Appendix B

Appendix B — How a DoD Financial Statement Audit Actually Works

Who audits DoD, the opinion spectrum, the five assertions, FIAR/NFR/CAP remediation, and a worked example.

Prepared for: Peter Shang, GS-15 Portfolio ManagerResearch compiled July 2026 — unclassified, open-source sources only
FOR OFFICIAL REFERENCE USE — NOT AN OFFICIAL DoD/DFAS PUBLICATION

DoD OIG is the office responsible for managing and completing the audits of the department-wide financial statements DoD submits annually; to carry out that responsibility, DoD OIG contracts with Independent Public Accountant (IPA) firms — commercial accounting firms, not DoD employees — to audit specific DoD reporting entities, and DoD OIG monitors and oversees the IPAs' work to ensure it complies with contract requirements and audit standards. Over 60 DoD components submit financial information to DFAS in preparation for the annual audit; 29 of those prepare and issue their own stand-alone financial statements (including the Army, Navy, Air Force, and Marine Corps general funds and several working capital funds) in addition to rolling up into the consolidated DoD Agency-Wide statements.

These audits are performed under Generally Accepted Government Auditing Standards (GAGAS — commonly called “the Yellow Book”), which is a more rigorous standard than a typical private-sector financial statement audit: GAGAS layers additional requirements around internal control testing, compliance with laws and regulations, and reporting on both the financial statements and the underlying control environment. The scale is genuinely enormous — DoD's FY2018 audit alone involved roughly 1,200 auditors, more than 900 site visits, and the review of hundreds of thousands of individual items covering total assets exceeding $2.7 trillion.

A one-sentence plain-language summary worth internalizing, paraphrased from DAU's own description of what a financial statement audit actually is at the unit level: it functions something like an inspection, but without a fixed checklist — the auditor exercises professional judgment against accounting and auditing standards, and is fundamentally assessing whether the organization consistently follows its own documented policies, whether its processes are well-controlled, and whether property and funds are accounted for in a current, reliable system of record. The audit's substance doesn't change year to year even though the individual auditors and DoD personnel involved do — which is exactly why building the right habits into daily operations, rather than treating audit season as a one-time scramble, is the only sustainable path to a repeatable clean opinion.

B.2 The opinion spectrum, and where DoD has actually landed on it

An IPA's audit concludes in one of four possible opinions, and the difference between them is not a technicality — each represents a fundamentally different level of assurance:

OpinionWhat it meansDoD's documented history
Unmodified (“clean”)The financial statements are presented fairly, in all material respects, in accordance with U.S. GAAP.The Marine Corps has achieved this on its stand-alone audit in multiple recent years; as of GAO's most recent reporting cited in this paper (Section 3.13), DFAS, the Defense Contract Audit Agency, the Defense Commissary Agency, and Defense Health Agency contract elements have also achieved it on DAI-supported statements.
QualifiedThe statements are fairly presented except for a specific, identified matter — the auditor can express an opinion on everything else.Two of DoD's 24 stand-alone FY2018 component audits received qualified opinions.
AdverseThe statements are not fairly presented — the identified problems are pervasive enough that the auditor concludes the statements are actually wrong, not merely unsupported.Rare at the DoD component level relative to disclaimers, but not unheard of (Section 11.3 documents an adverse opinion on Advana's FY2025 SOC-1 examination specifically, a related-but-distinct type of audit).
Disclaimer of opinionThe auditor could not obtain sufficient appropriate evidence to form any opinion at all — not “the numbers are wrong,” but “we cannot tell.”DoD OIG issued a disclaimer of opinion on the DoD consolidated financial statements for FY2018 (20 material weaknesses, 2,595 NFRs); 16 of the 24 FY2018 stand-alone component audits also received disclaimers. This remains the modal outcome for DoD's largest, most complex reporting entities.

The practical implication: for most of DoD's history under audit, the dominant finding has not been “your numbers are wrong” (an adverse opinion) — it has been “we cannot get enough evidence to tell whether your numbers are right” (a disclaimer). That distinction matters enormously for what daily business practices actually move the needle: the department's primary problem, documented repeatedly throughout this paper, has been an evidence and traceability problem — exactly the kind of problem Section 9's GFEBS/GAFS traceability deep-dives and this annex's B.6 playbook are aimed at.

B.3 What the auditor is actually testing: the five assertions

Every account balance, transaction class, and disclosure in a DoD financial statement is tested against five standard audit assertions. Understanding these is the single most useful mental model for translating “what does an auditor want” into “what should I do differently in daily operations”:

AssertionThe question it asksWhere this paper already traces the DoD-specific version of it
Existence / occurrenceDoes this asset actually exist, and did this transaction actually happen?Section 7.3 (inventory physical test counts), Section 7.4 (real property RPUID-to-facility verification) — DoD's single most storied audit challenge, per this paper's own repeated findings.
CompletenessIs everything that should be recorded actually recorded — nothing left out?Section 7.2's accrued-unbilled-liability gap, Section 3.13's DDRS/DODIG-2026-013 findings about balances and adjustments that don't identify their source system, Section 9.9's IGT trading-partner traceability chain.
Valuation / allocationIs the recorded dollar amount correct, using the right method?Section 7.3 (Moving Average Price/standard cost for inventory), Section 7.4 (estimated original cost for older real property), Section 7.5 (SFFAS 54 discount-rate selection for lease present value).
Rights and obligationsDoes the entity actually own this asset, or actually owe this liability — as opposed to holding it for someone else or having already transferred the obligation?Section 7.3's note on FMS-customer-held inventory, Section 7.6's entire IGT framework (does the Requesting or Servicing agency actually carry the obligation at a given point in the GT&C/Order/Performance/Settlement cycle).
Presentation and disclosureIs the item classified in the right financial-statement line and appropriately disclosed in the footnotes?Section 7.4's real-property footnote requirements, Section 7.5's new SFFAS 54 lease-footnote requirements, Section 11.1's DDRS-AFS footnote-schedule production process.

Every DoD-specific weakness this paper has documented in detail — GAFS-R's interface-integrity gaps (Section 3.15), STARS' $112.1 billion of unresolved balances (Section 3.13.4), the DTS-to-DEAMS interface defect (Section 3.4) — is, underneath the system-specific detail, an instance of one or more of these five assertions failing. An IPA auditor does not test “GFEBS” or “GAFS-R” as such; they test whether the balances those systems produce satisfy existence, completeness, valuation, rights, and presentation. This is the conceptual bridge between everything in Sections 1–11 of this paper and what actually happens during an audit.

B.4 How the audit actually gets done: the IPA's method

An IPA audit follows a risk-based approach, not a check-every-transaction approach — DoD's transaction volume makes 100% testing impossible, so the entire methodology is built around identifying where risk of material misstatement is highest and concentrating audit effort there. The typical sequence:

StageWhat the IPA doesWhat DoD personnel should expect
Planning and risk assessmentThe IPA identifies significant accounts, transaction classes, and reporting entities based on materiality (dollar significance) and inherent risk (how error-prone or judgment-heavy an area is — environmental liabilities and real property valuation are classic high-inherent-risk areas).Certain accounts — typically the ones this paper has flagged repeatedly (inventory, PP&E, accrued liabilities, intragovernmental balances) — will consistently draw more audit attention than routine, low-judgment transactions.
WalkthroughsThe IPA traces a handful of individual transactions from initiation through the entire chain this paper's Section 7 documents — business event, feeder system, GL posting, trial balance, financial statement — to understand how the process actually works and to identify where controls exist (or don't).Be prepared to demonstrate, concretely and specifically, how a transaction moves through your unit's process — not describe it in the abstract. An auditor doing a walkthrough wants to see an actual document trail, not a policy statement.
Test of designThe IPA evaluates whether a control, as designed, would actually prevent or detect a material misstatement if it operated as intended.A control that exists only on paper (“we require a two-person review”) but has no actual mechanism enforcing it will fail test of design, independent of whether any specific error occurred.
Test of operating effectivenessThe IPA selects a sample of actual transactions and tests whether the control was actually applied, consistently, throughout the period — not just designed correctly.This is where documentation habits matter most: if the two-person review happened but wasn't documented (a signature, a timestamp, a system log), the control cannot be shown to have operated even if it genuinely did.
Substantive testingBeyond controls, the IPA directly tests account balances and transactions using techniques including inspection (examining documents/records), observation (watching a process happen, e.g., a physical inventory count), confirmation (getting independent third-party verification, e.g., from a bank or a trading partner), recalculation (independently redoing a computation), reperformance (independently redoing a control procedure), analytical procedures (testing whether relationships in the data make sense), and inquiry (asking questions of DoD personnel, always corroborated with other evidence, never relied on alone).“We told the auditor that's how it works” is never sufficient on its own — inquiry is the weakest form of evidence in GAGAS methodology and must be corroborated by inspection, observation, confirmation, recalculation, or reperformance.
SamplingGiven DoD's transaction volume, the IPA typically cannot test every item and instead selects a statistical or judgmental sample, then projects the results (or, if errors are found, investigates whether they're isolated or symptomatic of a broader control failure).A single identified error rarely closes an issue — the auditor's real question is whether that error is isolated or indicates the underlying control cannot be relied upon, which is why root-cause analysis (not just fixing the one transaction) is what actually resolves an NFR.

B.5 The DoD-specific remediation apparatus: FIAR, NFRs, and CAPs

DoD's Financial Improvement and Audit Readiness (FIAR) Methodology is the department's own structured framework for getting a reporting entity from “not yet auditable” to “audit-ready,” and it maps closely onto the IPA methodology in B.4 by design: a reporting entity defines and prioritizes its processes into assessable units, identifies risks and control objectives for each, tests the design and operating effectiveness of its own controls before the IPA ever arrives, and evaluates the sufficiency and accuracy of its own supporting documentation — essentially rehearsing the audit internally first. Only once a reporting entity formally asserts readiness does it notify the FIAR Directorate and undergo examination; a reporting entity's first-year Statement of Budgetary Resources audit is typically scoped as a “Specified Elements Audit” under AU-C Section 805, covering only current-year appropriations and related activity rather than the full multi-year picture.

When an IPA identifies a control deficiency or misstatement during this process, it issues a Notice of Finding and Recommendation (NFR) — a formal, tracked finding, logged in an OUSD(Comptroller) NFR Database, that the responsible DoD component must respond to with a Corrective Action Plan (CAP). CAPs must include, at minimum, the data elements described in OMB Circular A-123's Implementation Guide, and the FIAR Directorate provides templates and best practices to standardize them. The scale of this apparatus is substantial and has historically outpaced DoD's ability to close findings faster than new ones are issued: as of the end of FY2021, 3,368 NFRs were open department-wide; during FY2022, auditors closed only 634 (19%) of those while issuing or reissuing 2,992 more.

This is the single most important operational fact in this annex: DoD's NFR closure rate has historically run well behind its NFR issuance rate. That imbalance is not primarily a resourcing problem at the IPA or DoD OIG level — it is a direct, structural consequence of the workforce gap documented in Annex A (the people who create the underlying transactions are largely not the people who understand what evidence an NFR response needs) and the systems-traceability gaps documented in Sections 3.13–9 of this paper (evidence that should exist often cannot be efficiently reconstructed after the fact). Closing NFRs faster than they're issued requires fixing the root cause — the daily business practices in B.6 below — not simply adding more people to write CAP responses.

B.6 The daily-business playbook: what generates audit evidence as a byproduct of good operations, instead of a year-end scramble

Everything above translates into a small number of concrete, year-round habits. None of these are new DoD policy — they are existing requirements, restated here specifically through the lens of what an IPA auditor needs to see:

  • Record the accrual, not just the obligation, and record it close to when the event happens. DoD's own Ten-Day Rule (Section 3.15's obligation-recording standard applies the same logic to accruals) exists precisely because evidence gathered close to the event is far stronger, and far cheaper to produce on demand, than evidence reconstructed months later. Annex A's quick-reference table (A.4) is built around exactly this habit.
  • Treat documentation as part of the transaction, not a separate compliance task. A control that isn't documented cannot pass test of operating effectiveness (B.4) even if it was actually performed — a receiving report without a signature/date, a fund certification without a retained record, or a physical inventory count without a reconciled tally sheet is, from the auditor's perspective, indistinguishable from a control that never happened.
  • Keep property, equipment, and material visible in a government system of record at all times — including when it's physically in a contractor's hands. Per DAU's own FIAR guidance, government-funded material turned over to a contractor is not audit-evidence-sufficient merely because it appears in the contractor's own system; it must also be visible in a government Accountable Property system of record, because that is the system that supports DoD's financial reporting chain.
  • Tag trading-partner and Federal/Non-Federal data at the point of original entry for any intragovernmental transaction (Sections 7.6, 9.8–9.9). This single data element, captured or missed at the moment a MIPR or reimbursable order is created, determines whether an eventual GTAS elimination is a five-minute lookup or a multi-week research project.
  • When an NFR or CAP references your unit, treat root-cause analysis as the actual deliverable, not a formality attached to a one-time fix. Because DoD's aggregate NFR closure rate has run behind its issuance rate for years, a CAP that fixes one transaction without addressing why the underlying control failed is very likely to generate a reissued or related NFR the following audit cycle.
  • Know, before the auditor asks, which of the five B.3 assertions your unit's activity is most exposed on. A unit primarily executing travel and simple purchases is mostly an existence/completeness/accrual-timing risk (Section 7.1–7.2); a unit managing real property or leases is primarily a valuation and presentation risk (Sections 7.4–7.5); a unit executing MIPRs or reimbursable work is primarily a rights-and-obligations/completeness risk (Section 7.6). Knowing this in advance lets a unit focus its limited documentation effort where it actually reduces audit risk, rather than spreading it evenly.
  • Use Annex A's accounting liaison and cross-training recommendations specifically to close the walkthrough gap. An IPA's walkthrough (B.4) is looking for someone who can concretely demonstrate the transaction's path through the system — exactly the capability Annex A's workforce-structure diagnosis shows is currently concentrated away from the units where transactions originate.

B.7 Worked example: how one of this paper's own documented findings would run through the B.1–B.6 lifecycle

To make this concrete, walk the STARS/TTBCASH example already documented in Section 3.13.1 and 3.13.4 through the IPA lifecycle described above, as a single illustrative case study:

  • Risk assessment (B.4): a legacy, retired system (STARS) with a large residual balance is inherently high risk — the underlying transactions are old, the original preparers may no longer be reachable, and the system itself is no longer actively maintained.
  • Walkthrough and substantive testing: the IPA (or, in this case, DoD IG's own audit team) traced the $112.1 billion STARS balance and found it could not be adequately supported — a completeness and existence problem (B.3) at enormous scale.
  • Root cause: the Navy's “point-forward” migration approach (Section 3.13.4) never fully migrated or zeroed out STARS' non-expiring-fund balances — a control-design gap in the migration process itself, not a one-time data-entry error.
  • NFR and CAP: this would generate an NFR requiring a corrective action plan addressing both the immediate balance (research and resolve the $112.1 billion) and the systemic issue (why does DFAS's own archiving fix, originally scoped in 2017, still show incomplete as of mid-2025 per Section 3.13.4) — illustrating exactly why DoD's aggregate NFR closure rate lags issuance: fixing the systemic root cause is a multi-year undertaking, not a single CAP milestone.
  • What daily business could have prevented this: had the original point-forward migration decision been paired with the daily-business habit in B.6 (“treat documentation as part of the transaction, not a separate task”) — specifically, a documented, closed-out reconciliation at the moment STARS was retired rather than an assumption that balances would resolve themselves over time — this NFR would likely never have been necessary at this scale.

This worked example is deliberately built from material already fully sourced and cited earlier in this paper (Section 3.13), rather than a hypothetical — the point is that Sections 1–11 of this paper are not separate from Annex B's audit methodology; they are, collectively, a set of real, documented illustrations of exactly the assertion failures, root causes, and remediation dynamics this annex describes in the abstract.

ANNEX C

The Fund-Management Systems That Aren't Accounting Systems

Budget formulation, fund distribution, and payment-processing systems that sit outside the GL/accounting systems this paper otherwise catalogs, but without which none of those GL systems would ever receive a transaction to post.