DOL Annual Report, Fiscal Year 2006
Performance and Accountability Report

Independent Auditors' Report

Secretary and Inspector General
U.S. Department of Labor:

We have audited the accompanying consolidated balance sheet of the U.S. Department of Labor (DOL) as of September 30, 2006, and the related consolidated statements of net cost, changes in net position, financing, and custodial activity, and the combined statement of budgetary resources for the year then ended; and the statement of social insurance as of September 30, 2006 (hereinafter referred to as "consolidated financial statements"). The objective of our audit was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our fiscal year 2006 audit, we also considered DOL's internal controls over financial reporting, Required Supplementary Stewardship Information, and performance measures, and tested DOL's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements. The accompanying consolidated financial statements of DOL as of September 30, 2005, were audited by other auditors whose report thereon, dated November 10, 2005, expressed an unqualified opinion on those consolidated financial statements, except for the statement of social insurance which they did not audit.

We have also examined DOL's compliance with section 803a of the Federal Financial Management Improvement Act of 1996 (FFMIA) during the year ended September 30, 2006.

SUMMARY

As stated in our opinion on the consolidated financial statements, we concluded that DOL's consolidated financial statements as of and for the year ended September 30, 2006, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles.

As discussed in our opinion on the consolidated financial statements, in fiscal year 2006, DOL adopted new accounting and reporting requirements for earmarked funds and social insurance programs.

Our consideration of internal controls over financial reporting, Required Supplementary Stewardship Information, and performance measures resulted in the following conditions being identified as reportable conditions:

1. Lack of Strong Application Controls over Access to and Protection of Financial Information
2. Lack of Strong Logical Security Controls to Secure DOL's Networks and Information
3. Weaknesses Noted over Property, Plant, and Equipment
4. Weaknesses Noted over Grants
5. Weaknesses Noted in the Change Control Process for a Benefits System
6. Weaknesses Noted in Federal Employees Compensation Act Accounting and Financial Reporting
7. Lack of Segregation of Duties over Journal Entries
8. Weaknesses Noted over Payroll Accounting
9. Weaknesses Noted over Budgetary Accounting
10. Weaknesses Noted over Custodial Activities

However, none of the reportable conditions are believed to be material weaknesses.

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed the following instances of noncompliance or other matters that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 06-03, Audit Requirements for Federal Financial Statements.

1. Federal Information Security Management Act (Electronic Government Act of 2002)
2. Single Audit Act Amendments of 1996
3. Debt Collection Improvement Act of 1996

As stated in our opinion on DOL's compliance with FFMIA, we concluded that DOL did not comply, in all material respects, with the Federal financial management systems requirements of FFMIA for the year ended September 30, 2006, but did comply, in all material respects, with the applicable Federal accounting standards and the United States Government Standard General Ledger requirements.

The following sections discuss our opinion on DOL's consolidated financial statements; our consideration of DOL's internal controls over financial reporting, Required Supplementary Stewardship Information, and performance measures; our tests of DOL's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; our opinion on the DOL's compliance with FFMIA; and management's and our responsibilities.

OPINION ON THE CONSOLIDATED FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheet of the U.S. Department of Labor as of September 30, 2006, and the related consolidated statements of net cost, changes in net position, financing, and custodial activity, and the combined statement of budgetary resources for the year then ended; and the statement of social insurance as of September 30, 2006. The accompanying statements of social insurance as of September 30, 2002 through 2005 were not audited by us and, accordingly, we do not express an opinion on them. The accompanying consolidated financial statements of the U.S. Department of Labor as of September 30, 2005, were audited by other auditors whose report thereon, dated November 10, 2005, expressed an unqualified opinion on those financial statements, except for the statement of social insurance, which they did not audit.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the U.S. Department of Labor as of September 30, 2006, and its net costs, changes in net position, budgetary resources, reconciliation of net costs to budgetary obligations, and custodial activity for the year then ended, and the financial condition of its social insurance program as of September 30, 2006, in conformity with U.S. generally accepted accounting principles.

As discussed in Note 1.A to the consolidated financial statements, DOL changed its method of reporting earmarked funds to adopt the provisions of the Federal Accounting Standards Advisory Board's Statement of Federal Financial Accounting Standards (SFFAS) No. 27, Identifying and Reporting Earmarked Funds, effective October 1, 2005. In addition, as discussed in Note 1.W to the consolidated financial statements, DOL changed its method of reporting its social insurance program to adopt the provisions of SFFAS No. 25, Reclassification of Stewardship Responsibilities and Eliminating the Current Services Assessment, and No. 26, Presentation of Significant Assumptions for the Statement of Social Insurance: Amending SFFAS 25, effective October 1, 2005.

As discussed in Note 1.W to the consolidated financial statements, the statements of social insurance present the actuarial present value of DOL's estimated future income to be received from or on behalf of the participants and estimated future expenditures to be paid to or on behalf of participants during a projection period sufficient to illustrate long-term sustainability of the social insurance program. In preparing the statements of social insurance, management considers and selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements. However, because of the large number of factors that affect the statements of social insurance and the fact that future events and circumstances cannot be known with certainty, there will be differences between the estimates in the statements of social insurance and the actual results, and those differences may be material.

The information in the Management's Discussion and Analysis, Required Supplementary Stewardship Information, and Required Supplementary Information sections is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles and OMB Circular No. A-136, Financial Reporting Requirements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it. As a result of such limited procedures, we believe that the Required Supplementary Stewardship Information for Employment and Training Administration and Job Corps omits certain output and outcome measures required by U.S. generally accepted accounting principles.

The information in the Secretary's Message, Performance Section, and Appendices are presented for purposes of additional analysis and are not required as part of the consolidated financial statements. This information has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING

Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect DOL's ability to record, process, summarize, and report financial data consistent with the assertions by management in the consolidated financial statements.

Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud, in amounts that would be material in relation to the consolidated financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Because of inherent limitations in internal control, misstatements due to error or fraud may nevertheless occur and not be detected.

In our fiscal year 2006 audit, we noted certain matters, discussed in Exhibit I, involving the internal control over financial reporting and its operation that we consider to be reportable conditions. However, none of the reportable conditions are believed to be material weaknesses.

We noted certain additional matters in internal control over financial reporting and its operation that we will report to management of DOL in a separate letter.

INTERNAL CONTROLS OVER REQUIRED SUPPLEMENTARY STEWARDSHIP INFORMATION AND PERFORMANCE MEASURES

Under OMB Bulletin No. 06-03, the definition of material weaknesses is extended to other controls as follows. Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud, in amounts that would be material in relation to the Required Supplementary Stewardship Information or material to a performance measure or aggregation of related performance measures, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Because of inherent limitations in internal control, misstatements due to error or fraud may nevertheless occur and not be detected.

Our consideration of the internal control over the Required Supplementary Stewardship Information and the design and operation of internal control over the existence and completeness assertions related to key performance measures would not necessarily disclose all matters involving the internal control and its operation related to Required Supplementary Stewardship Information or the design and operation of the internal control over the existence and completeness assertions related to key performance measures that might be reportable conditions.

In our fiscal year 2006 audit, we noted no matters involving the internal control and its operation related to Required Supplementary Stewardship Information that we considered to be material weaknesses as defined above.

Further, in our fiscal year 2006 audit, we noted no matters involving the design and operation of the internal control over the existence and completeness assertions related to key performance measures that we considered to be material weaknesses as defined above.

COMPLIANCE AND OTHER MATTERS

Our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements, as described in the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed three instances of noncompliance or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 06-03, and are described in Exhibit II.

The results of our tests of compliance with certain provisions of other laws and regulations, exclusive of those referred to in FFMIA, disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 06-03.

Other Matter. DOL is currently reviewing three incidents regarding potential violations of the Anti-deficiency Act. As of the date of this report, no final noncompliance determination has been made for any of the three incidents.

We noted certain additional matters that we will report to management of DOL in a separate letter.

OPINION ON COMPLIANCE WITH FFMIA

The Department represented that in accordance with the provisions and requirements of FFMIA, the Secretary of Labor determined that the Department of Labor's financial management systems are in substantial compliance with FFMIA.

We have examined the U.S. Department of Labor's compliance with section 803a of the Federal Financial Management Improvement Act of 1996 during the fiscal year ended September 30, 2006. Under section 803a of FFMIA, DOL's financial management systems are required to substantially comply with (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level. We used OMB's Revised Implementation Guidance for the Federal Financial Management Improvement Act, dated January 4, 2001, to determine compliance.

Our examination disclosed the following material noncompliance with FFMIA section 803a applicable to the U.S. Department of Labor during the fiscal year ended September 30, 2006.

DOL's financial management systems do not comply substantially with Federal financial management system requirements because of certain weaknesses in DOL's general computer access controls, application access controls, and related manual controls. These matters are further described in Exhibit II, Finding No. 4.

In our opinion, except for the material noncompliance described in the preceding paragraph, the U.S. Department of Labor complied, in all material respects, with the aforementioned requirements during the fiscal year ended September 30, 2006.

* * * * *

RESPONSIBILITIES

Management's Responsibilities. The United States Code, Title 31, Sections 3515 and 9106 require agencies to report annually to Congress on their financial status and any other information needed to fairly present their financial position and results of operations. To meet these reporting requirements, DOL prepares and submits financial statements in accordance with OMB Circular No. A-136.

Management is responsible for the consolidated financial statements, including:

• Preparing the consolidated financial statements in conformity with U.S. generally accepted accounting principles;
• Preparing the Management's Discussion and Analysis (including the performance measures), Required Supplementary Information, and Required Supplementary Stewardship Information;
• Establishing and maintaining effective internal control; and
• Complying with laws, regulations, contracts, and grant agreements applicable to DOL, including FFMIA.

In fulfilling this responsibility, management is required to make estimates and judgments to assess the expected benefits and related costs of internal control policies.

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2006 consolidated financial statements of DOL based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 06-03. Those standards and OMB Bulletin No. 06-03 require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of DOL's internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

• Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
• Assessing the accounting principles used and significant estimates made by management; and
• Evaluating the overall consolidated financial statement presentation.

We believe that our audit provides a reasonable basis for our opinion.

In planning and performing our fiscal year 2006 audit, we considered DOL's internal control over financial reporting by obtaining an understanding of DOL's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and OMB Bulletin No. 06-03. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to provide an opinion on DOL's internal control over financial reporting. Consequently, we do not provide an opinion thereon.

As required by OMB Bulletin No. 06-03, in our fiscal year 2006 audit, we considered DOL's internal control over the Required Supplementary Stewardship Information by obtaining an understanding of the DOL's internal control, determining whether these internal controls had been placed in operation, assessing control risk, and performing tests of controls. We limited our testing to those controls necessary to test and report on the internal control over Required Supplementary Stewardship Information in accordance with OMB Bulletin No. 06-03. However, our procedures were not designed to provide an opinion on internal control over the Required Supplementary Stewardship Information and, accordingly, we do not provide an opinion thereon.

As further required by OMB Bulletin No. 06-03, in our fiscal year 2006 audit, with respect to internal control related to performance measures determined by management to be key and reported in the Management's Discussion and Analysis and Performance Section, we obtained an understanding of the design of internal controls relating to the existence and completeness assertions and determined whether these internal controls had been placed in operation. We limited our testing to those controls necessary to test and report on the internal control over key performance measures in accordance with OMB Bulletin No. 06-03. However, our procedures were not designed to provide an opinion on internal control over reported performance measures and, accordingly, we do not provide an opinion thereon.

As part of obtaining reasonable assurance about whether DOL's fiscal year 2006 consolidated financial statements are free of material misstatement, we performed tests of DOL's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 06-03. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to DOL. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

Our responsibility also included expressing an opinion on DOL's fiscal year 2006 compliance with FFMIA section 803a requirements, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and the standards applicable to attestation engagements contained in Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included examining, on a test basis, evidence about DOL's compliance with the requirements of FFMIA section 803a and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on DOL's compliance with specified requirements.

RESTRICTED USE

This report is intended solely for the information and use of DOL's management, DOL's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 13, 2006

Back to Top

1. Lack of Strong Application Controls Over Access to and Protection of Financial Information

In fiscal years (FY) 2004 and 2005, the Office of Inspector General (OIG) reported consistent weaknesses across the Department of Labor's (DOL) applications tested in the following application control areas:

• Identification and documentation of supporting environments, such as process flow documentation and mapping;
• Application password settings, such as passwords that do not adhere to complexity requirements;
• User access, such as incomplete access request and termination forms;
• Lack of application segregation of duties policies or enforcement of segregation of duties policies;
• Periodic user account review and reauthorization, including lack of user authorization, or incomplete authorization documentation;
• Audit trails, such as lack of monitoring of sensitive application functions and incomplete audit logs; and
• Controls over output to other applications, including reconciliation of control totals and record counts.

The OIG recommended that management:

• Verify that specific security weaknesses identified during the audits and communicated to DOL agencies are included in each individual agency's Plan of Action and Milestones (POA&M), and that appropriate and timely corrective action is taken on the identified weaknesses; and
• Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address systemic application control weaknesses in current financial management systems.

From current year testing, we found the continued presence of numerous weaknesses in the information protection controls over applications. We identified 43 prior year recommendations, 35 from the Office of the Chief Financial Officer (OCFO), 6 from the Employment and Training Administration (ETA), and 2 from the Employment Standards Administration (ESA), related to application controls that have not been corrected. The specific nature of these weaknesses, their causes, and the systems impacted by them have been separately communicated to management.

These findings are a result of a breakdown in the implementation and monitoring of Departmental processes and procedures for application controls. These application control weaknesses could lead to users with inappropriate access to financial systems; inefficient processes; lack of completeness, accuracy, or integrity of financial data; and/or the lack of detection of unusual activity within financial systems. In addition, as a result of these weaknesses, DOL is not in full compliance with the Federal Information Security Management Act (FISMA) passed as part of the Electronic Government Act of 2002.

Management believes that it has made substantial progress during FY 2006 to strengthen application security controls in response to the OIG's prior year recommendations. Management also believes that its financial system, the Department of Labor Accounting and Related Systems (DOLAR$) has sufficient compensating controls to address the deficiencies identified by the OIG.

2. Lack of Strong Logical Security Controls to Secure DOL's Networks and Information

Since FY 2001, the OIG identified and reported continuing weaknesses with DOL's technical security standards and policies; access controls; and segregation of duties. The OIG recommended that management:

• Verify that specific security weaknesses identified during the audits are communicated to DOL agencies and included in each individual agency's POA&M, and that appropriate and timely corrective action is taken on the identified weaknesses; and
• Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address logical security control weaknesses on current financial management systems.

DOL continues to lack strong logical security controls to secure its networks and information. Current year testing showed that improvements are still needed in the following areas:

• Technical security standards and policies need to be updated and implemented to include stronger logical security controls. Specifically, patches need to be applied to systems in a timely manner, unnecessary services need to be disabled, and access to sensitive files and directories needs to be restricted.
• Segregation of duties policies need to be created and enforced for general support systems of financial applications.
• Access controls need to be improved concerning account management, passwords, and audit log reviews.

We identified 55 prior year recommendations (7 related to the OCFO, 12 related to ETA, 23 related to ESA, and 13 related to the Office of the Assistant Secretary for Administration and Management (OASAM)) addressing logical security controls that have not been corrected. Additionally, 24 new recommendations related to logical security controls were issued in FY 2006 (8 related to ETA, 6 related to ESA, and 10 related to OASAM). The specific nature of these weaknesses, their causes, and the systems impacted by them have been separately communicated to management.

These findings are a result of a breakdown in the implementation and monitoring of Departmental processes and procedures for logical security controls. These logical security control weaknesses could lead users to gain unauthorized access to the agency applications and data, and allow users to potentially modify or disclose agency data. Additionally, individuals who have the ability to perform incompatible job duties could perform fraudulent, malicious, or accidental actions that could result in unauthorized access, disclosure, and/or modification of DOL data. As a result of these weaknesses, DOL is not in full compliance with FISMA.

Management believes it has made substantial progress to improve its logical security controls and plans to implement additional corrective actions to address remaining recommendations in FY 2007. Management also believes compensating controls within DOLAR$ address the weaknesses identified related to logical security controls.

3. Weaknesses Noted Over Property, Plant and Equipment

DOL did not consistently implement or follow policies and procedures designed to ensure that property, plant and equipment (PP&E) balances, including construction-in-progress, are stated in accordance with Federal accounting standards.

Internal-Use Software
In FY 2005, the OIG identified that DOL has not capitalized all project costs, such as (1) direct salary and fringe benefit costs of Federal employees involved, and (2) related indirect costs such as overhead, rent, and travel, in accordance with Statement of Federal Financial Accounting Standard (SFFAS) No. 10, Accounting for Internal Use Software, for all of its internal-use software. The OIG recommended the OCFO again notify DOL agencies of their requirements to account for costs related to internal-use software and monitor to ensure they properly account for these costs in accordance with Federal and departmental requirements.

During FY 2006, the OCFO re-issued relevant guidance to the agencies and conducted a meeting with the agencies. Although the OCFO has informally been communicating with the agencies to monitor the implementation of this guidance, no documentation exists to support this monitoring and the OCFO did not maintain a listing of internal use software projects in development. In addition, no one in the OCFO has been designated to be responsible for DOL's internal use software accounting and reporting.

We also noted that although the guidance issued discusses transaction codes used to record related indirect costs, the guidance does not provide detailed enough instructions on how indirect costs related to internal use software should be captured, calculated, and documented. Additionally, the OCFO has not developed an analysis to support its position that the amount of indirect costs associated with the development of internal-use software is not material to the financial statements.

In addition to the open prior year recommendation, we recommend that management designate an official to be responsible for internal-use software accounting and reporting and to perform certain procedures in this role.

Management believes it made substantial progress to capitalize internal use software in response to the OIG's previous recommendations. In FY 2006, management provided guidance and assistance, as well as monitored DOL agencies to ensure they properly capitalized internal use software. Management does not agree that DOL did not capitalize software development costs. For example, costs for the new accounting system have been capitalized, which include federal employee's salaries, travel, rent, and other costs. Management agreed to enhance procedures to compare the internal-use software assets recorded in the Capitalized Asset Tracking and Reporting System (CATARS) to the amounts reported by the agencies and will perform, document, and maintain an analysis of indirect cost associated with software in development to determine whether these costs are material.

Job Corps Property
In the FY 2004 and FY 2005 audits, the OIG reported that ETA did not sufficiently use DOL's subsidiary ledger, the CATARS, as a complete property management system in accordance with the CATARS user guide. The OIG also found that ETA did not establish sufficient controls to ensure that Job Corps' capitalized real property was accurately reported in CATARS and in the Department of Labor Accounting and Reporting System (DOLAR$), DOL's general ledger system. The OIG recommended that management record property transactions timely and make other improvements over accounting for real property.

In the FY 2006 audit, we noted the recurrence of many issues identified in prior audits, and we identified several new property-related issues including untimely transfer of acquisitions from the CATARS holding account, incorrect valuation of land transferred from other Federal agencies, and lack of documented analysis supporting the rationale for leased Job Corps facilities not being recorded as capital leases and property.

We believe that many of these issues stem from the fact that the ETA Capitalized Asset Management Officer (CAMO) position remained vacant for much of the fiscal year under audit. Additionally, during FY 2006, the Job Corps program was transferred from ETA to the Office of the Secretary.

In addition to the open prior year recommendations, we recommend that management take further actions to improve accounting for Job Corps property.

Management believes it made significant progress towards closing the FY 2004 audit finding by implementing procedural changes in the documentation of Job Corps facilities and the recording of substantially completed construction projects into CATARS. Management suspended the implementation of many of these changes after Hurricane Katrina destroyed the New Orleans and Gulfport Job Corps Centers. Management has initiated a full scale review of the Job Corps program policies and procedures, which will result in the implementation of corrective action that will bring the recording of Job Corps assets into compliance with Departmental and Federal government standards.

Other Property
Our FY 2006 audit testing disclosed the following DOL-wide property issues:

• Abnormal balances (e.g., items which appear to be below the applicable capitalization threshold and negative additions on the PP&E rollforward schedule) exist in CATARS that should be researched and resolved.
• Reconciliations between CATARS and the general ledger are not performed timely.
• Documentation to support certain PP&E-related transactions or balances was not readily available or did not exist.
• For additions other than construction-in-progress, we noted 5 instances where an obligating document was signed by an unauthorized person, and 1 instance where the Contracting Officer signed an obligating document in excess of the officer's warrant authority.
• We identified 12 capitalized PP&E additions for which the unit cost was below the capitalization threshold.
• We noted 6 capitalized items that represented costs incurred after the software was placed in service and were not software enhancements. These costs should have been expensed in accordance with U.S. generally accepted accounting principles.
• We identified 5 items related to software that were capitalized based on obligations rather than costs.
• Physical inventories are not being adequately performed and documented. Of the 1,763 physical inventory reports we requested, 1,485 were not provided to us. In addition, 30 of the reports we reviewed were not certified by the Accountable Property Officer (APO).

In addition, we tested a DOL-wide statistical sample of 200 assets to verify the assets existed and were in usable condition. For 40 of the 200 items, DOL could not provide timely and adequate evidence of the asset's existence and use. For 5 of the 200 items, the evidence provided indicated the asset had been transferred or disposed of, and for 9 of the 200 items, the evidence provided indicated the asset was no longer in usable condition. These 54 errors noted represented assets with a total cost of $21,315,130 and accumulated depreciation of $14,832,034. When projected to the entire population of assets, the projected misstatement is $81,527,396 of cost and $66,594,051 of accumulated depreciation. These errors were partially caused by DOL's inability to readily identify an asset based on the inventory number, serial number, or description in CATARS. We noted that the inventory numbers and serial numbers on the assets were not consistently recorded in CATARS. In addition, some errors resulted from the inventory certification process not adequately identifying assets that no longer exist or that are no longer in usable condition. DOL management considered the identified differences to be immaterial to the FY 2006 consolidated financial statements, and as such, these differences were included in the Summary of Unadjusted Audit Differences attached to management's FY 2006 representation letter.

We recommend that management develop and implement policies and procedures, or enhance and enforce existing policies and procedures, related to abnormal balances in CATARS, reconciliations between CATARS and the general ledger, proper recording of acquired and disposed assets in CATARS, document maintenance and retention, obligation approvals, proper capitalization, and physical inventories.

Management is ensuring that the required reconciliation procedures are now being performed and will strengthen procedures to ensure that assets are being recorded with the proper inventory number and proper serial number in CATARS, and that records of assets are being maintained such that each asset can be readily identified and located. Instructions will be provided so that during physical inventories, assets that are no longer in usable condition are identified and properly disposed of in CATARS.

4. Weaknesses Noted Over Grants

Grant Accrual Preparation and Validation
The ETA grant accrual process for the fiscal year-end and quarter-end accruals takes a snapshot of general ledger data for all ETA grants at the end of the period and calculates, at the individual grant level, the probable costs incurred based on the amount of drawdowns recorded at the end of the period. An accuracy analysis is performed on an annual basis to compare the actual costs reported by the grantees to the previous year-end's accrual. During our FY 2006 audit work, we identified segregation of duties weaknesses related to the ETA grant accrual and validation process, and we determined that procedures for the ETA grant accrual and validation process were not documented.

Per the U.S. Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government, "Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event." Additionally, "The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained."

Without a proper management review of the quarterly grant accrual and annual accuracy analysis, the risk increases that the grant accrual could be misstated in the consolidated financial statements. Additionally, without another employee trained to calculate the quarterly grant accrual using the current accrual methodology, a risk exists that the accrual would not be prepared timely and/or accurately in the event that the Financial Systems Specialist is absent.

We recommend that management designate and train additional individuals in the grant accrual and validation process to correct this weakness, and that management formally document the grant accrual and validation procedures.

Management agrees that backup procedures and personnel should be in place for calculating the quarterly grant accrual and for performing the annual accuracy analysis. The financial systems specialist now performs the management review of the accruals. Additional accounting office personnel will be trained to perform the accuracy analysis during FY 2007.

Controls over Compliance with the Single Audit Act Amendments of 1996
DOL has no monitoring procedures in place to ensure that audits of its grantees are completed and reports are received in a timely manner for each grantee that meets the audit threshold in Office of Management and Budget (OMB) Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations. Therefore, DOL cannot be certain that all required audits have been performed in a timely manner.

In addition, for FY 2006 compliance testing purposes, we selected a sample of DOL grantees that expended $500,000 or more of DOL funding through June 30, 2005. As of September 30, 2006, the latest available OMB Circular No. A-133 audit reports for 5 of the 32 grantees selected were not obtained by DOL for review to determine if any issues related to DOL grants had been reported. According to the Federal Single Audit Clearinghouse website, these 5 audit reports had been completed between the dates of May 7, 2002 and March 5, 2006 and were available on the website.

According to Section 7504 of the Single Audit Act Amendments of 1996, "Each Federal agency shall, in accordance with guidance issued by the Director under section 7505, with regard to Federal awards provided by the agency... monitor non-Federal entity use of Federal awards." According OMB Circular No. A-133, non-Federal entities that expend $500,000 or more in a year in Federal awards shall have a single or program-specific audit conducted for that year. In addition, OMB Circular No. A-133, Subpart D, section 400(c) requires the Federal awarding agency to "perform the following for the Federal awards it makes: "Ensure that audits are completed and reports are received in a timely manner and in accordance with the requirements of this part... Issue a management decision on audit findings within six months after receipt of the audit report and ensure that the recipient takes appropriate and timely corrective action."

DLMS 8 — Audits and Investigations, dated July 7, 2004, paragraph 503 states, "DOL Program Official(s) shall promptly evaluate OIG report findings and recommendations and determine appropriate action... The Office of Inspector General will directly receive all Single Audit Act reports required to be submitted to DOL."

If no procedures are in place to ensure all audit reports that are required to be completed are received by DOL, DOL cannot determine if an audit report is missing or overdue. Additionally, DOL is not in full compliance with OMB Circular No. A-133, and questioned costs may have been reported for DOL programs of which DOL is not aware.

We recommend that management develop and implement a tracking system to identify each grantee for which an OMB Circular No. A-133 audit is required and the date that the audit report is due. DOL should update DLMS to specifically identify which agencies are responsible for populating and maintaining this tracking system and for following-up with grantees when audit reports become overdue. In addition, we recommend that management implement a formal policy or process that defines which agency is responsible to monitor the Federal Single Audit Clearinghouse website for completed DOL grantee audit reports and retrieve them from the website for subsequent review.

Management believes that it is in compliance with OMB Circular No. A-133 as it relates to completion of required audits or follow-up on any questioned costs. The 5 reports noted by the auditor did not contain any findings related to DOL. However, management agrees that the procedures should be strengthened and will coordinate with appropriate agencies to develop and implement changes as recommended above, as appropriate.

5. Weaknesses Noted in the Change Control Process for a Benefits System

A documented and standard process for requesting, reviewing, developing, testing, and approving changes to an ESA benefits system was not in place prior to February 2006. While change control procedures were established and documented in February 2006, the procedures were inconsistently followed during the months of February and March 2006. We noted various weaknesses in our judgmental sample of 30 changes in the two month period. Additionally, procedures have not been established for priority and emergency changes or changes to the system test environment.

Management stated that the system was recently implemented, and management had not finalized change control procedures and was informally processing change control requests and approvals. Additionally, since procedures were implemented in February 2006, management has not had sufficient time or resources to ensure that the policy is being consistently followed. Furthermore, management believed that the procedures were sufficient to cover priority and emergency changes at the time the procedures were implemented.

The DOL Computer Security Handbook, volume 6, System Security Planning for Major Applications", section 4.6, page 37, states that controls must be used to "monitor the installation of, and updates to, hardware, operating system software, and other software to ensure that the hardware and software function as expected, and that a historical record is maintained of application changes." Additionally, the guidance states:

These controls may also be used to ensure that only authorized software is installed on the system. Such controls may include a hardware and software configuration policy that grants managerial approval (reauthorize processing) to modifications and requires that changes be documented.

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64, Security Considerations in the Information System Development Life Cycle, section 2.3.4.1, page 23, states:

Configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently controlling and maintaining an accurate inventory of any changes to the system.

Without a proper change control process regarding the flow of changes from development to production, unauthorized and potentially inaccurate program changes may be implemented into the production environment. Without formal acceptance of application changes, program management cannot be assured that the changes made meet their needs and are appropriate for the environment. In addition, as a result of these weaknesses, DOL is not in full compliance with FISMA.

As a result of our findings, management researched the 30 changes and determined the changes were appropriately performed.

We recommend that management develop and/or enforce procedures and controls to address identified change control weaknesses.

Management agrees to include in its Plan of Action and Milestones (POA&M) security weaknesses identified in the report, together with corrective action to be taken and milestone dates. Management has also developed system-specific change control procedures and has updated documentation of approved, tested, and installed system changes. Additionally, management has begun enforcing and will continue to enforce requirements for documentation of approval, indication of release, and integration and IV & V testing.

6. Weaknesses Noted in Federal Employees Compensation Act (FECA) Accounting and Financial Reporting

DOL did not implement or consistently follow its existing management review procedures related to year-end activity reconciliations and continuing FECA eligibility.

FECA Reconciliations
The OCFO does not adequately reconcile (1) the general ledger to the FECA subsidiary ledgers (FECA history databases), and ESA does not adequately reconcile (2) the FECA history databases to the charge-back report that is derived from the history databases and used to bill FECA customer agencies. We noted a reconciling difference of roughly $76 million in (1) above and a difference of $17 million in (2) above. Although DOL management has management review controls in place, they do not sufficiently follow-up on and resolve differences through an adequate reconciliation process.

Per the GAO's Standards for Internal Control in the Federal Government, "Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation."

We recommend that management develop and implement quarterly procedures to reconcile the FECA benefit program expenses to the general ledger and quarterly ESA procedures to adequately reconcile the FECA history databases to the charge-back reports.

Management concurs and will develop and implement formal reconciliation procedures to ensure that the FECA benefit program expenses are reconciled to the general ledger and that the chargeback reports are reconciled to the payment histories.

Management Review of Year-end Accrual
DOL prepares a schedule, Liability for Current Federal Employees Compensation Act Benefits, as of September 30, which is available to other Federal agencies before fiscal year end via the internet. This information is necessary for other Federal agencies to record a liability for fourth quarter benefit payments, which is owed to DOL. The DOL OCFO uses an estimation process to prepare this schedule.

Management does not have procedures in place to review the estimate for the fourth quarter. The estimate for the FY 2006 fourth quarter DOL receivable based on the Liability for Current Federal Employees Compensation Act Benefits schedule differed from the actual DOL receivable by approximately $96 million. This variance primarily resulted from an extra payment cycle in the fourth quarter of FY 2006 for which the estimation model did not account. Had management performed a detailed review of the OCFO estimate, management may have identified that the extra payment cycle was not accounted for in the fourth quarter estimate and requested a correction prior to the posting of the estimate information on the internet.

Per the GAO's Standards for Internal Control in the Federal Government, "Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event."

We recommend that management develop and implement procedures for management review of the OCFO estimates prior to posting of the estimates on the internet and refine the estimation methodology so that it will more accurately account for varying payment cycles.

Management will develop and implement procedures to formally review the amounts to be posted and will review and refine the methodology as needed.

Delinquent Forms CA-1032, Request for Information on Earnings, Dual Benefits, Dependents and Third Party Settlement Form
DOL policy requires FECA claimants to annually certify their earnings information and dependent status on a Request for Information on Earnings, Dual Benefits, Dependents and Third Party Settlements Form (CA-1032). This information is used to determine if any changes are necessary to a claimant's benefit amount.

Our tests of operating effectiveness noted that Claims Examiners (CE) were not consistently following-up with claimants to ensure that a CA-1032 was received annually for each claimant, as applicable; however, payments continued to be made to non-responsive claimants. ESA management identified the use of the Periodic Eligibility Review (PER) screen capabilities in iFECS as a key control to ensure claimant case files are current. The iFECS PER screen tracks CA-1032 status and documents CA-1032 receipt and review. However, iFECS does not have automated reminders to identify outstanding CA-1032 receipts. For 4 of the 188 disbursements tested, we noted a completed CA-1032 was not returned by the claimant and the CE did not follow the FECA Procedure Manual in following up on the unreturned CA-1032. Without these completed forms, an increased opportunity exists for incorrect payments to be made to claimants in situations where they are either no longer eligible for compensation or are eligible for increased or reduced compensation, based on their earnings, marital status, and/or dependent status, and have not had their information updated in iFECS.

We also noted that 2 of the 188 disbursements tested were made for inaccurate amounts because of inadequate CE reviews of received CA-1032s. The two claimants had provided sufficient information on the CA-1032, noting that they no longer had a spouse or dependents; however, the payments tested identified that they continued to be paid at the higher rate that would apply for a claimant with dependents and/or a spouse.

System controls and reminders should be in place to monitor the status of CA-1032 requests. Once CEs begin to use the PER screen consistently, a report could be written that would provide a list of those claimants for which CA-1032s have not been received, which would facilitate more timely follow-up by the CEs and supervisory staff.

We have noted that management has taken action on these issues. Specifically, management has made enhancements to the PER screen within iFECS and is updating its policies to make the appropriate use of the PER screen a mandatory requirement.

We recommend that management utilize the PER screen within iFECS to track CA-1032 status and document their receipt and review using a system configuration or manual control and require supervisory review of CE receipt and review of CA-1032 forms.

Management believes that with the successful implementation of the enhancements to the Periodic Eligibility Review (PER) screen within iFECS on March 31, 2006, in fulfillment of the response to a prior year finding, the issue was resolved. It is management's position that use of the PER resolves the findings related to processing CA-1032s. A bulletin will be created to outline management's policy on the use of the PER screen and the procedure manual will be updated as it still references claims examiners needing to complete a Form 674.

7. Lack of Segregation of Duties over Journal Entries

All DOL agencies are able to enter journal entries into DOLAR$ via transaction codes. Each transaction code consists of one or more journal entries. The respective agency staff member responsible for recording the particular item accesses DOLAR$ and enters the transaction code and the dollar amount of the item. DOLAR$ does not require these entries to be recorded and approved by separate individuals before they are posted to the general ledger. Hence, transaction codes and corresponding amounts entered into DOLAR$ are posted without any system-controlled review and approval. We noted this condition through procedures performed at the Occupational Safety and Health Administration (OSHA), OASAM, and the OCFO; these agencies do not have manual compensating review controls to address the related risk.

DOLAR$ was not designed to require journal entries to be electronically approved before amounts entered are posted to the general ledger, and management has not required Department-wide manual review controls to compensate for this condition. By allowing individuals the authority to prepare and approve their own transactions in DOLAR$, the risk increases that a material error would not be prevented or detected and corrected on a timely basis.

Per the GAO's Standards for Internal Control in the Federal Government, "Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event."

We recommend that management ensures the current general ledger system's configuration is modified so that journal entries (via transaction codes) entered into the general ledger are required to be approved electronically by an individual other than the preparer before they are posted. This feature should also be incorporated into the design of the planned replacement general ledger system. The agencies that do not currently have manual compensating review controls should implement such controls to address this risk until the system controls have been implemented.

Management concurs that DOLAR$ does not have a system-controlled approval process and supports the concept of building in automated internal controls into the system that will replace DOLAR$ as long as these controls are reasonable. However, management does not believe that it is feasible or cost effective to retrofit the current system with these controls. Management does not agree with the finding that there are no compensating review controls for the current lack of automated journal voucher review. Overall, the Department believes it has in place adequate compensating controls and will ensure that these procedures are properly documented and improved in FY 2007.

8. Weakness Noted over Payroll Accounting

During FY 2006, the U.S. Department of Agriculture's (USDA) Office of Chief Financial Officer (OCFO)/National Finance Center (NFC) processed DOL's payroll. The Fiscal Year 2006 — Office of the Chief Financial Officer/National Finance Center General Control Review dated September 21, 2006 and issued by the USDA's Office of Inspector General (Report No. 11401-24-FM) reported a qualified opinion regarding the effectiveness of NFC's internal controls for the period October 1, 2005 through June 30, 2006. During FY 2006, DOL did not have policies and procedures in place to reconcile the payroll information it submitted to the NFC to that received and processed by the NFC.

For each FY 2006 pay period, DOL submitted to the NFC payroll information that included all DOL employees for the period, along with their hours worked, leave used, and other payroll related information for the period. The NFC processed the payroll for DOL each period and made available for download a Detail Pay and Deduct Register report for each DOL Human Resources office. We noted that DOL did not utilize these reports to perform reviews or reconciliations of data processed by the NFC, and no other controls were in place during the year to ensure that what was submitted to NFC via Time and Attendance records reconciled to what was shown as paid in the Detail Pay and Deduct Register. The lack of reconciliation controls around the NFC outputs, compounded by the control weaknesses identified at the NFC, increased the risk that payroll-related line items in the FY 2006 financial statements could be misstated because of errors in payroll processing by the NFC.

Additionally, we noted that the Department of Labor Manual Series (DLMS) 6, Financial Management, Chapter 1000, Payroll Accounting, has not been updated since October 1981. However, payroll policies and procedures have changed since 1981, most notably with the change to NFC as DOL's payroll services provider.

Federal agencies that use external service providers, such as the NFC, should have controls in place to ensure the accuracy of processing outputs. As stated by the USDA OIG in its FY 2006 Report No. 11401-24-FM, "The accuracy and reliability of data processed by OCFO/NFC and the resultant reports rests with the customer agency and any compensating controls implemented by the agencies."

OMB Circular No. 123, Management's Responsibility for Internal Control, states, "Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls should be established at an application's interfaces to verify inputs and outputs, such as edit checks." Additionally, per the GAO's Standards for Internal Control in the Federal Government, "Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency's operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties." GAO's Standards for Internal Control in the Federal Government also state, "The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained."

We recommend that management develop and implement policies and procedures to reconcile payroll information provided to the NFC to the payroll information processed by the NFC each pay period. These reconciliations should be documented, reviewed and approved by an appropriate supervisor, and maintained. In addition, management should update DLMS to reflect current payroll-related policies and procedures, and develop and implement a monitoring plan to periodically evaluate and update procedures in the DLMS to ensure the information documented is still appropriate.

Management believes that it currently has available and uses numerous reports for DOL review and analysis of payroll information, has in place a time and attendance reconciliation that validates what is transmitted to NFC and what is processed, and reviews and reconciles data between DOL Human Resources (HR) and HR data in the National Finance Center's data base. Management believes that the PeoplePower and NFC edits ensure the accuracy of the data being processed. DLMS 6 — Chapter 1000 Payroll and Accounting, was updated and circulated to DOL agencies for review in July 2006 and will be issued shortly.

9. Weakness Noted over Budgetary Accounting

During FY 2006, the OCFO did not complete timely reconciliations related to the Apportionment and Reapportionment Schedules (SF-132) and the Report on Budget Execution and Budgetary Resources (SF-133). During our FY 2006 audit work, we requested reconciliations as of June 30, 2006 of (a) the SF-132 to the SF-133, and (b) the SF-133 to the third quarter Statement of Budgetary Resources. However, these reconciliations were not completed and provided to us until late September 2006. In addition, these reconciliations identified several necessary corrections to amounts posted in the general ledger, and various differences remained unresolved. During FY 2006, the OCFO did not have adequate resources and did not adequately enforce policies to ensure the reconciliations were completed and any identified reconciling items resolved in a timely manner. The lack of timely and complete reconciliations increased the risk that material differences in external reports and in the general ledger may not have been detected and corrected in a timely manner during the year.

Additionally, we noted that much of the information referenced in DLMS for the Budget Execution process has not been updated since March 2004. OMB Circular No. A-11, Preparation, Submission and Execution of the Budget, has been revised since that time.

Per the GAO's Standards for Internal Control in the Federal Government, "Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation." Additionally, "The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained."

According to OMB's Circular No. A-136 (July 2006), section II.4.6.1¹, "... information on the SBR should be consistent with the budget execution information reported on the Report on Budget Execution and Budgetary Resources (SF 133) and with information reported in the Budget of the United States Government to ensure the integrity of the numbers presented... Consistency between budgetary information presented in the financial statements and the Budget of the United States Government is critical to ensure the integrity of the numbers presented. The FACTS II helps to ensure the consistency of data. The FACTS II data submitted by agencies are USSGL-based trial balances, which are used to populate the SF 133 and the actual column of the Program and Financing Schedule of the Budget." In addition, section II.4.6² states "The resources reported on this statement shall agree with, and be reconciled to, the total budgetary resources reported for the aggregate of all budget accounts on the SF 133... The status of budgetary resources reported on this statement shall agree with, and be reconciled to, the total status reported for the aggregate of all budget accounts on the SF 133... The outlays shall also agree with, and be reconciled to, the aggregate of outlays reported on the SF 133 for the aggregate of all budget accounts."

We recommend that management ensure that current policies and procedures over SF-132 and SF-133 reconciliations are enhanced to require (a) quarterly reconciliations be prepared and documented, (b) the completion of documented supervisory reviews over the reconciliations, and (c) the completion of these procedures by a certain date (e.g., 15 days after each quarter-end). In addition, management should update DLMS to reflect current budget-related policies, procedures, and external requirements, and develop and implement a monitoring plan to periodically evaluate and update procedures in the DLMS to ensure the information documented is still appropriate.

Management believes that due to DOL's submission process of data to Treasury, any deficiencies would be identified before the trial balance data is submitted through the edit checks of Treasury. Additionally, the OCFO initiated reconciliation of the SF-132 and SF-133 reports on a quarterly basis in FY 2006. Management is working to enhance its current policies and procedures to require that the quarterly reconciliation be completed 15 days after each quarter and will require that the reconciliation be fully documented, and will require it to be formally reviewed and approved by management.

¹Also cited in the August 2005 version of OMB Circular No. A-136, section 6.1.
²Also cited in the August 2005 version of OMB Circular No. A-136, sections 6.5 through 6.7.

10. Weaknesses Noted over Custodial Activities

Four DOL agencies are responsible for the assessment and collection of fines and penalties — ESA, OSHA, the Employee Benefits Security Administration (EBSA), and the Mine Safety and Health Administration (MSHA). During our FY 2006 testing related to the assessment and collection of fines and penalties, we noted the following conditions:

• Controls were not consistently functioning effectively during FY 2006 to notify the employers of debt delinquency timely (18 exceptions in 74 cases tested) or to send notification of outstanding debt to the U.S. Department of Treasury (Treasury) after 180 days (25 exceptions in 52 cases tested that were greater than 180 days outstanding), in accordance with the Debt Collection Improvement Act of 1996. These exceptions were noted at MSHA and OSHA.
• MSHA and ESA do not write-off debt greater than 2 years old in accordance with OMB Circular No. A129, Managing Federal Credit Programs.
• MSHA does not reconcile its subsidiary ledger to the general ledger on a periodic basis. We requested reconciliations of collections between the subsidiary ledger and the general ledger as of June 30, August 31, and September 30, 2006, and received none of them timely. The September 30 collections reconciliation, received on November 3, 2006, contained a $650,930 unexplained variance (2.7% of MSHA collections recorded in the general ledger as of September 30, 2006).
• Since November 2005, one day of interest was omitted from MSHA's interest calculation each month.
• OSHA only records interest receivable when debt letters are sent to employers and when debt is sent to Treasury, and does not ensure that its quarter-end interest receivable balances are appropriately accrued between the time of the last debt letter and the time the debt is sent to Treasury.
• OSHA collections are not properly cut-off at year-end. $819,126 of FY 2005 collections were posted to DOLAR$ and the SCA in FY 2006, and $1,236,416 of FY 2006 collections were posted to DOLAR$ and the SCA in FY 2007.

DOL management considered the identified differences to be immaterial to the FY 2006 consolidated financial statements, and as such, these differences were included in the Summary of Unadjusted Audit Differences attached to management's FY 2006 representation letter.

We recommend that management develop and implement policies and procedures, or enhance and enforce existing policies and procedures and related systems related to the timely notification to employers of debt delinquency, the timely notification to Treasury of outstanding debt, write-off of debt greater than 2 years old in accordance with OMB Circular No. A-129, Managing Federal Credit Programs reconciliation of the MSHA subsidiary ledger to the general ledger on a quarterly basis, accrual of interest receivable on a quarterly basis, and recording of collections received near year-end in the general ledger in the proper fiscal year. In addition, management should design, test, and implement changes to MSHA's subsidiary ledger to correct errors in the calculation of interest and ensure that controls are in place to detect such system errors in the future.

In FY 2006, DOL updated its procedures for debt management (DLMS 6, Chapter 900); the Chapter is currently in the Departmental clearance process. The revised guidance covers transfers of delinquent or defaulted debts to the U.S. Department of the Treasury, Financial Management Service (FMS) for collection and procedures for the write-off of debt. Management routinely monitors accounts receivable and reviews the agencies' quarterly reports on receivables due from the public to ensure compliance with OMB Circular No. A-129. Management will develop and implement any additional policies and procedures for the management and collection of debts and write-offs to ensure compliance with FMS and the OMB Circular No. A-129 requirements, including interest accruals, reconciliations, and cut-offs.

1. Federal Information Security Management Act (Electronic Government Act of 2002)

The U.S. Department of Labor (DOL) is required to comply with the Federal Information Security Management Act (FISMA), which was enacted as part of the Electronic Government Act of 2002. FISMA requires the head of each agency to be responsible for (1) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (a) information collected or maintained by or on behalf of the agency; and (b) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (2) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including information security standards promulgated under section 11331 of title 40. This particular section requires that Federal agencies provide minimum information security requirements as defined by the National Institute of Standards and Technology. We noted instances of non-compliance with FISMA that have been reported in Exhibit I as Reportable Condition Nos. 1, 2 and 5.

We recommend that DOL follow the recommendations provided in Reportable Condition Nos. 1, 2 and 5 in Exhibit I, and fully implement the requirements of FISMA in fiscal year (FY) 2007.

2. Single Audit Act Amendments of 1996

As a grant-making entity, DOL is required to comply with certain provisions of the Single Audit Act Amendments of 1996 and the corresponding Office of Management and Budget (OMB) Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations. According to Section 7504 of the Single Audit Act Amendments of 1996, "Each Federal agency shall, in accordance with guidance issued by the Director under section 7505, with regard to Federal awards provided by the agency... monitor non-Federal entity use of Federal awards." According to Section 400(c) of OMB Circular No. A-133, "The Federal awarding agency shall perform the following for the Federal awards it makes... Ensure that audits are completed and reports are received in a timely manner and in accordance with the requirements of this part... Issue a management decision on audit findings within six months after receipt of the audit report and ensure that the recipient takes appropriate and timely corrective action."

As discussed in Reportable Condition No. 4 in Exhibit I, DOL lacks monitoring procedures to ensure that audits of its grantees are completed and reports are received in a timely manner for each grantee that meets the audit threshold in OMB Circular No. A-133. Therefore, DOL cannot be certain that all required audits have been performed in a timely manner.

DOL has established policies and procedures requiring the Office of Inspector General (OIG) to receive OMB Circular No. A-133 audit reports once they are issued, review these reports for findings relevant to DOL grant programs, and distribute any such findings to the applicable DOL agency for response and resolution. However, we noted instances in which the latest available OMB Circular No. A-133 audit reports were not obtained for review as of September 30, 2006 although they were available on the Federal Single Audit Clearinghouse website.

We recommend that DOL follow the recommendations provided in Reportable Condition No. 4 in Exhibit I in FY 2007.

3. Debt Collection Improvement Act of 1996

The Debt Collection Improvement Act of 1996 (DCIA) is intended to significantly enhance the Federal Government's ability to service and collect debts. Under the DCIA, the U.S. Department of Treasury (Treasury) assumes a significant role for improving government-wide receivables management. According to the DCIA, an agency responsible for collecting debts from the public must "ensure that the public is fully informed of the Federal Government's debt collection policies and that debtors are cognizant of their financial obligations to repay amounts owed to the Federal Government." Also, according to the DCIA, "any Federal agency that is owed by a person a past due, legally enforceable nontax debt that is over 180 days delinquent, including nontax debt administered by a third party acting as an agent for the Federal Government, shall notify the Secretary of the Treasury of all such nontax debts for purposes of administrative offset." Our tests of compliance disclosed instances where DOL was not in compliance with these provisions of the DCIA. In addition, all DOL agencies do not write-off debt greater than two years old in accordance with OMB Circular No. A-129, Managing Federal Credit Programs. See Exhibit I, Reportable Condition No. 10 for further information.

We recommend that DOL follow the recommendations provided in Reportable Condition No. 10 in Exhibit I, and develop policies and procedures to ensure full compliance with the DCIA in FY 2007.

4. Federal Financial Management Improvement Act of 1996

Under section 803a of FFMIA, DOL's financial management systems are required to substantially comply with
(1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level. The Department represented that in accordance with the provisions and requirements of FFMIA, the Secretary of Labor determined that the Department of Labor's financial management systems are in substantial compliance with FFMIA.

As a result of FY 2006 testing, we concluded that DOL's financial management systems did not substantially comply with Federal financial management systems requirements.

• In the FY 2006 FISMA report, the DOL OIG identified a significant deficiency related to a system considered a mixed system under OMB guidelines as it supports financial and non-financial systems within DOL, including the Department of Labor Accounting and Reporting System (DOLAR$), DOL's general ledger system. See OIG Report No. 23-06-015-07-001.
• Several "high" risk change control and segregation of duties weaknesses related to computer security were identified at the Employment and Training Administration (ETA) and the Employment Standards Administration (ESA) as part of FY 2006 audit work. These weaknesses were identified on systems associated with certain DOL benefits and grants programs. See Exhibit I Reportable Condition No. 1 and 5 for further information.
• Numerous "high" and "medium" risk information technology (IT) general and application control weaknesses related to computer security were identified as part of the IT audit work in FY 2006. These weaknesses impact the IT environments and systems in several large DOL agencies, including the Office of the Chief Financial Officer (OCFO), ETA, ESA, and the Office of the Assistant Secretary for Administration and Management (OASAM). Many of these weaknesses were initially identified in previous years' audits, and DOL has not taken sufficient corrective action to address them. In summary, DOL was not effective (less than 30%) in closing such prior year IT recommendations. As a result of the number of repeat IT weaknesses still present in the DOL financial control environment, added pressure exists on the mitigating manual controls to be operating effectively at all times. See Exhibit I Reportable Conditions Nos. 1 and 2 for further information.
• DOLAR$ does not require journal entries (via transaction codes) to be entered and approved by separate individuals before they are posted to the general ledger. Hence, transaction codes and corresponding amounts entered into DOLAR$ are posted without any system-controlled approval. See Exhibit I Reportable Condition No. 7 for further information.
• Certain procedures in the Department of Labor Manual Series (DLMS) are outdated or should be more comprehensive. See Exhibit I Reportable Condition Nos. 8 and 9 for examples of this condition.

We recommend that DOL follow the recommendations provided in Reportable Condition Nos. 1, 2, 5, 8 and 9 in Exhibit I, and improve its processes to ensure compliance with the Federal financial management systems requirements of FFMIA in FY 2007.