News | Feb. 29, 2016

Risk & Reward

By John R. Bell

At the gate of a Defense Logistics Agency facility in Ohio, a police officer looks at the driver’s common access card to make sure the face in the photo matches the face of the driver.

Somewhere in California, a DLA warehouse employee asks her coworker to clarify the code on a packing order.

Across the Pacific, a foodservice manager makes sure the purchase record is updated and matches the data in the system — and suggests a new way to reconcile the costs against the budget with less chance of human error.

In each example, an employee is helping the agency avoid risk, maintain audit readiness, and move toward achieving process excellence, according to DLA audit-readiness experts.

Any employee, no matter the role or location, can help sustain audit readiness by understanding and following procedures; communicating with colleagues; safeguarding documentation; and looking for ways processes could be improved.

Logistics — like any large, complex system — is inherently a risky business. But helping mitigate that risk is everyone’s business.

Internal Controls: Knowing the Rules of the Game

In using an everyday work process or contemplating how that process could be more efficient, faster or more accurate, every DLA employee must bear in mind that some processes exist to reduce or prevent risk — serving as what in the audit and finance world are called internal controls.

Many internal controls prevent fraud, waste or abuse, and some preserve documentation DLA will likely need in a future audit, said Simone Reba, deputy director of DLA Finance. She noted that DLA will face its next financial audit in June or July this year. But if employees are following their standard operating procedures, “a clean audit is the outcome,” Reba said. Internal controls are implemented by literally everyone in the agency, she emphasized — who completes a timesheet, submits proper travel documentation or complies with SOPs.

DLA employees are encouraged to think of ways to improve existing processes and to share those ideas with their managers, through the Process Excellence Pipeline. At the same time, some processes that may seem redundant serve as internal controls, Reba noted.

Being aware of internal controls and what they are designed to mitigate can help the front-line employee do the job in a way that helps the agency reduce risk — not only against fraud, waste and abuse but also against faulty products, delays and other problems that would hinder the warfighter or other DLA customers.

Because it’s crucial for employees to know where their internal controls are, Reba said, she encourages employees to participate in training DLA Finance and DLA Human Resources have developed on internal controls. This training will go beyond SOPs by teaching employees about process cycle memorandums. PCMs offer an in-depth, end-to-end analysis of a process, including its internal controls and the risks those controls help mitigate.

First Line of Defense: You

Billie Sue Goff, DLA’s chief of risk and controls assessment in DLA Strategic Plans and Policy, explained internal controls through the game of football: “The defensive line consists of one or two defensive tackles and two defensive ends that play outside the defensive tackles, she noted. “In a similar way, the first line of defense in risk and controls is with the front-line and mid-line managers who have day-to-day ownership and management of risk and control.

Those managers are required by DoD and other regulations to maintain internal controls to prevent fraud, waste and abuse, said Goff, who is also acting branch chief of the Continuous Process Improvement Branch.

Controls to reduce risk — whether management controls or internal controls built into systems or implemented by front-line employees — are the first line of defense against problems ranging from excess cost to safety violations, Goff said. And the employee can take any of several actions to control the amount of risk, she noted — avoidance, acceptance, transfer or mitigation. Because DLA managers are responsible for the outcome of any risk, Goff said, they decide how to mitigate the risk, by designing and executing the controls. Improper management of risk through established controls can prevent DLA from accomplishing the objectives in the Strategic Plan.

For the DLA employee in the warehouse, distribution center, depot, or disposition facility, what does that mean, exactly?

It comes down following the play book — the standard operating procedures — as well as communicating with coworkers, keeping the big picture in mind and maintaining all documentation in the required format, for the required duration, said Angela Evans, chief of DLA Strategic Plans and Policy’s Enterprise Process Integration Division.

“For someone on a packaging line, it might mean making sure the request you’re getting — whether from another person or a system you use — is clear, and then providing feedback if it isn’t,” Evans said. “On the flip side, it means being open to feedback if you’re the one being asked for more information.”

Likewise, proper recordkeeping is crucial, she said, given that almost every audit any agency undergoes requires a large volume of documentation to prove the agency is complying with a requirement or law. Recordkeeping is just one form of internal control, Evans noted.

Another common example of such an internal control is the timesheet, Evans noted. “It may be tedious to get a supervisor’s signature or to have to fill out a form to request leave — but those are there to prevent fraud and to ensure we have documentation, should it be required by an audit,” she said.

This is just one example of a critical responsibility management has, according to Goff, in addition to risk assessment, control activities, and information and communication. “Just as the defensive line in football is critical to preventing the opposing team from scoring, first-line managers prevent and mitigate risk.”

Second Line of Defense: Management Controls

Using the football analogy, Goff said, the second line of defense is management’s oversight function — entailing risk management and compliance functions to make sure the processes in place are actually being used correctly and are serving as effective safeguards.

Internal controls identify and assess risks, execute activities as intended, highlight inadequate processes, address control breakdowns, and communicate their assessments to leadership, Goff noted. To do this, they typically use internal controls, codified by the Government Accountability Office in a set of 17 principles, of which 12, she said, are the primary responsibility of first line and mid-line managers, whom she considers the first line of defense.

“Operational managers develop and implement the organizations’ control and risk management processes. They maintain the line of defense in the day-to-day operation to move the process toward excellence.”

In particular, DLA supervisors can help, not only by emphasizing the importance of process compliance but also by confirming that employees are in fact following established processes. “You get what you measure,” she said. “It has to be more than just lip service.”

Management controls include monitoring of operations, financial reporting and compliance.

Evans noted that these management controls are really there to protect against the very small number of persons who might act in ways that introduce fraud, waste or abuse. But these measures also ensure compliance with regulation. “It’s important to note that compliant processes are not always efficient,” Evans said.

Goff offered another illustration of how management controls are the agency’s second line of defense: a visit to the doctor. “The exam also gives you a chance to talk to your doctor about any ongoing pain or symptoms that you are experiencing or any other health concerns,” she explained. “The second-line functions are similar to the specialist being called in to give their expert view of the issue.” In the DLA world, Goff said, that specialist could be risk management, information security, health and safety, compliance, inspection, legal, environmental, financial control, physical security, quality, among others.

Third Line of Defense: Internal Audit

The internal audit is as an organization’s third line of defense, Goff said.  It offers independent, objective assurance designed to add value and improve operations. Using a disciplined approach to evaluate and improve the effectiveness of risk management, control and governance, the auditor provides leadership the second set of eyes, she noted.

“Fast-paced environments and complex tasks can often make it a challenge to pay close attention to details of every element of your job performance,” Goff said. “But overlooking details can sometimes be costly, detrimental to the quality of work, or in some cases, even dangerous.”

She raised the example of parts that DLA supplies to deployed service members. “If we didn’t take the time to examine closely the products we receive that support our warfighter, we might be putting their safety in jeopardy,” she noted. “The internal audit function is the second set of eyes.”

The final, “hail Mary pass” of controlling for risk is the external audit. “When coordinated effectively, the external auditor can provide important views and observations to leadership, stakeholders and employees, Goff explained. “The external auditor’s contribution is valuable information, but it shouldn’t substitute our internal lines of defense.”

What does this mean for the DLA employee working in the warehouse, fueling station, disposition center, or maintenance facility? It means looking out for risks is thing to keep in mind in thinking of new ways DLA can do its work. A suggestion to the Process Excellence Pipeline might not necessarily save costs in the short term or reduce the time to conduct a process — but the suggestion is just as valuable if it helps the agency prevent fraud, waste or abuse, while preserving DLA’s internal controls.

It comes down to three things, according to Evans. “Follow your standard operating procedures, communicate with those around you, be open to feedback, and work with your managers to make sure you’re keeping the right documents in the right way.”

By doing these things, every employee can help sustain audit readiness — and the agency’s continued service to the warfighter and all who depend on the Defense Logistics Agency.

 “A lot the problems with audit is where handoffs fail,” Reba said. Those handoffs can be between systems, between a person and a system, or between two people, she explained. Reconciliations can help prevent handoff errors (such as interim document, or IDOC errors) and establish completeness of documentation for an audit, she noted.

An example is the physical inventories some primary field-level activities perform. Although a record exists in the Distribution Standard System and the Fuels Manager Defense system, data errors can occur when one system provides data to the other. Later, a financial audit may compare both records with the data in the Enterprise Business System. Thus manual, human verification that DSS and FMD show the same data for the same transaction is an internal control, as is a review of the property book, Reba explained.

The End Zone:
Clean Audit, Best Possible Customer Support

As important as a clean audit is, it’s not the only goal of internal controls, Reba noted. “Having the wrong data in EBS can lead us to buy the wrong things,” she said. “Say they go to Bin ABC, and it has 100 widgets in it. They go over to DSS, and then they make sure they adjust the DSS record to say there are 100 — but if no one is checking EBS, and a handoff problem between the systems has caused EBS to say there are only 50 widgets, then the planning system will cause us to buy more than we need.” This in turn leads DLA to buy the wrong product or the wrong number — which can in turn hinder the warfighter in operations. “It’s more than just an accounting exercise or a grade from an audit,” she emphasized. “The wrong number can lead us to have a mission problem.”

In terms of process excellence, the recent achievement of documenting all of DLA’s processes is helping the agency standardize its operations and be more efficient, Reba said. Fewer processes, where possible, mean fewer systems requiring training, as well as fewer opportunities for error, and ultimately a more efficient use of funds. “We’re dealing with the taxpayers’ money, and we need to make the most of it.”