News | Oct. 29, 2019

Risk management, internal controls top DLA’s fiscal 2020 audit agenda

By Beth Reece

A new organizational structure and stronger focus on enterprise risk management and internal controls are expected to guide the Defense Logistics Agency’s fiscal 2020 audit efforts. 

Following the Office of Management and Budget Circular A-123, which emphasizes the inclusion of risk management and internal controls in existing business practices as an essential part of managing federal agencies, will help the agency achieve a favorable audit in the next five to seven years, said DLA Finance Deputy Director Jeffrey Zottola. 

“The foundation we build with A-123 principles will provide the assurance auditors are looking for that we’re actually doing what we say we’re doing and assessing risks while protecting against fraud, waste and abuse,” he said. “It will give us a strong foundation and set us on a path to success.”

Zottola leads the Audit Task Force, created in fall 2018 as an independent team to tracking findings, recommendations and corrective plans resulting from previous reviews by independent auditor Ernst & Young. Realigning the task force under DLA Finance and creating a new ERM Program Office under the DLA chief of staff will help ensure audit-related tasks are coordinated among major subordinate commands, regional commands and headquarters-level directorates, added Navy Reserve Capt. Charles Parker III, ATF deputy director. 

A key part of DLA’s audit is ensuring agency processes are properly documented. Although standard operating procedures and DLA instruction manuals already exist for most of DLA’s end-to-end processes, ERM will require employees to review those SOPs to ensure they cover all aspects of the processes as well as risks and internal control measures.
“There’s already a lot of good documentation out there so we’re not starting from scratch, but in some cases we need to be more thorough,” Parker said. “For example, we may have an SOP that addresses inventory control but doesn’t account for financial controls or vice versa. We need to connect those dots.” 

In some cases, SOPs were written by individuals without functional knowledge or a clear understanding of the multitude of steps and participants with key roles in DLA’s processes, he added. Employees who perform those operations on a daily basis will have a critical role in refining SOPs and instruction manuals.

“They’re the key component of this process because their supervisors aren’t necessarily going to know what all the risk points are. The only person who knows all that is the person right there on the ground doing the work,” Parker continued. 

Ensuring employees are following SOPs and instructions as written is also critical because auditors are looking to see if employees’ actions match prescribed procedures even when troops seek the agency’s support during emergency or short-notice operations. 

“Our primary mission is to support the warfighter, and at any cost, SOPs be damned. If an organization needs five engines to get five tanks moving, we’re going to provide them with five engines whatever it takes,” Zottola said. “And that is okay, but the thing is, we’ve still got to ensure we’re following our own procedures and protecting against fraud, waste and abuse. This is personal for me and should be for all of us as hard working taxpayers. I don’t want my tax dollars being pilfered. Who would?” 

Strict adherence to SOPs and instructions may feel like a culture shift to some employees but will quickly become the normal course of business, Parker said.

“In the commercial world where I come from, we do all kinds of things that are auditable but we just don’t know it. It’s transparent to the average worker because it’s just part of what they’re supposed to do,” he added.

Air Force Col. Scott Ritzel, DLA’s chief risk officer and head of the new ERM Office, and Kelleye Elmore, ERM and Internal Control Program coordinator, have already presented three A-123 workshops to process owners and functional area managers throughout the agency. Additional training will ensure employees can fully document end-to-end business cycles, identify risks, and implement and assess internal controls. Some training will be mandatory for all DLA supervisors, who will be expected to pass the knowledge on to their teams, Elmore said. 

“Over the next year, we’ll be working with this new team to get A-123 implemented and ensure people understand their roles,” Zottola said.

While he and Parker believe A-123 is a linchpin in DLA’s audit, neither expect an unmodified opinion to happen overnight. 

“I believe it’s going to be five to seven years before we can actually get everything done because a lot of it is dependent upon implementing new systems and those things take time,” Zottola said. “The thing for employees to know is they’ve already made tremendous strides and as long as we’re making incremental progress every year, that’s a significant victory.”