R 030035Z OCT 19
MARADMIN 548/19
MSGID/GENADMIN/CMC MRA DAG SECT WASHINGTON DC//
SUBJ//MARINE CORPS CIVILIAN PERSONNEL AND PAY SYSTEMS USER CONTROL REQUIREMENTS//
REF/A/OMB CIRCULAR A-123 APPENDIX A AND D//
REF/B/GAO-17-704G//
REF/C/NIST SP 800-53 REV 4 OF APRIL 2013//
REF/D/DODI 5010.40//
REF/E/DOD ICOFR GUIDE OF MAY 2018//
REF/F/DOD FINANCIAL STATEMENT AUDIT GUIDE OF MAY 2018//
POC/KEVIN RAFFERTY/HQMC M&RA (MX)/TEL: 703-784-4791/DSN 278-4791/EMAIL KEVIN.RAFFERTY@USMC.MIL//
GENTEXT/Remarks/References (a) and (b) guide Federal Government organizations on their responsibilities for controls over financial operations, financial systems, and non-financial operations. Reference (c) provides control standards for information system Service Organizations and users. References (d) through (f) provide DoD-specific guidance for Financial Improvement and Audit Readiness.
1. Situation.
1.A. General. This MARADMIN issues interim guidance for implementing controls associated with Marine Corps use of Department of Defense (DoD) civilian employee personnel and pay systems.
1.A.1. The Commandant of the Marine Corps (CMC) uses information systems provided by other DoD organizations to deliver personnel and pay support for Marine Corps Appropriated Fund (APF) civilian employees. CMC retains responsibility for the accuracy and security of the business processes supported by these systems, and must ensure appropriate controls are in place for the information systems and Marine Corps users.
1.A.2. Service Organizations which provide financial or transactional services for other organizations undergo annual audits with results documented in a System and Organization Controls Report (SOC-1). The SOC-1 identifies findings that must be addressed by the Service Organization and outlines system controls relevant to User Entities’ (UE) internal controls over financial reporting. The Marine Corps is the UE for systems identified in paragraph 1.B.
1.A.3. Complementary User Entity Controls (CUECs). In many cases, control objectives stated in the SOC-1 cannot be achieved by the service organization alone. In their SOC-1, Service Organizations identify CUECs, which are controls the Service Organization recommends system users implement to “complement” the controls embedded in the IT system.
1.B. Service Organizations. The Marine Corps receives personnel and pay services for APF civilian employees from two Service Organizations:
1.B.1. The Defense Finance and Accounting Service is the Service Organization for the Defense Civilian Pay System (DCPS). DCPS is the payroll system for APF civilian employees.
1.B.2. The Defense Manpower Data Center, a component of the Defense Human Resources Activity, is the Service Organization for the Defense Civilian Personnel Data System (DCPDS). DCPDS is the personnel system for Marine Corps APF civilian employees.
2. Mission. Functional Advocates (FAs) for APF civilian personnel and pay systems, under the direction of DC M&RA, review Service Organizations’ SOC-1 reports and supervise Marine Corps compliance with relevant CUECs in order to ensure civilian personnel processes operate without risk of material misstatement.
3. Execution.
3.A. Commander’s Intent. The purpose of implementing and testing CUECs associated with DCPS and DCPDS is to support an assertion that Marine Corps APF civilian employee personnel and pay processes are operating without any control deficiencies or material weaknesses.
3.B. Concept of Operations.
3.B.1. Method. Marine Corps Functional Advocates acknowledge receipt of SOC-1s, review CUECs for applicability, ensure appropriate controls are designed and implemented in the Marine Corps, and test effectiveness of the controls.
3.B.2. End State. Personnel and pay systems and processes supporting Marine Corps APF civilian employees operate according to their design objectives without deficiencies or material weaknesses.
3.C. Tasks.
3.C.1. Director, Marine Corps Staff, Administration and Resource Management Division (DMCS (ARF)). Execute FA responsibilities for Marine Corps use of DCPS, as identified in paragraph 3.D. of this MARADMIN.
3.C.2. Deputy Commandant, Manpower and Reserve Affairs, Civilian Human Resources Branch (M&RA (MPC)). Execute FA responsibilities for Marine Corps use of DCPDS, as identified in paragraph 3.D. of this MARADMIN.
3.C.3. Deputy Commandant, Manpower and Reserve Affairs, Manpower Strategy Branch (M&RA (MX)). Coordinate with external and Marine Corps internal organizations as necessary to support and facilitate FAs’ execution of their SOC-1 and CUEC responsibilities, including participation in internal, external, and full financial statement audits.
3.D. Coordinating Instructions. FAs identified in paragraph 3.C. of this MARADMIN will:
3.D.1. Acknowledge and review SOC-1 reports to determine whether the Service Organization’s system description is presented fairly and whether the system controls are suitably designed and operating effectively. The FA should evaluate the impact on Marine Corps operations of any system control deficiencies or weaknesses identified in the SOC-1.
3.D.2. Review CUECs to determine if they are applicable to the Marine Corps and document rationale for CUECs not applicable to the Marine Corps. For CUECs applicable to the Marine Corps, design appropriate controls, verify they have been implemented in the Marine Corps, test the controls, and document testing results.
3.D.3. Develop and supervise execution of Corrective Action Plans to address conditions identified during their review of the SOC-1, CUEC testing, and full financial audit Notices of Findings and Recommendations, which apply to the systems and processes for which they are FAs.
3.D.4. Develop, maintain, and ensure compliance with Marine Corps service-level policies related to processes and systems covered by the SOC-1.
3.E. Commander’s Critical Information Requirements. Report to M&RA (MX):
3.E.1. DCPS and DCPDS SOC-1 deficiencies and any CUECs the Marine Corps is unable to perform.
3.E.2. DCPS and DCPDS non-compliance, control deficiencies, or material weaknesses identified by auditing agencies such as GAO, DoDIG, the Full Financial Statement Audit, Naval Audit Service, and the Marine Corps Administrative Analysis Team.
3.E.3. Identification or discovery of systems provided by external Service Organizations which have not provided a SOC-1.
4. Administration and Logistics. M&RA (MX) has coordinated contents of this message with representatives of DMCS (ARF), M&RA (MPC), and P&R (RFD/A-123).
5. Command and Signal.
5.A. M&RA (MX) is the Office of Primary Responsibility for Financial Improvement and Audit Readiness for Marine Corps Hire-to-Retire business processes.
5.B. Release Authorized by Lieutenant General M.A. Rocco, Deputy Commandant, Manpower and Reserve Affairs.//