KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Accountants’ Report on Internal Control over Financial Reporting

United States Attorney General and
Inspector General
U.S. Department of Justice

We were engaged to audit the consolidated balance sheet of the U.S. Department of Justice (the Department) as of September 30, 2004, and the related consolidated statements of net cost, changes in net position, and financing, and the combined statements of budgetary resources and custodial activity for the year then ended (hereinafter collectively referred to as the financial statements), and have issued our report thereon dated November 12, 2004.  In that report, we disclaimed an opinion on the Department’s financial statements. 

We did not audit the financial statements of certain components of the Department, including the Office of Justice Programs (OJP); US Marshals Service; Federal Bureau of Prisons; and the Federal Prison Industries, Inc.  Those financial statements, except for OJP’s, were audited by other auditors whose reports thereon have been furnished to us, and our report on the Department’s internal control over financial reporting, insofar as it relates to these components, is based solely on the reports of the other auditors.  Because of limitations on the scope of their work, other auditors disclaimed an opinion on the 2004 financial statements of OJP. 

In planning and performing our engagement, we considered the Department’s internal control over financial reporting by obtaining an understanding of the Department’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements.  We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 01-02.  We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982.  The objective of our engagement was not to provide assurance on the Department’s internal control over financial reporting.  Consequently, we do not provide an opinion thereon.

Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal control over financial reporting that might be reportable conditions.  Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect the Department’s ability to record, process, summarize, and report financial data consistent with the assertions by management in the financial statements.  Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements, in amounts that would be material in relation to the financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.  Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected.


We noted, and the reports of other auditors identified, certain matters, described in Exhibits I, II, and III, involving the internal control over financial reporting and its operation that we consider to be reportable conditions.  Exhibit I is an overview of the reportable conditions (including material weaknesses) identified by the Department’s component auditors, and includes an explanation of how we treated these component-level reportable conditions at the Department level.  Exhibit II provides the details of the Department-wide reportable conditions that we believe to be material weaknesses.  Exhibit III presents the other Department-wide reportable condition.  Exhibit IV presents the status of prior year Department-wide reportable conditions.

As discussed in our Independent Accountants’ Report on Financial Statements, the scope of our work and that of the other auditors was not sufficient to express an opinion on the financial statements of the Department as of and for the year ended September 30, 2004, and accordingly, other matters involving internal control over financial reporting may have been identified and reported had we and the other auditors been able to perform all procedures necessary to express an opinion.

Additional Required Procedures

With respect to internal control over Required Supplementary Stewardship Information, other auditors were unable to apply certain procedures required by OMB Bulletin No. 01-02 because of limitations on the scope of the audit of OJP’s financial statements, as discussed in our Independent Accountants’ Report on Financial Statements, dated November 12, 2004.  Further, our and the other auditors’ procedures were not designed to provide assurance on internal control over Required Supplementary Stewardship Information, and, accordingly, we do not provide an opinion thereon.  Moreover, other matters involving internal control over Required Supplementary Stewardship Information may have been identified and reported had we and the other auditors been able to perform all procedures necessary to express an opinion on the financial statements of the Department as of and for the year ended September 30, 2004.

With respect to performance measures determined by management to be key and reported in the Management’s Discussion and Analysis section of the Department’s Fiscal Year 2004 Performance and Accountability Report, other auditors were unable to apply certain procedures required by OMB Bulletin No. 01-02 because of limitations on the scope of the audit of OJP’s financial statements, as discussed in our Independent Accountants’ Report on Financial Statements, dated November 12, 2004.  Further, our and the other auditors’ procedures were not designed to provide assurance on internal control over reported performance measures, and, accordingly, we do not provide an opinion thereon.  Moreover, other matters involving internal control over reported performance measures may have been identified and reported had we and the other auditors been able to perform all procedures necessary to express an opinion on the financial statements of the Department as of and for the year ended September 30, 2004.

______________________________

This report is intended solely for the information and use of the management of the US Department of Justice, the US Department of Justice Office of the Inspector General, the OMB, the Government Accountability Office, and Congress, and is not intended to be and should not be used by anyone other than these specified parties.

KPMG LLP

November 12, 2004

Exhibit I

OVERVIEW OF REPORTABLE CONDITIONS (INCLUDING MATERIAL WEAKNESSES)

The following table summarizes the 23 reportable conditions identified by the Department’s component auditors.  The component auditors also considered 10 of  these reportable conditions to be material weaknesses.  We analyzed these component-level material weaknesses and reportable conditions to determine their effect on the Department’s internal control over financial reporting and concluded that they comprise three Department-wide reportable conditions, the first two of which we also consider to be material weaknesses.

Department Reportable Conditions Noted During Fiscal Year 2004

| Reportable Condition | DOJ | OBDs | AFF | FBI | DEA | OJP | ATF (1) | USMS | BOP | FPI | WCF | INS (2) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Fundamental changes are needed in the components’ internal control to ensure financial information can be provided timely to manage the Department’s programs and to prepare its financial statements within the accelerated reporting deadlines of OMB. | M | R | | M, M | | M, M, M, R | M | M, R, R | | | R | N/A |
| Improvements are needed in a component’s grant accounting and monitoring policies and procedures. | M | | | | | M | | | | | | |
| Improvements are needed in the Department’s and components’ financial systems general and application controls. | R | R | R | R | R | M | R | M | R | R | R | N/A |
| Total Material Weaknesses Reported by Components’ Auditors, FY 2004 | 10 | 0 | 0 | 2 | 0 | 5 | 1 | 2 | 0 | 0 | 0 | N/A |
| Total Material Weaknesses Reported by Components’ Auditors, FY 2003 | 9 | 1 | 1 | 2 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 3 |
| Total Reportable Conditions Reported by Components’ Auditors, FY 2004 | 13 | 2 | 1 | 1 | 1 | 1 | 1 | 2 | 1 | 1 | 2 | N/A |
| Total Reportable Conditions Reported by Components’ Auditors, FY 2003 | 10 | 1 | 0 | 0 | 2 | 1 | 1 | 1 | 2 | 1 | 0 | 1 |

Offices, Boards and Divisions (OBDs); Assets Forfeiture Fund and Seized Asset Deposit Fund (AFF); Federal Bureau of Investigation (FBI); Drug Enforcement Administration (DEA); Office of Justice Programs (OJP); Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF); United States Marshals Service (USMS); Federal Bureau of Prisons (BOP); Federal Prison Industries, Inc. (FPI); Working Capital Fund (WCF); and the Immigration and Naturalization Service (INS).

(1) - Pursuant to the Homeland Security Act of 2002, the operations and funds of the US Department of the Treasury’s  ATF were transferred to the Department on January 24, 2003.
(2) - Pursuant to the Homeland Security Act of 2002, the operations of the INS were transferred to the Department of Homeland Security (DHS) on March 1, 2003.

M – Material weakness
R – Reportable condition


In Exhibits II and III we discuss in detail the  three Department-wide reportable conditions, the first two of which we consider to be material weaknesses as noted above.  Because of the frequency with which these conditions were found within the Department’s components, we recommend Department-wide corrective actions.

Exhibit II

MATERIAL WEAKNESSES

FUNDAMENTAL CHANGES ARE NEEDED IN THE COMPONENTS’ INTERNAL CONTROLS TO ENSURE FINANCIAL INFORMATION CAN BE PROVIDED TIMELY TO MANAGE THE DEPARTMENT’S PROGRAMS AND TO PREPARE ITS FINANCIAL STATEMENTS WITHIN THE ACCELERATED REPORTING DEADLINES OF THE OMB.

We and other auditors continue to identify weaknesses in the Department’s and components’ financial management systems and internal controls, financial accounting practices to adhere to generally accepted accounting principles (GAAP), and the financial statement preparation processes that, if not addressed, will continue to present a major challenge to meeting the reporting requirements of OMB.

Financial Management Systems and Internal Controls

Components’ financial management systems are not integrated or are not configured to support financial management and reporting and the related internal controls are not sufficient, in some respects, to provide reasonable assurance that (1) transactions are recorded accurately and in a timely manner, and (2) adequate documentation exists to support the recorded amounts.  Specifically, we and other auditors noted the following financial management system deficiencies (the effects of which were adjusted in the components’ financial statements, as appropriate):

As indicated above, certain components’ financial management systems and related internal controls do not provide an adequate level of reasonable assurance that financial transactions are properly recorded, processed, summarized, and documented to permit the preparation of financial statements in accordance with generally accepted accounting principles.  This condition places added importance on the financial analysis and analytical review aspects of the quality assurance procedures at the end of each quarter, and, particularly, at the end of the fiscal year, to detect and correct misstatements in the financial statements.  The limited amount of time available to the components’ staffs at the end of each financial reporting period for performing financial analyses and analytical reviews increases the risk that errors existing in the components’ financial statements will not be detected and corrected prior to final issuance.

Financial Accounting in Accordance with Statements of Federal Financial Accounting Standards (SFFAS) and OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements

The components did not adequately record financial transactions throughout the year in accordance with Federal accounting standards.  Components’ financial accounting and reporting practices must be properly designed to (1) satisfy both budgetary and accrual accounting requirements, and (2) provide for the accurate and timely recording of transactions on a regular basis.  Components must eliminate their tendency to collect, analyze, and adjust financial information at the end of the fiscal year as part of the financial reporting process.  This is especially true now that OMB’s accelerated financial statement preparation requirements have taken effect.  We and other auditors identified the following weaknesses in the components’ financial accounting practices (the effects of which were adjusted in the components’ financial statements, as appropriate):

Improvements are still needed in the components’ day-to-day adherence to the standardized accounting policies and procedures, as set forth in the Department’s Financial Statement Requirements and Preparation Guide, to ensure accuracy and consistency in the Department’s consolidated financial statements.  Absent improvements in their financial management and accounting practices, components will continue to be challenged to prepare accurate financial statements in accordance with generally accepted accounting principles in a timely manner.

Financial Reporting Processes

The Department’s components do not adequately obtain, record, analyze, reconcile, and adjust financial information throughout the year, increasing the risk that errors in the financial statements will not be detected timely.  There is also a shortage of trained financial management personnel available to perform certain internal control functions related to the financial reporting process.  We and other auditors noted the following financial reporting weaknesses:

Improvements are still needed in the components’ internal controls over the financial reporting process.  Inadequate, outdated, and, in some cases, non-integrated financial management systems do not provide for certain automated financial transaction processing activities to support management’s need for timely and accurate financial information.  In some cases, components do not have sufficient financial management resources to review accounting transactions and summary-level financial information to ensure the accuracy of amounts entering into the financial statements.  This inhibits management’s ability to assess financial reporting risk; design, communicate, and implement appropriate control activities; and monitor the financial reporting process.

Recommendations

We recommend that the Department:

  1. Continue with the initiative to improve the Department-wide internal control program, with an emphasis on timely monitoring of financial controls by management.  Communicate the importance of financial reporting monitoring controls in the next update to the Department’s Financial Statement Requirements and Preparation Guide.  Enlist the support of the Department’s senior management in ensuring that direct responsibility for the implementation of and adherence to financial monitoring controls is clearly communicated to and affixed with senior management at each component.

    Management Response:

    DOJ Management concurs with the recommendation.  The Department’s CFO will emphasize the importance of improving internal controls through the Department’s Financial Managers Council and the financial statements working group meetings.  The Department will incorporate this guidance in the Financial Statement Requirements and Preparation Guide, and require senior management in the Department’s components to implement the identified review and monitoring program.

  2. Assess the adequacy and completeness of the Department’s accounting and financial reporting policies and procedures in the areas of: (a) budgetary accounting (e.g., obligations/deobligations, unfilled customer orders), (b) property management (e.g., real property, construction work-in-progress, leasehold improvements, subsidiary property records, loss on disposal of assets), (c) accounts payable (e.g., accrual estimates, receipt and acceptance, unbilled goods and services), (d) advances to and from others, including under reimbursable agreements, and (e) expense and revenue recognition.  Based on the results of this assessment, determine the need to issue new guidance and/or reiterate to components the existing policies for those areas in which the components’ auditors identified internal control weaknesses related to the recording of transactions and the reporting of financial results.

    Management Response:

    DOJ Management concurs with the recommendation.  JMD will continue to develop and enforce the existing accounting policy that requires components to perform reliable financial accounting and reporting throughout the fiscal year.  JMD will ensure that accounting policies exist for budgetary transactions, property management, obligation accruals, and revenue recognition.  JMD will emphasize the need to update current policies and procedures at the Financial Managers Council meetings and in the Financial Statement Requirements and Preparation Guide.

  3. Continue efforts to implement a Department-wide integrated financial management system that is in compliance with the US Government Standard General Ledger, conforms with the financial management systems requirements of the Joint Financial Management Improvement Program, and can accommodate the requirements of applicable Federal accounting standards.  Proceed with implementation of a financial statement consolidation package to automate the compilation of the Department-wide financial statements.

    Management Response:

    DOJ Management concurs with the recommendation.  The Department is committed to implementing an integrated financial management system that is in compliance with federal financial management systems requirements and applicable federal accounting standards, addressing the functionality proposed by the audit report recommendations.  The Department selected CGI-AMS, Inc. as the commercial off-the-shelf (COTS) Financial Management System product.  The Department components are scheduled to begin implementation in FY 2006.  The Product Acceptance Testing will be completed in the first quarter of FY 2005. 

  4. Maintain a commitment to ensure that components have committed sufficient resources to the financial reporting monitoring process.  Develop training for components’ program and finance staff on the responsibilities for internal control and financial management.  The training should also include a detailed discussion on the Department’s consolidated accounting and reporting requirements and emphasize that components’ financial statements are significant segments of the Department’s consolidated financial statements.

    Management Response:

    DOJ Management concurs with the recommendation.  In order to meet financial management requirements, the Department is committed to human capital initiatives that provide for the hiring of sufficient resources, with the right skills.  In addition, the Department will instruct all components to train employees on the requirements of the audit, including the significance of the consolidated financial statements.

IMPROVEMENTS ARE NEEDED IN OJP’S GRANT ACCOUNTING AND MONITORING POLICIES AND PROCEDURES.

Other auditors identified weaknesses in OJP’s grant accounting and monitoring policies and procedures related to data quality, monitoring, and the methodology used to calculate grant accrual and advance amounts, as described below.

Weaknesses Were Noted in the Quality of Grantee Financial Status Reports and Data

Other auditors identified discrepancies between the grantee information that OJP uses to prepare its financial statements and the information reported by grantees in response to audit confirmation requests.  Some of the discrepancies were determined to be errors in OJP’s data; however, the majority were not resolved during the audit timeframe.  Other auditors noted the following discrepancies:

Incorrect award, disbursement, and Federal share of outlays amounts in the subsidiary ledger and IFMIS would result in incorrect grant accrual calculations and a misstatement of undelivered orders, advances, accounts payable, and expenses on the financial statements.  Incorrect ACH information in IFMIS could result in payments to incorrect recipients.

Improvements Are Needed in OJP’s Grant Monitoring Procedures

In reviewing OJP’s procedures for monitoring the accuracy of data provided by grantees (upon which data OJP relies in calculating its grant accrual, advance, and expense amounts), other auditors noted a lack of timely follow-up on grant monitoring issues identified, a lack of consideration of the impact of these issues on OJP’s financial statements, and the exclusion of some grant programs from the monitoring plan.

OJP did not follow up on and resolve site visit and Single Audit Act findings within its policy time requirements.  Other auditors noted the following types of compliance exceptions for the site visit results they reviewed:

Untimely follow-up increases the risk that unallowable or inaccurate expenditures are not identified and resolved.  Because OJP does not assess the dollar impact on its financial statements of findings noted during its monitoring procedures, the risk of material misstatements is increased.

Weaknesses Exist in OJP’s Grant Accrual and Advance Methodology

Like other Federal agencies, OJP does not require grantees to submit SF-269s until 45 days after quarter-end. Accordingly, OJP relies on a grant accrual methodology to estimate advances, accounts payable, and grant expense at the end of each quarter.  The other auditors noted that OJP could not provide support to validate its grant accrual methodology.  As a result, OJP could not support assumptions used in the calculations.  Moreover, the other auditors determined that certain assumptions related to the characteristics of the grant and the grantees’ spending behavior under the grants appeared to be contradicted by the results of OJP’s monitoring of the grantees and relevant data contained in the grantees’ SF-269 reports.

Because OJP did not validate its grant accrual methodology and refine its calculation to obtain a reasonable estimate for the advance or expense amounts related to grantee’s spending patterns or draw-down behavior, there is increased risk of misstatements or inaccurate estimates in the financial statements.

Recommendations

We recommend that the Department:

  1. Direct OJP management to implement policies and procedures related to the quality of grantee data, including: (a) ensuring grantee data recorded in IFMIS is complete, accurate, and valid (specifically with respect to the input of grant awards, subsequent adjustments, and ACH data and SF-269 information), (b) performing periodic monitoring of information in IFMIS to verify that information is current and accurate, (c) establishing formal data quality procedures to review all grants regularly to ensure that grants are coded correctly in IFMIS, (d) establishing formal review procedures to ensure that appropriate grants are included in the grant accrual calculation, and (e) implementing continuous training of Control Desk staff to prepare them to recognize and code grants correctly, particularly with respect to distinguishing block grants from discretionary grants.

    Management Response:

    DOJ management concurs with the recommendation.  During FY 2005, OJP will establish policies and procedures that will require a monthly reconciliation of the Cost Posting (CP) Module and General Ledger (GL) balances.  Training will be provided to individuals who enter grant awards and subsequent adjustments, ACH data, and SF-269 information into IFMIS.  To ensure that entries into IFMIS are valid, OJP will establish a team to perform periodic monitoring of information entered into the accounting system.  The team will analyze the differences between the CP Module and the General Ledger, taking the appropriate action to resolve any differences.  The review will entail examining all transactions in excess of $1 million and a sample of transactions that were under $1 million to ensure that all transactions are entered into the accounting system correctly. Evidence to support the examination will be maintained for audit.

  2. Direct OJP management to implement policies and procedures related to grant monitoring, including: (a) improving the monitoring procedures used to capture data that would quantify the effects of errors in grantees’ SF-269 data or OJP’s own data, (b) following up with grantees based on level of priority and in accordance with the timeframes established in its policy for site visit and Single Audit Act-identified issues, and (c) developing a monitoring program that includes assessing the risk of potential improper payments under grant programs, as well as non-grant payments.

    Management Response:

    DOJ Management concurs with the recommendation.  Effective October 1, 2004, while conducting site visits to grantee organizations, the Monitoring Division, Office of the Comptroller, will track and report on the accuracy of the “Federal Share of Outlays” that is reported by grantees as one field on the SF-269, to better assess the impact on the grant accrual.  Documentation of this review will be maintained for audit.  In addition, OJP will increase its resources to conduct quarterly excess cash reviews.  Documentation of these reviews will be maintained for audit.  During FY 2005, OJP will also consider shortening the timeframe for submission of SF-269s from 45 days after the end of the quarter to 30 days.  In addition, during FY 2005, OJP will ensure that financial policies and procedures are consistent with GAAP.  As part of the corrective action plan, OJP will designate resources from the Training and Policy Division who will review, analyze, report, and train the appropriate OJP employees on new and revised government-wide financial management laws, rules, regulations, policies, and guidelines.

  3. Direct OJP management to implement policies and procedures related to the grant accrual and advance calculation methodology, including (a) evaluating the assumptions utilized in the grant accrual and advance calculation methodology at the program level, and (b) analyzing the methodology for reasonableness at appropriate intervals, with documentation maintained to support the analyses.

    Management Response:

    DOJ Management concurs with the recommendation.  During the first quarter of FY 2005, OJP will analyze its grant accrual methodology.  If the analysis supports a change to the grant accrual methodology, changes will be made to better reflect a more reasonable estimate.  To ensure the new accrual methodology continues to be accurate, OJP will analyze the methodology on a quarterly basis, adjusting the estimated balances, as needed.  Documentation of this analysis and subsequent adjustment will be maintained for audit purposes. 

Exhibit III

REPORTABLE CONDITION

IMPROVEMENTS ARE NEEDED IN THE DEPARTMENT’S COMPONENT FINANCIAL MANAGEMENT SYSTEMS’ GENERAL AND APPLICATION CONTROLS.

In performing procedures on the components’ financial management information systems, we and other component auditors considered the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual; the Department’s Order No. 2640.2E, Information Technology Security; OMB Circular No. A-130, Management of Federal Information Resources; and technical publications issued by the National Institute of Standards and Technology (NIST).  The FBI’s auditors reviewed the FBI’s information systems control environment and reported their detailed findings to the Office of the Inspector General in a separate limited distribution report.  The following table depicts the more significant weaknesses identified by the auditors on the 10 Department reporting components for FY 2004.  Following the table, we present some of the specific conditions reported by the components’ auditors.

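| General & Application Control Weaknesses | OBDs | AFF | FBI | DEA | OJP | ATF | USMS | BOP | FPI | WCF |
|---|---|---|---|---|---|---|---|---|---|---|
| Entity-wide Security | X | X | X | | X | | | X | | X |
| Access Controls | X | X | X | X | X | X | X | X | | X |
| Application Software Development and Change Controls/System Development Life Cycle (SDLC) | X | X | X | | X | | | X | | X |
| Service Continuity | | | | | X | | X | X | | |
| Segregation of Duties | X | X | | | | | X | | | X |
| System Software | | | | | | | X | | | |
| Application Controls | X | | X | | X | | X | X | X | |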

OBDs – Weaknesses were identified in the Financial Management Information System’s (FMIS2) implementation of OBDs’ entity-wide security program planning, management of logical access controls, management of change control, segregation of duties, and logical access over the US Trustees’ Automated Case Management System (ACMS) application.

AFF – The FMIS2 weaknesses identified at OBDs also impact AFF’s financial management information systems because AFF uses FMIS2 as its accounting system.

FBI – The weaknesses identified in the above table could compromise the agency’s ability to ensure security over sensitive programmatic or financial data, the reliability of its financial reporting, and compliance with applicable laws and regulations.  In addition, weaknesses were determined to continue to exist in the FBI’s property management and financial management applications.

DEA – Improvements are needed in DEA’s Firebird Network user account administration; access to the Federal Financial System (FFS) is not removed in a timely manner for terminated or transferring employees; and DEA’s policy and implemented control procedures for the identification and disabling of inactive user accounts are not in compliance with Department standards.  DEA’s user account administration for FFS and Firebird was also noted in the prior year.

OJP – Weaknesses were identified in the overall entity-wide security program and access controls, system change control procedures for applications and system software, system interfaces, and service continuity.  Many of these weaknesses had not been corrected from prior years.

ATF – General access controls vulnerabilities were still noted, including controls over financial network operating systems, access controls over various financial and operational databases, and operating system-level vulnerabilities on two servers that impact the processing of financial data.

USMS – Weaknesses in the general network control environment continue to exist in the areas of segregation of duties, access controls, and system software for the general support systems.  In addition, contingency plans have not been fully developed for the Marshals Network, the Financial Management System and the Standardized Tracking Accounting and Reporting System under guidelines provided by the Department’s standards.

BOP – Improvements are needed in the overall entity-wide security program, access controls, system change control procedures, and service continuity.  A number of weaknesses in each of these areas existed in prior years.  In addition, the FMIS2 weaknesses identified at OBDs also apply to BOP because BOP uses the FMIS2 accounting system maintained by OBDs.

FPI – An excessive number of users were identified with access to sensitive transactions and segregation of duty conflicts exist among various accounting functions of the system. Also, an excessive number of users have the ability to perform activities, there are developers with update access in the production environment, and the proposed strategy to restrict access was not fully implemented.

WCF – The FMIS2 weaknesses identified at OBDs also impact WCF’s financial management information systems because WCF uses FMIS2 as its accounting system.

The weaknesses identified by components’ auditors in the components’ general and application controls increase the risk that programs and data processed on components’ information systems are not adequately protected from unauthorized access or service disruption.

Recommendation

We recommend that the Department:

  1. Require the components’ Chief Information Officers (CIO) to submit corrective action plans that address the weaknesses identified above.  The action plans should focus on correcting deficiencies in entity-wide security, access controls, application software development and change controls/SDLC, service continuity, segregation of duties, system software, and other specific application control weaknesses discussed in the component auditors’ reports on internal control.  The corrective action plans should include a timeline that establishes when major events must be completed, and the Department’s CIO should monitor components’ efforts to correct deficiencies and hold them accountable for meeting the action plan timelines.

    Management Response:

    DOJ Management concurs with the recommendation.  The CIO is committed to the implementation of corrective actions that provide adequate security controls and protect sensitive information. The corrective action plan will include timeframes for correcting major events.  The CIO will monitor components’ efforts to correct deficiencies and ensure that components are held accountable for meeting the action plan timelines. 

Exhibit IV

STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS

As required by Government Auditing Standards and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, we have reviewed the status of the Department’s corrective actions with respect to prior years’ findings and recommendations.  The following table summarizes the prior year findings and provides our assessment of the progress that the Department has made in correcting the reportable conditions.  We have also provided the Office of the Inspector General report number by which the recommendation is monitored for audit follow-up.

| Report | Reportable Conditions in FY 2003 | Status |
|---|---|---|
| 01-07 (2000); 02-06 (2001); 03-11 (2002); 04-13 (2003) | Material Weakness: Improvements are needed in the Department’s financial accounting and reporting (wording updated in FY 2002). Recommendations: Emphasize the proper processing and recording of financial transactions in accordance with generally accepted accounting principles and monitor components’ efforts to eliminate the weaknesses. | In Process |
| 01-07 (2000); 04-13 (2003) | Reportable Condition: Improvements are needed in components’ general and application controls over financial management systems and the general controls at the Department’s data centers (wording updated in FY 2003). Recommendations: Implement corrective actions identified in data center reports and monitor components’ efforts to correct control deficiencies at the component level. | In Process (a) |

(a) – The reportable condition at the Department’s data centers was closed in FY 2004.

 
