Historically in the Department of the Navy (DON), the organizations within the financial management (FM) and information technology (IT) arenas did not have much interaction and often were not asked to collaborate. Besides budgeting and funding issues, the FM and IT processes were essentially stove-piped in their respective swim lanes.
Those days are gone as the Navy embarks on the inaugural audit of the FY15 Statement of Budgetary Activity (SBA). Arriving at a state of auditability is a substantial shift in how the Navy does business; auditability has been commonplace at other federal agencies and private-sector firms for some time now, but it is new to the Navy.
Now, with the audit driving increased cooperation, the Navy is forced to recognize that IT controls affect financial statement audits. The cascading effect of that recognition is that the system program managers (PMs) and the CIOs to whom they report will be held accountable in a financial statement audit. The scope of the audit includes controls as mundane as those governing policies and procedures as well as technical controls such as the duration of a computer session lock.
To be clear, the Navy can achieve an unqualified (clean) opinion without reliance on IT controls, but doing so would be a more laborious, inefficient, and prohibitively costly effort for the auditors as well as for the Navy personnel supporting the audit. In order for the Navy to continue to earn clean opinions year after year, the Navy must rely on its systems' IT controls.
Coincidentally, another paradigm shift that aligns closely with the audit has been in the making for several years in the Department of Defense on the information assurance (IA) front, and the change was issued in a DoD Instruction in March 2014. The DoD has replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP) with the Risk Management Framework (RMF) and redefined IA as cybersecurity.
The RMF methodology follows the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, and the RMF controls follow NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Federal government financial statement audits test IT systems using the Federal Information System Controls Audit Manual (FISCAM), which is based on NIST SP 800-53.
Another similarity between RMF, FISCAM, and the audit as a whole is that they all follow a risk-based approach. This means that IT control compliance is not a black-and-white issue. For example, if a control has a high risk priority and it is not met, it could derail the entire security posture of the system. Conversely, if several controls have a low risk priority and they are not met, the system may still have an adequate overall security posture, provided the high-risk controls are in place.
The Navy identified an opportunity to integrate two distinct yet closely aligned initiatives. Thus, personnel from the Office of the Assistant Secretary of the Navy (Financial Management and Comptroller) Office of Financial Management (ASN (FM&C) FMO) and the DON Chief Information Officer (DON CIO) have been working closely with senior leadership from their respective organizations, as well as the Office of the Secretary of Defense Financial Improvement and Audit Readiness (OSD FIAR), DoD CIO, and representatives from the other services, in order to align requirements, milestones, resources, and timetables. The goal is to eliminate redundancies in IT-controls-related work and allow the system PMs to work more efficiently in a budget-constrained environment by focusing on the RMF process and applying additional scrutiny and guidance for audit requirements.
Although the NIST SP 800-53 controls are the foundation for both cybersecurity and audit purposes, an auditor and a cybersecurity professional may view them from slightly different perspectives. It is important to keep in mind that ultimately an auditor will be rendering an opinion on the balances in the financial statements to determine whether they are free from material misstatement. In the instances where an audit requirement differs from the cybersecurity requirement, the Financial Information System Working Group (FISWG), co-chaired by ASN (FM&C) FMO and DON CIO, will issue supplemental guidance to meet the audit requirements.
The Navy is on the cusp of two significant paradigm shifts that will undoubtedly cause discomfort in the beginning years, but as the Navy matures within the “new normal” of RMF and an audit, we will see synergy and process efficiency gains from integrating the two activities while increasing our IT cybersecurity posture and financial data integrity.