REPORT OF INDEPENDENT ACCOUNTANTS ON INTERNAL CONTROL
United States Attorney General and
We have audited the accompanying consolidated balance sheets of the U.S. Department of Justice and its components as of September 30, 2001 and 2000, and the related consolidated statements of net cost, changes in net position and custodial activity, and its combined statements of budgetary resources and financing, for the years then ended, and have issued our report thereon dated February 14, 2002.† Except as explained in that report, we conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.
We did not audit the financial statements of certain components of the Department, including the Office of Justice Programs (OJP), Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI), Immigration and Naturalization Service (INS), U.S. Marshals Service (USMS), Bureau of Prisons (BOP), and Federal Prison Industries, Inc. (FPI), which statements reflect total combined assets of $23.4 and $21.2 billion, and total combined net costs of $16.7 and $16.9 billion, as of and for the years ended September 30, 2001 and 2000, respectively.† Those statements were audited by other auditors whose reports thereon have been furnished to us, and our report on the Departmentís internal control herein, insofar as it relates to these components, is based solely on the reports of the other auditors.
Management of the Department is responsible for establishing and maintaining accounting systems and internal control.† In fulfilling this responsibility, estimates and judgments are required to assess the expected benefits and related costs of internal control policies and procedures.† The objectives of internal control are to provide management with reasonable, but not absolute, assurance that: (1) transactions are properly recorded, processed, and summarized to permit the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; (2) transactions are executed in compliance with laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements, and any other laws, regulations and government-wide policies identified in Appendix C of OMB Bulletin No. 01-02; and (3) transactions and other data that support reported performance measures are properly recorded, processed, and summarized to permit the preparation of performance information in accordance with criteria stated by management.† Because of inherent limitations in any internal control, errors or fraud may nevertheless occur and not be detected.† Also, projection of any evaluation of internal control to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.
In planning and performing our audits of the Departmentís financial statements, we obtained an understanding of the design of significant internal controls and whether they had been placed in operation, tested certain controls and assessed control risks in order to determine our auditing procedures for the purpose of expressing an opinion on the financial statements.† We limited our internal control testing to those controls necessary to achieve the objectives described above, and we did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982.† Our purpose was not to provide an opinion on the Departmentís internal controls.† Accordingly, we do not express such an opinion.
With respect to internal control relevant to data that support reported performance measures, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02.† Our procedures were not designed to provide assurance on internal control over reported performance measures.† Accordingly, we do not provide an opinion on such controls.
We noted, and the reports of other auditors identified, certain matters in the Department's internal control that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants.† Reportable conditions involve matters coming to the auditors' attention relating to significant deficiencies in the design or operation of internal control that, in their judgment, could adversely affect the Department's ability to meet the internal control objectives described in the third paragraph.† Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control elements does not reduce to a relatively low level the risk that errors or fraud in amounts that would be material in relation to the financial statements being audited or material to a performance measure or aggregation of related performance measures may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.† The auditors' consideration of internal control would not necessarily disclose all matters in internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses as defined above.
Overview of Material Weaknesses and Reportable Conditions†
Table 1 summarizes the 13 material weaknesses and 12 reportable conditions identified by componentsí auditors.† We analyzed the reportable conditions identified by the componentsí auditors to determine their effect on the Departmentís internal control over financial reporting and identified three Department-wide reportable conditions that were also considered to be material weaknesses.† All three conditions were identified in our fiscal year 2000 report on the Departmentís internal control.
Table 1: Department-wide Material Weaknesses (M) and Reportable Conditions (R)
The remainder of this report discusses these material weaknesses in greater detail.† Because of the frequency with which these conditions were found within the ten components, we recommend Department-wide corrective actions.
Improvements are needed in the Department's componentsí recordation of financial transactions in accordance with generally accepted accounting principles.
Seven of the components' auditors reported the following deficiencies in the components' recording of financial transactions in accordance with the Statements of Federal Financial Accounting Standards (SFFAS) prescribed by the Federal Accounting Standards Advisory Board:
SFFAS No. 5, Accounting for Liabilities of the Federal Government: Auditors of the DEA, the OBDs, the INS, and the FBI reported that componentsí processes to estimate accounts payable were not adequate or were not completed timely.† Specifically, auditors of the DEA reported that the methodology used by the DEA to estimate accounts payable was not well supported; auditors of the INS reported that due to limitations in the design and operation of its financial management system, the INS does not record accounts payable at the transaction level throughout the year.† Auditors reported that revisions are needed in the FBIís estimation process to allow for timely inclusion in interim and year-end financial statements, and we reported that the OBDs did not always properly record the status of delivered and undelivered obligations.† We also identified that the OBDsí Office of Community Oriented Policing Services used some non-current information in the calculation of accrued grant expenses.†
SFFAS No. 7, Accounting for Revenue and Other Financing Sources: Auditors of the INS, the USMS, the FPI, and the OBDs reported that improvements are needed in the components accounting for earned and deferred revenue.† The auditors of the INS reported that the INS does not have a reliable system that can provide regular, timely data on the number and value of immigration applications and petitions received, completed and pending, which is necessary to support general ledger entries for recording earned revenues when the applications are completed.† Auditors of the USMS reported that its core financial management system does not contain a subsidiary system to record accounts receivable transactions at the customer level.† The auditors of the FPI reported that management did not effectively manage its accounts receivable division and did not consistently or adequately perform collection efforts on its intra-governmental accounts receivable and debt with the public.† We reported that the OBDs do not always ďinvoiceĒ their customers in a timely manner, including services performed for other Department components.†
SFFAS No 6, Accounting for Property, Plant and Equipment: Auditors reported that improvements are needed in the componentsí procedures related to the timely processing, reconciliation, and recording of capitalized property.† Auditors of the FBI reported that a restatement of $11 million to the FBIís fiscal year 2000 financial statements was required because management in the procurement and contract units did not follow FBIís Property Management Manual.† Auditors of the OJP reported that physical inventories were not performed in the last two years; and auditors reported that the USMS has not implemented adequate procedures to ensure capitalized property and improvements are identified and properly recorded.
SFFAS No 3, Accounting for Inventory and Related Property: Auditors of the FPI reported that financial accounting system deficiencies continue to exist in the capture, processing, reporting, and utilization of inventory data.† The FPI did not have effective costing procedures in place to reasonably estimate manufacturing overhead rates, and did not have adequate accountability over the Finished Goods at Customer account.† In addition, FPI has not fully developed adequate business processes to ensure that all finished goods inventory items are consistently valued based on transaction processing methods.† Finally, the auditors reported that one processing factory did not perform periodic and systematic counts of its perpetual inventory records as required by policy.†
SFFAS No. 1, Accounting for Selected Assets and Liabilities: Auditors of the FBI reported that the payment of interest and penalties as required by the Prompt Pay Act has doubled in each of the last two year because of inefficient vendor invoice approval and payment processes.† This also contributed to the under-reporting of FBIís accounts payable and added to the accounts payable estimation workload at year-end.† Auditors reported that the DEA continues to have significant unreconciled differences between the collections and disbursements recorded in its accounting records and those recorded by the U.S. Treasury, and that controls over imprest fund replenishments need to be strengthened.
We recommend that the Chief Financial Officer:
Management Response: Concur.† JMD will require corrective action plans, including time lines, by March 22, 2002, addressing the conditions identified in the consolidated and component audit Reports on Internal Controls.† JMD will further emphasize its accounting standards and policies through the financial statements working group meetings, training, and management monitoring.† JMD will also monitor component compliance with Department and federal standards through component corrective action plans and advise the CFO on non-compliance with the time line completion dates.
Improvements are needed in the Departmentís components' general and application controls over financial management systems.†
In support of the fiscal year 2001 financial statement audits, we and other component auditors relied on the general controls work performed on select Department financial management information systems as part of the Government Information Security Reform Act (GISRA) review.† The FBIís auditors performed similar work on the FBIís information systems.† Our GISRA review was performed, exclusive of the FBI, at the Departmentís data centers, the DEA, the BOP, and the Executive Offices of the United States Attorney (EOUSA).† In addition to the GISRA review, we and other auditors performed testing on the general and application controls over componentsí financial management information systems.
Our GISRA review at the Departmentís data centers, the DEA, the BOP and the EOUSA did not identify weaknesses in financial management systemsí general controls that were deemed to be material weaknesses as defined by the AICPA.† The FBIís auditors reported their findings to the OIG in a separate limited distribution report.†
Component auditors identified weaknesses in six componentsí general and application controls over componentsí financial management information systems that increase the risk programs and data processed on these systems are not adequately protected from unauthorized access or service disruption.† Table 2 outlines the more significant weaknesses identified by the auditors.† Following the table, we summarized some of the specific conditions reported by the componentsí auditors.
Table 2: Components financial information system weaknesses
FBI - Auditors reported that individually or collectively, the weaknesses identified in Table 2 could compromise the agencyís ability to ensure security over sensitive programmatic or financial data, the reliability of its financial reporting, and compliance with applicable laws and regulations.
DEA - Auditors reported that several of DEAís data processing systems: (a) have an expired certification/accreditation; (b) cannot track personnel who are granted access to the system or whose access should be terminated; (c) do not have documented procedures for handling software changes; and (d) cannot trace data entries to source documents.† In addition, the auditors reported that inactive administrator accounts are not removed timely and that security administrator training should be improved, and that the security administratorís duties should be appropriately segregated.†
OJP Ė Auditors reported that user authentication options have not been configured to provide optimal password protection and that several of OJPís servers have not been optimally configured to monitor actual or attempted unauthorized, unusual, or sensitive access.†
INS - Auditors reported that although its financial management system of record has been in development for almost five years, the implementation is not complete, requiring the majority of INSís transactions to be entered into its legacy system. Auditors reported that the legacy system, which has many inherent control weaknesses, now serves as a feeder system to the financial management system of record.† Auditors reported that collectively, the conditions noted above present significant risks to the continued operation of INSís financial management system as a whole.† Without adequate controls over its financial management system, the INS could experience a loss or manipulation of data, expensive efforts to recover the system (and data), as well as financial losses.†
USMS - Auditors reported that significant weaknesses in the USMS's general control environment continue to exist, mainly due to staffing constraints that prevent the implementation of corrective actions to ensure continued reliable operation of the information management system.† Security plans have not been completed for two financial management applications, and contingency plans were either outdated or incomplete.†††
FPI - Auditors reported that vulnerabilities were identified during their internal and external penetration testing, and that the FPI's security plan for the general network needs refinement.† The auditors also reported that the financial accounting system databases lacked the required encryption of information deemed sensitive by the Computer Security Act of 1987 and the Departmentís information system policies.†
In performing our procedures at the Departmentís data centers and on the componentsí financial management information systems, we and other component auditors considered the General Accounting Officeís, Federal Information System Controls Audit Manual; OMB Circular A-130, Appendix III, Automated Information Security Programs; the Computer Security Act of 1987; the Departmentís Order No. 2640.2C, Telecommunications and Automated Information Systems Security and the National Institute of Standards and Technologyís Publications.
We recommend that the Chief Financial Officer:
Management Response: Concur.† JMD will require by March 22, 2002, that componentsí Chief Information Officers (CIO) submit a corrective action plan, including a time line, to the Chief Financial Officer which addresses the cited weaknesses in financial systems and application controls.† The CFO will monitor componentsí efforts to correct deficiencies and hold them accountable for meeting the action plan time lines.†
Management Response: Concur.† The Department will implement the recommendations outlined in the limited distribution reports.
Improvements are needed in the Departmentís financial statement preparation controls and the componentsí compliance with the Departmentís Financial Statement Requirements and Preparation Guide.
The Government Management Reform Act requires federal agencies to submit audited agency-wide financial statements to the OMB by March 1 of each year.† To fulfill this requirement, the Department's ten reporting components prepare separate financial statements that are independently audited and consolidated into the Department's agency-wide financial statements.† The consolidation is performed by the JMD, which has primary responsibility for ensuring the Department's consolidated financial statements are compliant with OMB Bulletin No. 97-01, Form and Content of Agency Financial Statements, as amended.†
In prior reports on the Departmentís internal control, we recommended that the Department implement a strategic plan for financial reporting that addresses the need for consistent reporting among components and the need to involve senior financial and program managers in the financial statement preparation process.† In response to this recommendation, JMD issued a number of Department-wide policies and held periodic meetings with the Department's components where the Departmentís accounting and financial reporting requirements were discussed.†
A key product of JMDís efforts was the issuance of the Financial Statement Requirements and Preparation Guide.† The guide provided instructions for preparing componentsí financial statements, including the form and content of the statements, and the deadlines for completing and submitting them to JMD for consolidation.† Although we believe JMDís efforts provided a solid foundation for improved financial reporting in fiscal year 2001, we and other auditors continue to identify weaknesses in the Departmentís and componentsí financial statement preparation controls:†
The Department and its components corrected material errors and inconsistencies only after JMD, the OIG, or the independent auditors had identified them.† In many cases, the components' financial statements had already been submitted to JMD for consolidation in the Department's financial statements, thus requiring adjustment to the components' financial statements before final auditors' reports on the components' financial statements could be released.† It is essential that all components follow the Department's Financial Statement Preparation and Requirements Guide and other accounting policies to ensure consistency in the Department's consolidated financial statements.† Components' financial managers must perform reviews of financial data to ensure the Departmentís requirements are being met, and the componentsí must eliminate their dependency on accumulating and reporting financial data only once a year.†
Financial management and reporting must be performed throughout the fiscal year and must be complete (e.g. apply full accrual-based accounting).† This will eliminate the need to perform extensive manual financial statement preparation efforts at the end of the fiscal year that are susceptible to error and increase the risk of misstatement in the Department's and componentsí financial statements.† This is especially important given the new financial reporting requirements of the OMB.† Beginning with fiscal year 2002, the Department will have to prepare interim financial statements at March 31, and in fiscal year 2003, quarterly financial statements.† In addition to these multiple reporting dates, the deadlines for the year-end financial statements are being accelerated, approximately one month earlier than the Department was able to fully complete its financial statements in this fiscal year.† Without improvements or fundamental changes to the way components manage their accrual-based financial activities, there is a serious risk that the Departmentís fiscal year 2002 financial statements will not be able to be completed and audited in accordance with required deadlines, possibly resulting in modifications to the auditorsí reports on the Departmentís financial statements, internal control, or compliance with laws and regulations.
We recommend that the Chief Financial Officer:††
Management Response: Concur.† The Financial Statements Guide has already been substantially updated to address the new accounting, reporting, and due date requirements for FY 2002, as amended by OMB, FASAB and the Department.† The Guide contains a time line which identifies critical milestones in completing FY 2002 requirements, including interim financial statements and intra-governmental trading partner reconciliations.† The Guide has been distributed for comment and a final version is expected to be issued to components by approximately March 15, 2002.† JMD will continue to monitor componentsí efforts to ensure that financial statements are prepared in accordance with the Guide.
Management Response: Concur.† The Department recognizes that its financial statement preparation and consolidation functions would be improved with more consistent and standardized practices and systems.† The Financial Statements Guide revisions for FY 2002 statements are designed to significantly improve the consistency of information submitted by components for the consolidated statements.† As noted above, the FY 2002 Guide will be issued on or about March 15, 2002.† Plans are underway to acquire a Unified Financial Management System that is compliant with JFMIP requirements, and that system will form the Departmentís single core financial management system application.† As a result of the unified system project, the Department will realize improved consistency of processing and data standardization across the components, an improvement which will aid in the preparation of the consolidated financial statements.† The project will be a multi-year effort, with implementation beginning with noncompliant legacy systems.
STATUS OF PRIOR YEAR'S FINDINGS AND RECOMMENDATIONS
As required by Government Auditing Standards and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, we have reviewed the status of the Departmentís corrective actions with respect to the findings and recommendations from our previous reports on the Departmentís internal controls.† The following analysis provides our assessment of the progress the Department has made in correcting the material weaknesses and reportable conditions identified in these reports.† We also provide the Office of the Inspector General report number that remains open for audit follow-up, our recommendations for improvement, and the status of the condition as of September 30, 2001:
As required by OMB Bulletin No. 01-02, we have compared the material weaknesses and material nonconformances reported by management in the Departmentís Federal Managersí Financial Integrity Act (FMFIA) Report to our report on the Departmentís internal control.† We determined that the third material weakness in our report was not reported in the Departmentís FMFIA report; however, we do not believe that the failure to report this material weakness constitutes a separate reportable condition or material weakness because there are different criteria used to determine material weaknesses for both reports and management has reported, in general terms, some of the material weaknesses relating to componentsí financial accounting and reporting processes.† However, management did not specifically identify financial statement preparation as a material weakness in their fiscal year 2001 FMFIA certification.
Components' auditors identified other reportable conditions that we considered not to be reportable conditions in relation to the Departmentís consolidated financial statements.† A summarization of these and other less significant issues will be addressed to the Departmentís management in a separate consolidated management letter dated February 14, 2002.† In addition, components' auditors provided separate management letters to components' management with respect to less significant control issues that were identified during the components' audits.
This report is intended solely for the information of the Attorney General and management of the Department, the Office of the Inspector General, the OMB, and Congress.† This report is not intended to be and should not be used by anyone other than these specified parties.
February 14, 2002