not include the process for obtaining Mission Partners’ funding
documentation with a SLOA prior to DISA providing the services that are recurring in nature,
crossing fiscal years.
Incomplete and limited automated capabilities to accomplish and carry out policy for the
collection process hinder J8’s ability to receive timely reimbursement for services, and the lack
of funding information leads to delays in Mission Partner payments for services provided. The
DISA OIG made six recommendations to address these issues.
DISA is planning to standardize customer engagement and delinquent customer notices across
the GF and WCF to build a more consistent and streamlined process preventing aged Accounts
Receivable bills from occurring. The updated policy, once signed, will dictate and enforce a
standard process across DISA.
Challenge 6
Artificial Intelligence
Artificial intelligence (AI) refers to the ability of machines to perform tasks that normally require
human intelligence. For example, AI includes recognizing patterns, learning from experience,
drawing conclusions, making predictions, or acting. Examples of AI enabled technology include
chatbots that facilitate writing, tools for intelligence analysis, and autonomous weapon systems.
Strategic competitors, such as China and Russia, are also making significant investments in AI.
AI will transform warfare, and failure to adopt AI technology could hinder national security.
According to the DISA Director, generative AI is “probably one of the most disruptive
technologies and initiatives in a very long, long time. Those who harness that and can
understand how to best leverage it, but also how to best protect against it, are going to be the
ones that have the high ground.”
In response to this challenge, the 2018 DoD AI Strategy directs the DoD to accelerate the
adoption of AI and the creation of a force that can protect the security of our nation. In 2022,
DoD also published a Responsible AI (RAI) Strategy and Implementation pathway that
illuminates the path forward by defining and communicating a framework for harnessing AI.
DISA is also looking for ways to repurpose cutting-edge technology like AI for cyber analytics,
cyber protection, and operations to protect the Defense Department's global network. For
example, DISA held an AI Summit. Participants learned about various AI initiatives within
DISA and around the Department of Defense. Participants had the opportunity to meet leaders
that specialize in AI and observed demonstrations by the Joint Artificial Intelligence Center,
DISA, and Industry Leaders. DISA also issued Initial Guidance on the Responsible Use of
Publicly Available Generative Artificial Intelligence Tools.
Challenge 7
Safeguarding and Handling Classified Information
Safeguarding sensitive and classified data is a top management challenge to DISA, not only for
the organization but also for mission partners. DISA provides crucial infrastructure and network
capabilities that enable DoD organizations and our global partners to carry out strategic
objectives as well as their daily business operations. Internal controls and security of sensitive
information are not only a national defense priority; they also come with a significant cost to maintain.
In April 2023, the DoD CIO issued a memorandum “Department of Defense Guidance on
Safeguarding Responsibilities Regarding Classified Information” regarding the improvement of
controls around safeguarding classified information. In response, DISA leadership took action by
issuing Operations Orders to address unauthorized disclosures and report postures and actions
taken to improve compliance.
Recent DoD incidents in which military service members, personnel, and contractors
accessed and distributed sensitive and classified data have occurred for reasons ranging from
personal ethics to espionage by nation states. The increasing number of incidents within
DoD raises concerns among senior leadership over DoD’s organizational and personnel access to
sensitive infrastructure and data, what requirements there are to access data, and what systems
are connected to this sensitive infrastructure. The resulting fallout from spillage or
unauthorized disclosure incidents not only damages national security, but also could threaten
DISA’s strategic mission and DISA’s reputation within the DoD, and could result in the loss of
trust with our mission partners.
OFFICE OF THE INSPECTOR GENERAL
The Office of the Inspector General (OIG) is an impartial fact-finder for the director and leaders
of DISA. The OIG seeks to improve the efficiency and effectiveness of DISA’s programs and
operations by conducting audits, investigations, and evaluations. The OIG then evaluates and
coordinates to close the recommendations through the Liaison office.
AUDIT
OIG Audit provides independent and objective audit services to promote continuous
performance improvement, management, and accountability of DISA operations, programs, and
resources to support DISA’s missions as a combat support agency. The types of services OIG
Audit provides are performance audits, attestation engagements, financial audits, and,
occasionally, non-audit services. OIG Audit is built on a framework for performing high-
quality audit work with competence, integrity, and transparency.
INVESTIGATION
OIG Investigation supports the efficiency and effectiveness of DISA by providing accurate,
thorough, and timely investigative products to key agency leaders. OIG Investigation performs
five primary functions: Hotline Program, Administrative Investigations, Digital Forensics,
Criminal Investigation Liaison Support, and Fraud Awareness Program. The fundamental
purpose of investigations is to resolve specific allegations, complaints, or information
concerning possible violations of law, regulation, or policy.
EVALUATION
OIG Evaluation conducts evaluations and special inquiries to improve processes, optimize the
effective use of military and civilian personnel, enhance operational readiness, assess focus
areas, and provide recommendations for improvement while teaching and training. The
fundamental purpose of evaluations is to assess, assist, and enhance the ability of a command or
component to prepare for and perform its assigned mission.
LIAISON
OIG Liaison serves as the conduit between DISA and external parties by providing guidance
and assistance, ensuring leadership at all levels is appropriately informed and external agency
objectives are met while minimizing the impact to DISA operations. OIG Liaison supports
DISA as a whole by providing:
Audit Coordination - Monitor all oversight activities impacting DISA.
Communication - Liaison between DISA leadership and external parties.
Follow-up - Track and ensure implementation of all external/internal recommendations.
Payment Integrity
For compliance with the Payment Integrity Information Act of 2019 (Pub. L. No. 116-117, 31 U.S.C.
§ 3352 and § 3357), DISA has an internal control structure in place to mitigate improper payments
that could result in payment recovery actions. Actions taken to prevent overpayments include testing
and review of civilian time and attendance, travel payments, and purchase card transactions. Tests
validate that internal controls are in place and functioning as preventative measures to mitigate risks
in the execution, obligation, and liquidation of funding for transactions. Controls are in place through
established policy and procedures; training; separation of duties; and data mining to identify risks and
fraud vulnerabilities. Additionally, DFAS, as DISA’s accounting service provider, performs
overpayment recapture functions on behalf of DISA. DFAS includes DISA transactions in its
sampling populations for improper payment testing of civilian payroll and travel. There have been no
issues arising to merit an anticipated negative impact regarding payment integrity and improper
payment recovery in FY 2023.
DOD Office of Inspector General (OIG)
Audit Report Transmittal Letter
OFFICE OF INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500
November 8, 2023
MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/
CHIEF FINANCIAL OFFICER, DOD
DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
SUBJECT: Transmittal of the Independent Auditor’s Reports on the Defense Information Systems
Agency General Fund Financial Statements and Related Notes for
FY 2023 and FY 2022
(Project No. D2023-D000FL-0056.000, Report No. DODIG-2024-009)
We contracted with the independent public accounting firm of Kearney & Company, P.C.
(Kearney) to audit the Defense Information Systems Agency (DISA) General Fund
Financial Statements and related notes as of and for the fiscal years ended
September 30, 2023, and 2022. The contract required Kearney to provide a report on
internal control over financial reporting and compliance with provisions of applicable laws
and regulations, contracts, and grant agreements, and to report on whether DISA’s financial
management systems substantially complied with the requirements of the Federal Financial
Management Improvement Act of 1996. The contract required Kearney to conduct the
audit in accordance with generally accepted government auditing standards (GAGAS);
Office of Management and Budget audit guidance; and the Government Accountability
Office/Council of the Inspectors General on Integrity and Efficiency, “Financial Audit
Manual,” Volume 1, May 2023, Volume 2, May 2023, and Volume 3, June 2023.
Kearney’s Independent Auditor’s Reports are attached.
Kearney’s audit resulted in a disclaimer of opinion. Kearney could not obtain sufficient,
appropriate audit evidence to support the reported amounts within the DISA General Fund
Financial Statements. As a result, Kearney could not conclude whether the financial
statements and related notes were presented fairly and in accordance with Generally
Accepted Accounting Principles. Accordingly, Kearney did not express an opinion on the
DISA General Fund FY 2023 and FY 2022 Financial Statements and related notes.
Kearney’s separate report, “Independent Auditor’s Report on Internal Control Over Financial
Reporting,” discusses five material weaknesses related to the DISA General
Fund’s internal controls over financial reporting.* Specifically, Kearney’s report stated
that DISA did not design or implement internal controls to:
reconcile and accurately report Fund Balance with Treasury;
analyze, record, and support Accounts Receivable and revenue transactions in a timely manner;
validate, record, and support Accounts Payable accrual estimates and expense transactions;
validate, record, and support budgetary resource related transactions; or
provide accurate and timely financial reporting information.
Kearney’s additional report, “Independent Auditor’s Report on Compliance with Laws and
Regulations, Contracts, and Grant Agreements,” discusses two instances of noncompliance
with provisions of applicable laws and regulations, contracts, and grant agreements.
Specifically, Kearney’s report describes instances in which DISA did not comply with the
Federal Financial Management Improvement Act of 1996 and the Federal Managers’
Financial Integrity Act of 1982.
In connection with the contract, we reviewed Kearney’s reports and related documentation
and discussed them with Kearney’s representatives. Our review, as differentiated from an
audit of the financial statements and related notes in accordance with GAGAS, was not
intended to enable us to express, and we do not express, an opinion on the DISA General
Fund FY 2023 and FY 2022 Financial Statements and related notes. Furthermore, we do
not express conclusions on the effectiveness of internal controls over financial reporting,
on whether DISA’s financial systems substantially complied with Federal Financial
Management Improvement Act of 1996 requirements, or on compliance with provisions of
applicable laws and regulations, contracts, and grant agreements. Our review disclosed no
instances where Kearney did not comply, in all material respects, with GAGAS. Kearney
is responsible for the attached November 8, 2023 reports and the conclusions expressed
within the reports.
* A material weakness is a deficiency, or a combination of deficiencies, in internal control
over financial reporting that results in a reasonable possibility that management will not
prevent, or detect and correct, a material misstatement in the financial statements in a
We appreciate the cooperation and assistance received during the audit. If you have any
questions, please contact me.
FOR THE INSPECTOR GENERAL:
Lorin T. Venable, CPA
Assistant Inspector General for Audit Financial
Management and Reporting
Attachments:
As stated
Independent Auditor’s Report
U.S. Property of DoD
1701 Duke Street, Suite 500, Alexandria, VA 22314
PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com
INDEPENDENT AUDITOR’S REPORT
To the Director, Defense Information Systems Agency, and Inspector General of the Department
of Defense
Report on the Audit of Financial Statements
Disclaimer of Opinion
We were engaged to audit the General Fund (GF) financial statements of the Defense
Information Systems Agency (DISA), which comprise the Balance Sheets as of
September 30, 2023 and 2022, the related Statements of Net Cost and Changes in Net Position,
and the combined Statements of Budgetary Resources (hereinafter referred to as the “financial
statements”) for the years then ended, and the related notes to the financial statements.
We do not express an opinion on the accompanying GF financial statements of DISA. Because
of the significance of the matters described in the Basis for Disclaimer of Opinion section of our
report, we have not been able to obtain sufficient appropriate audit evidence to provide a basis
for an audit opinion on the financial statements.
Basis for Disclaimer of Opinion
We were unable to obtain sufficient appropriate audit evidence to provide a basis for an audit
opinion that the financial statements are complete and free from material misstatements when
taken as a whole.
We were unable to obtain sufficient appropriate audit evidence to support the existence,
completeness, and accuracy of Fund Balance with Treasury (FBWT), Accounts Receivable
(AR), Accounts Payable (AP), Earned Revenue, Gross Costs, and the related budgetary accounts.
DISA was unable to provide sufficient supporting documentation in a timely manner to support
these line items in fiscal year (FY) 2023. DISA was also unable to provide sufficient supporting
documentation in a timely manner to complete testing over Financial Reporting. Specifically,
DISA was unable to provide sufficient appropriate audit evidence to support certain types of
transactions, referred to as undistributed and unmatched transactions, that materially impacted
each of the aforementioned audit areas.
DISA was unable to support its revenue and expense activity during FY 2023 due to the
underlying key supporting documentation missing critical information, such as quantity, price,
amount, and delivery and receipt timeframes. Intra-governmental and intra-Department of
Defense (DoD) activity was unsupported for a majority of the samples selected for testing. This
also impacts DISA’s ability to develop and validate an AP accrual estimate.
Undistributed transactions are disbursements and collections from feeder systems that were
unable to interface into DISA’s general ledger (GL) system. Unmatched transactions are
disbursements that interface into DISA’s GL system, but do not match to an obligating document
in the GL system. DISA reported a significant number of either undistributed or unmatched
transactions for each of the quarter-ends during FY 2023. Undistributed and unmatched
transactions prevent DISA from preparing and supporting transaction-level lists of activity for its
Revenue, Expense, AR, AP, and related budgetary accounts. The undistributed and unmatched
transactions significantly impacted our audit procedures and DISA’s ability to accurately provide
sufficient audit evidence.
The effects of the conditions described in the preceding paragraphs cannot be fully quantified,
nor was it practical, given the available information, to extend audit procedures to sufficiently
determine the extent of the misstatements to the financial statements. The effects of the
conditions in the preceding paragraphs and overall challenges in obtaining timely and sufficient
audit evidence also made it impractical to execute all planned audit procedures. As a result of
these departures, we were unable to determine whether any adjustments might have been found
necessary with respect to recorded or unrecorded amounts within the elements of the financial
statements.
Responsibilities of Management for the Financial Statements
Management is responsible for: 1) the preparation and fair presentation of the financial
statements in accordance with accounting principles generally accepted in the United States of
America; 2) the preparation, measurement, and presentation of Required Supplementary
Information (RSI) in accordance with U.S. generally accepted accounting principles; 3) the
preparation and presentation of Other Information included in DISA GF’s Agency Financial
Report (AFR), as well as ensuring the consistency of that information with the audited financial
statements and the RSI; and 4) the design, implementation, and maintenance of internal control
relevant to the preparation and fair presentation of financial statements that are free from
material misstatement, whether due to fraud or error.
In preparing the financial statements, management is required to evaluate whether there are
conditions or events, considered in the aggregate, that raise substantial doubt about DISA GF’s
ability to continue as a going concern for a reasonable period of time beyond the financial
statement date.
Auditor’s Responsibilities for the Audit of the Financial Statements
Our responsibility is to conduct an audit of DISA GF’s financial statements in accordance with
auditing standards generally accepted in the United States of America; the standards applicable
to financial audits contained in Government Auditing Standards, issued by the Comptroller
General of the United States; and Office of Management and Budget (OMB) Bulletin No. 24-01,
Audit Requirements for Federal Financial Statements, and to issue an auditor’s report. However,
because of the matters described in the Basis for Disclaimer of Opinion section of our report, we
were not able to obtain sufficient appropriate audit evidence to provide a basis for an audit
opinion on these financial statements. We are required to be independent of DISA GF and to
meet our other ethical responsibilities in accordance with the relevant ethical requirements
relating to our audit.
Required Supplementary Information
Accounting principles generally accepted in the United States of America require that
Management’s Discussion and Analysis and other RSI be presented to supplement the financial
statements. Such information is the responsibility of management and, although not a part of the
basic financial statements, is required by OMB and the Federal Accounting Standards Advisory
Board (FASAB), who consider it to be an essential part of financial reporting for placing the
basic financial statements in an appropriate operational, economic, or historical context. We
were unable to apply certain limited procedures to the RSI in accordance with auditing standards
generally accepted in the United States of America because of matters described in the Basis for
Disclaimer of Opinion section above. We do not express an opinion or provide any assurance on
the information.
Other Reporting Required by Government Auditing Standards
In accordance with Government Auditing Standards and OMB Bulletin No. 24-01, we have also
issued reports, dated November 8, 2023, on our consideration of DISA GF’s internal control over
financial reporting and on our tests of DISA GF’s compliance with provisions of applicable laws,
regulations, contracts, and grant agreements, as well as other matters for the year ended
September 30, 2023. The purpose of those reports is to describe the scope of our testing of
internal control over financial reporting and compliance and the results of that testing, and not to
provide an opinion on internal control over financial reporting or on compliance and other
matters. Those reports are an integral part of an audit performed in accordance with Government
Auditing Standards and OMB Bulletin No. 24-01 and should be considered in assessing the
results of our audit.
Alexandria, Virginia
November 8, 2023
1701 Duke Street, Suite 500, Alexandria, VA 22314
PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com
INDEPENDENT AUDITOR’S REPORT ON INTERNAL CONTROL OVER
FINANCIAL REPORTING
To the Director, Defense Information Systems Agency, and Inspector General of the Department
of Defense
We were engaged to audit, in accordance with auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and Office of
Management and Budget (OMB) Bulletin No. 24-01, Audit Requirements for Federal Financial
Statements, the General Fund (GF) financial statements of the Defense Information Systems
Agency (DISA) as of and for the year ended September 30, 2023, and the related notes to the
financial statements, which collectively comprise DISA GF’s financial statements, and we have
issued our report thereon dated November 8, 2023. Our report disclaims an opinion on such
financial statements because we were unable to obtain sufficient appropriate audit evidence to
provide a basis for an audit opinion.
Internal Control over Financial Reporting
In planning and performing our audit of the financial statements, we considered DISA GF’s
internal control over financial reporting (internal control) as a basis for designing audit
procedures that are appropriate in the circumstances for the purpose of expressing our opinions
on the financial statements, but not for the purpose of expressing an opinion on the effectiveness
of DISA GF’s internal control. Accordingly, we do not express an opinion on the effectiveness
of DISA GF’s internal control. We limited our internal control testing to those controls necessary
to achieve the objectives described in OMB Bulletin No. 24-01. We did not test all internal
controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial
Integrity Act of 1982 (FMFIA), such as those controls relevant to ensuring efficient operations.
Our consideration of internal control was for the limited purpose described in the preceding
paragraph and was not designed to identify all deficiencies in internal control that might be
material weaknesses or significant deficiencies; therefore, material weaknesses or significant
deficiencies may exist that have not been identified. However, as described in the accompanying
Schedule of Findings, we identified certain deficiencies in internal control that we consider to be
material weaknesses and significant deficiencies.
A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, to
prevent, or detect and correct, misstatements on a timely basis. A material weakness is a
deficiency, or combination of deficiencies, in internal control such that there is a reasonable
possibility that a material misstatement of the entity’s financial statements will not be prevented,
or detected and corrected, on a timely basis. We consider the deficiencies described in the
accompanying Schedule of Findings to be material weaknesses.
A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is
less severe than a material weakness, yet important enough to merit attention by those charged
with governance. We consider the deficiencies described in the accompanying Schedule of
Findings to be significant deficiencies.
We noted certain additional matters involving internal control over financial reporting that we
will report to DISA GF’s management in a separate letter.
Defense Information Systems Agency General Fund’s Response to Findings
Government Auditing Standards requires the auditor to perform limited procedures on DISA
GF’s response to the findings identified in our engagement and described in the accompanying
Agency Financial Report (AFR). The DISA GF acknowledged the findings identified in our
engagement. DISA GF’s response was not subjected to the other auditing procedures applied in
the engagement to audit the financial statements; accordingly, we express no opinion on the
response.
Purpose of this Report
The purpose of this report is solely to describe the scope of our testing of internal control and the
results of that testing, and not to provide an opinion on the effectiveness of DISA GF’s internal
control. This report is an integral part of an engagement to perform an audit in accordance with
Government Auditing Standards and OMB Bulletin No. 24-01 in considering the entity’s internal
control. Accordingly, this report is not suitable for any other purpose.
Alexandria, Virginia
November 8, 2023
Schedule of Findings
Material Weaknesses
Throughout the course of our audit work of the Defense Information Systems Agency (DISA)
General Fund (GF), we identified internal control deficiencies which were considered for the
purposes of reporting on internal control over financial reporting. The material weaknesses
presented in this Schedule of Findings have been formulated based on our determination of how
individual control deficiencies, in aggregate, affect internal control over financial reporting.
Exhibit 1 presents the material weaknesses identified during our audit.
Exhibit 1: Material Weaknesses and Sub-Categories
Material Weakness | Material Weakness Sub-Category
I. Fund Balance with Treasury | A. Budget Clearing Account Reconciliation and Reporting Processes
I. Fund Balance with Treasury | B. Statement of Differences Reconciliation and Reporting Processes
I. Fund Balance with Treasury | C. Lack of Controls over the Cash Management Report Creation Process
I. Fund Balance with Treasury | D. Cash Management Report Reconciliation and Reporting Procedures
I. Fund Balance with Treasury | E. Lack of Controls over the Advana Reconciliation Process
II. Accounts Receivable/Revenue | A. Revenue Samples Not Supported
II. Accounts Receivable/Revenue | B. Lack of Revenue Recognition
II. Accounts Receivable/Revenue | C. Defense Agencies Initiative Report Functionality
III. Accounts Payable/Expense | A. Lack of Accounts Payable Validation
III. Accounts Payable/Expense | B. Expense Samples Not Supported
III. Accounts Payable/Expense | C. Lack of Receipt and Acceptance
IV. Budgetary Resources | A. Invalid Unfilled Customer Orders Without Advance Transactions
IV. Budgetary Resources | B. Invalid Undelivered Orders Transactions
IV. Budgetary Resources | C. Inaccurate Recoveries of Prior-Year Unpaid Obligations
IV. Budgetary Resources | D. Unsupported End-of-Year Obligations
V. Financial Reporting | A. Untimely Issuance of Requested Audit Documentation and Financial Statement Package
V. Financial Reporting | B. Undistributed and Unmatched Defense Agencies Initiative Transactions
V. Financial Reporting | C. Lack of Timely Validation of Undistributed Journal Vouchers
I. Fund Balance with Treasury (Repeat Condition)
Deficiencies in five related areas, in aggregate, define this material weakness:
A. Budget Clearing Account Reconciliation and Reporting Processes
B. Statement of Differences Reconciliation and Reporting Processes
C. Lack of Controls over the Cash Management Report Creation Process
D. Cash Management Report Reconciliation and Reporting Procedures
E. Lack of Controls over the Advana Reconciliation Process
A. Budget Clearing Account Reconciliation and Reporting Processes
Background: DISA’s service organization manages, reports, and accounts for Fund Balance
with Treasury (FBWT) budget clearing (suspense) account activities to the U.S. Department of
the Treasury (Treasury). DISA is responsible for monitoring and approving the FBWT
reconciliations performed by its service organization on its behalf and is responsible for the
complete and accurate reporting of FBWT on its financial statements and disclosures.
Suspense accounts temporarily hold unidentifiable general, revolving, special, or trust fund
collections or disbursements that belong to the Federal Government. An “F” preceding the last
four digits of the fund account symbol identifies these funds. These accounts are to be used only
when there is a reasonable basis or evidence that the collections or disbursements belong to the
U.S. Government and, therefore, properly affect the budgetary resources of the Department of
Defense (DoD) activity. None of the collections recorded in suspense accounts are available for
obligation or expenditure while in suspense. Agencies should have a process to research and
properly record clearing account transactions in their general ledgers (GL) timely. Transactions
recorded in DoD suspense are required to be reconciled monthly and moved to the appropriate
Line of Accounting (LOA) within 60 business days from the date of transaction.
On behalf of DoD agencies, including DISA, DISA’s service organization prepares materiality
assessments quarterly using a combination of historical data and the current quarter’s raw
Universe of Transactions (UoT) to estimate the potential impact of outstanding suspense
transactions to each DoD entity. The raw UoTs have not been fully researched to identify
transaction count and dollar amount impact to DISA and other DoD entities and could contain
summary lines. Fully researched UoTs are not available until 53 days after quarter-end and year-
end financial reporting timelines.
DISA suspense transactions, if any, are included and accounted for in Treasury Index (TI)-97
Other Defense Organizations (ODO), Department of the Navy (TI-17), Department of the Air
Force (TI-57), and Department of the Army (TI-21) suspense accounts based on DoD disbursing
processes.
Condition: DISA, in coordination with its service organization, has not implemented sufficient
internal control activities to ensure that transactions recorded in suspense accounts do not contain
DISA collections and disbursements that should be recognized in DISA’s accounting records.
The processes currently in place cannot be relied upon to prevent, detect, or correct
misstatements in time for quarterly and fiscal year (FY)-end financial reporting. While DISA’s
service organization prepares quarterly suspense materiality assessments for each TI to identify
the total count and amount of suspense account transactions resolved to DISA and other Defense
agencies, the uncleared suspense transactions included in the assessment are material, and the
assessments are not available in a timely manner to perform sufficient analysis for financial
reporting.
Cause: DISA’s suspense activity is not recorded in unique suspense accounts, but rather in
shared TI-97, TI-57, TI-21, and TI-17 suspense accounts. DoD suspense accounts continue
to contain a high volume of collections and disbursements which require manual research
and resolution. That manual research and resolution is what supports the production of the
final UoTs and materiality assessments but takes a significant amount of time, which is the
cause of them not being available in a timely manner for financial reporting. Additionally, at
the time of UoT availability, there has been a significant volume of transactions for a
material dollar amount in suspense that has not been identified to an entity and is listed in the
UoT as “to be determined” (TBD). As of FY 2023 Quarter (Q) 3, the following were noted
as “TBD” in the Suspense UoTs:
- TI-17 reported 14 out of 2,799 transactions (1%) totaling ($1.3 million) net and $1.3
  million absolute (ABS) (11%), respectively
- TI-21 reported 566 out of 2,380 transactions (24%) totaling ($27.2 million) net and
  $62.3 million ABS (12%), respectively
- TI-57 reported 863 out of 1,380 transactions (63%) totaling $9.5 million net and
  $21.7 million ABS (45%), respectively
- TI-97 reported 19,101 out of 19,618 transactions (97%) totaling ($320.9 million) net
  and $655.9 million ABS (97%), respectively.
DISA and its service organization have not designed and implemented a methodology to
determine the financial reporting impact of DoD suspense account balances to DISA’s
financial statements for financial reporting in a timely manner sufficient for quarterly and
annual financial reporting timelines. The assessments do not identify amounts attributed to
DISA for the current quarter, but estimate the amount based on historical data. Per Statement
of Federal Accounting Standards (SFFAS) No. 1, Accounting for Selected Assets and
Liabilities, DISA’s FBWT represents its claim to the Federal Government’s resources and its
accounts with Treasury for which DISA is authorized to make expenditures and pay
liabilities. The materiality assessment methodology is not designed effectively as it pertains
to recording an FBWT projection, should a material misstatement be identified. SFFAS No.
1 does not permit FBWT as a viable account for estimated amounts.
Effect: DISA cannot identify and record its suspense activity into its GL and financial statements
pursuant to quarterly financial reporting timelines. Without additional compensating internal
controls or monitoring procedures and analyses, the lack of effective internal controls and
processes to determine the financial reporting impact of the suspense balances inhibits DISA’s
ability to assert to the completeness and accuracy of reported FBWT on its Balance Sheet and
other financial statement line items, as applicable.
Recommendations: Kearney & Company, P.C. (Kearney) recommends that DISA implement
internal control activities to ensure that material DISA transactions, individually and in the
aggregate, are identified and appropriately included within DISA’s accounting records.
Specifically, Kearney recommends that DISA perform the following:
1. Continue implementing business process improvements in the related financial statement
line items to prevent items from reaching suspense. Specifically, DISA should develop
and implement monitoring controls and processes for Accounts Receivable (AR) and
Accounts Payable (AP) balances to reduce the risk of DISA having a material amount of
disbursements and collections not reflected on its financial statements.
2. Research and resolve suspense transactions by correcting the transactions in source
systems and assist DISA’s service organization with necessary supporting documentation
for corrections, if needed.
3. Consider any limitations to DISA’s service organization’s suspense account
reconciliation process and develop compensating controls to reconcile any included
FBWT suspense activity or, through documented materiality analysis, indicate that
management accepts the risk of potential misstatement. This includes considering the
materiality assessments and the amount of “TBD” data included, as well as the risk that
DISA could have material transactions included in what is flagged as “TBD” in the UoTs
that are used to create those assessments.
4. Pursuant to receiving the necessary information and documentation from DISA’s service
organization, develop and implement procedures to identify DISA’s suspense account
balances for recording and reporting into the GLs and financial statements.
In addition, Kearney recommends that DISA coordinate with its service organization to perform
the following:
1. Continue to develop procedures to determine what portion of the suspense balances, if
any, should be attributed to DISA for financial reporting in a timely manner and made
available for year-end financial reporting purposes.
2. Continue to monitor and track the resolution of suspense activity cleared to DISA to
enable the entity to perform root cause analysis. This includes further research and
resolution over the transactions not resolved in the UoTs and listed as “TBD.”
3. Continue to work to develop effective system and process controls to ensure that
disbursements and collections are processed with valid TI, Treasury Account Symbol
(TAS), and FY inputs.
4. Continue to develop and implement processes and controls to eliminate instances where
transactions are being placed in suspense accounts intentionally.
5. Develop and implement a process to establish unique identifiers for each transaction in
suspense UoTs that roll forward from period to period. DISA’s service organization
should develop controls over the establishment and roll-over of those unique identifiers
that can be tested for reliance.
B. Statement of Differences Reconciliation and Reporting Processes
Background: DISA’s service organization provides daily Non-Treasury Disbursing Office
(NTDO) disbursing services under various Agency Location Codes (ALC), often referred to as
Disbursing Symbol Station Numbers (DSSN). Additionally, DISA’s service organization
provides monthly Treasury reporting services under various reporting ALCs, which are different
than disbursing ALCs. Monthly, NTDO disbursing activity is submitted to its assigned reporting
ALC to generate a consolidated Standard Form (SF)-1219, Statement of Accountability, and SF-
1220, Statement of Transactions. Daily, Treasury Disbursing Office (TDO) ALCs submit reports
directly to Treasury and complete SF-224, Statement of Transactions, at month-end.
Treasury compares data submitted by financial institutions and Treasury Regional Financial
Centers to ensure the integrity of the collection and disbursement activity submitted. A Statement
of Differences (SOD) report, known as the Financial Management Services (FMS) 6652, is
generated by Treasury each month in the Central Accounting Reporting System (CARS). The
SOD report identifies discrepancies between the collections and disbursements reported to
Treasury and the transactions that were processed by the ALCs each month (i.e., the month the
report is generated).
There are three categories of SOD reports generated by Treasury: 1) Deposit in Transit (DIT); 2)
Intra-Governmental Payment and Collections (IPAC) or Disbursing; and 3) Check Issued.
Disbursing Officers within the ALCs are required to research and resolve DIT, IPAC, and Check
Issued differences monthly. DISA’s service organization has three reporting ALCs which are
responsible for month-end reporting of collections and disbursements to Treasury. Further, as a
reporting entity, DISA is responsible for monitoring differences identified on the FMS 6652 for
the ALCs that process its transactions to determine whether its transactions are included in an
SOD and erroneously omitted from its financial statements.
Condition: DISA, in coordination with its service organization, has not implemented a
monitoring control to ensure that transactions that compose the SOD balances in DISA’s primary
DSSNs do not contain DISA collections and disbursements that should be recognized in DISA’s
accounting records. The processes currently in place cannot be relied upon to prevent, detect, or
correct misstatements in time for quarterly and FY-end financial reporting. While DISA’s
service organization prepares quarterly SOD materiality assessments at the DSSN level (for
DISA’s service organization’s managed DSSNs) to identify the total count and dollar value of
the SOD transactions resolved to DISA and other Defense agencies, the uncleared SOD
transactions included in the assessments are significant. Assessments with fully cleared data
identified to an entity are not available in a timely manner to perform sufficient analysis for
financial reporting timelines.
Cause: DISA’s service organization’s process to create the UoT for SODs is a time-intensive
and manual process that requires the consolidation of multiple files from various sources. The
SOD UoTs continue to contain a high volume of collections and disbursements which require
manual research and resolution. That manual research and resolution supports the production of
the final UoTs and materiality assessments but takes a significant amount of time, making them
unavailable for financial reporting. Additionally, at the time of UoT availability, there is a
significant volume of transactions, for a significant dollar amount, making up the SOD balances
that have not been identified to an entity and are listed in the UoTs as TBD.
While DISA’s service organization has continued efforts to identify root causes by DSSN to
reduce SOD balances and clear transactions to DoD entities timely, shared ALCs and lack of
LOA information continue to make it difficult to resolve differences timely.
Effect: Without receiving the complete and final SOD UoTs from DISA’s service organization
in a timely manner, DISA is unable to identify its transactions that are included within SODs, if
any, to recognize amounts within its accounting records in the period in which the transactions
were processed. Further, without additional compensating controls and/or monitoring
procedures, DISA is unable to assert to the completeness and accuracy of reported FBWT on its
Balance Sheet and other financial statement line items, as applicable.
Recommendations: Kearney recommends that DISA implement internal control activities to
ensure that material DISA transactions, individually and in the aggregate, are identified and
appropriately included within DISA’s accounting records. Specifically, Kearney recommends
that DISA perform the following:
1. Assist DISA’s service organization by providing supporting information to clear
transactions reported in SODs.
2. Continue working with Treasury, the Office of the Secretary of Defense (OSD), DISA’s
service organization, and other parties to transition from using monthly NTDO reporting
ALCs to daily TDO reporting ALCs.
3. Consider any limitations to DISA’s service organization’s SOD process and develop
compensating controls to reconcile SOD balances to minimize the risk of a potential
material misstatement.
4. Pursuant to receiving the necessary information and documentation from DISA’s service
organization, develop and implement procedures to identify DISA’s actual or estimated
SOD balances for recording and reporting adjustments within the financial statements.
In addition, Kearney recommends that DISA coordinate with its service organization to perform
the following:
1. Continue to develop procedures to determine what portion of the SOD balances, if any,
should be attributed to DISA for financial reporting in a timely manner and made
available for year-end financial reporting purposes.
2. Continue to monitor and track the resolution of SOD activity cleared to DISA to enable
the entity to perform root cause analysis. This includes further research and resolution
over the transactions not resolved in the UoTs and listed as TBD.
3. Continue to develop effective system and process controls to ensure that disbursements
and collections are processed with valid TI, TAS, and FY inputs.
4. Assess and identify ALCs that primarily report collection and disbursement activity to
Treasury on behalf of DISA.
5. Monitor and track the resolution of SODs cleared to DISA to enable the entity to perform
root cause analysis and develop compensating controls for financial reporting purposes.
6. Coordinate recurring meetings with DISA to help resolve outstanding differences.
C. Lack of Controls over the Cash Management Report Creation Process
Background: DISA is one of the TI-97 ODOs whose funds are aggregated at Treasury. Treasury
maintains and reports FBWT balances through CARS at the TAS and ALC level, rather than at
the limit level, which would distinguish DISA’s FBWT balance from the combined ODO FBWT
amount. DISA’s service organization’s Treasury Division produces the Cash Management
Report (CMR) to provide ODOs with individual FBWT at the limit level.
The CMR creation process is complex and requires the compilation of data from multiple
sources and systems, including:
Headquarters Accounting and Reporting System (HQARS)
- CIGGAX.txt – A text file of current and cumulative year-to-date disbursement and
collection transactions
- Hcb04y01.txt (Edit Table 4) – Period of Availability (POA) crosswalk table
maintained by the Fiscal Code Team at DISA’s service organization per 7097 and the
Sub-Allocation Holder Identifier (SAHI) regulations
Defense Cash Accounting System (DCAS)
- OSDLimitConvTable.csv – Navy Subhead distribution file, which crosswalks Navy
subheads to valid OSD limits
Treasury CARS data
- CARS_EXPEND.csv – Funding and expenditure data by appropriation reported to
U.S. Treasury by ALCs for the current FY
- CARS_RECEIPTS.csv – Net Activity Data by appropriation reported to U.S.
Treasury by ALCs for the current FY
Defense Departmental Reporting System (DDRS) Budgetary (B) of data from the
Program Budget Accounting System (PBAS)/Enterprise Funds Distribution (EFD)
- CMR_Funding.csv – Contains TI-97 funding.
DISA’s service organization consolidates the expenditure and budgetary data in HQARS and
then transfers the compiled activity to a C# database to create the CMR. The CMR is
disaggregated and used to generate TI-97 Audit Workbooks and is then ingested into DDRS-B to
calculate automated undistributed adjustments, which forces DISA’s FBWT balance to reconcile
to the CMR at the limit level. As a DoD Component, DISA is responsible for monitoring and
approving the reconciliations performed on its behalf by its service organization.
Condition: Internal control deficiencies identified in the CMR creation process negatively
impact DISA’s ability to support the completeness and accuracy of its FBWT balance. The
specific conditions comprise:
- DISA’s FBWT is reconciled to Treasury via the CMR created by its service organization.
  DISA’s service organization does not perform data validation procedures to ensure the
  source files used to create the CMR reconcile back to the original source systems. This
  applies to expenditure activity that is imported at the summary level from DCAS and the
  Defense Cash Management System (DCMS) into HQARS, as well as to the files
  imported or interfaced into HQARS for the DSSNs managed by DISA’s service
  organization.
- DISA’s service organization creates the CMR to determine the FBWT balance for each
  TI-97 agency at the limit level. The CMR contains unidentified differences with Treasury
  which could contain transactions belonging to DISA and could pose a completeness risk
  to DISA.
- The data in the CMR is obtained from a number of different sources which use a variety
  of structures for myriad data elements. DISA’s service organization has created several
  databases to convert the data into a consistent format that is compatible with HQARS.
  The tables in these databases that perform the conversions do not have documented
  controls to ensure the data conversions are performed accurately.
Cause: DISA shares TI and basic symbols with multiple agencies, which prevents it from
obtaining its discrete FBWT balance directly from Treasury. DISA is dependent on its service
organization to provide the FBWT amount on the financial statements. DISA’s service
organization does not reconcile input data for the CMR back to source systems. The CMR
contains unidentified differences with Treasury, which could contain transactions belonging to
DISA and could pose a completeness risk to DISA. While DISA’s service organization has
developed a Corrective Action Plan (CAP) to remediate this issue, the corrective actions are not
planned to be fully in place until March 30, 2029.
Effect: The internal control deficiencies surrounding the CMR creation process may impact
DISA’s ability to: 1) support its financial statement balances in a timely manner; 2) support the
completeness and accuracy of its FBWT; and 3) increase the risk that errors or necessary
adjustments exist but remain undetected by management. DISA is unable to support the
completeness and accuracy of its FBWT without sufficiently documented procedures and
controls over the generation of the CMR. The internal control deficiencies over the creation of
the CMR also mean that the assignment of transactions in the CMR to various ODOs may not be
accurate. As a result, DISA’s financial statements may contain significant misstatements that
may not be detected and corrected in a timely manner.
Recommendations: Kearney recommends that DISA work with its service organization to
perform the following:
1. Work with Treasury to establish subaccounts under the basic symbols used by DISA
(0100, 0300, 0400, 0500) that are unique to DISA so that it can obtain CARS reports to
document its FBWT balance directly from Treasury and remove the need for the creation
of the CMR.
In addition, Kearney recommends that DISA’s service organization perform the following:
1. Implement appropriate data validation controls of the source files used to create the CMR
as they are gathered and transferred from system to system during the creation of the
CMR process.
2. Create the CMR in a system with appropriate general application information technology
(IT) controls to prevent changes to the data without appropriate authorization.
D. Cash Management Report Reconciliation and Reporting Procedures
Background: DISA is one of the TI-97 ODOs whose funds are aggregated at Treasury. Treasury
maintains and reports FBWT balances through CARS at the TAS and ALC level, rather than at
the limit level, which would distinguish DISA’s FBWT balance from the aggregated ODO
FBWT amount. DISA’s service organization’s Treasury Division produces the CMR to provide
ODOs with individual FBWT at limit level.
The CMR is broken up into two different categories: “Reconciling Items” and “Unidentified
Variances.” For the transactions in these categories, the owner agency has not been identified at
the time of reporting and, therefore, is not reported on any specific ODO’s financial statements,
including DISA’s. DISA’s service organization is responsible for tracking, researching, and
resolving the Reconciling Items and Unidentified Variances timely as part of the TI-97 FBWT
reconciliation. The CMR Reconciling Items and Unidentified Variances could potentially result
in material misstatements for any one specific TI-97 agency, including DISA.
Condition: DISA, in coordination with its service organization, has not implemented sufficient
internal control activities to ensure that transactions recorded in the CMR Reconciling Items and
Unidentified Variances do not contain DISA collections and disbursements that should be
recognized in DISA’s accounting records. The processes currently in place cannot be relied upon
to prevent, detect, or correct misstatements in time for quarterly and FY-end financial reporting.
While DISA’s service organization prepares quarterly CMR materiality assessments to identify
the total count and dollar amount of Reconciling Items and Unidentified Variances transactions
resolved to DISA and other Defense agencies, the uncleared CMR transactions included in the
assessments are material. Assessments with fully cleared data identified to an entity are not
available in a timely manner to perform sufficient analysis for financial reporting timelines.
Cause: DISA shares TI and TAS with multiple agencies, which prevents it from obtaining its
discrete FBWT balance directly from Treasury. DISA is dependent on its service organization to
provide the FBWT amount on the financial statements in order to balance with the CMR. DISA’s
service organization’s process to create the UoT for the CMR is a time-intensive and manual
process that requires the consolidation of multiple files from various sources. The CMR UoT
continues to contain a high volume of collections and disbursements which require manual
research and resolution. That manual research and resolution supports the production of the final
UoT and materiality assessment but takes a significant amount of time, making them unavailable
for financial reporting. Additionally, at the time of UoT availability, there is historically a
significant volume of transactions, for a material dollar amount, making up the CMR balances
that have not been identified to an entity and are listed in the UoTs as “TBD.” As of FY 2023
Q3, 1,087 out of 4,304 transactions (25%) totaling ($24 million) net and $46.4 million ABS
(15%) were noted as “TBD” in the CMR UoT.
Effect: DISA cannot identify or record CMR Reconciling Items or Unidentified Variances
activity belonging to DISA into its GL and financial statements pursuant to quarterly financial
reporting timelines. Without additional compensating internal controls or monitoring procedures
and analyses, the lack of methodology to determine the financial reporting impact of these
balances inhibits DISA’s ability to assert to the completeness and accuracy of reported FBWT on
its Balance Sheet and other financial statement line items, as applicable.
Recommendations: Kearney recommends that DISA, its service organization, and other
agencies listed below perform the following:
1. Work with Treasury to establish subaccounts under the basic symbol used by DISA
(0100, 0300, 0400, 0500) that are unique to the entity so that it can obtain Treasury
CARS reports to document its FBWT balance directly from Treasury and remove the
need for the CMR.
2. Work with Treasury, OSD, DISA’s service organization, and other parties to transition
away from using monthly non-CARS reporting ALCs to daily full CARS reporting
ALCs.
3. Consider any limitations to DISA’s service organization’s CMR reconciliation process
and continue developing compensating controls to reconcile the CMR to minimize the
risk of potential material misstatement.
In addition, Kearney recommends that DISA coordinate with its service organization to perform
the following:
1. Continue to develop and implement procedures to resolve differences between the CMR
and CARS monthly and identify the agencies that the differences impact.
2. Continue to monitor and track the resolution of the various CMR differences categories
cleared to DISA to enable the entity to perform root cause analysis. This includes further
research and resolution over the transactions not resolved in the UoTs and listed as
“TBD.”
3. Continue to develop effective system and process controls to ensure that disbursements
and collections are processed with valid TI, TAS, and DoD limits.
E. Lack of Controls over the Advana Reconciliation Process
Background: DISA is a DoD agency that is required to prepare quarterly and annual financial
statements in accordance with U.S. Generally Accepted Accounting Principles (GAAP), as
established by the Federal Accounting Standards Advisory Board (FASAB).
Advana is a tool developed by the Office of the Under Secretary of Defense (Comptroller)
(OUSD[C]) which performs a monthly FBWT reconciliation for multiple ODOs to identify
differences in FBWT balances between what is reported on the CMR and what is recorded in an
entity’s GL system. Advana replaced the functions previously performed by the Department 97
Reconciliation and Reporting Tool (DRRT), for which there are prior-year control findings.
DISA’s service organization’s Client Systems Team performs a review and approval of the Non-
Secure Internet Protocol Router Network (NIPR) dataset in the Transporter Application. Once
approved, OUSD(C) transfers the results from Secret Internet Protocol Router Network (SIPR)
to NIPR via the Cross Domain Solution (CDS) and publishes the results to the NIPR WebApp
(no later than two business days after DISA’s service organization's Client Systems Team
completes its review on SIPR). Each month, after reconciliations are performed within Advana,
DISA’s service organization provides the undistributed journal voucher (JV) to DISA and posts
to its GL system in order to tie to the CMR.
DISA is responsible for reconciling its FBWT monthly and maintaining effective internal
controls over its financial reporting to prevent, detect, and correct material misstatements in a
timely manner. This includes coordinating with its service organization, as necessary, and
monitoring, reviewing, and approving the reconciling procedures performed on its behalf.
Without administering these steps, DISA is at risk of posting unsupported adjusting entries and
potentially reporting material misstatements in its financial statements.
Condition: During audit walkthroughs, DISA’s service organization confirmed that no new
controls had been put in place to remediate prior-year findings regarding reconciling data back to
source systems as a part of this process previously performed in DRRT. Additionally, DISA does
not validate the information received from Advana or have front-end controls in place to confirm
the accuracy and completeness of the data attributed to DISA GF.
DISA’s service organization does not have procedures or controls in place to reconcile input data
imported into Advana back to original source systems. Additionally, DISA’s service
organization does not have a process in place to validate that the limits assigned to transactions
within Advana are accurate and attributed to the correct entities, including the transactions
attributed to DISA GF.
Cause: OUSD(C) created Advana to replace DRRT, but no controls were implemented over the
ingestion of data that would validate the LOA, specifically the limit during that process, as
supported by the material CMR Unidentified Variances balances. Additionally, DISA and its
service organization did not design and implement effective FBWT reconciliation controls to
ensure that accurate, complete, and properly supported financial data is included within the
Advana reconciliation.
Effect: As a result of the lack of effective controls over the Advana reconciliation process, the
FBWT may be misstated and include transactions that do not belong to DISA, and misstatements
may not be detected and corrected timely, causing a potential misstatement of DISA’s financial
statements.
Recommendations: Kearney recommends that DISA perform the following:
1. Coordinate with OUSD(C) to develop and implement a process in which data imported
into Advana is traced to original source systems and the accuracy of the LOA information
is validated.
2. Develop and implement procedures for effective communication with its service
organization’s management throughout the Advana reconciliation process to ensure there
is DISA management review and approval of the data being attributed to DISA from
Advana.
3. Develop and implement effective controls to ensure the validation and/or review of the
data received by DISA’s service organization, produced by Advana, before it is recorded
into DISA’s GL system.
In addition, Kearney recommends that DISA coordinate with its service organization to perform
the following:
1. Develop and implement effective controls related to identifying and analyzing the risk
with regard to the incorrect and incomplete data used for ODOs’ financial statement
compilation, including an analysis of internal and external factors, involving appropriate
level of management, and determining how to respond to risk.
2. Develop and implement effective procedures to internally communicate information
necessary to support the functioning of internal controls related to the Advana
reconciliation, including relevant objectives and responsibilities. These procedures should
include the flow of information up, down, and across the organization using a variety of
methods and channels.
II. Accounts Receivable/Revenue (Repeat Condition)
Deficiencies in three related areas, in aggregate, define this material weakness:
A. Revenue Samples Not Supported
B. Lack of Revenue Recognition
C. Defense Agencies Initiative Report Functionality
A. Revenue Samples Not Supported
Background: DISA participates in various types of activities that generate revenue that are
reported on its annual Statement of Net Cost (SNC). This revenue is generated primarily to
provide information system (IS) services to various trading partners throughout the FY.
Examples of revenue include labor hours for services performed and rendered, cost distribution
and sharing services among DoD entities, and passthrough revenue where DISA GF bills its
customer based off of an expense incurred. The DISA GF revenue recorded for the period ended
June 30, 2023 totaled $126.4 million. DISA management is responsible for ensuring revenue
transactions are recorded in the correct period for the correct amount. During FY 2023, DISA
GF’s audit transitioned to an Audit Continuation Methodology (ACM). Based on prior-year audit
results and findings, a targeted sampling approach was designed to test only revenue transactions
that occurred in October and November 2022. During that period, DISA GF recorded $16.1
million in revenue that was subjected to audit testing.
As part of the procurement process, DISA prepares billing documentation for services performed
for its customer. This invoice type varies, as it is dependent on whether the transaction is
between another Government agency or a commercial customer. DISA utilizes SF-1080,
Vouchers for Transfers Between Appropriations and/or Funds, for a majority of its
intragovernmental transactions. Each source of intragovernmental transaction and billing on
behalf of the customers is processed by DISA’s service organization and collected on behalf of
the performing agency.
Condition: DISA GF’s targeted sampling approach included a review of 110 revenue
transactions. Testing revealed that, for 81 of the 110 (74%) samples, DISA GF recorded revenue
in FY 2023 for goods and services provided in a prior FY. Exhibit 2 summarizes the 81
exception results:
Exhibit 2: Revenue Exception Results
Exception Transaction Type | Error Count | Amount
Cost Distribution Activity | 16 | $249.6 thousand
Joint Interoperability Test Command (JITC)/Labor Hours | 25 | $186.6 thousand
Passthrough Expense | 40 | $4.4 million
For an additional 14 of the 110 samples, totaling approximately $3.2 million, the supporting
documentation did not provide enough evidence to determine when revenue was earned.
Cause: DISA management does not have processes or controls in place to ensure revenue is
recorded in the period in which it is earned. DISA does not currently record an accrual to account
for revenue that is earned, but not yet billed. Many of DISA’s revenue transactions are driven by
its expense recognition, which is subject to an accrual. However, when these expense accruals
are recorded, DISA does not always record an entry to reflect the corresponding revenue accrual.
Although DISA is in the process of designing a revenue accrual, DISA has not completed its
analysis of the impact to trading partner reconciliations. Additionally, as noted in Notice of
Finding and Recommendation (NFR) 2023-FIN-GF-02, Undistributed and Unmatched DAI
Transactions, a significant number of payments (expenses) were not recorded in DISA’s
financial accounting system accurately and timely. When expenses that drive its revenue are not
recorded timely, DISA cannot effectively perform analysis to ensure revenue is recorded in the
correct period.
Effect: The exceptions noted during sample-based testing amounted to DISA’s earned revenue
being likely misstated by $4.9 million. However, due to the nature of this control deficiency,
along with the unable-to-conclude activity totaling $3.2 million, additional misstatements may
also exist in the balance. Without effective controls relating to timely revenue recognition, DISA
is unable to ensure that revenue will be billed and collected accurately, completely, and in a
timely manner. DISA management cannot assert to the completeness and accuracy of the
amounts recorded on the SNC Earned Revenue line item, as well as the AR line item on the
Balance Sheet. DISA’s current revenue recognition process does not ensure revenue is recorded
in the period it is earned.
Recommendations: Kearney recommends that DISA perform the following:
1. Design and implement procedures and controls to confirm that revenue accruals are
recorded to match corresponding expense accruals, when appropriate. This should
include posting a JV entry to ensure revenue is recorded in the proper period.
2. Review and identify specific revenue activity that is at risk of being recorded in the
subsequent period. This includes JITC labor, cost distribution/sharing activity, and
passthrough activity (i.e., recorded external expense drives revenue) as noted in the
condition.
3. Implement the recommendations described in NFR 2023-FIN-GF-02, Undistributed and
Unmatched DAI Transactions, and reconcile expenditure activity to revenue activity.
B. Lack of Revenue Recognition
Background: DISA provides goods and services to other Federal and commercial entities that
generate revenue reported on the SNC. These revenues are generated primarily to provide IS
services to various trading partners throughout the FY. Much of DISA’s revenue is earned by
performing work through Reimbursable Agreements.
Under the Economy Act of 1932, which allows Federal agencies to use advances or
reimbursements in return for providing others with goods and services, payment (via expenditure
transfer) may be made in advance or reimbursements may be made. Advances and
reimbursements from other Federal Government appropriations are available for obligation, but
not disbursed until received, when the ordering appropriation records a valid obligation to cover
the order. The Act states that the providing agency shall charge the ordering agency “on the basis
of the actual cost of goods or services provided” as agreed to by the agencies.
In addition, DISA also provides passthrough services, where DISA GF procures goods and
services through DISA Working Capital Fund (WCF) or other commercial entities. DISA GF
records AP to account for goods and services performed or procured, but not yet invoiced. Due
to the nature of DISA GF’s business processes, there is reimbursable and passthrough activity
within its estimated AP population. This contracting and passthrough activity has a
corresponding revenue event that should be recorded at the same time. A JV adjustment should
be recorded to ensure that revenue is recorded in the correct period.
Condition: DISA identified instances where goods and services were provided to other Federal
agencies, but revenue was not being systematically recorded in its accounting system, Defense
Agencies Initiative (DAI), as expected. Manual research conducted by DISA, utilizing the End-
to-End Reimbursable Data Mart (E2ERDM) system reports and Advana, has made significant
progress, but has not yet identified or corrected all instances of unrecorded revenue. Further, DISA
has not posted an adjusting entry to AR/Revenue to account for reimbursable and passthrough
activity within its estimated AP population. DISA’s analysis indicated the unposted adjustment
for March 31, 2023 totaled $11.95 million.
Cause: DISA relies on transaction posting models in DAI to ensure that revenue is recorded and
billed. Expenditures relating to reimbursable activity should systematically generate revenue
within DAI. Although DISA implemented a control to review and reconcile reimbursable
activity to ensure all revenue was being accurately recorded, a variance still exists. Further,
DISA has not evaluated the need for an adjusting entry to AR/Revenue to account for its
reimbursable activity within the estimated AP population.
Effect: DISA has not completed its analysis to determine the total impact of unbilled and
unrecorded revenue in DAI. The revenue reported on DISA’s SNC may not be complete or
accurate for the period ended September 30, 2023. DISA’s revenue and related budgetary
accounts could potentially be materially misstated due to prior-year and current-year unrecorded
revenue.
Recommendations: Kearney recommends that DISA perform the following:
1. Continue to research, identify, and quantify the total misstatement due to the lack of
revenue recognition. Once complete, DISA should post the appropriate adjusting entries
to ensure the SNC Revenue line item is materially correct.
2. Continue to design and implement processes and controls to ensure all revenue from
reimbursable activities is actually recorded and reconciles to the associated expenditure.
3. Continue review of the E2ERDM system-generated reports to review revenue to
determine if the revenue posted is recognized in the proper period.
C. Defense Agencies Initiative Report Functionality
1. Defense Agencies Initiative Accounts Receivable Aging Schedule Functionality and
Universe of Transactions
Background: AR arise from claims to cash or other assets. A receivable should be recognized
when a Federal entity establishes a claim to cash or other assets against other entities, either
based on legal provisions, such as a payment due date (e.g., taxes not received by the date they
are due) or goods or services provided. When a receivable is not collected for an extended period
of time and payments are outstanding, it should be subject to an aging schedule for review of
collectability/allowance for doubtful accounts. DISA GF utilizes DAI to function as its GL
accounting system. DAI is managed by a third party, the Defense Logistics Agency (DLA), which
established a Project Management Office (PMO) to assist customer agencies with
troubleshooting issues and system functions. DISA GF’s AR population comprises every
transaction recorded, including the recognition of a receivable, posting of a receipt, or
cancellation of an invoice/bill. To review outstanding receivables for aged AR analysis and the
calculation of the allowance for uncollectible amounts, DISA GF summarizes the population on
fund and project segment for review at a summarized level.
In accordance with the Financial Management Regulation (FMR), DISA GF designed steps to
coordinate with mission partners that have outstanding payments of receivable transactions over
90 days. In order to properly monitor the aged receivables, DISA is required to submit a formal
letter to the mission partner for debts greater than 90 days outstanding that would prompt the
mission partner to fulfill their outstanding receivables. If there are past due receivables greater
than 120 days outstanding, DISA is required to create and submit an Elevation Package to the
mission partner. Within the Elevation Package, DISA must include a memorandum signed by the
Comptroller, formally notifying the mission partner of its aged outstanding receivables. DISA is
responsible for establishing the policies and procedures to determine the collectability of the
receivables to ensure that an allowance for the uncollectible amount is created, if necessary.
Condition: DISA GF cannot properly age its outstanding receivables without significant manual
processes and data manipulation. DISA GF’s UoT AR population includes outstanding bills,
receipts, and corrections that do not offset correctly within the GL population. Because of this,
DISA GF is unable to use DAI to generate an aging report for outstanding receivables by bill
number and, therefore, cannot accurately age receivables and implement processes and controls
related to the allowance for doubtful accounts.
Cause: Since the inception of DAI, DISA GF encountered several known system issues which
allowed for receipts to be processed without correctly or completely matching to the original bill
establishing the receivable. These posting errors require manual efforts to ensure that
transactions are reposted correctly. Further, a known issue within DAI prevents DISA from
generating an AR aging schedule. DISA is working with the DAI PMO to research potential
implementation of additional reporting functionality over its AR processes. In the meantime,
DISA has created a manual process to produce a UoT that includes an aged AR report by bill
number.
Effect: The manual efforts needed to resolve errors where receipts are posted into DAI without
matching to an outstanding bill introduce additional risk of misstatement when errors are not
corrected timely. Further, without an accurate and effective method of generating an AR aging
schedule, DISA cannot fully implement its control processes related to aged AR and the
calculation of the allowance over uncollectible accounts. Therefore, DISA GF has an increased
risk of overstating its AR balance and not fully collecting funds timely from its mission partners.
Recommendations: Kearney recommends that DISA continue to properly document and
execute the CAPs in place for the FY 2023 financial statement audit. Specifically, we
recommend that DISA perform the following:
1. Continue to coordinate with the DAI PMO to improve DAI functionality to assist in the
monitoring of aged receivables.
2. Ensure that the AR control environment incorporates any updates to the monitoring
controls and review of DISA’s AR balances and its service organization reconciliations.
3. Review aged AR balances to determine collectability and resolve outstanding receivables
timely.
4. Implement and document a process to research, identify, and correct systematic issues in
DAI in a timely manner to reduce the instances where receipt of funds is not properly
matched to the established receivable.
2. Reliable Defense Agencies Initiative General Ledger Report Data
Background: In October 2018, DISA transitioned its GL accounting system from the
Washington Headquarters Services Allotment and Accounting System (WAAS) to DAI, which is
managed by DLA. DAI was intended to improve and modernize the budget, finance, and
accounting operations of DISA and other DoD agencies for the purpose of achieving accurate
and reliable financial information in support of financial accountability and effective and
efficient decision-making. DISA GF also utilizes Advana to standardize and create functional
GL reports outside of DAI.
A GL accounting system is designed to process transactions systematically throughout the entire
lifecycle of an economic event, such as a bill or invoice. A receivable must be recognized when a
Federal entity establishes a claim to cash or other assets against other entities based on goods or
services provided. Further, a liability must be recognized when a Federal entity accepts title to
goods which remain unpaid or owes money for services rendered. When receivables are
collected or liabilities are paid, the previously established bill or invoice is liquidated and,
therefore, removed from the GL population. However, within DISA GF’s DAI GL system, these
proprietary asset and liability accounts, as well as the associated budgetary accounts, are
disrupted by errors and reclassifications from the unmatched and undistributed processes, which
break the link between receivable and collection, as well as invoice and payment. Specifically,
these transaction types relate to financial transactions that occur but do not properly post to the
correct corresponding budgetary and proprietary accounts and require significant manual
analysis and corrections to be properly accounted for.
Condition: DISA’s cumulative account balances for AR, AP, Undelivered Orders (UDO), and
Unfilled Customer Orders (UCO) include errors, reclassifications, and abnormal activity from
unmatched and undistributed transactions that inhibit their ability to perform effective analysis,
support statistically valid samples, and produce reliable financial statements. These residual
errors from unmatched, undistributed, and conversion activity limit the integrity of the data
available to DISA management. Further, DISA cannot use the functional reports from DAI, such
as “Open AR” or “Open AP,” because they do not tie to DISA GF’s trial balance. DISA’s
attempt to create a valid UoT begins with a report that includes every transaction that has been
recorded in DAI from inception and involves significant manual effort to remove off-setting
transactions and identify those transactions that compose the current balance.
Cause: DISA does not have effective controls established and has not identified all root causes
or implemented corrective actions to prevent unmatched and undistributed transactions. In order
to correct unmatched activity within DAI, DISA performs a process to void and cancel the
original transaction and re-enter the transaction matching to the bill/invoice. Duplicative
balances and residual errors from unmatched and undistributed transactions cause excessive
activity and result in increased file size and volume of transactions, which limits DISA’s ability
to appropriately reconcile, monitor, and support its GL balances within DAI.
Effect: Without the ability to generate accurate reports from DAI, DISA cannot identify, correct,
and attest to the validity of all transactions within its cumulative proprietary and budgetary
accounts. Manual data analysis through Advana is time-consuming and could potentially lead to
additional reporting errors due to the manual nature of the process. Additionally, DISA cannot
perform effective analysis or provide the appropriate GL documentation to successfully support
audit requests.
Recommendations: Kearney recommends that DISA continue to design approaches to reconcile
and review the GL data accurately and timely through enhancements to Advana. We also
recommend that DISA continue to work with its service organization and the DLA PMO to
perform the following:
1. Implement effective DAI report functionality and resolve errors to ensure reports
generated within DAI, such as “Open AR” and “Open AP,” agree to the trial balance.
2. Continue to work with its service organization to perform root cause analysis to identify
why transactions systematically do not interface into DAI. This should include
identifying which specific systems and transaction types fail to interface correctly and
implementing corrective actions to mitigate future unmatched and undistributed
transactions from being processed.
3. Develop and implement alternative methods to effectively correct unmatched
transactions and discontinue the void and cancel process within DAI.
III. Accounts Payable/Expense (Repeat Condition)
Deficiencies in three related areas, in aggregate, define this material weakness:
A. Lack of Accounts Payable Validation
B. Expense Samples Not Supported
C. Lack of Receipt and Acceptance
A. Lack of Accounts Payable Validation
Background: A liability is a responsibility of a Federal Government agency to provide assets or
services to another entity at a determinable date, when a specific event occurs, or on demand.
Federal agencies should only record a liability when there is a probable and measurable future
outflow or other sacrifice of resources as a result of past transactions. The United States Standard
General Ledger (USSGL) provides guidance on which USSGL accounts should be used to report
the various types of liabilities that a Federal entity may encounter.
When a Federal agency is preparing financial statements, a methodology for estimating amounts
owed, but not yet invoiced, must be established. This AP estimate ensures expenses are recorded
in the proper period using accrual accounting and the matching principle. Management is
responsible for developing these reasonable estimates based on assumptions and relevant factors
and comparing estimates with subsequent results to assess the accuracy of the estimation process.
An AP accrual is intended to recognize amounts owed by DISA for goods and services received,
but not yet invoiced. The majority of AP recorded by DISA GF is estimated. As of
September 30, 2022, invoiced AP totaled $10.7 million, while estimated AP totaled
$326.6 million. Nearly 75% of DISA GF’s estimated AP is with the WCF, which is validated
through a reconciliation process. The GF’s estimated non-WCF accrual subject to a separate
validation as of September 30, 2022 totaled $89.1 million.
Condition: DISA GF records estimated AP/Expenses based on a straight-line estimation
methodology of 91% of the total contract value over the period of performance specified in the
signed contract agreement. DISA calculated this estimate by reviewing its history of completed
contracts and the payments recorded compared to contractual ceiling values. DISA has not
successfully implemented a process or control over its non-WCF AP accrual to analyze subsequent
vendor invoices paid to determine which FY the underlying goods and services were received.
Such an analysis would provide a validation of whether the estimated AP reported at period-end
was estimated based on reasonable assumptions.
Cause: DISA has not successfully executed a process to validate its AP accrual estimates
through a review of documentation in a timely and effective manner that supports when the
goods or services were actually received. DISA is in the process of reviewing its AP accrual and
subsequent disbursements by vendor type. However, several factors continue to impact DISA’s
ability to complete the validation in a complete and timely manner. For example, supporting
documentation behind DISA’s intra-governmental expenses does not consistently contain
sufficient detail to determine when goods or services were actually incurred. Further, corrections
to prior-year unmatched disbursement activity cannot be easily identified and appear to be
current-year activity.
Effect: Without sufficient underlying supporting documentation and a process to validate the
reasonableness of significant accounting estimates, the estimates may be based on assumptions
that are not consistent with actual events and data. This increases the risk that DISA’s financial
statements may be misstated.
Recommendations: Kearney recommends that DISA perform the following:
1. Continue to execute its plan to perform an accrual validation through the review of
subsequent vendor invoices. DISA should compare actual vendor invoice amounts to the
estimated AP balance to assess the reasonableness of the estimate.
2. Reassess the reasonableness of the AP estimation technique and its underlying
assumptions based on the results and conclusion of the validation effort. This could
include analyzing and organizing the data and activity in similar categories.
3. Coordinate with its service organization to ensure expense transaction supporting
documentation contains sufficient evidence of when goods/services were provided, as
prescribed in the FMR.
B. Expense Samples Not Supported
Background: DISA participates in various types of transaction activities that generate expenses
for the agency which are reported on the SNC. These expenses are generated primarily through
the costs to provide IS services to various trading partners, as well as the standard, operational
expenses incurred throughout the FY. DISA GF records expenses based on cash payments and
estimated expenses based on a straight-line estimation methodology of 91% of the total contract
value over the period of performance specified in the signed contract agreement through an
accrual JV. DISA calculated this estimate by reviewing its history of completed contracts and the
expenses recorded compared to contractual ceiling values. DISA GF expenses recorded for the
period ended June 30, 2023 totaled $2.7 billion. DISA management is responsible for ensuring
expense transactions are recorded in the correct period for the correct amount and that
appropriate documentation is readily available to support the transaction.
As part of the procurement process, DISA obtains documentation for services received from the
vendor. This invoice type varies, as it is dependent on whether the transaction is between another
Government agency or a commercial vendor. When the transaction is with another Government
agency, DISA typically obtains an SF-1080, Vouchers for Transfers Between Appropriations
and/or Funds. DISA’s service organization processes and collects on behalf of the performing
agency for each source of intragovernmental transaction.
During FY 2023, DISA GF’s audit transitioned to an ACM. Based on prior-year audit results and
findings, a targeted sampling approach was designed to test only expense transactions that
occurred in October through December 2022. During that period, DISA GF recorded
$185.3 million in expenses that were subjected to audit testing.
Condition: A sample of 160 (110 Federal, 50 Non-Federal) GF expense transactions totaling
$105.2 million were selected for review. Several exceptions related to expenses recorded by
DISA in the current year; however, the supporting documentation provided indicated the expense
was incurred in a prior year and not accounted for through DISA’s prior-year accrual process.
Additionally, in some cases, the supporting documentation did not provide sufficient evidence
for when a good or service was performed. Testing indicated further exceptions for transactions
in which DISA was not able to provide sufficient audit evidence to support what period the
expense was incurred. Due to the ACM, DISA did not reach out to mission partners to resolve
the exceptions and retrieve additional supporting documentation. Results of testing are
summarized below:*
Exhibit 3: Expense Exception Results
Exception Type | Non-Federal Amount (Count) | Federal Amount (Count)
Prior Period Expense Error | $8.6 million (10) | $39.6 million (39)
Insufficient Service/Delivery Date Documentation to Conclude | $1.7 million (4) | $17.3 million (27)
Insufficient Goods/Service Description to Conclude | $9.5 million (26) | $60.1 million (83)
*Some exceptions may fall into multiple categories
Cause: DISA’s service organization does not always maintain appropriate evidence to support
the payments made on DISA’s behalf. DISA does not have controls in place to retain
documentation of when or what expenses were incurred.
Additionally, DISA has not established controls and methodologies to ensure expenses are
recognized in the appropriate period. As noted in NFR 2023-FIN-GF-14, Lack of Timely
Validation of Undistributed JVs, and NFR 2023-FIN-GF-02, Undistributed and Unmatched
Transactions, a significant number of payments are not recorded in DISA’s financial accounting
system timely and accurately, and DISA relies on payments to post expenses in its accounting
system. Historically, undistributed and unmatched transactions have hindered DISA’s ability to
develop and perform a supported GF AP accrual. For example, DISA GF’s accrual methodology
includes a provision to stop accruing expenses seven months after the contractual period of
performance end date. This methodology does not account for the fact that invoices may be
billed after seven months or may remain posted as unmatched or undistributed before correctly
posting to the Purchase Order (PO) in DAI. When transactions are not posted timely in DAI,
DISA GF’s accrual methodology cannot effectively ensure that the resulting estimated expenses
are accounted for in the correct period.
Effect: Without sufficient and appropriate audit evidence for underlying expenses, DISA is
unable to sufficiently support the amounts reported in DISA’s Gross Cost line (SNC) and AP
(Balance Sheet). This lack of documentation also impacts DISA’s ability to sufficiently complete
accrual estimates, with supported assumptions, to ensure expenses are posted in the proper
period.
Recommendations: Kearney recommends that DISA perform the following:
1. Design and implement procedures and controls to confirm the expenses are appropriately
recorded in the proper period or accounted for through DISA’s accrual process, as well as
contain the necessary documentation and support for each transaction type.
2. Require trading partners to provide sufficient and appropriate audit evidence for each
individual invoice transaction as part of the initial Military Interdepartmental Purchase
Request (MIPR) or contractual agreement.
3. Review the GF accrual methodology to determine if additional accruals or a change to the
current methodology is required based on the exceptions identified in the condition. This
may include studying significant trading partners, lag periods for billing activity, and
certain system interface analysis for undistributed/unmatched activity.
In addition, Kearney recommends that DISA coordinate with its service organization to perform
the following:
1. Ensure that sufficient and appropriate evidence is collected and maintained for each
expense transaction prior to processing the payment so DISA has readily available
documentation to support expense transactions (e.g., applicable invoice, matching
receiving report, and/or applicable contract).
2. Establish preventative controls to ensure payments made on behalf of DISA cannot
process as unmatched into DAI without a valid obligation and AP. This would ensure all
payments post correctly in DAI.
3. Develop and implement alternative methods to effectively correct unmatched transactions
and discontinue the void and cancel process within DAI.
C. Lack of Receipt and Acceptance
1. Intragovernmental Payment and Collection System Receipt and Acceptance Process
Background: DISA GF participates in Reimbursable Work Order (RWO) - Grantor (G)
transactions with its intragovernmental trading partners. Within an RWO-G agreement, DISA
grants reimbursable authority to another Federal entity that performs the work stipulated in the
agreement and bills DISA in order to replenish the funding that it expended on DISA’s behalf. In
this process, DISA, through its service organization, reimburses its trading partners using IPAC.
The IPAC system allows intragovernmental entities to transfer funding between one another as
reimbursement for goods and services provided. This system is configured to allow the service
organization to process payments without prior approval from the receiver of those goods or
services. These disbursements and collections are reported to Treasury on a monthly basis on
behalf of DISA by its service organization. DISA allows its service organization to accept and
create payments on its behalf. DISA retains responsibility for ensuring it has sufficient
appropriate documentation to support the payment.
Condition: DISA does not consistently obtain, review, and document the receipt and acceptance
of goods and services received from intragovernmental trading partners prior to payment.
Cause: DISA has engaged a service organization to process disbursements that pertain to
expenses on the entity’s behalf. DISA has not developed and implemented a formalized process
with supporting internal controls to validate trading partner activity prior to payment via
evidence of receipt and acceptance. It has not yet implemented G-Invoicing, which is required
for all new orders dated October 1, 2022 and later. DISA has not developed and implemented a
process to obtain timely post-payment evidence of receipt.
Effect: Without appropriate receipt and acceptance of trading partner activity, DISA is unable to
confirm the accuracy, validity, or timeliness of its intergovernmental transactions (both Gross
Costs and AP). As a result, it may have misstatements in its Gross Costs and AP in the period it
receives goods and services, as well as additional misstatements in the subsequent period when
the Gross Costs and AP are recorded. The entity is at increased risk of paying trading partners for
goods or services that did not conform with the terms of its agreements or that DISA did not
receive.
Recommendations: Kearney recommends that DISA coordinate with its service organization to
perform the following:
1. Design, track, and implement G-Invoicing and ensure the process is mitigating the issues
identified in the condition accordingly.
2. Design and implement a process to validate and document receipt and acceptance of
goods/services provided by intragovernmental trading partners to confirm the valuation
and occurrence of expense transactions.
3. Coordinate with trading partners to ensure Support Agreements (SA), Inter-Agency
Agreements (IAA), Memorandums of Understanding (MOU), or equivalent include
language requiring cooperation of the trading partner to provide any required
documentation necessary for DISA to validate the accuracy of the amounts that have
been billed.
2. Wide Area Workflow Receipt and Acceptance Documentation
Background: DISA GF procures various telecommunication and computing goods and services
throughout the year with both DoD and non-DoD agencies. DISA receives invoices for the
procured goods/services through the Wide Area Workflow (WAWF) system. A majority of these
transactions are invoiced through the system. WAWF provides the DoD and its suppliers with a
single point of entry to generate, process, and store invoices, receiving reports, non-contractual
payment requests, and acceptance data sets, as well as other related data to support DoD asset
visibility, tracking, and payment processes by a systematic flow for agencies. It provides the
connection of information related to the acceptance of goods and services in support of the DoD
supply chain. WAWF has a System and Organization Controls (SOC) 1® report that is
completed each FY in order to assess the specific systematic controls, as well as to identify the
complementary user entity controls (CUEC) that the user entity (i.e., DISA) has the
responsibility to implement to support WAWF transactions.
WAWF system end users include vendor technicians entering the invoice detail, as well as the
specific Contracting Officer’s Representatives (COR) who approve orders within WAWF, which
initiates payment. WAWF’s Program Office encourages the user entities to implement the
entity’s own policies and procedures relating to what is required to be confirmed for each
WAWF transaction. The WAWF process is initiated by the vendor, who is providing
goods/services to DISA, loading the invoice detail (e.g., amounts, Contract Line Item Number
[CLIN], description of goods and services, date received) into WAWF. The vendor submits this
summary of the invoice information and can also upload an electronic copy of the invoice from
the vendor’s accounting system for additional support as an attachment within WAWF. The
COR is responsible for verifying the vendor attachments in WAWF, ensuring the transaction is
accurate and valid, as well as documenting and retaining evidence of receipt.
Condition: DISA does not have a process in place to consistently validate the supporting
documentation submitted by vendors and approved by the COR prior to certification and
payment. DISA has not implemented a consistent process to document evidence of the review of
the invoice, receiving report, and contract/purchase request. Additionally, DISA has not
implemented the CUECs from the WAWF SOC 1® report regarding obtaining and maintaining
sufficient support to document evidence of receipt and acceptance of goods and/or services.
Cause: DISA management places reliance on the general functionality of the WAWF
environment in order to perform a systematic receipt and acceptance of the transactions. DISA’s
CORs and customers do not have a consistent methodology to retain the supporting
documentation of their concurrence, in having received the specific goods/services as noted by
their systematic approval. DISA has chosen not to outline or document a policy in place to
emphasize the COR’s retention of supporting documentation per the WAWF SOC 1® report,
which is documented as a key responsibility of DISA.
Effect: Without appropriate review of the supporting documentation submitted and attached for
receipt and acceptance within WAWF, there is an increased risk that DISA has not received the
goods or services described in the vendor invoice. CORs who are responsible for receipt and
acceptance will have varying decisions on what documentation would demonstrate acceptance,
thus resulting in an inconsistency across DISA. DISA is not able to support the accuracy,
validity, or timeliness of its receipt and acceptance in instances where the invoices are not
submitted with applicable descriptions of the goods or services, whether that is on a timely basis
or billed erroneously. Ineffective controls or control objectives may result from DISA’s failure to
implement internal controls to address all required CUECs.
Recommendations: Kearney recommends that DISA perform the following:
1. Design and implement a standardized process to perform a three-way match between the
invoice, receiving report, and contract/purchase request in order to validate the
documentation of the receipt and acceptance of goods and/or services provided by
vendors through WAWF.
2. Design and implement the CUEC described in the WAWF SOC 1® report to ensure that
the COR consistently reviews and documents evidence of the receipt and acceptance of
the goods and services prior to approving the invoice in WAWF. This may include
updating the Standard Operating Procedures (SOP) and COR training to meet those
requirements.
3. Establish a threshold to determine which invoices should be subject to an enhanced
control environment based on a risk assessment.
4. Further engage with the Procurement Services Directorate (PSD) to configure alternative
ways to provide evidence of the COR’s review over transaction support.
IV. Budgetary Resources (Repeat Condition)
Deficiencies in four related areas, in aggregate, define this material weakness:
A. Invalid Unfilled Customer Orders Without Advance Transactions
B. Invalid Undelivered Orders Transactions
C. Inaccurate Recoveries of Prior-Year Unpaid Obligations
D. Unsupported End-of-Year Obligations
A. Invalid Unfilled Customer Orders Without Advance Transactions
Background: USSGL Account 422100, Unfilled Customer Orders (UCO) Without Advance,
represents orders for goods and/or services to be furnished for other Federal Government agencies
and for the public. Federal agencies record UCOs Without Advance when they enter into an
agreement, such as a MIPR, contract, or sales order, to provide goods and/or services when a
customer cash advance is not received. These orders provide obligational budgetary authority for
reimbursable programs. Agencies should maintain policies and procedures to ensure that UCOs
represent valid future billings and collections.
DISA GF reported approximately $166.3 million in UCOs Without Advance on its
March 31, 2023 trial balance. The account balance is supported by a subsidiary ledger that
details information such as the fund, document number, order amount, and transaction date,
among other unique identifying details for each UCO balance.
DISA and its service organization’s current business processes and control structures allow
payments to be processed without correctly or completely matching all data elements to an
obligating document/AP balance in DAI. These transactions are processed as “unmatched.” For
undistributed transactions, when payments do not successfully interface into DAI, a bulk JV is
assigned to DISA, which reduces DISA’s FBWT and AP line items and corresponding Budget
Accounts. When an unmatched transaction interfaces to DAI and does not post to a PO, it creates
an abnormal UDO (4801) until it can be cleared by successfully matching to a PO. Once the
unmatched transaction is successfully cleared, the clearing transactions remain in the unmatched
UoT. The dormant UCOs are impacted by unmatched and undistributed transactions as revenue
transactions are driven by expenditures through a passthrough process.
In FY 2022, DISA GF implemented a control to record an adjustment for dormant UCOs, in
which the entity would post an on-the-top JV to reduce the obligation balance by the amount
identified. Dormant UCOs are identified as UCO balances for uncollected orders aged greater
than 365 days and with an obligation date greater than 18 months.
Condition: DISA GF’s control to adjust UCOs for dormant activity is based on inaccurate data
due to the effect of unmatched and undistributed transactions. Due to these limitations, the
dormant UCO control cannot be effective until the unmatched and undistributed transactions are
reduced to insignificant amounts.
Cause: Systems used for processing DISA’s obligations and disbursements do not have effective
controls established to prevent disbursements from being processed when they cannot be
matched to an outstanding payable and obligation. All undistributed transactions that are
assigned to DISA but do not interface into DAI are posted via a JV through DISA’s service
organization’s reconciliation process. DISA has not yet identified all root causes or implemented
corrective actions for undistributed and unmatched disbursements (refer to the documented
finding at NFR 2023-FIN-GF-02, Undistributed and Unmatched DAI Transactions).
The accuracy of DISA’s data and effectiveness of its process to identify dormant UCOs and
adjust its financial statements is impacted by unmatched and undistributed transactions. Without
resolving these issues, DISA is unable to confirm the validity and accuracy of a significant
number of its UCO balances.
DISA has not developed internal controls to ensure that all JVs, such as the adjustments to
reduce UCOs at year-end, are appropriate and supported by documentation.
Effect: Because DISA cannot account for the impact of unmatched and undistributed
transactions, it cannot reconcile and assert to the completeness, accuracy, and validity of its UCO
population. Without sufficient and appropriate audit evidence for the validity of the UCOs,
DISA’s Statement of Budgetary Resources (SBR) Lines 1071, Unobligated balance from prior
year budget authority, net (discretionary and mandatory), and 1890, Spending Authority from
offsetting collections (discretionary and mandatory), could be materially misstated.
Recommendations: Kearney recommends that DISA perform the following:
1. Identify unmatched transactions and undistributed amounts affecting the UCOs Without
Advance population.
2. Continue to perform analysis to determine the root cause of the unmatched and
undistributed transactions and establish controls to mitigate future transactions from
being processed unless its service organization can confirm they will post correctly.
3. Implement policies to ensure that funds holders are adequately assessing the validity of
the open UCO balances and liquidate invalid UCOs when possible.
4. Implement policies, or update existing policies, which require PSD to process contract
actions timely once all goods and services have been provided to the customer.
5. Ensure deobligations of UCOs are supported by documented communications and
agreements with customer organizations.
B. Invalid Undelivered Orders Transactions
Background: UDOs represent the amount of goods and/or services ordered which have not been
actually or constructively received and for which amounts have not been prepaid or advanced.
Federal agencies record UDOs when they enter into an agreement, such as a MIPR, contract, or
sales order, to receive goods and/or services. Agencies should maintain policies and procedures
to ensure that UDOs represent valid future outlays.
DISA GF reported more than $1.76 billion in UDOs on its March 31, 2023 trial balance. The
account balance is supported by a subsidiary ledger that details information such as the document
number, obligated amount, undelivered amount, and transaction date, among other unique
identifying details for each UDO balance.
DISA and its service organization’s current business processes and control structures allow
payments to be processed without correctly or completely matching all data elements to an
obligating document/AP balance in DAI. These transactions are processed as “unmatched.” For
undistributed transactions, when payments do not successfully interface into DAI, a bulk JV is
assigned to DISA, which reduces DISA’s FBWT and AP line items and corresponding Budget
Accounts. When an unmatched transaction interfaces to DAI and does not post to a PO, it creates
an abnormal UDO (4801) until it can be cleared by successfully matching to a PO. Once the
unmatched transaction is successfully cleared, the clearing transactions remain in the unmatched
UoT.
In FY 2022, DISA GF implemented a control to record an adjustment for dormant UDOs, in
which DISA would post an on-the-top JV to reduce the obligation balance by the amount
identified. Dormant UDOs are identified as UDO balances for uncollected orders aged greater
than 365 days and with an obligation date greater than 18 months.
Condition: DISA GF’s control to adjust UDOs for dormant activity is based on inaccurate data
due to the effect of unmatched and undistributed transactions. Due to these limitations, the
dormant UDO control cannot be effective until the unmatched and undistributed transactions are
reduced to insignificant amounts.
Cause: Systems used for processing DISA’s obligations and disbursements do not have effective
controls established to prevent disbursements from being processed when they cannot be
matched to an outstanding payable and obligation. All unmatched transactions that are assigned
to DISA but do not interface into DAI, known as “undistributed transactions,” are posted via a
JV through DISA’s service organization reconciliation process. DISA has not yet identified all
root causes or implemented corrective actions for undistributed and unmatched disbursements
(refer to the documented finding at NFR 2023-FIN-GF-02, Undistributed and Unmatched DAI
Transactions).
The accuracy of DISA’s data and effectiveness of its process to identify dormant UDOs and adjust its
financial statements is impacted by unmatched and undistributed transactions. Without resolving
the issues, DISA is unable to confirm the validity and accuracy of UDO balances.
Effect: Because DISA cannot account for the impact of unmatched and undistributed
transactions, it cannot reconcile and assert to the completeness, accuracy, and validity of its
UDO population. Without sufficient and appropriate audit evidence for the validity of the UDOs,
DISA’s SBR Lines 1071, Unobligated balance from prior year budget authority, net
(discretionary and mandatory), and 2190, New obligations and upward adjustments (total)
Unobligated balance, end of year, could be materially misstated.
Recommendations: Kearney recommends that DISA perform the following:
1. Implement procedures to determine the impact of the unmatched and undistributed
transactions on the GF UDO population, to include the impact of obligations not recorded
in DAI.
2. Continue to perform analysis to determine the root cause of the unmatched and
undistributed transactions and establish controls to mitigate future transactions from
being processed unless its service organization can confirm they will post correctly.
3. Update existing policies to ensure that funds holders are adequately assessing the validity
of the open UDO balances and deobligate invalid UDOs when possible.
4. Implement policies, or update existing policies, which require PSD to process contract
actions timely once all goods and services have been provided to the customer.
C. Inaccurate Recoveries of Prior-Year Unpaid Obligations
Background: Recoveries of unpaid obligations consist of USSGL Accounts 487100, Downward
Adjustments of Prior-Year Unpaid Undelivered Orders – Obligations, Recoveries, and 497100,
Downward Adjustments of Prior-Year Unpaid Delivered Orders – Obligations, Recoveries.
These accounts represent Recoveries during the current FY resulting from downward
adjustments to obligations or delivered orders originally recorded in a prior FY. Recovered
budget authority is presented on SBR Line 1071, Unobligated Balance from Prior Year Budget
Authority, net. DISA is responsible for developing policies and procedures to ensure that
budgetary activity is accurately reported in accordance with USSGL guidelines.
DISA GF reported $357.4 million in Recoveries to USSGL Account 487100 on its
March 31, 2023 trial balance. The account balance is supported by transaction-level detail that
contains information such as document number, project number, and amount, among other
identifying details.
DISA developed a JV process starting in Q2 of FY 2021 to remove Inaccurate Recoveries of
Prior-Year Unpaid Obligations resulting from DAI posting logic issues. Specifically, DISA
became aware that the processing of certain administrative modifications resulted in
inappropriate postings to its budgetary accounts. To adjust for these inaccurate postings, DISA
determines the Inaccurate Recoveries of Prior-Year Obligations from the UDO report identifying
matching transactions to General Ledger Account Codes (GLAC) 4871 and 4881.
Condition: A sample of 15 Recoveries of Prior-Year Obligations was selected for review. As a
result of testing, the following exceptions were identified:
- Five Recoveries of Prior-Year Obligations totaling $8.5 million where the Deobligation
  Acceptance was recorded in the incorrect FY and, therefore, untimely
- Five Recoveries of Prior-Year Obligations totaling $4.8 million where the Deobligation
  resulted from either funding being moved from one CLIN to another, movement of funds
  from one PO to another, or Administrative Update. The administrative changes should
  not have resulted in a downward adjustment of Prior-Year Obligation.
Cause: Despite DISA’s implementation of a new process to identify and adjust for erroneous
transactions resulting from DAI posting logic issues, a significant number of unsupported or
untimely transactions exist in DISA’s accounts. Additionally, DISA’s financial system, DAI,
does not allow administrative changes on Prior-Year Obligations without posting the
administrative change through USSGL Accounts 487100 and 488100, causing errors on the
SBR. In some instances, DISA has not yet implemented effective control procedures to ensure
that transactions recorded to USSGL Account 487100 were properly supported downward
adjustments to Prior-Year Obligations. DISA also did not have effective control procedures to
ensure that transactions recorded in USSGL Account 487100 were recorded in a timely manner
in the correct FY.
Effect: SBR Line 1071, Unobligated balance from prior year budget authority, net
(discretionary and mandatory), was misstated due to $13.3 million in known errors as of
March 31, 2023.
Recommendations: Kearney recommends that DISA perform the following:
1. Implement a process and controls to ensure that all transactions recorded to USSGL
Account 487100 reference obligations that were recorded in a prior FY and are recorded timely.
2. Implement procedures to confirm that each transaction is supported by documentary
evidence meeting the requirement for Government obligations of USSGL Account
487100 transactions to ensure that any transactions are produced by accounting events
(i.e., contractual deobligation and not administrative fund changes).
3. Work with the DAI PMO to implement a systems change that allows administrative
changes to Prior-Year Obligations without posting an entry to USSGL Account 487100.
D. Unsupported End-of-Year Obligations
Background: UDOs represent the amount of goods and/or services ordered which have not been
actually or constructively received and for which amounts have not been prepaid or advanced.
Federal agencies record UDOs when they enter into an agreement, such as a MIPR, contract, or
sales order, to receive goods and/or services. Agencies should maintain policies and procedures
to ensure that UDOs represent valid future outlays.
DISA GF reported more than $1.76 billion in UDOs on its March 31, 2023 trial balance. The
account balance is supported by a subsidiary ledger that details information such as the document
number, obligated amount, undelivered amount, and transaction date, among other unique
identifying details for each UDO balance. It is the responsibility of DISA management to ensure
that all End-of-Year (EOY) modifications (MOD) are supported by adequate documentation.
Condition: DISA GF reported $13.6 million in EOY MODs as of September 30, 2022, where
the entity recorded an unsupported obligation to match a customer order. DISA was unable to
provide evidence that an obligation existed, such as a contract with a vendor to provide the
requested goods or services to the customer agency. It subsequently deobligated these amounts in
FY 2023, causing an overstatement in USSGL 487100, Downward Adjustment of Prior-Year
Unpaid Undelivered Orders.
Cause: DISA recorded unsupported obligations to preserve funding provided on a customer
order. It also recorded the unsupported obligation based on anticipated EOY usage charge for
customer orders to preserve funding and does not have a control to ensure there is a written
agreement with a vendor.
Effect: Because DISA cannot provide supporting documentation to verify the amount of the
EOY MODs, it cannot reconcile and assert to the completeness, accuracy, and validity of its
UDO population. Without sufficient and appropriate audit evidence for the validity of the UDOs,
DISA’s SBR Lines 1071, Unobligated balance from prior year budget authority, net
(discretionary and mandatory), and 2190, New obligations and upward adjustments (total)
Unobligated balance, end of year, could be materially misstated.
Recommendations: Kearney recommends that DISA perform the following:
1. Update existing procedures for recording obligations for estimated usage charges for
customer orders at year-end to ensure that obligations are only recorded when valid
obligations exist, are supported by documentary evidence in accordance with 31 United
States Code (U.S.C.) 1501, and represent a valid future outlay.
V. Financial Reporting (Repeat Condition)
Deficiencies in three related areas, in aggregate, define this material weakness:
A. Untimely Issuance of Requested Audit Documentation and Financial Statement Package
B. Undistributed and Unmatched Defense Agencies Initiative Transactions
C. Lack of Timely Validation of Undistributed Journal Vouchers
A. Untimely Issuance of Requested Audit Documentation and Financial Statement
Package
Background: As a part of the financial statement audit of the DISA GF, DISA management will
submit Provided by Client (PBC) documentation regularly throughout the course of the audit.
Because of the nature of a financial statement audit, DISA management receives specific
supporting documentation requests at FY-end to substantiate the balances reported within the
financial statements as of September 30, 2023 and to support critical year-end procedures, which
are necessary for DISA to obtain an opinion on its financial statements. DISA is responsible for
preparing and maintaining the documentation in order to be readily available for auditors and
applicable stakeholders.
DISA’s service organization compiles DISA GF’s financial statements. When the financial
statement compilation process is initiated, the DISA GF DDRS-B trial balance is imported into
DDRS Audited Financial Statements (AFS). Once received, the Defense Agencies Audited
Financial Statements Branch collects, consolidates, and identifies all ODO’s GF financial
activity for the Defense agencies under its purview and reports the information within
DDRS-AFS. DISA GF utilizes the DDRS-AFS information to complete the year-end financial statement
package, to include the draft Agency Financial Report (AFR) with Management’s Discussion
and Analysis, financial statements, footnotes, and Other Information. Historically, DISA GF’s
financial statements have included both a high volume and material amount of on-top JV
adjusting entries posted in DDRS-B and DDRS-AFS. In order to determine what composes the
ending balances reported in DDRS-AFS, DISA creates a crosswalk from its GL system, DAI, to
DDRS-AFS. DISA relies on its service organization to provide the JV listings out of DDRS-B
and DDRS-AFS to complete the crosswalk. DISA management is responsible for performing a
quality control review of the files prepared by its service organization.
OUSD(C) has established due dates for the submission of year-end documents to allow agencies
to meet the schedule requirements of their respective financial statement audits. The DoD Office
of Inspector General (OIG) establishes contractual deadlines for DISA’s external auditors, which
include requiring the draft audit report, with all underlying supporting working papers,
including the aforementioned working papers related to the financial statements, footnotes, and
related audit documentation, to be completed by deadlines at the end of October each FY.
Condition: DISA GF, in coordination with its service organization, was unable to provide several
of the applicable audit documentation requests in time for year-end testing procedures, which
would be necessary to conclude on a potential audit opinion and maintain compliance with
contractual external audit deliverables. Specifically, the following documents listed in Exhibit 4
below, which are needed to perform testing procedures over and support the final reported
amounts on the AFR, were not provided in time for year-end testing procedures to be performed
in time for contractual audit deliverables. Per the Statement of Work, the draft portion of the
Testing Phase and Reporting Phase are due October 25 and October 26, respectively. See below
for the financial reporting audit documentation requests that were not received on-time or before
the October 25, 2023, deadline:
Exhibit 4: PBC Timeline and AFR Schedule

| PBC Name | Date Due to the Auditor | Date Received by Auditor |
|---|---|---|
| September 30, 2023 GL Activity | 10/11/2023 | 10/16/2023 |
| September 30, 2023 Financial Statements and Footnotes | 10/20/2023 | 10/25/2023 |
| September 30, 2023 TI-97 GF Audit Workbook | 10/23/2023 | 10/24/2023 |
| September 30, 2023 Unallocated Funds Reconciliation | 10/27/2023 | Not received as of 10/25/2023 |
| September 30, 2023 CMR GF Undistributed Posting | 11/3/2023 | Not received as of 10/25/2023 |
| TI-17 September 30, 2023 Suspense Aging, UoT, and Cleared Analysis | 11/9/2023 | Not received as of 10/25/2023 |
| TI-21 September 30, 2023 Suspense Aging, UoT, and Cleared Analysis | 11/9/2023 | Not received as of 10/25/2023 |
| TI-57 September 30, 2023 Suspense Aging, UoT, and Cleared Analysis | 11/9/2023 | Not received as of 10/25/2023 |
| TI-97 September 30, 2023 Suspense Aging, UoT, and Cleared Analysis | 11/9/2023 | Not received as of 10/25/2023 |
| September 30, 2023 Payroll Register Reconciliation | 10/19/2023 | 10/23/2023 |

Cause: DISA’s current procedures and dependencies on its service organization contribute to its
inability to timely and sufficiently provide documentation in a reasonable timeframe for financial
reporting and audit timelines. The OUSD(C) schedule does not allow sufficient time for review
and performance of testing procedures by external component auditors of necessary audit
documentation in time for the draft audit report due date of October 26, 2023. Additionally, the
process of posting a high volume of material adjusting entry JVs into DDRS-B and DDRS-AFS,
rather than ensuring entries are posted in DISA’s GL system in time for year-end reporting,
contributes to the need to perform testing procedures over year-end JVs for the draft audit report.
Effect: Without readily available documentation, DISA management may not be able to perform
critical functions to monitor and provide requests necessary to obtain an audit opinion or provide
year-end financial statements and reports to the relevant stakeholders and auditors. Delayed PBC
items which were provided shortly before or after that date did not allow sufficient time to
complete required audit procedures.
There is an increased risk that the lack of controls and processes in place prevents DISA from
adequately substantiating whether the balances reported within DISA GF’s financial statements
are materially correct and presented in accordance with GAAP.
Recommendations: Kearney recommends that DISA perform the following:
1. Continue to develop processes and facilitate the delivery of critical audit documentation
requests made by the external auditor in line with quarterly and year-end financial
reporting timelines.
2. Develop and implement processes which ensure timely posting of accounting entries into
the GL system, DAI, and reduce the volume of adjusting entry JVs entered on-top via
DDRS-B and DDRS-AFS.
3. Coordinate with its service organization and OUSD(C) to establish processes and
controls for completing year-end financial reporting documentation in a timelier manner
to be available for external audit review and testing.
B. Undistributed and Unmatched Defense Agencies Initiative Transactions
Background: In October 2018, DISA transitioned its GL accounting system from WAAS to
DAI, which is managed by DLA. Due to data conversion and posting logic challenges, a
significant number of payments made by DISA’s service organization on behalf of DISA were
processed without matching the payment to the appropriate project within DAI. Payments not
linked to a document in DAI, also called “unmatched” disbursements, generate expense
transactions. In order to correct unmatched activity within DAI, DISA’s service organization
voids and cancels the original transaction. In some cases, transactions are not posted to DAI or
fail to interface but are assigned to DISA and posted through an unsupported JV entry, called
“undistributed” activity.
When a Federal agency prepares financial statements, a methodology for estimating amounts
owed, but not yet invoiced, must be established. The AP estimate ensures expenses are recorded
in the correct period following accrual accounting and the matching principle. The DISA GF
records estimated AP/Expenses based on a straight-line estimation methodology of 91% of the
total contract value over the period of performance specified in the signed contract agreement.
This estimate, along with other key estimates, relies on accurate and complete obligation and
payment data in DAI. Management is responsible for developing these reasonable estimates
based on assumptions and relevant factors and comparing estimates with subsequent results to
assess the accuracy of the estimate.
As identified as part of FY 2022 UDO testing, when an unmatched transaction interfaces to DAI and
does not post to a PO, the unmatched transaction posts to a project segment “0” and creates an
abnormal UDO (4801) until cleared by successfully matching to a PO. Once the unmatched
transaction is successfully cleared, the clearing transactions remain on the unmatched UoT.
DISA conducts manual research to determine why the transaction did not post to the correct
project and coordinates with its service organization to post the correction to clear the unmatched
transaction in DAI. To preserve the integrity of the financial IS, it is important to identify and
prevent unmatched and undistributed transactions and develop a reasonable estimate to establish
a proper AP
Condition: DISA and its service organization’s current business processes and control structures
allow payments to be processed without correctly or completely matching all data elements to an
obligating document/AP balance in DAI. These transactions are processed as “unmatched.” For
undistributed transactions, when payments do not successfully interface into DAI, a bulk JV is
assigned to DISA, which reduces DISA’s FBWT and AP line items. This JV is unsupported
without underlying details available at the time it is posted. In order to clear unmatched
transactions from DAI, a manual process of research and coordination with its service
organization is required by DISA. Clearing unmatched transactions through the manual void and
cancel process causes errors to remain in DISA’s accounting records and financial statements.
These cumulative errors impact the ability to select and conduct adequate testing on these
balances.
For the period ended June 30, 2023, the following amounts remained unmatched and
undistributed:
Exhibit 5: Unmatched and Undistributed Balances

| Account | Unmatched/Undistributed Amounts |
|---|---|
| Unmatched Expense | ($980.4) thousand |
| Unmatched AP | $215.7 thousand |
| Unmatched UDOs | $5.85 million |
| Undistributed | $17.1 million* |

*Net, Undistributed JVs’ impact reduces AP and cash
Cause: Systems used for processing DISA’s obligations and disbursements do not have effective
controls established to prevent disbursements from being processed when they cannot be
matched to an outstanding payable and obligation. All undistributed transactions that are
assigned to DISA but do not interface into DAI are posted via JV through a reconciliation
process completed by DISA’s service organization.
DISA has not yet identified all root causes or implemented corrective actions for undistributed
and unmatched disbursements. However, DISA officials have identified several causes of
unmatched transactions to date, including:
- Certain Disbursing Offices do not interface specific data elements, such as CLIN and
  Accounting Classification Reference Numbers (ACRN)
- Some documents have truncated document numbers
- Payment amounts are higher than the project’s AP balance
- Typographical errors (i.e., “0” versus “O”) exist
- Certain systems do not interface correctly into DAI and drop key data elements required
  to pass validation checks and match appropriately in DAI
- Obligating documents are not always entered timely in DAI, and payments are sometimes
  made before initial agreements and/or modifications are recorded.
Effect: Unmatched/undistributed transactions result in several negative impacts to DISA’s
financial management and reporting processes. When material undistributed/unmatched
transactions exist, DISA cannot perform effective analysis or assert to the existence or
completeness of its FY 2023 Gross Costs on its SNC or Cumulative Results of Operations
(CRO) on its Balance Sheet. DISA cannot perform an effective AP accrual or accrual validation,
conduct cut-off procedures, support the validity of open obligations, or support that the amounts
reported on Gross Costs on its SNC and AP on its Balance Sheet are complete and exist or
occurred.
The process to clear and post unmatched activity correctly into DAI causes duplicative activity
within DAI, limiting DISA’s ability to produce reliable GL data, and leaves the Unmatched
clearing transactions on the UDO UoT, which was identified as part of the FY 2022 UDO testing
results. Undistributed and unmatched transactions could lead to erroneous or duplicative
disbursements made without detection until the completion of the manual research process. The
manual process needed to resolve undistributed/unmatched transactions introduces additional
risk of misstatement and is inherently inefficient. Prior-year misstatements impact the Gross
Costs (SNC), which are unaddressed, resulting in an overstatement in the CRO balance (Balance
Sheet). DISA has not determined the impact to SBR Lines 2190, New Obligations and Upward
Adjustments, and 1071, Unobligated balance from Prior-Year Budget Authority, Net.
Recommendations: Kearney recommends that DISA perform the following:
1. Conduct an analysis over the unmatched expense population and the contract accrual
population to determine the impact of double-counted prior-year Gross Cost (SNC)
transactions, which are now in CRO (Balance Sheet) in order to post an adjustment based
on the analysis. This should include a review of abnormal AP balances.
2. Review cumulative GL accounts, such as AP and UDOs, to remediate and correct prior-
period errors in order to determine the potential misstatement to prior-period and current-
year activity.
In addition, Kearney recommends that DISA work with its service organization and the DLA
PMO to perform the following:
1. Establish preventative controls to ensure payments made on behalf of DISA cannot
process as unmatched into DAI without a valid obligation and AP. This would ensure all
payments are posted correctly in DAI.
2. Perform root cause analysis to identify why transactions systematically do not interface
into DAI. This should include identifying which specific systems and transaction types
fail to interface correctly and implementing corrective actions to mitigate future
unmatched and undistributed transactions from being processed.
C. Lack of Timely Validation of Undistributed Journal Vouchers
Background: DISA is one of the TI-97 ODO whose funds are aggregated at Treasury. Treasury
maintains and reports FBWT balances at the TAS level, rather than at the limit level, which
would distinguish DISA’s FBWT balance from the aggregated ODO FBWT amount. DISA’s
service organization’s Treasury Division produces the CMR to provide ODOs with individual
FBWT at limit level.
DISA’s service organization prepares various JVs for DISA and other customers and processes
them within DDRS-B. DISA’s service organization processes many of these JVs within DDRS-
B, on behalf of DISA, including the Undistributed Cash JV. Since the accounting cycle is cut off
the last day of each month, there is a timing difference between cash transactions reported on the
CMR by DISA’s service organization on behalf of TI-97 agencies, including DISA, and cash
transactions recorded in agencies’ GL, including DAI and the Financial Accounting and
Management Information System (FAMIS) WCF for DISA GF and DISA WCF, respectively.
The CMR is used to prepare the Undistributed JV. The Advana repository is not available until
after the JVs have been completed. The Undistributed JV is prepared by calculating the
difference between the CMR and the DAI trial balance. The JV is recorded to eliminate the
difference between the CMR and DISA’s GL. Each month, DISA’s service organization prepares
the Undistributed JV, DISA reviews the JV, and its service organization then processes it in
DDRS-B. The difference is known as the Undistributed Cash amount, as it includes transactions
which have not been distributed to the specific agencies’ GL system.
DISA is responsible for ensuring FBWT is reconciled and maintaining effective internal controls
over its financial reporting to prevent, detect, or correct material misstatements in a timely
manner, as mandated by the DoD FMR and Government Accountability Office (GAO). This
includes reviewing, approving, and maintaining support for all transactions and JVs recorded by
DISA or by its service organization on DISA’s behalf. By not administering these steps, DISA is
at risk of posting unsupported adjusting entries and potentially reporting material misstatements
in its financial statements. Additionally, DISA is responsible for implementing and maintaining
effective controls and system interfaces to ensure that transactions posted outside of its GL
system are recorded to its financial statements timely and accurately.
Condition: DISA does not have effectively designed controls in place to ensure and verify in a
timely manner that the transactions on the Undistributed JV belong to DISA and are adequately
supported. At the time of its posting, the Undistributed JV is not validated or researched by
DISA to verify that the transactions included in this JV belong to DISA (i.e., were properly
attributed to DISA based on the full LOA, including limit). Additionally, the Q3 Undistributed
samples were unable to be supported timely. The sample was submitted on September 19, 2023
with a due date of October 3, 2023 and, after multiple extensions, the final submission of sample
support was received on October 18, 2023.
Cause: Though DISA performed a root cause analysis in response to prior-year NFR 2022-
FIN-GF-09, Lack of Timely Validation of Undistributed JVs, and determined the source
systems from which transactions are not properly interfacing to DAI, DISA did not effectively
identify the specific causes regarding why the transactions do not interface from those source
systems into DAI. Further, DISA did not validate that all of its financial systems properly
interface to DAI, ensuring transactions are recorded timely. The Undistributed JV as of Q3 FY
2023 includes 2,780 transactions from multiple different source systems for which transactions
are processed but are not making it into DISA GF’s DAI GL system timely.
Additionally, DISA has not designed or implemented effective controls to reconcile and review
Undistributed adjustments that are posted to its FBWT or resolve any differences timely and
ensure that they are properly supported. In particular, there are no front-end controls in place to
validate that the transactions included in the Undistributed JV belong to DISA and are supported
with proper documentation.
DISA does not effectively monitor the CMR process to ensure that the data populating the CMR
is accurate and transactions belong to them. When the CMR data is reconciled in Advana, there
are not sufficient controls to verify that the limits are accurate, so the accuracy of the data that
processes through the CMR, Advana, and, ultimately, to DISA’s financial statements is not
properly verified (see the documented control deficiency over the Advana process at NFR 2023-
FIN-GF-08, Lack of Controls over the Advana Process).
Effect: As a result of a lack of effective controls in place, the following line items were adjusted
without validating the transactions or obtaining appropriate supporting documentation for the
transactions prior to posting (amounts in millions):*
Exhibit 6: Undistributed Balances per Line Item
Line Item | September 2022 | December 2022 | March 2023 | June 2023
FBWT | ($16.8) | ($42.1) | ($23.6) | ($17)
AR | ($1.1) | $1.2 | ($2.8) | ($3.5)
AP | $17.9 | $40.9 | $26.4 | $20.5
*Amounts of AR and AP combined do not equal amounts of FBWT due to limitations in data available.
While DISA has made progress over the past FY in determining the split between amounts
recorded to “Intragovernmental” and “Other than intragovernmental” for AR or AP, the
percentages and Advana data used to create them are not reliable or readily available at the time of
the Undistributed JV entry. Therefore, DISA is unable to effectively support the percentage
allocation in its current form. This increases the risk that the Undistributed postings to
Intragovernmental AR and AP and Other than Intragovernmental AR and AP are misstated.
Without appropriate processes and controls in place, there is an increased risk that FBWT, AP,
and AR are materially misstated on DISA’s financial statements and may not be presented in
accordance with GAAP.
Recommendations: Kearney recommends that DISA perform the following:
1. Continue to perform root cause analysis to identify why transactions do not make it into
DISA GF’s DAI system and why some external systems do not appropriately interface
with DAI. DISA should determine what steps are necessary to fix the interface issues and
ensure that transactions post correctly and timely into DISA GF’s DAI to reduce the
balance and material impact of the monthly Undistributed JVs.
2. Monitor the Undistributed adjustments recorded in DDRS-B and research all unsupported
adjustments to ensure the FBWT balances reported are accurate and complete prior to
posting.
3. Document and implement appropriate controls to ensure that the balances recorded
within the financial statements are appropriately classified and truly belong to DISA.
4. Develop and implement procedures to maintain readily available supporting
documentation for the transactions included in the Undistributed JVs.
* * * * *
Significant Deficiencies
Throughout the course of our audit work of the Defense Information Systems Agency (DISA)
General Fund (GF), we identified internal control deficiencies which were considered for the
purposes of reporting on internal control over financial reporting. The significant deficiencies
presented in this Schedule of Findings have been formulated based on our determination of how
individual control deficiencies, in aggregate, affect internal control over financial reporting.
Exhibit 7 presents the significant deficiencies identified during our audit:
Exhibit 7: Significant Deficiencies
Significant Deficiency | Significant Deficiency Sub-Category
I. Property, Plant, and Equipment | A. Property, Plant, and Equipment Completeness Issue
II. Information Technology | A. Incomplete Complementary User Entity Controls Implementation
I. Property, Plant, and Equipment (New Condition)
A. Property, Plant, and Equipment Completeness Issue
Background: The June 30, 2023 DISA GF General Property, Plant, and Equipment (PP&E) line
item on the Balance Sheet was composed of leasehold improvements, equipment, software, and
Construction in Progress (CIP) with a net book value (NBV) of $356.8 million.
The Federal Accounting Standards Advisory Board (FASAB) defines PP&E as meeting the
criteria of having an estimated useful life of two or more years that are not intended for the sale
in the ordinary course of operations and has been acquired or constructed with the intention of
being used or being available for use by the entity. FASAB defines an expense as an outflow of
or other decrease in assets, an increase in liabilities, or a combination of both that results in a
decrease in the Government's net position during the reporting period.
When purchases are made, the Office of the Chief Financial Officer (OCFO) routes potential
capital asset purchases to DISA’s Capital Asset Management (CAM) Team to manually review
the acquisition package. The CAM Team determines if the asset is capital or non-capital using
the Capital Determination Checklist. It is the responsibility of DISA management to ensure that
expenditures are being properly recorded as either capital purchases on the Balance Sheet or
expenses on the Statement of Net Cost (SNC).
Condition: A limited pilot sample of 160 expense transactions was subject to sample-based
testing related to PP&E completeness testing. Testing revealed three exceptions totaling
approximately $4.8 million that were incorrectly expensed and should have been capitalized.
Cause: DISA OCFO did not complete its internal control procedures, which include identifying
potential capital purchases and notifying the CAM Team to complete the Capital Determination
Checklist. DISA GF failed to properly identify and capitalize purchases that met its capitalization
criteria thresholds.
Effect: The exceptions noted during sample-based testing amounted to an approximately $4.8
million understatement of DISA’s PP&E line on the June 30, 2023 Balance Sheet and an
overstatement of approximately $4.8 million of the Gross Costs line on the June 30, 2023 SNC.
However, due to the nature of this control deficiency, additional misstatements may exist on the
Balance Sheet and SNC. Without effective operating controls related to DISA GF’s
capitalization policies and procedures, there is an increased risk that DISA GF will continue to
incorrectly expense capital asset purchases.
Recommendations: Kearney & Company, P.C. (Kearney) recommends that DISA perform the
following:
1. Expand its existing control for the Capital Determination Checklist to ensure that all
equipment purchases are included in the control.
2. Review existing agreements that are not subject to the Capital Determination Checklist to
ensure additional misstatements are corrected timely.
II. Information Technology (Repeat Condition)
A. Incomplete Complementary User Entity Controls Implementation
Background: DISA utilizes several service organizations to support its operations and mission.
As such, DISA obtains assurances from each organization regarding the effectiveness of the
organization’s internal controls related to the service(s) provided. Specifically, each organization
provides a written assertion that accompanies a description of its service(s) and related
information system(s) (IS). These assertions are communicated via a System and Organization
Controls (SOC) report. In fiscal year (FY) 2023, each service organization provided DISA
management with a SOC 1®, Type 2, Report on an Examination of Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting, to report on
the design and operating effectiveness of its internal controls.
In many cases, service organizations design their controls in support of their service(s) with the
assumption that the user entities (i.e., customers or users of the service[s]) will implement certain
controls (i.e., complementary user entity controls [CUEC]) to achieve the overall control
objectives and create a secure computing environment. Specifically, Statement on Standards for
Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and
Recodification, defines CUECs as controls that management of the service organization assumes,
in the design of the service organization’s system, will be implemented by user entities and are
necessary to achieve the control objectives stated in management’s description of the service
organization’s system.
DISA relies on multiple service organizations and their respective SOC reports to gain an
understanding of the security posture of each of the systems upon which DISA relies. For
example, DISA utilizes the Defense Logistics Agency’s (DLA) Defense Agencies Initiative
(DAI) system for financial management; DLA’s Defense Property Accountability System
(DPAS) for logistics and property management services; DLA’s Wide Area Workflow (WAWF)
for management of goods and services; the Defense Finance and Accounting Service’s (DFAS)
Defense Cash Accounting System (DCAS) for transaction distribution services; DFAS’s Defense
Civilian Pay System (DCPS) for Federal civilian payroll services; DFAS’s Defense
Departmental Reporting System (DDRS) for financial reporting services; DFAS’s Automated
Disbursing System (ADS) for standard disbursing services; the Defense Manpower Data
Center’s (DMDC) Defense Civilian Personnel Data System (DCPDS) for processing payroll
affecting civilian human resource transactions; and the Chief Digital and Artificial Intelligence
Office (CDAO) Directorate for Business Analytics’ Advancing Analytics (Advana) for data
analytics.
Condition: DISA has not implemented all of the CUECs required by its service organizations.
Based on a subset of high-risk CUECs (e.g., cross-system segregation of duties [SD], periodic
access reviews, removals, and user authorization) required by DISA’s service organizations,
examples of control deficiencies indicating CUECs that DISA has not fully implemented
included:
- DISA did not develop cross-system SD documentation to detail conflicts that may occur
  when personnel obtain access to multiple systems utilized by DISA to include, but not be
  limited to, ADS, Advana, DAI, DCAS, DCPS, DCPDS, DDRS, DPAS, and WAWF
- DISA did not effectively perform periodic reviews of all DISA users for the Advana
  application
- DISA did not maintain adequate documentation to support management’s approval of the
  level of access granted to DISA users of the DAI and DCPS applications
- DISA did not consistently remove or disable access to DISA users of the DAI and
  WAWF applications upon their separation from the agency.
Cause: Although DISA was aware of the requirements for implementing the CUECs and had
begun implementation, it had not finalized implementation of all CUECs as of the end of the
FY 2023 financial statement audit. Throughout FY 2023, DISA refined its existing process
regarding review and implementation of all CUECs identified within each service organization
SOC 1®, Type 2 report, determined relevance to DISA, and assessed its corresponding DISA
control, as well as continued to identify and implement controls to remediate gaps for CUECs
not sufficiently designed (e.g., cross-systems SD). Additionally, due to the large number of
CUECs, DISA established a phased approach and executed it to test CUECs based on level of
risk and document results of implementation.
Effect: DISA’s failure to implement internal controls to address all required CUECs may result
in ineffective controls/control objectives. As SOC 1®, Type 2 reports address the effectiveness
of controls related to the user entity’s financial reporting, ineffective controls/control objectives
(i.e., Access Controls, Security Management, and Configuration Management) increase the risk
of negative impact to the confidentiality, integrity, and availability of data supporting DISA’s
financial statements.
Recommendations: Kearney recommends that DISA perform the following:
1. Implement all CUECs identified within each service organization’s SOC 1®, Type 2
report.
2. Identify gaps for CUECs not designed effectively, as well as design and implement
controls to remediate those gaps.
* * * * *
APPENDIX A: STATUS OF PRIOR-YEAR DEFICIENCIES
In the Independent Auditor’s Report on Internal Control over Financial Reporting included in
the audit report on the Defense Information Systems Agency (DISA) General Fund’s (GF) fiscal
year (FY) 2022 financial statements, we noted several issues that were related to internal control
over financial reporting. The statuses of the FY 2022 internal control findings are summarized in
Exhibit 8.
Exhibit 8: Status of Prior-Year Findings
Control Deficiency | FY 2022 Status | FY 2023 Status
Fund Balance with Treasury | Material Weakness | Material Weakness
Accounts Receivable/Revenue | Material Weakness | Material Weakness
Property, Plant, and Equipment | Material Weakness | Significant Deficiency
Accounts Payable/Expense | Material Weakness | Material Weakness
Budgetary Resources | Material Weakness | Material Weakness
Financial Reporting | Material Weakness | Material Weakness
Information Technology | Significant Deficiency | Significant Deficiency
1701 Duke Street, Suite 500, Alexandria, VA 22314
PH: 703.931.5600, FX: 703.931.3655,
www.kearneyco.com
INDEPENDENT AUDITOR’S REPORT ON COMPLIANCE WITH LAWS,
REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS
To the Director, Defense Information Systems Agency, and Inspector General of the Department
of Defense
We were engaged to audit, in accordance with auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and Office of
Management and Budget (OMB) Bulletin No. 24-01, Audit Requirements for Federal Financial
Statements, the General Fund (GF) financial statements of the Defense Information Systems
Agency (DISA) as of and for the year ended September 30, 2023, and the related notes to the
financial statements, which collectively comprise DISA GF’s financial statements and have
issued our report thereon dated November 8, 2023. Our report disclaims an opinion on such
financial statements because we were unable to obtain sufficient appropriate audit evidence to
provide a basis for an audit opinion.
Report on Compliance and Other Matters
In connection with our engagement to audit the financial statements of DISA GF, we performed
tests of its compliance with certain provisions of laws, regulations, contracts, and grant
agreements, noncompliance with which could have a direct and material effect on the
determination of the financial statement amounts, and provisions referred to in Section 803(a) of
the Federal Financial Management Improvement Act of 1996 (FFMIA). We limited our tests of
compliance to these provisions and did not test compliance with all laws, regulations, contracts,
and grant agreements applicable to DISA GF. However, providing an opinion on compliance
with those provisions was not an objective of our engagement; accordingly, we do not express
such an opinion. The results of our tests, exclusive of those referred to in FFMIA, disclosed
instances of noncompliance or other matters that are required to be reported under Government
Auditing Standards and OMB Bulletin No. 24-01 and which are described in the accompanying
Schedule of Findings as Items I and II.
The results of our tests of compliance with FFMIA disclosed that DISA GF’s financial
management systems did not comply substantially with the Federal financial management
system’s requirements, applicable Federal accounting standards, or application of the United
States Standard General Ledger at the transaction level, as described in the accompanying
Schedule of Findings as Items I and II.
Additionally, if the scope of our work had been sufficient to enable us to express an opinion on
the financial statements, other instances of noncompliance or other matters may have been
identified and reported herein.
Defense Information Systems Agency General Fund’s Response to Findings
Government Auditing Standards requires the auditor to perform limited procedures on DISA
GF’s response to the findings identified in our engagement and described in the accompanying
memorandum attached to this report in the Agency Financial Report (AFR). The DISA GF
acknowledged the findings identified in our engagement. DISA GF’s response was not subjected
to the other auditing procedures applied in the engagement to audit the financial statements;
accordingly, we express no opinion on the response.
Purpose of this Report
The purpose of this report is solely to describe the scope of our testing of compliance and the
results of that testing, and not to provide an opinion on the effectiveness of the entity’s
compliance. This report is an integral part of an engagement performed in accordance with
Government Auditing Standards and OMB Bulletin No. 24-01 in considering the entity’s
compliance. Accordingly, this report is not suitable for any other purpose.
Alexandria, Virginia
November 8, 2023
Schedule of Findings
Noncompliance and Other Matters
I. Noncompliance with Federal Financial Management Improvement Act of 1996
(Repeat Condition)
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that an entity’s
overall financial management systems environment operate, process, and report data in a
meaningful manner to support business decisions. FFMIA states that Federal agencies shall
comply substantially with the requirements within Section 803(a). These requirements include:
- Federal financial management system requirements
- Applicable Federal accounting standards
- United States Standard General Ledger (USSGL) at the transaction level.
The Defense Information Systems Agency’s (DISA) financial management systems do not
substantially comply with the requirements within FFMIA, as discussed below.
Federal Financial Management Systems Requirements
FFMIA requires reliable financial reporting, including the availability of timely and accurate
financial information, and maintaining internal control over financial reporting and financial
system security. The matters described in the Basis for Disclaimer of Opinion section in the
accompanying Independent Auditor’s Report, as well as the material weaknesses reported in the
accompanying Report on Internal Control over Financial Reporting, represent noncompliance
with the requirement for financial systems and reliable financial reporting.
Federal Accounting Standards
FFMIA requires that agency management systems maintain data to support financial reporting in
accordance with accounting principles generally accepted in the United States of America
(GAAP). As described in the Basis for Disclaimer of Opinion section in the accompanying
Independent Auditor’s Report, we experienced a scope limitation and were unable to obtain
sufficient appropriate audit evidence regarding the completeness and accuracy of DISA’s
financial statements. Because of the significance of this scope limitation, we were unable to
determine whether DISA’s financial statements contained material departures from GAAP.
United States Standard General Ledger at the Transaction Level
FFMIA requires that agency management systems record financial events by applying the
USSGL guidance in the Treasury Financial Manual (TFM) at the transaction level. As described
in the Basis for Disclaimer of Opinion section in the accompanying Independent Auditor’s
Report, we experienced a scope limitation and were unable to obtain sufficient appropriate audit
evidence regarding the completeness and accuracy of DISA’s financial statements. Because of
the significance of this scope limitation, we were unable to execute all planned audit procedures,
including tests for compliance with the USSGL at the transaction level.
II. Noncompliance with Federal Managers’ Financial Integrity Act of 1982 (Repeat
Condition)
Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for
Enterprise Risk Management and Internal Control, implements the requirements of the Federal
Managers’ Financial Integrity Act of 1982 (FMFIA). FMFIA and OMB Circular A-123 require
agencies to establish a process to document, assess, and assert to the effectiveness of internal
control over financial reporting.
DISA has not established and implemented controls in accordance with standards prescribed by
the Comptroller General of the United States, as codified in the Government Accountability
Office’s (GAO) Standards for Internal Control in the Federal Government (Green Book), as
described by the material weaknesses in the Report on Internal Control over Financial
Reporting.
DISA Management Comments to Auditor’s Report
DEFENSE INFORMATION SYSTEMS AGENCY
P. O. BOX 549
FORT MEADE, MARYLAND 20755-0549
Mr. Kelly Gorrell
Kearney & Company
1701 Duke Street, Suite 500
Alexandria, VA 22314
Mr. Gorrell:
DISA acknowledges receipt of Kearney & Company’s draft audit report for
DISA's FY 2023 General Fund (GF) financial statements.
We acknowledge the auditor-identified findings in the following key areas:
1) Fund Balance with Treasury, 2) Accounts Receivable/Revenue, 3) Accounts Payable/
Expense, 4) Budgetary Resources, and 5) Financial Reporting, each of which, in the
aggregate are considered material weaknesses. We also acknowledge the auditor-
identified findings in the Information Technology and Property, Plant & Equipment areas
which are considered significant deficiencies.
DISA made great progress in FY 2023, specifically with reducing the unmatched
and undistributed balances that impact the key areas identified above and has placed a
renewed focus on successful resolution of the remaining audit issues during the upcoming
audit cycle.
ALEX DIAZ
Director, Accounting Operations and
Compliance
Appendix A - DISA Organizational Chart
Joint Service Provider
Joint Force Headquarter-DODIN
DISA Director JFHQ-DODIN Commander
Deputy Director
Procurement Services Directorate
Chief Financial Officer and Comptroller
Assistant to the Director
Chief of Staff
Workforce Services and Development Directorate
Digital Capabilities and Security Center
Cyber Security and Analytics
Joint Enterprise Services
Defense Spectrum Organization
Joint Interoperability Test Command
Hosting and Compute Center
Compute Operations
Operations Support
Product Management
Enterprise Operations and Infrastructure Center
Endpoint Services and Customer Support
Transport Services
Cyberspace Operations
Enterprise Integration and Innovation Center
Emerging Technology and Enterprise Architecture
Enterprise Engineering and Governance
Risk Management Executive
Chief Data Officer
Special Staff
Chaplain Program Office
Congressional Affairs Coordinator
Office of Strategic Communication and Public Affairs
General Counsel
Inspector General
Component Acquisition Executive
Small Business Programs
Protocol
Pentagon Liaison Officer
Office of Equality, Diversity and Inclusion
ADCON Organizations
Joint Artificial Intelligence Center
Secretary of Defense Communications
White House Communications Agency
White House Situation Support Staff