Fiscal Year 2001 Accountability Report Report of Independent Accountants on Internal Control

REPORT OF INDEPENDENT ACCOUNTANTS ON INTERNAL CONTROL

United States Attorney General and
The Office of the Inspector General
United States Department of Justice

We have audited the accompanying consolidated balance sheets of the U.S. Department of Justice and its components as of September 30, 2001 and 2000, and the related consolidated statements of net cost, changes in net position and custodial activity, and its combined statements of budgetary resources and financing, for the years then ended, and have issued our report thereon dated February 14, 2002.  Except as explained in that report, we conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.

We did not audit the financial statements of certain components of the Department, including the Office of Justice Programs (OJP), Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI), Immigration and Naturalization Service (INS), U.S. Marshals Service (USMS), Bureau of Prisons (BOP), and Federal Prison Industries, Inc. (FPI), which statements reflect total combined assets of $23.4 and $21.2 billion, and total combined net costs of $16.7 and $16.9 billion, as of and for the years ended September 30, 2001 and 2000, respectively.  Those statements were audited by other auditors whose reports thereon have been furnished to us, and our report on the Department’s internal control herein, insofar as it relates to these components, is based solely on the reports of the other auditors.

Management of the Department is responsible for establishing and maintaining accounting systems and internal control.  In fulfilling this responsibility, estimates and judgments are required to assess the expected benefits and related costs of internal control policies and procedures.  The objectives of internal control are to provide management with reasonable, but not absolute, assurance that: (1) transactions are properly recorded, processed, and summarized to permit the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; (2) transactions are executed in compliance with laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements, and any other laws, regulations and government-wide policies identified in Appendix C of OMB Bulletin No. 01-02; and (3) transactions and other data that support reported performance measures are properly recorded, processed, and summarized to permit the preparation of performance information in accordance with criteria stated by management.  Because of inherent limitations in any internal control, errors or fraud may nevertheless occur and not be detected.  Also, projection of any evaluation of internal control to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.

In planning and performing our audits of the Department’s financial statements, we obtained an understanding of the design of significant internal controls and whether they had been placed in operation, tested certain controls and assessed control risks in order to determine our auditing procedures for the purpose of expressing an opinion on the financial statements.  We limited our internal control testing to those controls necessary to achieve the objectives described above, and we did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982.  Our purpose was not to provide an opinion on the Department’s internal controls.  Accordingly, we do not express such an opinion.

With respect to internal control relevant to data that support reported performance measures, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02.  Our procedures were not designed to provide assurance on internal control over reported performance measures.  Accordingly, we do not provide an opinion on such controls.

We noted, and the reports of other auditors identified, certain matters in the Department's internal control that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants.  Reportable conditions involve matters coming to the auditors' attention relating to significant deficiencies in the design or operation of internal control that, in their judgment, could adversely affect the Department's ability to meet the internal control objectives described in the third paragraph.  Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control elements does not reduce to a relatively low level the risk that errors or fraud in amounts that would be material in relation to the financial statements being audited or material to a performance measure or aggregation of related performance measures may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.  The auditors' consideration of internal control would not necessarily disclose all matters in internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses as defined above.

Overview of Material Weaknesses and Reportable Conditions 

Table 1 summarizes the 13 material weaknesses and 12 reportable conditions identified by components’ auditors.  We analyzed the reportable conditions identified by the components’ auditors to determine their effect on the Department’s internal control over financial reporting and identified three Department-wide reportable conditions that were also considered to be material weaknesses.  All three conditions were identified in our fiscal year 2000 report on the Department’s internal control.

Table 1: Department-wide Material Weaknesses (M) and Reportable Conditions (R)

The remainder of this report discusses these material weaknesses in greater detail.  Because of the frequency with which these conditions were found within the ten components, we recommend Department-wide corrective actions. 

Seven of the components' auditors reported the following deficiencies in the components' recording of financial transactions in accordance with the Statements of Federal Financial Accounting Standards (SFFAS) prescribed by the Federal Accounting Standards Advisory Board:

SFFAS No. 5, Accounting for Liabilities of the Federal Government: Auditors of the DEA, the OBDs, the INS, and the FBI reported that components’ processes to estimate accounts payable were not adequate or were not completed timely.  Specifically, auditors of the DEA reported that the methodology used by the DEA to estimate accounts payable was not well supported; auditors of the INS reported that due to limitations in the design and operation of its financial management system, the INS does not record accounts payable at the transaction level throughout the year.  Auditors reported that revisions are needed in the FBI’s estimation process to allow for timely inclusion in interim and year-end financial statements, and we reported that the OBDs did not always properly record the status of delivered and undelivered obligations.  We also identified that the OBDs’ Office of Community Oriented Policing Services used some non-current information in the calculation of accrued grant expenses. 

SFFAS No. 7, Accounting for Revenue and Other Financing Sources: Auditors of the INS, the USMS, the FPI, and the OBDs reported that improvements are needed in the components accounting for earned and deferred revenue.  The auditors of the INS reported that the INS does not have a reliable system that can provide regular, timely data on the number and value of immigration applications and petitions received, completed and pending, which is necessary to support general ledger entries for recording earned revenues when the applications are completed.  Auditors of the USMS reported that its core financial management system does not contain a subsidiary system to record accounts receivable transactions at the customer level.  The auditors of the FPI reported that management did not effectively manage its accounts receivable division and did not consistently or adequately perform collection efforts on its intra-governmental accounts receivable and debt with the public.  We reported that the OBDs do not always “invoice” their customers in a timely manner, including services performed for other Department components. 

SFFAS No 6, Accounting for Property, Plant and Equipment: Auditors reported that improvements are needed in the components’ procedures related to the timely processing, reconciliation, and recording of capitalized property.  Auditors of the FBI reported that a restatement of $11 million to the FBI’s fiscal year 2000 financial statements was required because management in the procurement and contract units did not follow FBI’s Property Management Manual.  Auditors of the OJP reported that physical inventories were not performed in the last two years; and auditors reported that the USMS has not implemented adequate procedures to ensure capitalized property and improvements are identified and properly recorded.

SFFAS No 3, Accounting for Inventory and Related Property: Auditors of the FPI reported that financial accounting system deficiencies continue to exist in the capture, processing, reporting, and utilization of inventory data.  The FPI did not have effective costing procedures in place to reasonably estimate manufacturing overhead rates, and did not have adequate accountability over the Finished Goods at Customer account.  In addition, FPI has not fully developed adequate business processes to ensure that all finished goods inventory items are consistently valued based on transaction processing methods.  Finally, the auditors reported that one processing factory did not perform periodic and systematic counts of its perpetual inventory records as required by policy. 

SFFAS No. 1, Accounting for Selected Assets and Liabilities: Auditors of the FBI reported that the payment of interest and penalties as required by the Prompt Pay Act has doubled in each of the last two year because of inefficient vendor invoice approval and payment processes.  This also contributed to the under-reporting of FBI’s accounts payable and added to the accounts payable estimation workload at year-end.  Auditors reported that the DEA continues to have significant unreconciled differences between the collections and disbursements recorded in its accounting records and those recorded by the U.S. Treasury, and that controls over imprest fund replenishments need to be strengthened.

Recommendation

We recommend that the Chief Financial Officer:

1. Require the Department’s reporting components follow the Department's Financial Statement Preparation and Requirements Guide, and other financial management policies and procedures currently in place.  The Department's Justice Management Division (JMD) should monitor components’ compliance with the Department’s policies and procedures, and require that corrective action plans be submitted that document the timeline for completing critical tasks and the tasks that must be completed.

Management Response: Concur.  JMD will require corrective action plans, including time lines, by March 22, 2002, addressing the conditions identified in the consolidated and component audit Reports on Internal Controls.  JMD will further emphasize its accounting standards and policies through the financial statements working group meetings, training, and management monitoring.  JMD will also monitor component compliance with Department and federal standards through component corrective action plans and advise the CFO on non-compliance with the time line completion dates.

In support of the fiscal year 2001 financial statement audits, we and other component auditors relied on the general controls work performed on select Department financial management information systems as part of the Government Information Security Reform Act (GISRA) review.  The FBI’s auditors performed similar work on the FBI’s information systems.  Our GISRA review was performed, exclusive of the FBI, at the Department’s data centers, the DEA, the BOP, and the Executive Offices of the United States Attorney (EOUSA).  In addition to the GISRA review, we and other auditors performed testing on the general and application controls over components’ financial management information systems.

Our GISRA review at the Department’s data centers, the DEA, the BOP and the EOUSA did not identify weaknesses in financial management systems’ general controls that were deemed to be material weaknesses as defined by the AICPA.  The FBI’s auditors reported their findings to the OIG in a separate limited distribution report. 

Component auditors identified weaknesses in six components’ general and application controls over components’ financial management information systems that increase the risk programs and data processed on these systems are not adequately protected from unauthorized access or service disruption.  Table 2 outlines the more significant weaknesses identified by the auditors.  Following the table, we summarized some of the specific conditions reported by the components’ auditors.

Table 2: Components financial information system weaknesses

Condition in Fiscal Year 2001	FBI	DEA	OJP	INS	USM	FPI
Entity-wide Security	X	X		X	X	X
Access Controls	X	X	X	X	X	X
Application Software Development and Change Controls	X	X		X	X	X
Service Continuity	X			X	X
Segregation of Duties	X	X		X
System Software	X

FBI - Auditors reported that individually or collectively, the weaknesses identified in Table 2 could compromise the agency’s ability to ensure security over sensitive programmatic or financial data, the reliability of its financial reporting, and compliance with applicable laws and regulations.

DEA - Auditors reported that several of DEA’s data processing systems: (a) have an expired certification/accreditation; (b) cannot track personnel who are granted access to the system or whose access should be terminated; (c) do not have documented procedures for handling software changes; and (d) cannot trace data entries to source documents.  In addition, the auditors reported that inactive administrator accounts are not removed timely and that security administrator training should be improved, and that the security administrator’s duties should be appropriately segregated. 

OJP – Auditors reported that user authentication options have not been configured to provide optimal password protection and that several of OJP’s servers have not been optimally configured to monitor actual or attempted unauthorized, unusual, or sensitive access. 

INS - Auditors reported that although its financial management system of record has been in development for almost five years, the implementation is not complete, requiring the majority of INS’s transactions to be entered into its legacy system. Auditors reported that the legacy system, which has many inherent control weaknesses, now serves as a feeder system to the financial management system of record.  Auditors reported that collectively, the conditions noted above present significant risks to the continued operation of INS’s financial management system as a whole.  Without adequate controls over its financial management system, the INS could experience a loss or manipulation of data, expensive efforts to recover the system (and data), as well as financial losses. 

USMS - Auditors reported that significant weaknesses in the USMS's general control environment continue to exist, mainly due to staffing constraints that prevent the implementation of corrective actions to ensure continued reliable operation of the information management system.  Security plans have not been completed for two financial management applications, and contingency plans were either outdated or incomplete.   

FPI - Auditors reported that vulnerabilities were identified during their internal and external penetration testing, and that the FPI's security plan for the general network needs refinement.  The auditors also reported that the financial accounting system databases lacked the required encryption of information deemed sensitive by the Computer Security Act of 1987 and the Department’s information system policies. 

In performing our procedures at the Department’s data centers and on the components’ financial management information systems, we and other component auditors considered the General Accounting Office’s, Federal Information System Controls Audit Manual; OMB Circular A-130, Appendix III, Automated Information Security Programs; the Computer Security Act of 1987; the Department’s Order No. 2640.2C, Telecommunications and Automated Information Systems Security and the National Institute of Standards and Technology’s Publications.

Recommendations

We recommend that the Chief Financial Officer:

2. Require the components’ Chief Information Officers to submit corrective action plans to the Department’s Chief Financial Officer that address the weaknesses identified above.  The action plans should focus on correcting deficiencies in entity-wide security, access controls, application software development and change controls, service continuity, segregation of duties, system software, and other specific application control weaknesses discussed in the components’ auditors reports on internal control.  The corrective action plans should include a timeline that establishes when major events must be completed, and the CIO should monitor components' efforts to correct deficiencies and hold them accountable for meeting the action plan timelines.

Management Response: Concur.  JMD will require by March 22, 2002, that components’ Chief Information Officers (CIO) submit a corrective action plan, including a time line, to the Chief Financial Officer which addresses the cited weaknesses in financial systems and application controls.  The CFO will monitor components’ efforts to correct deficiencies and hold them accountable for meeting the action plan time lines. 

3. Implement the recommendations made in (a) our GISRA reports, (b) the FBI’s auditors’ report on the FBI’s information systems control, and (c) the specific recommendations made in the components’ auditors’ reports on the components’ financial management information systems.

Management Response: Concur.  The Department will implement the recommendations outlined in the limited distribution reports.

The Government Management Reform Act requires federal agencies to submit audited agency-wide financial statements to the OMB by March 1 of each year.  To fulfill this requirement, the Department's ten reporting components prepare separate financial statements that are independently audited and consolidated into the Department's agency-wide financial statements.  The consolidation is performed by the JMD, which has primary responsibility for ensuring the Department's consolidated financial statements are compliant with OMB Bulletin No. 97-01, Form and Content of Agency Financial Statements, as amended. 

In prior reports on the Department’s internal control, we recommended that the Department implement a strategic plan for financial reporting that addresses the need for consistent reporting among components and the need to involve senior financial and program managers in the financial statement preparation process.  In response to this recommendation, JMD issued a number of Department-wide policies and held periodic meetings with the Department's components where the Department’s accounting and financial reporting requirements were discussed. 

A key product of JMD’s efforts was the issuance of the Financial Statement Requirements and Preparation Guide.  The guide provided instructions for preparing components’ financial statements, including the form and content of the statements, and the deadlines for completing and submitting them to JMD for consolidation.  Although we believe JMD’s efforts provided a solid foundation for improved financial reporting in fiscal year 2001, we and other auditors continue to identify weaknesses in the Department’s and components’ financial statement preparation controls: 

• Components’ draft financial statements and Managements’ Discussion and Analysis (MD&A) were incomplete and contained clerical errors.  Auditors of the USMS and the FPI reported that management had not performed adequate reviews of draft financial statements submitted for audit, resulting in mathematical errors, incomplete disclosures, and inconsistencies in the financial statements and note disclosures.  Auditors of the OJP reported that the MD&A was incomplete and the information contained therein was not reliable.
   
• Components’ accrual-based financial transaction processing is not performed on an on-going basis, resulting in substantial efforts at year-end to obtain and analyze financial data necessary for financial statement preparation.  Auditors of the DEA and the OBDs reported that these components must improve their financial statement preparation processes to include performing more procedures throughout the fiscal year, as opposed to the intensive year-end efforts performed in this fiscal year.  In addition, these components must improve the coordination and involvement of program offices in the gathering and analyzing of financial data necessary to prepare the components’ financial statements.  The financial statement preparation effort must be a component-wide effort, involving all program, budget, and administrative offices, not just a finance office task.  Gathering financial data only at year-end does not provide sufficient time to analyze transactions or account balances, and could result in misstated or unsupported financial statement account balances.
   
• Components’ information systems that process financial data are not configured to support financial statement preparation and on-going financial management.  Auditors of the FPI reported that the accounting system of record cannot fully generate data relating to intra-governmental accounts payable, costs, accounts receivable, revenues related to On-line Payment and Collections billings and charge backs, and revenues related to reimbursable and miscellaneous sales.  We reported that some of the OBDs program management systems that provide financial data necessary for the preparation of the financial statements are not integrated with its core financial accounting system, requiring redundant data entry and extensive year-end manual reconciliations.
   
• The FBI’s financial management component lacks adequate staff to perform the many tasks needed to produce annual financial statements.  Auditors reported that inadequate staffing for the financial statement preparation process resulted in the financial statements not being prepared in accordance with the Department’s requirements.  In addition, there is an increased risk that future financial statements will not be prepared in a timely manner because of the limited number of individuals dedicated to this task and the accelerated financial reporting deadlines of the Department and the OMB.
   
• Improvements are needed in the Department's recordation of elimination entries.  Components did not consistently follow the Department's requirements to accumulate and report elimination entries; specifically, timelines were not met, data was not provided in required formats, and not all financial activity among the Department’s components was confirmed.  Delays in finalizing components’ financial statements in accordance with the Department’s requirements, and performing elimination entry procedures only at the end of the fiscal year, contribute to the conditions identified in the Department’s elimination process. 
   
• The reconciliation of intra-governmental transactions with other federal agencies was not fully completed.  Department management reported that they were unable to fully complete the reconciliation of non-fiduciary Federal Intra-governmental Activity and Balances because (a) not all of the Department’s trading partners responded to the confirmations sent by the Department, (b) confirmations received from the Department’s trading partners did not provide sufficient detail to identify the Department components that initiated the transaction, and (c) the Department’s information systems are not fully capable of providing sufficient information to allow for timely reconciliation with trading partners.  Accordingly, extensive manual efforts were attempted, but were not adequate, to complete a full reconciliation of all amounts with the Department’s trading partners.  
   
• Improvements are needed in the preparation of the Department’s MD&A.  We noted that some of the information in the Department’s draft MD&A was not supported by consistent information presented in the components’ MD&A.  Revisions were made to the Department’s final MD&A to correct the inconsistencies; however, improvements are needed in controls to ensure components prepare their MD&As in accordance with the Department’s requirements.  We also noted that the MD&A lacked detailed discussions on the funding aspects of program performance or the outcomes of program missions.
   

The Department and its components corrected material errors and inconsistencies only after JMD, the OIG, or the independent auditors had identified them.  In many cases, the components' financial statements had already been submitted to JMD for consolidation in the Department's financial statements, thus requiring adjustment to the components' financial statements before final auditors' reports on the components' financial statements could be released.  It is essential that all components follow the Department's Financial Statement Preparation and Requirements Guide and other accounting policies to ensure consistency in the Department's consolidated financial statements.  Components' financial managers must perform reviews of financial data to ensure the Department’s requirements are being met, and the components’ must eliminate their dependency on accumulating and reporting financial data only once a year. 

Financial management and reporting must be performed throughout the fiscal year and must be complete (e.g. apply full accrual-based accounting).  This will eliminate the need to perform extensive manual financial statement preparation efforts at the end of the fiscal year that are susceptible to error and increase the risk of misstatement in the Department's and components’ financial statements.  This is especially important given the new financial reporting requirements of the OMB.  Beginning with fiscal year 2002, the Department will have to prepare interim financial statements at March 31, and in fiscal year 2003, quarterly financial statements.  In addition to these multiple reporting dates, the deadlines for the year-end financial statements are being accelerated, approximately one month earlier than the Department was able to fully complete its financial statements in this fiscal year.  Without improvements or fundamental changes to the way components manage their accrual-based financial activities, there is a serious risk that the Department’s fiscal year 2002 financial statements will not be able to be completed and audited in accordance with required deadlines, possibly resulting in modifications to the auditors’ reports on the Department’s financial statements, internal control, or compliance with laws and regulations.

Recommendations

We recommend that the Chief Financial Officer:  

4. Require the Department’s reporting components follow the Department's Financial Statement Preparation and Requirements Guide.  The Guide should be revised to include:
   1. new accounting and reporting requirements of the OMB and/or the FASAB,
   2. accelerated financial statement submission deadlines,
   3. requirements to prepare and submit interim financial statements,
   4. requirements to perform accrual-based accounting throughout the fiscal year, instead of the current dependency to perform accruals at the end of the fiscal year, and
   5. improved controls over the Department’s elimination entry process, its intra-governmental trading partner reconciliation, and preparation and reporting in the MD&A.

   
   JMD should monitor compliance with the Department’s guide and report to the Chief Financial Officer any component that does not meet Department requirements.

Management Response: Concur.  The Financial Statements Guide has already been substantially updated to address the new accounting, reporting, and due date requirements for FY 2002, as amended by OMB, FASAB and the Department.  The Guide contains a time line which identifies critical milestones in completing FY 2002 requirements, including interim financial statements and intra-governmental trading partner reconciliations.  The Guide has been distributed for comment and a final version is expected to be issued to components by approximately March 15, 2002.  JMD will continue to monitor components’ efforts to ensure that financial statements are prepared in accordance with the Guide.

5. Assess the viability of centralizing components’ information systems that capture redundant financial data, or consider standardizing the accumulation and recording of financial transactions in accordance with the Department’s requirements.  For example, information systems that process redundant data entry could be centralized (e.g. inventory and property management) to reduce redundant data entry and the resources needed to account for and monitor data that is similar among components.

   As an alternative to centralizing information systems, the Department could standardize its processing of financial transactions on the budgetary and accrual basis of accounting.  This would increase assurance that components perform consistent financial accounting and reporting. 

   All changes to information systems or financial transaction processing must consider the handling and reporting of classified or other sensitive financial data, and appropriate access controls must be developed to ensure components have access only to their own financial data.

Management Response: Concur.  The Department recognizes that its financial statement preparation and consolidation functions would be improved with more consistent and standardized practices and systems.  The Financial Statements Guide revisions for FY 2002 statements are designed to significantly improve the consistency of information submitted by components for the consolidated statements.  As noted above, the FY 2002 Guide will be issued on or about March 15, 2002.  Plans are underway to acquire a Unified Financial Management System that is compliant with JFMIP requirements, and that system will form the Department’s single core financial management system application.  As a result of the unified system project, the Department will realize improved consistency of processing and data standardization across the components, an improvement which will aid in the preparation of the consolidated financial statements.  The project will be a multi-year effort, with implementation beginning with noncompliant legacy systems.

STATUS OF PRIOR YEAR'S FINDINGS AND RECOMMENDATIONS

As required by Government Auditing Standards and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, we have reviewed the status of the Department’s corrective actions with respect to the findings and recommendations from our previous reports on the Department’s internal controls.  The following analysis provides our assessment of the progress the Department has made in correcting the material weaknesses and reportable conditions identified in these reports.  We also provide the Office of the Inspector General report number that remains open for audit follow-up, our recommendations for improvement, and the status of the condition as of September 30, 2001:

As required by OMB Bulletin No. 01-02, we have compared the material weaknesses and material nonconformances reported by management in the Department’s Federal Managers’ Financial Integrity Act (FMFIA) Report to our report on the Department’s internal control.  We determined that the third material weakness in our report was not reported in the Department’s FMFIA report; however, we do not believe that the failure to report this material weakness constitutes a separate reportable condition or material weakness because there are different criteria used to determine material weaknesses for both reports and management has reported, in general terms, some of the material weaknesses relating to components’ financial accounting and reporting processes.  However, management did not specifically identify financial statement preparation as a material weakness in their fiscal year 2001 FMFIA certification.

Components' auditors identified other reportable conditions that we considered not to be reportable conditions in relation to the Department’s consolidated financial statements.  A summarization of these and other less significant issues will be addressed to the Department’s management in a separate consolidated management letter dated February 14, 2002.  In addition, components' auditors provided separate management letters to components' management with respect to less significant control issues that were identified during the components' audits.

This report is intended solely for the information of the Attorney General and management of the Department, the Office of the Inspector General, the OMB, and Congress.  This report is not intended to be and should not be used by anyone other than these specified parties.

February 14, 2002
Washington, DC

Return to the Top

• Table of Contents
  


• AG Message
• CFO Message
• Introduction
• Discussion & Analysis
• Accountants' Report
• Accountants' Report Internal Control
• Accountants' Report Compliance
• Financial Statement
• Appendix A
• Appendix B
• Appendix C
• Appendix D
• Appendix E
• Appendix F
• Appendix G
• Appendix H




• USDOJ Homepage