Back to TOC

	PricewaterhouseCoopers LLP Suite 800W 1301 K St., N.W. Washington DC 20005-3333 Telephone (202) 414 1000 Facsimile (202) 414 1301

REPORT OF INDEPENDENT AUDITORS

United States Attorney General and
Inspector General
United States Department of Justice

We have audited the accompanying consolidated balance sheets of the U.S. Department of Justice (the Department) and its components as of September 30, 2003 and 2002, and the related consolidated statements of net cost, of changes in net position and of financing, and its combined statements of budgetary resources and of custodial activity, for the years then ended. These financial statements are the responsibility of the Department’s management. Our responsibility is to express an opinion on these financial statements based on our audits. We did not audit the financial statements of certain components of the Department, including the Office of Justice Programs; Drug Enforcement Administration; Federal Bureau of Investigation; Bureau of Alcohol, Tobacco, Firearms and Explosives; United States Marshals Service; and the Immigration and Naturalization Service, which statements reflect total combined assets of $13.9 and $17.5 billion and total combined net costs of $12.6 and $15.6 billion, as of and for the years ended September 30, 2003 and 2002, respectively; and we did not audit the financial information of the September 11^th Victim Compensation Fund, which transactions reflect total assets of $105.1 and $111.8 million and total benefit payments of $708.5 and $20.2 million, as of and for the years ended September 30, 2003 and 2002, respectively. Those statements and financial information were audited by other auditors whose reports thereon have been furnished to us, and our opinion expressed herein, insofar as it relates to the amounts for these components, is based solely on the reports of the other auditors.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, based on our audits and the reports of other auditors, the financial statements referred to above, present fairly, in all material respects, the financial position of the Department of Justice and its components, at September 30, 2003 and 2002, and their net cost, changes in net position, budgetary resources, financing and custodial activity for the years then ended, in conformity with accounting principles generally accepted in the United States of America.

Pursuant to the Homeland Security Act of 2002, Public Law 107-296, the operations and funds of the Immigration and Naturalization Service were transferred to the Department of Homeland Security on March 1, 2003, and the operations and funds of certain programs of the U.S. Department of the Treasury Bureau of Alcohol, Tobacco and Firearms were transferred to the Department’s newly created Bureau of Alcohol, Tobacco, Firearms and Explosives on January 24, 2003.

Our audits were conducted for the purpose of forming an opinion on the Department’s consolidated and combined financial statements taken as a whole. The consolidating and combining information is presented for purposes of additional analysis of the Department’s consolidated and combined financial statements rather than to present the financial position, net cost, changes in net position, budgetary resources, financing, and custodial activity of the Department’s components. The consolidating and combining information has been subjected to the auditing procedures applied in the audits of the Department’s consolidated and combined financial statements and, in our opinion, based on our auditing procedures and the reports of the other auditors, the consolidating and combining information is fairly stated in all material respects in relation to the Department’s consolidated and combined financial statements taken as a whole.

The Management’s Discussion and Analysis (MD&A), Required Supplementary Information (RSI), and Required Supplementary Stewardship Information (RSSI) are not required parts of the financial statements but are supplementary information required by the Federal Accounting Standards Advisory Board and OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We did not audit the information and express no opinion on it. However, we and other auditors have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the MD&A, RSI and RSSI. The Department did not complete the reconciliation of non-fiduciary transactions with their intra-governmental trading partners as required by OMB Bulletin No. 01-09.

In accordance with Government Auditing Standards, we have also issued a report dated January 16, 2004, on our consideration of the Department's internal controls and a report dated January 16, 2004, on its compliance with laws and regulations. Those reports are an integral part of an audit performed in accordance with Government Auditing Standards and should be read in conjunction with this report in considering the results of our audits.

January 16, 2004

	PricewaterhouseCoopers LLP Suite 800W 1301 K St., N.W. Washington DC 20005-3333 Telephone (202) 414 1000 Facsimile (202) 414 1301

REPORT OF INDEPENDENT AUDITORS ON INTERNAL CONTROL

United States Attorney General and
Inspector General
United States Department of Justice

We have audited the accompanying consolidated balance sheets of the U.S. Department of Justice (the Department) and its components as of September 30, 2003 and 2002, and the related consolidated statements of net cost, of changes in net position and of financing, and its combined statements of budgetary resources and of custodial activity, for the years then ended, and have issued our report thereon dated January 16, 2004. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.

We did not audit the financial statements of certain components of the Department, including the Office of Justice Programs; Drug Enforcement Administration; Federal Bureau of Investigation; Bureau of Alcohol, Tobacco, Firearms and Explosives; United States Marshals Service; and the Immigration and Naturalization Service, which statements reflect total combined assets of $13.9 and $17.5 billion and total combined net costs of $12.6 and $15.6 billion, as of and for the years ended September 30, 2003 and 2002, respectively; and we did not audit the financial information of the September 11^th Victim Compensation Fund, which transactions reflect total assets of $105.1 and $111.8 million and total benefit payments of $708.5 and $20.2 million, as of and for the years ended September 30, 2003 and 2002, respectively. Those statements and financial information were audited by other auditors whose reports thereon have been furnished to us, and our report on the Department’s internal control herein, insofar as it relates to these components, is based solely on the reports of the other auditors.

Pursuant to the Homeland Security Act of 2002, Public Law 107-296, the operations and funds of the Immigration and Naturalization Service were transferred to the Department of Homeland Security on March 1, 2003, and the operations and funds of certain programs of the U.S. Department of the Treasury Bureau of Alcohol, Tobacco and Firearms were transferred to the Department’s newly created Bureau of Alcohol, Tobacco, Firearms and Explosives on January 24, 2003.

Management of the Department is responsible for establishing and maintaining accounting systems and internal control. In fulfilling this responsibility, estimates and judgments are required to assess the expected benefits and related costs of internal control policies and procedures. The objectives of internal control are to provide management with reasonable, but not absolute, assurance that: (1) transactions are properly recorded, processed, and summarized to permit the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; (2) transactions are executed in compliance with laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements, and any other laws, regulations and government-wide policies identified in Appendix C of OMB Bulletin No. 01-02; and (3) transactions and other data that support reported performance measures are properly recorded, processed, and summarized to permit the preparation of performance information in accordance with criteria stated by management. Because of inherent limitations in any internal control, errors or fraud may nevertheless occur and not be detected. Also, projection of any evaluation of internal control to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.

In planning and performing our audits of the Department’s financial statements, we obtained an understanding of the design of significant internal controls and whether they had been placed in operation, tested certain controls and assessed control risks in order to determine our auditing procedures for the purpose of expressing an opinion on the financial statements. We limited our internal control testing to those controls necessary to achieve the objectives described above, and we did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. Our purpose was not to provide an opinion on the Department’s internal controls. Accordingly, we do not express such an opinion.

With respect to internal control relevant to data that support reported performance measures, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02. Our procedures were not designed to provide assurance on internal control over reported performance measures. Accordingly, we do not provide an opinion on such controls.

We noted, and the reports of other auditors identified, certain matters in the Department's internal control that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants (AICPA). Reportable conditions involve matters coming to the auditors' attention relating to significant deficiencies in the design or operation of internal control that, in their judgment, could adversely affect the Department's ability to meet the internal control objectives described in the fourth paragraph. Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control elements does not reduce, to a relatively low level, the risk that errors or fraud in amounts that would be material in relation to the financial statements being audited or material to a performance measure or aggregation of related performance measures may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. The auditors' consideration of internal control would not necessarily disclose all matters in internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses as defined above.

Overview of Material Weaknesses and Reportable Conditions

Table 1 summarizes the nine material weaknesses and ten reportable conditions identified by component auditors. We analyzed these reportable conditions to determine their effect on the Department’s internal control over financial reporting and determined that there are two Department-wide reportable conditions, the first of which we also consider to be a material weakness.

The remainder of this report discusses in greater detail the two consolidated reportable conditions, the first of which is considered a material weakness. Because of the frequency with which these conditions were found within the Department’s components, we recommend Department-wide corrective actions.

Fundamental changes are needed in the components’ internal control to ensure financial information can be provided timely to manage the Department’s programs and to prepare its financial statements within the accelerated reporting deadlines of the OMB.

As a result of our financial audit of the Department’s fiscal year 2002 consolidated financial statements, we issued a report on internal control that identified that fundamental changes were needed in the Department’s, and components’, financial management to ensure the Department’s financial statements could be completed timely and in accordance with generally accepted accounting principles. We reported that standardized accounting policies and procedures for all the Department’s components were needed to ensure timely and consistent consolidation of the components’ financial statements, and we reported that the Department’s financial management systems should be configured to support not only basic financial accounting and reporting functions, but should also integrate budget and performance information that managers can use to make decisions on their programs throughout the fiscal year. We and other auditors reported that components obtain, analyze and adjust financial information at the end of the fiscal year when staff resources are strained by competing tasks, and that budgetary and accrual-based accounting concepts must be used to record transactions throughout the fiscal year. Finally, we reported that components must improve the participation of program offices in the gathering and analyzing of financial data necessary to prepare components’ financial statements because the financial statement preparation effort must be a component-wide effort, involving all program, budget, and administrative offices.

We believed fundamental changes to the components’ financial management were necessary because of the fiscal year 2003 financial reporting objectives of the Department. The Department established an aggressive goal to deliver a final Performance and Accountability Report (PAR), which included the Department’s consolidated financial statements, to OMB by December 30, 2003. This date was one month ahead of OMB’s deadline of January 30, 2004 for all Federal agencies to submit PARs. We believed that without fundamental changes to the Department’s and components’ financial management processes, this goal would not be achievable; accordingly, we recommended several actions that we believed would assist the Department in meeting its financial reporting objectives. First, we recommended that the Department continue the implementation of a new financial management system that would support the fundamental changes needed in the components’ financial management processes to meet the accelerated financial statement reporting deadlines of OMB. Second, we recommended that the Department develop policies and procedures that would ensure consistent application of generally accepted accounting principles throughout the fiscal year and promote consistent financial reporting in the form and content prescribed by the Department. Finally, we recommended that the Department provide training to program, budget, and administrative staff on their responsibilities for components’ financial management and reporting prescribed by the Department.

• Poorly designed controls that do not enforce management’s directives or address the risks identified by management. For example, auditors reported deficiencies in basic controls such as account reconciliations, edit checks for data entered, and the creation and retention of related records that provide evidence of recorded transactions. Weaknesses were noted in both electronic data processing systems and manual processes.
  
  
• Deficiencies in the monitoring of internal controls by the Department’s supervisory personnel. Monitoring procedures either did not exist or were not designed properly to detect deficiencies in control activities timely. For example, auditors reported that components’ internal controls were found to be ineffective during interim test procedures, resulting in a “no controls” reliance approach, which requires significant additional substantive testing to perform the audit. In many instances, management did not identify these control deficiencies because of the lack of an effective monitoring control program.
  
  
• Ineffective communication of both operational and financial controls by program managers. This ineffective communication impedes their ability to determine whether programs are meeting the Department’s strategic, performance, and financial reporting plans, and whether they are meeting their goals for accountability for effective and efficient use of resources. For example, the Department reported $858 million in recoveries of excess obligations. An effective communication plan could have identified and perhaps reduced this amount, thereby, freeing resources that could have been used to support other initiatives within the Department.

Senior leadership of the Department must portray a positive attitude towards the Department’s control environment and communicate to the components the importance of improving internal controls to ensure that operational and financial data is provided to managers to meet the Department’s objectives and to ensure accountability for effective and efficient use of resources. Components must also ensure that timely and ongoing monitoring occurs in the course of normal operations and is ingrained in the components’ daily operations.

During fiscal year 2003, the Department began the process to acquire a Unified Financial Management System that is compliant with Joint Financial Management Improvement Program (JFMIP) requirements and will form the Department’s core financial management system. Management believes the Unified System will improve consistency among the Department’s components’ financial accounting and reporting and will aid in the Department’s preparation of the consolidated financial statements. The project is projected to be a multi-year effort, with implementation beginning with noncompliant legacy systems in fiscal year 2004. In addition to this major system effort, the Department’s Justice Management Division (JMD) issued several policy revisions to the Department’s Financial Statement Requirements and Preparation Guide to address component accounting and reporting requirements. Although these efforts provided a foundation for improved financial reporting in fiscal year 2003, the Department and its components did not make the changes that were necessary to achieve the Department’s financial reporting objectives.

We and other auditors continue to identify weaknesses in the Department’s and components’ financial management systems, financial accounting in accordance with generally accepted accounting principles, and their financial statement preparation process that, if not addressed, will prevent the Department from meeting the accelerated reporting requirements of OMB in fiscal year 2004. Summarizations of these weaknesses are presented below:

Financial Management Systems - Components’ financial management systems are not integrated or are not configured to support financial management and reporting. Specifically, we and other auditors identified the following:

• Revenue and accounts receivable: The FBI, OBDs and WCF financial management systems do not link obligations incurred under reimbursable authority to specific reimbursable agreements, requiring a manually intensive process to determine earned revenue and unfilled customer orders amounts. The Executive Office for United States Trustees (EOUST) fee collection system is not linked to the general ledger and, therefore, EOUST provides case-level information to support the Chapter 11 Quarterly Fees due from the public to JMD, requiring adjustments to the general ledger after the fiscal year-end. The USM system lacks a fully integrated subsidiary ledger that provides real-time accounts receivable balances with transaction level data by agreement, increasing the risk that project costs could exceed the project reimbursable authority without detection by management. Finally, the INS did not have a reliable system that provides regular, timely and detailed data on the number and value of immigration applications received, pending and completed which impedes the timely recordation of fees earned when applications are completed.
  
  
• Property and leasehold improvements: The OBDs and WCF property management systems are not integrated with the components’ core financial management systems, requiring redundant manual data entry to record basic property management transactions such as acquisitions, leasehold improvements, disposals and depreciation.
  
  
• Disbursements: The FBI and USM reported that advances made to other Federal agencies are recorded as expenses rather than assets because financial management systems or policies are not adequate to record the appropriate financial transaction when it is originated. A similar condition was identified at the OBDs and WCF relating to the recordation of transfers as earned revenue.
  
  
• Other required information: The FBI financial systems do not adequately capture information related to trading partner activity, FACTS II, and cost activities at the transaction level. The OBDs and WCF financial management systems do not prevent the creation of an obligation with a fiscal year 2003 obligation number in subsequent fiscal years, thereby, increasing the risk that expired funds will be used to support financial activity from another fiscal year.
  
  
• Fund balance with Treasury: The INS financial management system does not produce the level of detail required for management to research reconciling items, such as trial balances by location, requiring significant manual resources to identify the cause of reconciling items.

Because the components’ financial management systems do not completely support the processing of financial transactions in an automated and on-going basis, significant manual efforts are required at the end of each fiscal quarter to correct misstatements in components’ financial statements. Financial analysis performed in a compressed period of time increases the risk that errors and inconsistencies existing in components’ financial statements will not be detected. The Department’s financial management systems must be configured to support not only basic financial accounting and reporting functions, but should also integrate budget and performance information that managers can use to make decisions on their programs throughout the fiscal year.

Financial accounting in accordance with SFFAS – The components did not adequately record financial transactions throughout the fiscal year in accordance with Statements of Federal Financial Accounting Standards (SFFAS). Components’ financial accounting and reporting must include both budgetary and accrual-based accounting concepts and components must eliminate their dependency on obtaining, analyzing, and adjusting financial information only at the end of the fiscal year when staff resources are strained by competing tasks. This is especially important given the new financial reporting requirements of the OMB. In fiscal year 2004, the Department will have to prepare interim financial statements each quarter and prepare and deliver its Performance and Accountability Report, which includes the Department’s consolidated financial statements, within 45 days after the fiscal year-end. We and other auditors identified the following weaknesses with respect to components application of SFFAS:

• SFFAS No. 1, Accounting for Selected Assets and Liabilities: INS’s intragovernmental advances could not be adequately tracked and INS must rely on its customers to determine the amount of the advance that has been earned. Undeposited collections and related deferred revenue is captured for financial statement purposes, but transactions are not maintained in INS’s financial management system. The OBDs, WCF and AFF do not have adequate procedures for the allocation and timely resolution of amounts reported in their Budget Clearing Accounts (BCA). Errors in the assignment of BCA transactions to these components were not identified by management, requiring audit adjustments to the financial statements in the last few days of the audits. In addition, management does not have adequate procedures to identify the appropriate budget accounts to charge the expenditure timely, and does not age transactions to permit the assignment of resources to resolve older BCA transactions, including determining whether a charge-back of the transaction to its Federal trading partner is warranted.
  
  
• SFFAS No 3, Accounting for Inventory and Related Property: Valuation and status errors existed in AFF’s seized and forfeited property account balances because forfeiture orders, fair market value appraisals, and errors identified in physical inventory counts were not entered timely in the seized and forfeited property management system.
  
  
• SFFAS No. 5, Accounting for Liabilities of the Federal Government: The DEA, WCF, OBDs, BOP, and AFF program offices did not perform an adequate review of obligations in accordance with established policies, requiring an extensive manual effort after the fiscal year end to correct the status of obligation records and adjust for errors in accounts payable (delivered orders - unpaid) account balances; and DEA, INS, OBDs and WCF have not fully developed and tested accrual estimation policies to ensure reliability.
  
  
• SFFAS No 6, Accounting for Property, Plant and Equipment (PPE): The USM did not have effective policies and procedures for identifying capital projects with the General Services Administration, and the FBI recorded adjustments to its PPE account balances because management at FBI’s headquarters, field divisions, and contracting units did not coordinate efforts to ensure requirements of the FBI’s Property Manual were followed. The OBDs and WCF do not have adequate processes for obtaining information necessary to calculate the future cost of leased property that is required information for financial statement reporting purposes.
  
  
• SFFAS No. 7, Accounting for Revenue and Other Financing Sources: The information related to the sale of forfeited real property was not always accurate, resulting in revenue being incorrectly recorded in AFF’s general ledger. The OBDs and WCF financial statements required year-end adjustments to properly reflect the amount of revenue earned from reimbursable activity because of unsupported accrual estimates or errors in accrual calculations.

Standardized accounting policies and procedures for all components are needed and should be communicated in the Department's Financial Statement Requirements and Preparation Guide, thereby ensuring consistency in the Department's consolidated financial statements. Without fundamental changes to the Department’s and components’ financial management, the Department’s fiscal year 2004 financial statements will not be completed timely or in accordance with generally accepted accounting principles.

Financial Statement Preparation – The Department’s components do not sufficiently obtain, record, analyze, or adjust financial information throughout the fiscal year, increasing the risk that errors and inconsistencies in components’ financial statements will not be detected timely. In addition, components must improve the participation of program offices in the gathering and analyzing of financial data necessary to prepare components financial statements. The financial statement preparation effort must be a component-wide effort, involving program, budget, and administrative offices. We and other auditors identified the following weaknesses:

• Year-end financial management processes: The management of the USM, OBDs, and WCF do not have effective controls in place to detect misstatements in account balances throughout the fiscal year. In some instances, these components’ Finance Offices must perform substantial testing after the fiscal year end to identify and correct errors in program office recordation of transactions. For example, JMD had to extend the audits of the OBDs and WCF and review over 750 transactions related to obligations and reimbursable revenue in order to identify and correct misstatements in these account balances; however, in many instances, the program managers did not ensure that the necessary documentation was provided to JMD. In addition, JMD had not established adequate review processes that ensured documentation provided by program and field offices supported the transactions under review. In many instances, multiple requests were required in order to obtain sufficient evidential matter to support the transactions. Also, the USM performs a manual process to identify and accumulate reimbursable activity, which takes a considerable amount of time to reconcile and causes year-end reporting delays.
  
  
• Staff resources: The OBDs’ and WCF’s program, budget, and administrative offices did not adequately support the financial audit of these components, requiring JMD to perform significant analysis after the fiscal year end in order to identify and correct misstatements in the OBD’s and WCF’s financial statements, even though JMD’s staff resources were strained with other responsibilities. The FBI does not have sufficient financial management personnel to record the numerous accruals, estimates, and adjusting entries that are necessary to prepare financial statements in accordance with SFFAS and the Department’s reporting deadlines.
  
  
• Quarterly financial reporting: The WCF, AFF, and OBDs do not perform adequate reviews and correct misstatements in obligations, revenues, seized/forfeited property, and other financial statement accounts throughout the fiscal year; as a result, auditors identified significant misstatements in these components’ interim financial statements that prohibited the auditors’ reliance on them and on related internal controls. As a result, management was required to perform extensive detailed substantive procedures after the fiscal year end to identify and correct misstatements in year-end account balances.
  
  
• Adhering to year-end deadlines: With the exception of the DEA, components made corrections or changes to the presentation of the components’ financial statements after established deadlines, and in some instances, two months after the components’ statements were to be finalized in accordance with the Department’s financial reporting deadlines. This increases the risk that inconsistencies and errors could occur and not be detected when management consolidates the components’ financial statements into the Department’s consolidated financial statements, and creates delays that could prevent the Department from submitting its consolidated financial statements in accordance with OMB’s deadlines.
  
  
• Elimination entries: Components did not consistently follow the Department's requirements to accumulate and report elimination entries at an interim period; therefore, financial activity among the Department’s components could not be reconciled or confirmed until after the end of the fiscal year, when components’ resources were dedicated to preparing their components’ financial statements, resulting in errors in the recordation of the Department’s intra-departmental transactions.
  
  
• Intragovernmental confirmations: The Department was not able to complete the reconciliation of non-fiduciary Federal Intragovernmental Activity and Balances because not all of the Department’s trading partners responded to the confirmations sent by the Department and confirmations received from the Department’s trading partners did not provide sufficient detail to identify the Department components that initiated the transaction. In addition, the Department did not include in the confirmations five months of financial activity relating to the INS.

Inadequate or outdated financial management systems do not permit the types of automated financial transaction processing that is needed in a time when more financial information is being requested with a shorter period of time to respond to these requests. As a result of the components’ financial system deficiencies, the components are forced to perform significant “manual fixes” to compensate for the lack of financial accounting capabilities of the systems. In some instances, components’ do not have sufficient resources with the appropriate financial accounting skills who have a direct stake in the outcome of the financial reporting process; therefore, components’ staff often do not review accounting transactions until after the fiscal year when competing tasks, such as budget justifications, reduce the level of time and commitment components’ staff can provide to the financial reporting process. This directly affects management’s ability to monitor controls that would prevent or detect errors that could cause misstatements in the components’ financial statements and prevent management from implementing corrective actions in a timely manner.

Without fundamental changes to the Department’s and components’ financial management, including the establishment of an effective internal control program that includes timely monitoring of financial controls by management, the Department will not be able to prepare auditable financial statements in fiscal year 2004 within the accelerated timelines of the OMB. This will result in modifications to the auditors’ reports on the Department’s financial statements, internal control, or compliance with laws and regulations.

Recommendations

We recommend that the Chief Financial Officer:

1. Improve the Department-wide internal control program and include timely monitoring of financial controls by management. Communicate this to the components in the Department’s Financial Statement Requirements and Preparation Guide. Senior leadership of the Department must support this effort and assign direct responsibility for the implementation of the internal control program to senior leaders at each component.

   Management Response:

   Concur. The CFO will continue to emphasize the importance of improving internal controls through the Department’s Financial Managers Council and the financial statement working group meetings, and implement a program for internal review and monitoring of the adequacy of those controls. The Department will incorporate this guidance in the Financial Statement Requirements and Preparation Guide, and require senior management in the Department’s components to implement the identified review and monitoring program.

2. Develop accounting and reporting policies and procedures for, but not limited to: (a) the accounting of non-standard transactions (e.g., unobligated balance transfers), (b) property management (e.g., leases), (c) budgetary accounting issues (e.g., status of obligations), and (d) expense and revenue recognition. Issue guidance that requires components to perform financial accounting and reporting throughout the fiscal year that includes budgetary and accrual-based accounting concepts.

   Management Response:

   Concur. JMD will continue to develop and enforce existing accounting policy that requires components to perform reliable financial accounting and reporting throughout the fiscal year. JMD will ensure that accounting policy exists for unobligated balances and similar funding transfers, leases, budgetary transactions, and revenue recognition. The updated policies will be included and emphasized in the Financial Statement Requirements and Preparation Guide.

3. Proceed with the rapid implementation of the Department’s Unified Financial Management System Project. The core financial system should include, but not be limited to, applications that support: (a) funds control (e.g., budget execution); (b) obligation accounting and control; (c) cash management; (d) inventory and property management; (e) the standard general ledger; (f) financial statement preparation, consolidation and reporting; and (g) customer/vendor recognition, including, intragovernmental trading partners. To the extent possible, the financial management system should be able to provide real-time financial data and provide flexibility in meeting external reporting requirements. As part of this effort, the Department should continue its development of a consolidation tool that will automate the current labor-intensive consolidation process, including, performance and accountability reporting, and the reconciliation of intragovernmental and intra-departmental transactions. Finally, a standard schedule of transaction codes should be developed and implemented in the system that describes the accounting transactions and the standard general ledger accounts to be used (both proprietary and budgetary). During the development of the transaction schedule, we strongly encourage the use of the Department of the Treasury’s Treasury Financial Manual, Section III, which provides a detailed list of budgetary and proprietary transactions and the U.S. Government Standard General Ledger accounts affected.

   Management Response:

   Concur. The Department is committed to implementing an integrated financial management system that is in compliance with federal financial management systems requirements and applicable federal accounting standards, addressing the functionality proposed by the audit report recommendation. JMD is scheduled to complete its COTS software evaluation in the second quarter of FY 2004. Product acceptance testing is scheduled for the third quarter, and system implementation/integration, supported via a commercial firm or cross service provider, will begin in the fourth quarter. JMD will also continue its efforts to implement the financial statement consolidation tool for the FY 2004 reporting cycle.

4. Ensure components have allocated sufficient resources to support the financial management and reporting process. Develop training for components’ program and finance staff on the responsibilities for internal control and financial management. Include a detailed discussion on the Department’s consolidated accounting and reporting requirements and emphasize that components’ financial statements are segments of the Department’s consolidated financial statements.

   Management Response:

   Concur. The Department is committed to implementing human capital initiatives aimed at training employees and addressing its hiring needs to ensure that components have the skill base and the diversified workforce to accomplish the DOJ financial management mission. By June 30, the CFO will develop a statement of core financial management “principles” which it will issue to each component, emphasizing the priority of the DOJ consolidated statement in relationship to the component statements.

Improvements are needed in the Department’s components' financial systems’ general and application controls and the general controls at the Department’s data centers.

In support of the Department’s fiscal year 2003 consolidated financial statement audit, we performed an assessment of the general controls established over four mainframe environments located at the Department’s Data Centers to evaluate the effectiveness of the general controls environment. These data centers house financial and other financial-related applications for the bureaus, offices, boards, and divisions within the Department, except for the FBI, DEA, USM, ATF, FPI, and OJP. The review focused on evaluating the adequacy of management and internal controls in accordance with the General Accounting Office (GAO), Federal Information System Controls Audit Manual (FISCAM) general control areas of (a) access controls, (b) system software controls and modification, (c) entity-wide security program planning and management, (d) segregation of duties, (e) service continuity, and (f) application software development change controls. Our approach to testing and evaluating the controls was performed in accordance with the FISCAM and included the use of practice aids for the specific technical areas of the operating systems. During our audit of the Department’s data centers, we noted the following deficiencies:

• The Computer Services (CS) Internal Auditor performs CA-Top Secret security administration functions in addition to internal audit functions. This individual is also designated as the junior CA-Top Secret security administrator’s backup to ensure coverage of security administration responsibilities.
  
  
• Security monitoring reports are run and reviewed by an individual within computer operations, and exceptions are reported to the CS Internal Auditor for reporting and follow-up.
  
  
• Management does not conduct reviews to evaluate the risks of not segregating incompatible duties.

Lack of segregation of duties increases the risk that fraudulent activity or errors may not be prevented, detected, and corrected. These inadequacies may lead to the loss of data and system integrity.

According to the CS’s System Access Control Policy, “…access controls shall be in place and operational for all CS IT systems to enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more… and enforce separation of duties based on roles and responsibilities… and protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.

In performing procedures at the Department’s data centers and on the components’ financial management information systems, we and other component auditors considered the FISCAM; OMB Circular A-130, Appendix III, Automated Information Security Programs; the Department’s Order No. 2640.2D, Information Technology Systems Security; and other guidance. The FBI’s auditors reviewed the FBI’s information systems control environment and reported their detailed findings to the Office of the Inspector General in a separate limited distribution report. Table 2 outlines the more significant weaknesses identified by the auditors on the nine of eleven DOJ reporting components for fiscal year 2003. Following the table, we summarized some of the specific conditions reported by the components’ auditors.

OBD - The U.S. Trustees’ Fee Information and Collection System contained weaknesses in entity-wide security program management, segregation of duties (programmers and security administrators have inappropriate access), and data input, processing, and output controls.

FBI - The weaknesses identified in Table 2 could compromise the agency’s ability to ensure security over sensitive programmatic or financial data, the reliability of its financial reporting, and compliance with applicable laws and regulations. In addition, FBI’s property management system input and processing controls were not adequate, resulting in excessive access privileges.

DEA - Improvements are needed in DEA’s Firebird Network user account administration, and access to the Federal Financial System is not removed timely for transferred or terminated employees. Finally, consistent processes are not in effect to prevent weaknesses resulting from a prior year Government Information Systems Reform Act audit covering system configuration, password management, logon management, account integrity management, and system auditing management.

OJP – Several instances of configuration management vulnerabilities continue to exist and access privileges and profiles are not properly administered. Improvements are needed in service continuity to ensure OJP can restore its capability to process, retrieve, and protect information in the event of service interruption.

ATF – Financial network operating systems that provide user connectivity to ATF systems have not been configured to reduce the risk of circumventing security controls, and database authentication and authorization controls have not been effectively implemented to prevent unauthorized access.

USM – Weaknesses in the general network control environment continue to exist in the areas of segregation of duties and access controls, and with respect to the application controls review of the USM’s core financial management system, a static temporary password is used to set up new accounts, developers have access to testing, production and development environments, and a contingency plan has not been tested.

BOP – System development life cycle policy is not current and does not reflect the current SENTRY system environment. Change controls do not adequately address segregation of duties or adequately document whether test plans were implemented or whether test results were analyzed and conditions addressed in a timely manner. Finally, BOP’s implementation plan for the TRUFACS system did not adequately document required procedures for the conversions process.

FPI – The financial management system does not include specific strategies and policies that address high-risk security identifications, profiles, and transactions. An excessive number of users have access to sensitive transactions and segregation of duty conflicts exist among various accounting functions of the system. Finally, security administration is not consistently applied to ensure that visibility and control over user access are monitored.

INS – Weaknesses were identified in INS’s general network controls, including inactive accounts, no network audit logs or security violation reports, passwords are not in compliance with Department policies, no certification or accreditation for the Debt Management Center, and systems do not automatically log-off after a period of inactivity. Finally, an initial password for a significant financial management system is static for new users.

The weaknesses identified by components’ auditors in the components’ general and application controls increase the risk that programs and data processed on components’ information systems are not adequately protected from unauthorized access or service disruption.

Recommendations

We recommend that the Chief Information Officer:

5. Reassign the CS Internal Auditor’s responsibility of performing CA-Top Secret Security administration functions as part of daily operations and in serving as the backup to the junior CA-Top Secret Security Administrator. Update the established emergency fire-wall identification policies and procedures to ensure that all CA-Top Secret Security administration functions performed in emergency situations using fire-wall identifications are properly documented and describe the independent monitoring and follow-up procedures performed by internal audit.

   Management Response:
   Concur. The CIO is committed to the implementation of corrective actions that provide adequate security controls and protect sensitive information, and effect the recommended realignments in responsibility assignments. JMD will ensure that emergency fire-wall identification policies and procedures are updated and properly documented.

6. Require the components’ Chief Information Officers (CIO) to submit corrective action plans that address the weaknesses identified above. The action plans should focus on correcting deficiencies in entity-wide security, access controls, application software development and change controls/SDLC, service continuity, segregation of duties, system software, and other specific application control weaknesses discussed in the component auditors’ reports on internal control. The corrective action plans should include a timeline that establishes when major events must be completed, and the Department’s CIO should monitor components' efforts to correct deficiencies and hold them accountable for meeting the action plan timelines.

Management Response:
Concur. The Department’s CIO will require the necessary corrective action plans from each component CIO, including comprehensive plans of action and milestones, to address the findings identified in the audit report.

* * * * * * * * * *

STATUS OF PRIOR YEARS FINDINGS AND RECOMMENDATIONS

As required by Government Auditing Standards and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, we have reviewed the status of the Department’s corrective actions with respect to the findings and recommendations from our previous reports on the Department’s internal controls. The following analysis provides our assessment of the progress the Department has made in correcting the material weaknesses and reportable conditions identified in these reports. We also provide the Office of the Inspector General Report number that remains open for audit follow-up, our recommendations for improvement, and the status of the condition as of September 30, 2002:

* * * * * * * * * * *

We identified other matters that we considered not to be reportable conditions in relation to the Department’s consolidated financial statements. A summarization of these less significant matters will be addressed to the Department’s management in a separate consolidated management letter. In addition, components' auditors provided separate management letters to components' management with respect to less significant control issues that were identified during the components' audits.

This report is intended solely for the information and use of the Attorney General and management of the Department, the Office of the Inspector General, the OMB, and Congress. This report is not intended to be and should not be used by anyone other than these specified parties.

January 16, 2004

	PricewaterhouseCoopers LLP Suite 800W 1301 K St., N.W. Washington DC 20005-3333 Telephone (202) 414 1000 Facsimile (202) 414 1301

REPORT OF INDEPENDENT AUDITORS ON
COMPLIANCE WITH LAWS AND REGULATIONS

United States Attorney General and
Inspector General
United States Department of Justice

We have audited the accompanying consolidated balance sheets of the U.S. Department of Justice (the Department) and its components as of September 30, 2003 and 2002, and the related consolidated statements of net cost, of changes in net position and of financing, and its combined statements of budgetary resources and of custodial activity, for the years then ended, and have issued our report thereon dated January 16, 2004. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.

We did not audit the financial statements of certain components of the Department, including the Office of Justice Programs; Drug Enforcement Administration; Federal Bureau of Investigation (FBI); Bureau of Alcohol, Tobacco, Firearms and Explosives; Immigration and Naturalization Service (INS); and United States Marshals Service (USM), which statements reflect total combined assets of $13.9 and $17.5 billion and total combined net costs of $12.6 and $15.6 billion, as of and for the years ended September 30, 2003 and 2002, respectively; and we did not audit the financial information of the September 11^th Victim Compensation Fund, which transactions reflect total assets of $105.1 and $111.8 million and total benefit payments of $708.5 and $20.2 million, as of and for the years ended September 30, 2003 and 2002, respectively. Those statements and financial information were audited by other auditors whose reports thereon have been furnished to us, and our report on the Department’s compliance with laws and regulations, insofar as it relates to these components, is based solely on the reports of the other auditors.

Pursuant to the Homeland Security Act of 2002, Public Law 107-296, the operations and funds of the INS were transferred to the Department of Homeland Security on March 1, 2003; and the operations and funds of certain programs of the U.S. Department of the Treasury Bureau of Alcohol, Tobacco and Firearms were transferred to the Department’s newly created Bureau of Alcohol, Tobacco, Firearms and Explosives, referred to herein as ATF, on January 24, 2003.

Compliance with laws and regulations applicable to the Department is the responsibility of management. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we and other auditors performed tests of the components' compliance with certain provisions of laws and regulations, non-compliance with which could have a direct and material effect on the determination of financial statement amounts and certain other laws and regulations specified in OMB Bulletin No. 01-02, including the requirements referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA). However, the objective of our audit of the financial statements was not to provide an opinion on overall compliance with such provisions and, accordingly, we do not express such an opinion.

The results of our and other auditors’ tests of components' compliance with the provisions of laws and regulations described in the preceding paragraph, exclusive of FFMIA, disclosed the following instance of non-compliance that is required to be reported under Government Auditing Standards and OMB Bulletin No. 01-02:

• OMB Circular No. A-11, Preparation, Submission and Execution of the Budget – The FBI, ATF and USM do not fully fund the acquisition of leased assets at the inception of the lease, and the Offices, Boards and Divisions (OBDs), Working Capital Fund (WCF), and the Assets Forfeiture Fund and Seized Asset Deposit Fund (AFF) do not record the full amount of an unfilled customer order (for services performed) or an obligation (for services acquired) in the general ledger, when a reimbursable agreement or contract to provide/acquire goods or services is signed.

Under FFMIA, we and other auditors are required to report whether the Department's financial management systems substantially comply with (1) the Federal financial management systems requirements, (2) the applicable Federal accounting standards, and (3) the United States Standard General Ledger at the transaction level. The results of our and other auditors' tests disclosed the following instances where the components' financial management systems did not substantially comply with the three FFMIA requirements discussed in this paragraph:

• Federal Financial Management Systems Requirements: The FBI, INS and USM financial management systems do not meet Federal financial management systems requirements; specifically, deficiencies were noted in entity-wide security, access and change controls, service continuity, and segregation of duties.
  
  
• Federal Accounting Standards: The FBI, OBDs, INS, WCF and AFF do not adequately record financial transactions in accordance with Statements of Federal Financial Accounting Standards (SFFAS); specifically, deficiencies were reported in recordation of obligations, expenses and revenue, and seized and forfeited property. The FBI, OBDs and WCF need to improve financial statement preparation processes to ensure financial statements can be prepared within the acceleration reporting deadlines of the OMB and in accordance with SFFAS. Finally, the OBDs and WCF interim financial statements contained misstatements that prevented reliance on their internal controls, requiring management to perform manually intensive efforts to identify and correct misstatements in the OBDs and WCF year-end financial statements.

All significant facts pertaining to the matters referred to above, and recommended remedial actions, are included in the components’ auditors' Reports on Internal Control and are summarized in our report dated January 16, 2004, on the Department’s internal control.

This report is intended solely for the information and use of the Attorney General and management of the Department, the Office of the Inspector General, the OMB, and Congress. This report is not intended to be, and should not be, used by anyone other than these specified parties.

January 16, 2004

Back to TOC