KMMG logo
KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditorsí Report on Internal Control over Financial Reporting

Inspector General
U. S. Department of Justice

Director
Asset Forfeiture Management Staff
U. S. Department of Justice

We have audited the consolidated balance sheets of the U.S. Department of Justice Assets Forfeiture Fund and Seized Asset Deposit Fund (AFF/SADF) as of September 30, 2005 and 2004, and the related consolidated statements of net cost, changes in net position, and financing, and the combined statements of budgetary resources, for the years then ended, and have issued our report thereon dated October 26, 2005. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.

In planning and performing our fiscal year 2005 audit, we considered the AFF/SADF’s internal control over financial reporting by obtaining an understanding of the AFF/SADF’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and OMB Bulletin No. 01-02. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our audit was not to provide assurance on the AFF/SADF’s internal control over financial reporting. Consequently, we do not provide an opinion thereon.

Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect the AFF/SADF’s ability to record, process, summarize, and report financial data consistent with the assertions by management in the financial statements. Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements, in amounts that would be material in relation to the financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected.

In our fiscal year 2005 audit, we noted one matter relating to improvements needed in information system controls, which is discussed in Exhibit I, involving the internal control over financial reporting and its operation that we consider to be a reportable condition. However, this reportable condition is not believed to be a material weakness. Exhibit II presents the status of the prior year reportable condition.

We noted certain additional matters that we have reported to the management of the AFF/SADF in a separate letter dated October 26, 2005.

This report is intended solely for the information and use of the management of the U.S. Department of Justice, the U.S. Department of Justice Asset Forfeiture Management Staff, the U.S. Department of Justice Office of the Inspector General, the OMB, the Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

KPMG LLP

October 26, 2005

Exhibit I

U.S. Department of Justice Assets Forfeiture Fund and Seized
Assets Deposit Fund

Reportable Condition

Weaknesses Exist in the Information System Controls Environment

We performed a general information system (IS) and application controls review at the AFF/SADF by (1) documenting our understanding of the general control environment; (2) evaluating the effectiveness of IS general and specific application controls at the AFF/SADF; and (3) updating the general controls tests related to the FY 2004 audit. Using guidance contained in the U.S. Government Accountability Office’s (GAO), Federal Information System Controls Audit Manual, we evaluated the general controls as they apply to key financial management systems and the application controls associated with these systems. We evaluated the IS control environment against guidance issued by the DOJ Information Technology Security Staff, technical publications issued by the National Institute of Standards and Technology (NIST), and as established in OMB Circular No. A-130, Management of Federal Information Resources.

The following reportable condition is also described in several DOJ financial reporting component’s fiscal year 2005 audit reports because they rely on the DOJ consolidated IS general controls processing environment and Financial Management Information System (FMIS2) as their core financial management system.

Control improvements are needed in the DOJ consolidated IS general controls environment

We performed a review of the DOJ consolidated IS general controls environment that provides general control support for several DOJ components’ financial applications and identified one overall reportable condition in the areas of security program, access controls, and system software. We concluded that the IS controls in place for the consolidated IS general controls environment as of September 30, 2005, were adequate to safeguard the programs and data files from unauthorized access and modification, except as noted in the overall reportable condition. As a result, a moderate level of reliance can be placed on the general controls associated with the consolidated IS general controls environment.

This reportable condition and related recommendations will be addressed to Justice Management Division (JMD) in a separate report. JMD has primary responsibility over the consolidated IS general controls environment. Accordingly, no recommendations for this reportable condition are addressed to AFF/SADF’s management.

OBDs’ management of logical access for FMIS2 lacks effective controls

The AFF/SADF uses the FMIS2 accounting system maintained by the Offices, Boards and Divisions (OBDs). As a result, the control improvements needed in the FMIS2 accounting system, as described below, also impact the AFF/SADF.

The following weaknesses related to access controls were identified:

Department of Justice (DOJ) Information Technology Security (ITS) Standard 2.1, Personnel IT Security, section 3.1.8 “User Account Life Cycle” states: “A process shall exist for requesting, establishing, issuing, and closing user accounts… When user accounts are no longer required, the supervisor shall inform the system administrator and system management office so accounts can be removed in a timely manner… System access should be terminated as quickly as possible.”

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook, Section 10.2.2, states: “From time to time, it is necessary to review user account management on a system. Within the area of user access issues, such reviews may examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.”

Financial Management Policies and Procedures Bulletin No. 00-07 requires that the Financial and Administrative Systems Support Group (FASSG) maintain the original FMIS2 identification (ID) change request form for each recertified FMIS2 ID.

Insufficient and inconsistent policies, procedures, and practices that address the maintenance and management of FMIS2 user accounts may increase the risk that information resources could be compromised or disabled by malicious or unauthorized use.

Recommendations for this reportable condition will be addressed to the OBDs, which has primary responsibility over FMIS2, as further described in their Independent Auditors’ Report on Internal Control over Financial Reporting. Accordingly, no recommendations for this reportable condition are addressed to AFF/SADF’s management.

Exhibit II

U.S. Department of Justice Assets Forfeiture Fund and Seized
Assets Deposit Fund

Status of Prior Years’ Recommendations

September 30, 2005

Reported Condition

Recommendations

Status

Weaknesses exist in the information system controls environment.

  • The Offices, Boards and Divisions’ (OBDs) manage­ment must implement effective entity-wide security program planning for the Financial Manage-ment Information System (FMIS2).
  • The OBDs’ management of logical access for FMIS2 lacks effective controls.
  • The OBDs’ management of change control for FMIS2 lacks effective controls.
  • Segregation of duties for FMIS2 needs to be strengthened.

(FY 2004 AFF/SADF Annual Financial Statement, Report No. 05-12 – Reportable Condition.)

 

This reportable condition was described in several DOJ financial reporting components’ Fiscal Year 2004 audit reports because they relied on FMIS2 as their core financial management system. This reportable condition and related recommendations were provided to the Justice Management Division of the OBDs, which has primarily responsibility for corrective action regarding FMIS2. Accordingly, no recommendations for this reportable condition were provided to the AFF/SADF management.

 

 

Completed

 

 

In process


Completed


Completed

 

As required by Government Auditing Standards and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, we have reviewed the status of prior years’ findings and recommendations. The above table summarizes the prior year finding and provides our assessment of the progress that the AFF/SADF has made in correcting the reportable condition. We have also provided the Office of the Inspector General report number by which the recommendations are monitored for audit follow-up.