AGA Audio Conference Business Activity Monitoring BAM

1
AGA Audio Conference Business Activity
Monitoring (BAM)

• Ms. Martha Smith
• Defense Finance and Accounting Service
• February, 2008

2
Overview

• DFAS Objective
• BAM Methodology
• BAM Implementation
• Expected Outcomes

3
DFAS Objective

• Most internal control assessment methodologies
  apply a sequential approach
• Plan Document, Access and Test
  Remediate
• This traditional assessment approach normally
  produces small and much delayed returns since the
  focus is on rework and reaction, not on the early
  detection and remediation of deficiencies that
  are costing DFAS significant amounts of money
  every day.

Plan
Document, Access Test
Remediate
4
DFAS Objective

• Plan Document, Access and Test
  Remediate
• An Enterprise Risk Management Program (ERMP)/BAM
  capability will produce significant savings for
  DFAS by focusing the compliance assessment
  process on results of real-time or near-real time
  Business Activity Monitoring and the integration
  of that capability within an enterprise risk
  management program.
• This approach will allow DFAS to prioritize
  compliance efforts on key business processes and
  associated control activities that have a high
  financial impact and maximize overall savings by
  preventing further losses.

Plan
Remediate
Document, Access Test
5
DFAS Objective

• The solution will help DFAS in fulfilling the
  following Federal requirements
• Presidents Management Agenda
• Chief Financial Officers Act of 1990
• Federal Managers Financial Integrity Act of 1982
• OMB Circular A-123 (Rev.), Managements
  Responsibility for Internal Controls
• Government Performance and Results Act of 1993
• Improper Payments Information Act of 2002
• Prompt Payment Act of 1997
• Government Waste Corrections Act of 1999 and 2000

6
DFAS Objective

• Enterprise Risk Management Program/Business
  Activity Monitoring (ERMP/BAM) will
• Highlight, identify, monitor and track weaknesses
  in processes and systems
• Alert senior managers of current and potential
  problem areas
• Provide real time or near real time analysis of
  current and projected deficiencies
• Reduce improper payments
• Assist and supplement internal, operational and
  pre and post payment review processes
• Help to identify problem areas BEFORE an incident
  occurs

7
Enterprise Risk Management Program/Business
Activity Monitoring
DFAS MISSION CUSTOMERS/FS/ASA/PAR
REQUIREMENTS
DFAS PLAYERS
CFO Act FMFIA/A-123 OMB Cir A-50 Audit
Follow-up IPIA GPRA PMA
Executive Managerial Technical
DFAS STRATEGIC PLAN BSC/METRICS/INITIATIVES
Transformation
Flowcharts
DASHBOARD Web-based Reporting
Risk Assessments/ICRs
Assessable Units
ERMP
Business Intel
Material Weaknesses
Audits
FIAR Tool
High Risk Areas
Business Activity Monitoring
Feeder Systems
8
BAM Methodology
Step 1 Document Key Business Processes Material
and Risk Based Scope to determine high dollar and
high risk areas.

• Identify key DFAS business processes that have a
  material transaction volume and value
• Identify DFAS processes with inherently high risk

Step 2 Document Major Classes of
Transactions Major classes of transactions are
those classes of transactions that are
significant to the key business process.

• Identify material classes of transactions that
  comprise the key business processes

Step 3 Document Processes The specific processes
and systems comprising each class of transactions.

• Identify processes and systems that support the
  financial events comprising the class of
  transactions
• Evaluate processes and prioritize implementation
  schedule

Step 4 Configure and Initiate BAM Utilize
existing predefined control analytics or
translating DFAS business issues, risks, and
controls into monitoring-based rule-sets.
Configure baseline control activities.

• Map baseline control activities
• Configure and install BAM appliance within DFAS
  environment
• Perform initial system run

9
BAM Methodology, continued
Step 5 Evaluate and Document Exceptions Tolerance
levels over reached or control objectives are
not achieved.

• Review exception reports
• Investigate underlying source of exception
• Fully document

Step 6 Assess Impact and Severity Determine
potential impact and frequency of occurrence.
Deficiency Reportable Condition Material
Weakness

• Assess potential monetary impact
• Assess likelihood of reoccurrence
• Determine severity Inconsequential deficiency,
  reportable condition, material weakness

Step 7 Develop Remediation Activities Design
remediation efforts appropriate with severity.

• Develop recommended remediation steps to correct
  exception
• Develop and submit exception report with
  recommendations to correct

Step 8 Remediate Prioritize, manage and track
remediation efforts agency wide.

• Risk based prioritization of remediation efforts
• Prioritize, track, manage, and monitor
  remediation of deficiencies
• Update policies and procedures documentation

10
BAM Implementation Process

• Scope Plan
• Assess Validate Controls to Automate
• Requirements Analysis
• Integration Implementation
• Design/Define Integrity Checks
• Integrate Systems and Test Configuration
• Refine Remediation
• Evaluate Data/Processes
• Review and Modify
• Initial Operating Capability
• Final Operating Capability

11
Cycle 1, Spiral 1, Process Flowchart
12
Cycle 1 FBWT C1P1S2 Process Flow
13
Cycle 2 Phase I OnePay Process Flow
14
Cycle 3 READ Process Flow
15
Need for BAM

• Improper payments process improvements needed
• Many different codes used to track reasons for
  erroneous payments across the enterprise
• Duplicate payments
• Lag time recording manual payments
• Duplicate billings
• Over and under payments
• Incorrect calculations
• Incorrect discounts
• Transposed numbers (keypunch errors)
• Progress payments not considered

16
Expected Outcomes Efficient Operations