Developing More Stringent Security Control Requirements For Financially Relevant Systems To Support Audit Readiness

Joint Memo - Publish Date: 11/03/13



This joint memo details how the Department of the Navy must achieve audit readiness of its Statement of Budgetary Resources by 2014 and full audit readiness by 2017. Our Defense Business Information Technology systems are part of the critical infrastructure that will support our ability to achieve and sustain audit readiness. A comprehensive assessment of the business processes and data within these systems is critical to our success in achieving audit readiness objectives. As part of audit readiness assessments, systems will be evaluated using the Federal Information System Controls Audit Manual.

From: Assistant Secretary of the Navy (Financial Management & Comptroller)
Department of the Navy Chief Information Officer

Subj: DEVELOPING MORE STRINGENT SECURITY CONTROL REQUIREMENTS FOR FINANCIALLY RELEVANT SYSTEMS TO SUPPORT AUDIT READINESS

Ref: (a) ASN RD&A, ASN FM&C, DUSN DCMO, and DON CIO memo of 17 Sep 2012 "Assessment of Information Technology System that Enable and Sustain Audit Readiness"
(b) UNSECNAV memo of 10 Jan 2012, "Achieving Audit Readiness"
(c) Federal Information System Controls Audit Manual of Feb 2009, http://www.gao.gov/new.items/d09232g.pdf
(d) NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," of Apr 2013

Encl: (1) Audit Readiness Assessment System List
(2) IT Control Baseline Prioritization List

1. Per references (a) and (b), the Department of the Navy (DON) must achieve audit readiness of its Statement of Budgetary Resources (SBR) by 2014 and full audit readiness by 2017. Our Defense Business Information Technology (IT) systems are part of the critical infrastructure that will support our ability to achieve and sustain audit readiness. A comprehensive assessment of the business processes and data within these systems is critical to our success in achieving audit readiness objectives. As part of audit readiness assessments, systems will be evaluated using reference (c), the Federal Information System Controls Audit Manual (FISCAM). FISCAM and the Office of the Under Secretary of Defense (Comptroller) (OUSD(C)) dictate that systems that impact our financial audit readiness must meet the federal IT control standards contained in reference (d). Enclosure (1) provides the initial list of systems that will undergo audit readiness assessments.

2. While transition to NIST controls will better posture the DON to achieve audit readiness objectives, it will not address the controls most likely to be audited nor answer all audit readiness security requirements. Given the limited resources available for this purpose in our fiscally constrained environment, it is important for Program Managers (PMs) to prioritize the implementation of financial system controls based on their likely impact to DON audit readiness. Enclosure (2) outlines the DON's prioritization of controls based on NIST guidance and the likelihood of controls to be tested in an audit. Notwithstanding their responsibility to implement all relevant security controls, PMs should use enclosure (2) to focus on near term efforts. Further, additional control requirements are expected to result from the DON's work with the OUSD(C) staff to define requirements necessary for systems that impact our audit readiness.

3. In order to prepare for the transition to NIST security controls and to meet audit readiness objectives, PMs should review the enclosures and begin planning to meet the requirements. Additional guidance with specific timelines for NIST security control implementation and any additional requirements for financial systems is forthcoming.

4. Questions or comments on this guidance may be directed to Mr. Danny Chae, Finance and Accounting System Division (FM0-1). Mr. Chae may be reached by email at Danny.Chae@navy.mil, or by telephone at (202) 685-6729.

Signed by:
Terry A. Halvorsen
Department of the Navy Chief Information Officer

Signed by:
S. J. Rabern
Assistant Secretary of the Navy (Financial Management and Comptroller)
