Objective
We determined whether the Invoice, Receipt, Acceptance, and Property Transfer (iRAPT)
system (formerly called wide area work flow) user organization controls administered by the
Department of the Navy were designed and operating effectively. We also determined the
effect of any identified deficiencies on audit readiness goals.
Finding
The iRAPT controls administered by the Navy, also referred to as complementary user entity controls (CUECs), were not designed or operating effectively for the three commands reviewed. Specifically, Navy system management did not design CUECs because they relied on the Defense Logistics Agency’s controls and did not know they were required to independently develop and document CUECs. Additionally, group administrators at the three commands did not disable iRAPT accounts for separated users because Navy system management did not develop procedures for out processing, or group administrators did not make user account reviews a priority. Also, supervisors and group administrators granted certifying officers access without the proper appointment and training because they did not review appointment documents. Further, supervisors and group administrators granted users more access than required to do their job duties because they created a work around to reject
misrouted invoices.
Navy system management did not develop and document change management roles, responsibilities, and procedures because they did not consider them to be significant enough to warrant documenting.
Navy Enterprise Resource Planning management did not correct a control deficiency with data sent from iRAPT to the Navy Enterprise Resource Planning system because of resource constraints.
As a result, the Navy increased the risk of unauthorized system access and improper or fraudulent payments. Undetected errors and fraud could lead to misstatements on financial statements, specifically for contractor and vendor pay, which is material to the outlays (disbursements) line on the Schedule of Budgetary Activity. Without correcting these CUECs it could impact the audit readiness goals of the Navy.
Recommendations
The Deputy Assistant Secretary of the Navy for Financial Operations should coordinate with other key stakeholders in the Navy to develop procedures to: define CUECs that clearly describe roles and responsibilities; add iRAPT users to command out-processing procedures; and review certifying officers’ appointment records and training certificates. The Deputy Assistant Secretary of the Navy for Financial Operations should also review iRAPT to ensure separated employees user accounts were disabled; review training and DD Forms 577 for certifying officers at all Navy commands; disable the certifying officer role at other commands that use the Navy Enterprise Resource Planning system; and develop and implement a Navy Enterprise Resource Planning System change request. The iRAPT
Program Manager at the Defense Logistics Agency should implement a system change that automatically disables user accounts after 30 days of inactivity.
Management Comments and Our Response
The Deputy Assistant Secretary of the Navy for Financial Operations addressed all specifics of Recommendation 1. However, we request additional comments from the iRAPT Program Manager, DLA, for Recommendation 2 by March 24, 2016.