PricewaterhouseCoopers LLP
Suite 800W 1301 K St., N.W.
Washington DC 20005-3333

REPORT OF INDEPENDENT ACCOUNTANTS ON INTERNAL CONTROL

United States Attorney General and
The Office of the Inspector General
United States Department of Justice  

We have audited the accompanying consolidated balance sheets of the U.S. Department of Justice and its components as of September 30, 2002 and 2001, and the related consolidated statements of net cost, changes in net position and financing, and its combined statements of budgetary resources and custodial activity, for the years then ended, and have issued our report thereon dated January 15, 2003.  We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.

We did not audit the financial statements of certain components of the Department, including the Office of Justice Programs (OJP), Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI), Immigration and Naturalization Service (INS), and U.S. Marshals Service (USMS), which statements reflect total combined assets of $17.5 and $15.8 billion and total combined net costs of $15.6 and $12.8 billion, as of and for the years ended September 30, 2002 and 2001, respectively.  We did not audit the financial statements of the Bureau of Prisons (BOP) and the Federal Prison Industries, Inc. (FPI), which statements reflect total combined assets of $7.6 billion and total combined net costs of $4.0 billion, as of and for the year ended September 30, 2001; and we did not audit the summarized financial information of the Victim Compensation Fund, which transactions reflect total assets of $111.8 million and total benefit payments of $20.2 million, as of and for the year ended September 30, 2002.  Those statements and financial information were audited by other auditors whose reports thereon have been furnished to us, and our report on the Department’s internal control herein, insofar as it relates to these components, is based solely on the reports of the other auditors.

Management of the Department is responsible for establishing and maintaining accounting systems and internal control.  In fulfilling this responsibility, estimates and judgments are required to assess the expected benefits and related costs of internal control policies and procedures.  The objectives of internal control are to provide management with reasonable, but not absolute, assurance that: (1) transactions are properly recorded, processed, and summarized to permit the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; (2) transactions are executed in compliance with laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements, and any other laws, regulations and government-wide policies identified in Appendix C of OMB Bulletin No. 01-02; and (3) transactions and other data that support reported performance measures are properly recorded, processed, and summarized to permit the preparation of performance information in accordance with criteria stated by management.  Because of inherent limitations in any internal control, errors or fraud may nevertheless occur and not be detected.  Also, projection of any evaluation of internal control to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.

In planning and performing our audits of the Department’s financial statements, we obtained an understanding of the design of significant internal controls and whether they had been placed in operation, tested certain controls and assessed control risks in order to determine our auditing procedures for the purpose of expressing an opinion on the financial statements.  We limited our internal control testing to those controls necessary to achieve the objectives described above, and we did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982.  Our purpose was not to provide an opinion on the Department’s internal controls.  Accordingly, we do not express such an opinion.

With respect to internal control relevant to data that support reported performance measures, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02.  Our procedures were not designed to provide assurance on internal control over reported performance measures.  Accordingly, we do not provide an opinion on such controls.

We noted, and the reports of other auditors identified, certain matters in the Department's internal control that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants (AICPA).  Reportable conditions involve matters coming to the auditors' attention relating to significant deficiencies in the design or operation of internal control that, in their judgment, could adversely affect the Department's ability to meet the internal control objectives described in the third paragraph.  Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control elements does not reduce to a relatively low level the risk that errors or fraud in amounts that would be material in relation to the financial statements being audited or material to a performance measure or aggregation of related performance measures may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.  The auditors' consideration of internal control would not necessarily disclose all matters in internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses as defined above.

Overview of Material Weaknesses and Reportable Conditions 

Table 1 summarizes the nine material weaknesses and ten reportable conditions identified by components’ auditors.  We analyzed these conditions to determine their effect on the Department’s internal control over financial reporting and determined that there are two Department-wide reportable conditions that we also considered to be material weaknesses. 


Table 1: Department-wide Material Weaknesses (M) and Reportable Conditions (R)


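| Department (DOJ) Condition During Fiscal Year 2002 | DOJ | OBD | AFF | FBI | DEA | OJP | INS | USM | BOP | FPI | WCF |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Improvements are needed in the Department's financial accounting and reporting. | M | M | R | M M | R | - | M M | R | R | R | M |
| Improvements are needed in the Department’s components' general and application controls over financial management systems. | M | R | - | M | R | R | M | R | R | M | - |
| Total Material Weaknesses Reported by components’ auditors, FY2002 | 9 | 1 | 0 | 3 | 0 | 0 | 3 | 0 | 0 | 1 | 1 |
| Total Material Weaknesses Reported by components’ auditors, FY2001 | 13 | 0 | 0 | 3 | 4 | 0 | 3 | 1 | 0 | 2 | 0 |
| Total Reportable Conditions Reported by components’ auditors, FY2002 | 10 | 1 | 1 | 0 | 2 | 1 | 0 | 2 | 2 | 1 | 0 |
| Total Reportable Conditions Reported by components’ auditors, FY2001 | 12 | 2 | 0 | 1 | 1 | 3 | 1 | 2 | 0 | 2 | 0 |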

Offices, Boards and Divisions (OBD); Assets Forfeiture Fund and Seized Asset Deposit Fund (AFF); Working Capital Fund (WCF); United States Marshals Service (USM). 

In our fiscal year 2001 report on internal control, we reported separate material weaknesses related to financial accounting, financial statement preparation, and the general and application controls over financial management systems.  In this report, we combined the material weakness on financial accounting with the remaining elements of the material weakness on financial statement preparation into one material weakness on financial accounting and reporting. The remainder of this report discusses the two material weaknesses in greater detail.  Because of the frequency with which these conditions were found within the ten components, we recommend Department-wide corrective actions.

* * * * * * * * * *



Improvements are needed in the Department's financial accounting and reporting.

The Department is required to prepare and submit audited agency-wide financial statements to the OMB by January 31, 2003.  To fulfill this requirement, the Department's ten reporting components prepare separate financial statements that are independently audited and consolidated into the Department's agency-wide financial statements.  This consolidation is performed by the Justice Management Division (JMD), which has primary responsibility for ensuring the Department's consolidated financial statements are compliant with OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements.

In our prior reports on the Department’s internal control, we recommended that the Department standardize components’ recordation of financial transactions in accordance with generally accepted accounting principles (GAAP) and assess the viability of developing a single core financial management system that will improve the consistency of data processing and financial reporting across the Department’s components.  We also recommended that the Department continually update its Financial Statement Requirements and Preparation Guide as new accounting and reporting requirements are implemented and record accrual based financial transactions throughout the fiscal year.

During fiscal year 2002, the Department implemented a plan to acquire a Unified Financial Management System that is compliant with Joint Financial Management Improvement Program (JFMIP) requirements and will form the Department’s core financial management system.  Management believes the Unified System will improve consistency among the Department’s components’ financial accounting and reporting and will aid in the Department’s preparation of the consolidated financial statements.  The project will be a multi-year effort, with implementation beginning with noncompliant legacy systems in fiscal year 2004.  In addition to this major system effort, JMD issued several policy revisions to the Department’s Financial Statement Requirements and Preparation Guide to address new accounting and reporting requirements. 

Although these efforts continue to provide a foundation for improved financial reporting in future years, we and other auditors identified weaknesses in the Department’s and components’ internal controls over financial accounting and reporting during fiscal year 2002.  Specifically, we identified weaknesses in the Department’s and components’ financial management, financial systems, and financial statement preparation.

Financial Management

Nine of the components' auditors reported that components did not adequately record financial transactions throughout the fiscal year in accordance with GAAP, as summarized below:

Statements of Federal Financial Accounting Standards (SFFAS) No. 5, Accounting for Liabilities of the Federal Government: We reported that some of the WCF, OBDs, BOP, and AFF program offices did not adjust the status of obligations on a quarterly basis as required by policy; as a result, program offices performed extensive manual efforts at the end of the fiscal year to correct the status of obligation records.  The process of reviewing the status of obligations only at the end of the year, when staff resources are limited, increases the risk that errors will go undetected and result in misstatements in the Department’s consolidated financial statements.

Auditors of the DEA and FBI reported that these components must implement effective controls or adhere to established processes to manage their obligated funds and to ensure that obligation transactions are recorded in the appropriate period.  Reconciliation and quarterly certifications of outstanding obligations were not performed in accordance with policy, increasing the risk that the status of obligations was incorrect or not recorded in the proper period.

Auditors of the INS reported that procedures for identifying and obtaining unobligated commitments and contingencies throughout the fiscal year have not been developed.  We reported that the FPI did not have procedures in place to estimate the amount of warranty costs on product sales during fiscal year 2002.  Failure to establish procedures to routinely identify and value commitments and contingencies could result in an understatement of liabilities on the Department’s financial statements.  Finally, auditors of the USMS reported that adjustments to accrued liabilities were necessary because the USMS does not have formal policies or procedures for ensuring these accounts are updated and reconciled on a recurring and timely basis. 

SFFAS No. 7, Accounting for Revenue and Other Financing Sources: Auditors of the INS, FPI, OBDs, and WCF reported that improvements are needed in the components’ accounting for revenue and related accounts receivable.  The auditors of the INS reported that INS’s service-wide inventory plan does not include procedures that address interim financial reporting for undeposited collections.  We reported that the OBDs and WCF do not always “invoice” their customers in a timely manner, including services performed for other Department components.  Finally, we reported that FPI did not always recognize sales in accordance with GAAP or FPI policy, including classifying installation and shipping sales as “other income” and shipping products prior to obtaining an authorized purchase order.

SFFAS No. 6, Accounting for Property, Plant and Equipment: Auditors of the FBI reported that management adjusted FBI’s fiscal year 2002 financial statements for capitalized property acquired prior to fiscal year 2002 because management did not enter this property into FBI’s property management system.

SFFAS No. 3, Accounting for Inventory and Related Property:  We reported that valuation and status errors existed in AFF’s seized and forfeited property account balances.  We noted that several conditions exist which cause incorrect status or values, including: (a) not processing forfeiture orders in a timely manner, (b) the failure to obtain and/or enter appraisals based on the fair market value of the seized/forfeited properties throughout the fiscal year, and (c) the failure to adjust property management systems for errors identified in physical inventory counts.  Auditors of the FBI reported that errors were identified in the reporting of seized property held for evidence, including errors resulting from monetary asset dispositions, mathematical errors and misclassification of property.

SFFAS No. 1, Accounting for Selected Assets and Liabilities: We reported that the Office of Community Oriented Policing Services (COPS), a reporting component of the OBDs, used financial data more than one year old to estimate the amount of advances and accrued grant expenditures to grantees participating in the COPS program.  Using non-current financial information in developing estimates increases the risk of misstatements in the grant advance and accrued grant payables account balances.  Auditors of the INS reported that intragovernmental advances are not reported at the transaction level in INS’s general ledger; thus, INS is not able to obtain accurate information on advances on an on-going basis.  In addition, INS auditors reported that improvements are needed when performing monthly or quarterly reconciliations of accounts receivable.


Because some of the Department’s components do not completely record financial transactions throughout the fiscal year, significant manual efforts are required at the end of the year to obtain, record, analyze and adjust financial information necessary for financial statement preparation in accordance with GAAP.  Gathering financial data only at year end does not provide sufficient time for management to analyze transactions or account balances; and as a result, there is an increased risk that errors and inconsistencies existing in components’ financial statements would not be detected. 

Financial Management Systems

We and other auditors reported that components’ financial management systems are not configured to support financial statement preparation and on-going financial management.  Additionally, the systems do not adequately process, track or provide accurate, timely and accessible financial information.  The weaknesses components’ auditors reported are summarized below:

Property and Leasehold Improvements:  FBI auditors reported weaknesses in property management input and processing controls and noted that there is no independent verification of information entered into the FBI’s property management system.  Auditors of the USMS, INS, OBDs and WCF reported that these components do not have property management systems that are integrated with the components’ core financial management systems, requiring redundant manual data entry to record basic property management transactions such as acquisitions, disposals and depreciation.  Separate manually prepared schedules are often used to track capitalized property and leasehold improvements, increasing the risk that property transactions initially recorded in the core financial management system as costs are not identified and entered in the manually prepared property schedules and, therefore, misstate capitalized property and leasehold improvements on the Department’s financial statements.   

Revenue and Accounts Receivable:  Auditors reported that the INS does not have a reliable system that can provide timely data on the number and value of immigration applications and petitions received, completed or pending.  As a result of these system deficiencies, the INS must record revenue as application fees are collected, not when the application has been processed and the fees are actually earned.  In addition, INS must perform a manually intensive inventory of outstanding applications and petitions at the end of the fiscal year to determine the amount of fees that have been collected but not earned. 

Auditors reported that the USMS’s core financial management system does not contain a subsidiary ledger to allow for transactions to be recorded at the customer level, requiring a separate spreadsheet to track reimbursable agreements, costs, billings and subsequent collections that is used to adjust the USMS’s general ledger.

We reported that the Executive Office for United States Trustees (EOUST) fee collection system is not integrated with the OBDs’ core financial management system and does not provide case-level information to support the Chapter 11 Quarterly Fees due from the public. As a result, accrual-based financial transactions are updated once a year through a manual adjusting entry to the OBDs’ general ledger.

Expenses and Accounts Payable:  Auditors of INS reported that program codes used to ensure proper allocation of direct program costs among goals and programs were not consistently used during INS’s implementation of a new financial management system, and INS used expenses recorded in their legacy system to determine the allocation percentage to be used on costs recorded in their new system.  In addition, auditors reported that INS was not able to effectively record accounts payable at the transaction level. 

Financial Statement Preparation

We identified weaknesses in the Department’s consolidating financial statement preparation procedures, some of which were caused by components’ improper application of the Department’s accounting and reporting requirements.  We identified the following:

Auditors of the FBI reported that inadequate resources and delayed recording of accruals for expenses and associated liabilities led to delays in meeting some of the Department’s established deadlines for financial statement preparation.  Insufficient personnel resources are assigned to perform the many tasks needed to produce the annual financial statement package and to support the ongoing audit process on a timely basis.  A small core group of staff has assumed responsibility for developing year-end estimates and accruals, preparing intra-governmental trading partner provider listings, processing year-end adjustments, and providing documentation and explanations needed to complete the audit in a timely manner. 

We reported that some of the OBDs did not incorporate intra-entity accounting concepts in their processing of transactions with other Department reporting components, requiring finance staff to perform an extensive search of its databases to obtain, analyze, and reconcile amounts with their trading partners.  We also reported that some of the OBDs and WCF did not provide adequate documentation supporting account balances until after the established deadlines, and in a few instances, documentation was not provided until the last few days of the audit.

Components’ financial accounting and reporting must be performed throughout the fiscal year and must include both budgetary and accrual-based accounting concepts.  Components must eliminate their dependency on obtaining, analyzing and adjusting financial information only at the end of the fiscal year when staff resources are strained by competing tasks.  This is especially important given the new financial reporting requirements of the OMB and the Department.  Beginning with fiscal year 2003, the Department will have to prepare interim financial statements quarterly, and may have to complete its year-end financial statements approximately one month earlier than in the current fiscal year.  In addition, components must improve the participation of program offices in the gathering and analyzing of financial data necessary to prepare components’ financial statements.  The financial statement preparation effort must be a component-wide effort, involving program, budget, and administrative offices.

Standardized accounting policies and procedures for all components are needed and should be communicated in the Department's Financial Statement Requirements and Preparation Guide, thereby ensuring consistency in the Department's consolidated financial statements.  As part of this effort, the Department’s financial management systems should be configured to support not only basic financial accounting and reporting functions, but should also integrate budget, financial and performance information that managers can use to make decisions on their programs throughout the fiscal year.  Without fundamental changes to the Department’s and components’ financial management, there is a serious risk that the Department’s fiscal year 2003 financial statements will not be completed timely and in accordance with generally accepted accounting principles, resulting in modifications to the auditors’ reports on the Department’s financial statements, internal control, or compliance with laws and regulations.

Recommendation

We recommend that the Chief Financial Officer:

  1. Issue guidance that requires components to perform financial accounting and reporting throughout the fiscal year and include both budgetary and accrual-based accounting concepts in this guidance.  Components should analyze financial information throughout the fiscal year when staff resources are not constrained by year-end financial closing processes.  Adjustments should be made as errors are identified instead of waiting until the end of the fiscal year.

    Management Response:  Concur.  JMD will continue to emphasize its accounting standards and policies for quarterly reporting requirements through the Financial Managers Council and Financial Statements Working Group Meetings.  We will also require corrective action plans in March 2003, addressing the conditions identified in the components’ audit reports and provide updates to the CFO on components’ progress in correcting the material weaknesses and reportable conditions.
  2. Continue the implementation of a core financial management system that is compliant with JFMIP requirements and require its use by components.  The core financial system should include, but not be limited to, applications that support: (a) funds control [e.g. budget execution]; (b) obligation accounting and control; (c) cash management; (d) inventory and property management; (e) the standard general ledger; (f) financial statement preparation, consolidation and reporting; and (g) customer/vendor recognition.  To the extent possible, the financial management system should be able to provide real-time financial data and provide flexibility in meeting external reporting requirements.  Finally, a standard transaction inventory schedule should be developed and implemented in the system that describes the accounting transaction and the standard general ledger accounts to be used [both proprietary and budgetary], and assigns a transaction code to each transaction.  During the development of the transaction schedule, we strongly encourage the use of the Department of the Treasury’s Treasury Financial Manual, Section III, which provides a detailed list of budgetary and proprietary transactions and the U.S. Government Standard General Ledger accounts affected.

    Management Response:  Concur.  The Department is committed to implementing a Joint Financial Management Improvement Program (JFMIP) certified core financial system.  During FY 2002, the Department established a formal Project Management Office, completed core systems requirements, timeline, acquisition documents, and met with core software providers.  Implementation at DOJ components will begin during FY 2004 and continue through FY 2007.  JMD will ensure that the financial management system meets the functional requirements of JFMIP.
  3. Update the Department’s Financial Statement Requirements and Preparation Guide for the following:

    A.     Reinforce the fact that the components’ financial activities represent segments of the Department’s consolidated financial statements, and that components’ financial accounting and reporting must be completed in the form and content prescribed by the Department, including information presented in required supplementary information and the Management’s Discussion and Analysis.

    B.     Eliminate the components’ ability to adjust components’ financial statements or account balances without guidance and concurrence from the Department’s consolidated finance staff, the OIG and the consolidated auditors.  Materiality decisions should only be made at the consolidated financial statement level.

    C.     Include new accounting and reporting policies and procedures for, but not limited to: (a) the accounting of non-standard transactions (e.g. unobligated balance transfers), (b) property management (e.g. capitalization criteria), (c) budgetary accounting issues (e.g. status of obligations), and (d) an accounts grouping worksheet crosswalk for the Department’s Statement of Budgetary Resources and Statement of Financing. Alternatively, a separate accounting manual that documents the Department’s policies and procedures could be developed that complements the Department’s Financial Statement Requirements and Preparation Guide.

    D.     Communicate to the components, in a timely manner, all changes made to the Department’s Financial Statement Requirements and Preparation Guide.

    Management Response:  Concur.  JMD will strictly enforce new accounting and reporting policies through the Financial Statements Requirement and Preparation Guide, addressing the conditions identified above.  In addition, JMD plans to implement a financial statements consolidation tool in FY 2003.  This tool will require components to submit data import files/templates based on standard general ledger account methodologies for all financial statements, footnotes and required supplementary information.
  4. Provide training to components’ program and finance staff responsible for financial management.  Include a detailed discussion on the Department’s consolidated accounting and reporting requirements and emphasize that components’ financial statements are segments of the Department’s consolidated financial statements requiring the components’ statements to be prepared in the form and content prescribed by Department policy.

    Management Response:  Concur.  JMD agrees that responsible staff should have a general knowledge of the OMB reporting requirements for consolidated financial statements.  JMD will continue to encourage component senior management to enforce OMB’s reporting requirements at the component level.  In addition, JMD will brief these managers on the overall audit process, and the importance of the corrective action plans.  JMD will also continue to emphasize the importance of adhering to the requirements of the Guide.



Improvements are needed in the Department’s components' general and application controls over financial management systems. 

In support of the Department’s fiscal year 2002 consolidated financial statement audit, we performed an assessment of the general controls established over four mainframe environments located at the Department’s data centers that process financial and other applications for the bureaus, offices, boards, and divisions within the Department.  The Department’s Computer Services Staff (CSS), the Information Management and Security Staff (IMSS) and the various components of the Department share the responsibility for establishing and maintaining the overall security and control environment at the Department’s data centers.  The IMSS provides the overall security framework for the CSS to formulate and enforce security policies and procedures at the data centers.  The CSS coordinates, with the IMSS and the components, the decentralization of logical security administration as well as the development and testing of an entity-wide business continuity plan.  We conducted our general controls review for the fiscal year ending September 30, 2002.

Our review of financial management system general controls conducted at the Department’s data centers did not identify material weaknesses as defined by the AICPA.  The FBI’s auditors reviewed the FBI’s information systems control environment and reported their detailed findings to the Office of the Inspector General in a separate limited distribution report.

In performing procedures at the Department’s data centers and on the components’ financial management information systems, we and other component auditors considered the General Accounting Office’s Federal Information System Controls Audit Manual; OMB Circular A-130, Appendix III, Automated Information Security Programs; the Department’s Order No. 2640.2C, Telecommunications and Automated Information Systems Security; and other guidance.  Table 2 outlines the more significant weaknesses identified by the auditors.  Following the table, we summarized some of the specific conditions reported by the components’ auditors.

Table 2: Components’ financial information system weaknesses


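| General Control Weaknesses | OBD | FBI | DEA | INS | USM | BOP | FPI | OJP |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Entity-wide Security | X | X |  |  |  |  | X |  |
| Access Controls | X | X | X | X | X | X | X | X |
| Application Software Development and Change Controls/System Development Life Cycle (SDLC) |  |  |  | X |  | X | X |  |
| Service Continuity |  | X |  | X | X |  | X | X |
| Segregation of Duties | X | X |  | X | X | X |  |  |
| System Software |  | X |  |  |  |  | X |  |
| Data Processing Controls/Specific Applications | X |  | X |  |  |  |  |  |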

OBD - We reported that the U.S. Trustees’ Fee Information and Collection System contained weaknesses in entity-wide security program management, segregation of duties (programmers and security administrators have inappropriate access), and data input, processing and output controls.

FBI - Auditors reported that individually or collectively, the weaknesses identified in Table 2 could compromise the agency’s ability to ensure security over sensitive programmatic or financial data, the reliability of its financial reporting, and compliance with applicable laws and regulations.

DEA - Auditors reported that improvements are needed in security administrator training and account administration.  In addition, improperly configured authentication, authorization, and audit policy vulnerabilities were identified across twelve hosts on the DEA’s Firebird System.  Finally, weaknesses were observed in the input and processing controls of DEA’s Property Management System for Motor Vehicles.

INS - Auditors reported that INS’s legacy financial management system continues to exhibit control weaknesses in the areas of segregation of duties, access controls, change control, and service continuity.  Management believes the weaknesses are costly or impractical to correct and is forgoing corrective actions in order to concentrate on the implementation of its new financial management system.  These weaknesses, however, present continuing risks to INS’s financial management as a whole.  With respect to INS’s new financial management system, auditors reported that during initial phases of the implementation, weak access controls were identified and subsequently corrected.  Finally, auditors reported that access control weaknesses continue to exist in INS’s general network control environment.

USMS - Auditors reported that weaknesses in the USMS's general network control environment continue to exist in the areas of user access, service continuity, and segregation of duties.  With respect to the USMS’s core financial management system, auditors reported that (a) change control procedures do not exist for a Web application, (b) there was improper access provided on user accounts, and (c) password controls did not meet Department requirements.

BOP - We reported that a formal documented and agreed-upon SDLC methodology was not in place for development, implementation, and maintenance efforts.  We also reported that SENTRY programmers have the ability to move data between the development and production environments in violation of the Department’s security requirements, and SENTRY System Change Request files are missing change control documentation.

FPI - We reported that there have been no updates, modifications, and/or corrections to findings identified in an independent risk assessment of FPI’s entity-wide security management.  We also reported that (a) policies have not been effectively implemented for requesting, authorizing, and terminating user access to FPI systems, (b) administrator and user level accounts have weak password control, (c) staff are not following FPI’s SDLC (change controls), and (d) there have been no updates to FPI’s contingency plan to reflect the physical and logical access changes made to the current operating environment.

OJP - Auditors reported that access controls are weak; specifically, user authentication options have not been configured to provide optimal password protection.  In addition, improvements are needed in service continuity to ensure OJP can restore its capability to process, retrieve, and protect information in the event of service interruption.

The weaknesses identified by components’ auditors in the components’ general and application controls increase the risk that programs and data processed on components’ information systems are not adequately protected from unauthorized access or service disruption. 

Recommendations

We recommend that the Chief Information Officer:

  1. Require the components’ Chief Information Officers (CIO) to submit corrective action plans that address the weaknesses identified above.  The action plans should focus on correcting deficiencies in entity-wide security, access controls, application software development and change controls, service continuity, segregation of duties, system software, and other specific application control weaknesses discussed in the components’ auditors reports on internal control.  The corrective action plans should include a timeline that establishes when major events must be completed, and the Department’s CIO should monitor components' efforts to correct deficiencies and hold them accountable for meeting the action plan timelines.

Management Response: Concur.  The Department’s CIO will work with component CIOs to ensure that comprehensive plans of action and milestones (POAMs) are developed to address the findings identified in the audit report.  Components’ POAMs will be updated into the Department’s Security Management and Reporting Tool (SMART) database and will be monitored by the CIO staff to ensure progress is achieved.

* * * * * * * * * *

STATUS OF PRIOR YEARS FINDINGS AND RECOMMENDATIONS

As required by Government Auditing Standards and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, we have reviewed the status of the Department’s corrective actions with respect to the findings and recommendations from our previous reports on the Department’s internal controls.  The following analysis provides our assessment of the progress the Department has made in correcting the material weaknesses and reportable conditions identified in these reports.  We also provide the Office of the Inspector General report number that remains open for audit follow-up, our recommendations for improvement, and the status of the condition as of September 30, 2002:

| Report | Reportable Condition | Status |
|--------|----------------------|--------|
| 01-07 (2000) | Material Weakness: The Department’s components did not record financial transactions in accordance with generally accepted accounting principles, laws and regulations, or the Department’s financial reporting policies.  Recommendations: Emphasize the proper processing and recording of financial transactions in accordance with generally accepted accounting principles and monitor components’ efforts to eliminate the weaknesses. | In Process (a) |
| 98-07A (1997) | Material Weakness: The Department must perform key reconciliations.  In fiscal year 1997, this was reworded to emphasize reconciliation of fund balance with Treasury, and was downgraded to a reportable condition in fiscal year 1998.  Recommendations: Perform reconciliations and resolve all differences on a timely basis. | Closed |
| 01-07 (2000) | Material Weakness: Improvements are needed in components’ general and application controls over financial management systems and the general controls at the Department’s data processing centers.  Recommendations: Implement corrective actions identified in data center reports and monitor components’ efforts to correct control deficiencies at the component level. | In Process |
| 02-06 (2001) | Material Weakness: Improvements are needed in the Department’s financial statement preparation controls and the components’ compliance with the Department’s Financial Statement Requirements and Preparation Guide.  Recommendations: Require components to follow the Department’s Financial Statement Requirements and Preparation Guide, revise the Guide for new accounting and reporting requirements, and assess the viability of centralizing components’ information systems. | In Process (a) |

(a) – Reworded and combined with the first material weakness in this report.

* * * * * * * * * *

We identified other matters that we considered not to be reportable conditions in relation to the Department’s consolidated financial statements.  A summarization of these less significant matters will be addressed to the Department’s management in a separate consolidated management letter.  In addition, components' auditors provided separate management letters to components' management with respect to less significant control issues that were identified during the components' audits.

This report is intended solely for the information and use of the Attorney General and management of the Department, the Office of the Inspector General, the OMB, and Congress.  This report is not intended to be and should not be used by anyone other than these specified parties.

PriceWaterhouseCoopers LLP Signature

January 15, 2003
Washington, DC