U.S. Department of Labor -- DOL Annual Report, Fiscal Year 2008

May 9, 2009

Find It! | A to Z Index |

DOL Home > About DOL > 2008 PAR > Independent Auditors' Report

DOL Annual Report, Fiscal Year 2008
Performance and Accountability Report

Independent Auditors' Report

Secretary and Inspector General
U.S. Department of Labor:

We have audited the accompanying consolidated balance sheets of the U.S. Department of Labor (DOL) as of September 30, 2008 and 2007; the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources for the years then ended; and the statements of social insurance as of September 30, 2008, 2007, and 2006 (hereinafter referred to as "consolidated financial statements"). The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our fiscal year 2008 audit, we also considered DOL's internal controls over financial reporting and tested DOL's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.

We have also examined DOL's compliance with section 803a of the Federal Financial Management Improvement Act of 1996 (FFMIA) as of September 30, 2008.

SUMMARY

As stated in our opinion on the consolidated financial statements, we concluded that the consolidated financial statements present fairly, in all material respects, the financial position of DOL as of September 30, 2008 and 2007; its net costs, changes in net position, and budgetary resources for the years then ended; and the financial condition of its social insurance program as of September 30, 2008, 2007, and 2006, in conformity with U.S. generally accepted accounting principles.

As discussed in our opinion on the consolidated financial statements, the statements of social insurance present the actuarial present value of DOL's future expenditures to be paid to or on behalf of participants, estimated future income to be received from excise taxes, and estimated expenditures for administrative costs and interest payments during a projection period ending in 2040.

Also as discussed in our opinion on the consolidated financial statements, in fiscal year 2008, DOL changed the financial statement presentation of its custodial activities from a principal financial statement to a disclosure in the accompanying notes to the consolidated financial statements.

Our consideration of internal control over financial reporting resulted in the following conditions being identified as significant deficiencies:

Lack of Adequate Controls over Access to Key Financial and Support Systems
Weakness Noted over Payroll Accounting
Lack of Segregation of Duties over Journal Entries

However, none of the significant deficiencies are believed to be material weaknesses.

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed one instance of Anti-Deficiency Act noncompliance that is required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements.

As stated in our opinion on DOL's compliance with FFMIA, we concluded that DOL complied, in all material respects, with the requirements of FFMIA as of September 30, 2008.

The following sections discuss our opinion on DOL's consolidated financial statements; our consideration of DOL's internal controls over financial reporting; our tests of DOL's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management's and our responsibilities.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of the U.S. Department of Labor as of September 30, 2008 and 2007; the related consolidated statements of net cost and changes in net position, and the combined statements of budgetary resources for the years then ended; and the statements of social insurance as of September 30, 2008, 2007, and 2006. The accompanying statements of social insurance as of September 30, 2004 and 2005 were not audited by us and, accordingly, we do not express an opinion on them.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the U.S. Department of Labor as of September 30, 2008 and 2007; its net costs, changes in net position, and budgetary resources for the years then ended; and the financial condition of its social insurance program as of September 30, 2008, 2007, and 2006, in conformity with U.S. generally accepted accounting principles.

As discussed in Note 1-W to the consolidated financial statements, the statements of social insurance present the actuarial present value of DOL's future expenditures to be paid to or on behalf of participants, estimated future income to be received from excise taxes, and estimated expenditures for administrative costs and interest payments during a projection period ending in 2040. In preparing the statements of social insurance, management considers and selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements. However, because of the large number of factors that affect the statement of social insurance and the fact that future events and circumstances can not be known with certainty, there will be differences between the estimates in the statement of social insurance and the actual results, and those differences may be material.

Also as discussed in Note 1-B to the consolidated financial statements, in fiscal year 2008, DOL changed the financial statement presentation of its custodial activities from a principal financial statement to a disclosure in the accompanying notes to the consolidated financial statements. DOL revised its fiscal year 2007 consolidated financial statements and notes to conform to this fiscal year 2008 presentation.

The information in the Management's Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.

The information in the Secretary's Message, Performance Section, Other Accompanying Information and Appendices are presented for purposes of additional analysis and are not required as part of the consolidated financial statements. This information has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING

Our consideration of the internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and would not necessarily identify all deficiencies in the internal control over financial reporting that might be significant deficiencies or material weaknesses.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects DOL's ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of DOL's consolidated financial statements that is more than inconsequential will not be prevented or detected by DOL's internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by DOL's internal control.

In our fiscal year 2008 audit, we consider the deficiencies, described in Exhibit I, to be significant deficiencies in internal control over financial reporting. However, we believe that none of the significant deficiencies presented in Exhibit I are material weaknesses.

We noted certain additional matters that we will report to management of DOL in a separate letter.

COMPLIANCE AND OTHER MATTERS

The results of certain of our tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed one instance of Anti-deficiency Act noncompliance that is required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, and is described in Exhibit II.

The results of our other tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04.

Other Matters. DOL is currently reviewing two incidents regarding potential violations of the Anti-deficiency Act. As of the date of this report, no final noncompliance determination has been made.

We noted certain additional matters that we will report to management of DOL in a separate letter.

OPINION ON COMPLIANCE WITH FFMIA

DOL represented that, in accordance with the provisions and requirements of FFMIA, the Secretary of Labor determined that the DOL's financial management systems are in substantial compliance with FFMIA.

We have examined the U.S. Department of Labor's compliance with section 803a of the Federal Financial Management Improvement Act of 1996 as of September 30, 2008. Under section 803a of FFMIA, the U.S. Department of Labor's financial management systems are required to substantially comply with (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level. We used OMB's Revised Implementation Guidance for the Federal Financial Management Improvement Act, dated January 4, 2001, to determine compliance.

In our opinion, the U.S. Department of Labor complied, in all material respects, with the aforementioned requirements as of September 30, 2008.

RESPONSIBILITIES

Management's Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements applicable to DOL.

Auditors' Responsibilities. Our responsibility is to express an opinion on the consolidated financial statements of DOL based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and OMB Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of DOL's internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
Assessing the accounting principles used and significant estimates made by management; and
Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2008 audit, we considered DOL's internal control over financial reporting by obtaining an understanding of DOL's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of DOL's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of DOL's internal control over financial reporting.

As part of obtaining reasonable assurance about whether DOL's fiscal year 2008 consolidated financial statements are free of material misstatement, we performed tests of DOL's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, including the provisions referred to in section 803(a) of FFMIA.We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to DOL. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

Our responsibility also included expressing an opinion on DOL's compliance with FFMIA section 803a requirements as of September 30, 2008, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and the standards applicable to attestation engagements contained in Government Auditing Standards issued by the Comptroller General of the United States, and accordingly, included examining, on a test basis, evidence about DOL's compliance with the requirements of FFMIA section 803a and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on DOL's compliance with specified requirements.

______________________________

DOL's response to the findings identified in our audit is presented in Exhibit I. We did not audit DOL's response and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of DOL's management, DOL's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 14, 2008

1. Lack of Adequate Controls over Access to Key Financial and Support Systems

In fiscal year (FY) 2007, we reported a significant deficiency related to the lack of adequate controls over access to key financial and support systems.

The Office of the Inspector General (OIG) recommended that management:

Identify key financial information technology (IT) controls and incorporate them into the U.S. Department of Labor's (DOL) internal control and Office of Management and Budget (OMB) Circular No. A-123 testing process, to ensure that these controls are documented and operating effectively during the year.
Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address access control weaknesses in current financial management systems.

During our FY 2008 audit, we noted that DOL identified and tested key IT controls as part of its OMB Circular No. A-123 testing process. Specifically, we noted that the testing included following up on certain prior year IT findings and testing the design and operating effectiveness of certain key current year controls. Certain parts of the OMB Circular A-123 IT testing were performed concurrently with our IT testing and were not completed in time for us to assess the adequacy of the process.

Additionally, we noted that 30 prior year findings related to access controls have not been corrected by management (5 in the Office of the Chief Financial Officer (OCFO), 11 in the Employment and Training Administration (ETA), 4 in the Office of the Assistant Secretary for Administration and Management (OASAM), and 10 in the Employment Standards Administration (ESA)). In addition, in FY 2008, we identified access control weaknesses that resulted in 14 new findings (2 in the OCFO, 2 in ETA, 1 in OASAM, and 9 in ESA). The specific nature of these weaknesses, their causes, and the systems impacted has been communicated separately to management.

In summary, we noted issues with account management, configuration management, and review of system audit logs in our FY 2008 testing of DOL's IT systems, that present more than a remote likelihood that a misstatement of DOL's financial statements that is more than inconsequential will not be prevented or detected. As such, we believe that these new weaknesses and the uncorrected prior year control weaknesses represent a significant deficiency over access to key financial and support systems. Specifically, the following control weaknesses were present in multiple financial systems across various DOL agencies.

Account Management:
- Account management controls such as user access request, modification, and termination procedures were not documented;
- Account management controls were not performed, such as incomplete or missing access request, modification, and termination forms;
- Periodic user account reviews or re-certifications were not performed;
- Generic accounts existed on systems;
- Access authorization, recertification, and periodic reviews of data center access were not consistent with policies;
- Certain terminated personnel had active system accounts, and in some cases, terminated employees accessed systems after their termination date; and
- Certain human resources personnel had access to create and approve personnel action requests on their own.
Configuration Management:
- Technical security standards and policies need to be updated and implemented to include stronger logical access security controls. Specifically, patches were not applied to systems in a timely manner; unnecessary services were not disabled; and access to sensitive files, directories, or software was not restricted;
- Production servers were not configured in accordance with baseline configurations or to the most appropriate settings;
- Password settings do not comply with the Office of the Chief Information Officer Computer Security Handbook; and
- Inactive accounts were not disabled or deleted in a timely manner.
Review of System Audit Logs:
- Audit logs monitoring user and administrator activity, changes to security profiles, remote access logs, access to sensitive directories, and failed login attempts are not reviewed, or documentation of audit log reviews was not maintained;
- Audit log review procedures were not documented and finalized;
- Audit logs were not secured against editing by system administrators; and
- Application-level audit logs (e.g., significant transactions and changes to sensitive tables) were not proactively reviewed.

These findings are the result of weaknesses in the implementation and monitoring of Departmental processes and procedures. Certain parts of management's OMB Circular No. A-123 IT testing were not completed in time for us to assess whether the process was adequate or addressed our recommendation. While the agencies closed 24 prior year findings, they have not invested the necessary level of effort or properly allocate their resources to ensure that policies are designed and operating effectively. These access control weaknesses could result in users with inappropriate access to financial systems; inefficient processes; lack of completeness, accuracy, or integrity of financial data; and/or undetected unusual activity within financial systems.

Based on these facts noted as part of our FY 2008 audit, we consider the recommendation related to testing key financial IT controls as part of the OMB Circular No. A-123 testing process resolved and open. However, we have revised the status of the recommendation related to coordinating efforts among the DOL agencies to develop and/or enforce procedures and controls to address access control weaknesses in current financial management systems from resolved and open to unresolved.

Management's Response: DOL maintains policies, procedures and standards for management, operational, and technical controls that collectively provide compound safeguards and redundant security measures to ensure the integrity of DOL financial systems. Additionally, of the 44 open notifications of findings and recommendations (NOFRs) auditors issued to four DOL agencies in this draft audit report, none concluded that the cited weakness in agency-level access controls in and of itself amounted to a "significant deficiency."

In FY 2008, DOL Management continued to focus on aggressive remediation efforts resulting in substantial improvements to the Department's overall IT control environment, resulting in closure of 24 prior year audit findings. Additionally, the OCIO security monitoring program was enhanced to identify deficiencies requiring agency corrective action and target areas for additional oversight and monitoring.

Although fully supportive of the need for continual improvement of IT controls, management maintains that the controls inherent to specific applications, as well as manual, and other compensating controls already in place, are sufficiently designed and effective to prevent or detect any unauthorized access to DOL financial systems. As such, management believes that the likelihood of a misstatement of DOL's financial statement is remote.

In FY 2009, management plans to further strengthen its monitoring program by establishing a Department-wide comprehensive strategy to address the identified conditions associated with access controls and configuration management procedures and working directly with the agencies to implement the objectives and milestones for this strategy (FY 2009 Q2). We will also complete quarterly security control testing to measure the effectiveness of the agencies implementation of the access control and configuration management procedures (FY 2009 Q2 — Q4).

Further, the auditors have represented that a detailed report will be issued in December 2008 that will provide the in-depth analysis performed in support of its conclusions. Management will be able to provide a more in-depth response at that time.

Regarding A-123 related recommendation, the OMB Circular No. A-123 IT testing was performed on a timely basis to meet all A-123 requirements, although certain of the testing may not have been completed on a timeframe to enable KPMG to adequately review the work. For FY 2009, we will accelerate the A-123 testing. Timing of the testing will depend on when the agency documentation is available, and as constrained by the availability of funding due to the restrictions of the continuing resolution.

Auditor Response: The details of all our FY 2008 IT findings and recommendations were provided to DOL management through the NOFR process. While we did not identify any individual finding as a significant deficiency, we evaluated the combination of certain findings, in accordance with auditing standards generally accepted in the United States of America, to conclude that a significant deficiency does exist. Although management stated that they do not concur with our recommendations, they plan on taking steps to address them. Therefore, these recommendations are considered resolved and open.

2. Weakness Noted over Payroll Accounting

During FY 2006, the U.S. Department of Agriculture's (USDA) Office of Chief Financial Officer (OCFO)/National Finance Center (NFC) processed DOL's payroll. The Fiscal Year 2006 — Office of the Chief Financial Officer/National Finance Center General Control Review dated September 21, 2006, and issued by the USDA's Office of Inspector General (Report No. 11401-24-FM) reported a qualified opinion regarding the effectiveness of NFC's internal controls for the period October 1, 2005, through June 30, 2006. During FY 2006, DOL did not have policies and procedures in place to reconcile the payroll information it submitted to the NFC to that received and processed by the NFC.

For each FY 2006 pay period, DOL submitted to the NFC payroll information that included all DOL employees for the period, along with their hours worked, leave used, and other payroll related information for the period. The NFC processed the payroll for DOL each period and made available for download a Detail Pay and Deduct Register report for each DOL Human Resources office. We noted that DOL did not utilize these reports to perform reviews or reconciliations of data processed by the NFC, and no other controls were in place during the year to ensure that the information that was submitted to NFC via Time and Attendance records was reconciled to what was shown as paid in the Detail Pay and Deduct Register.

We recommended that management develop and implement policies and procedures to reconcile payroll information provided to the NFC to the payroll information processed by the NFC each pay period. These reconciliations should be documented, reviewed, approved by an appropriate supervisor, and maintained.

During FY 2007, the NFC continued to process DOL's payroll. The Fiscal Year 2007 — Office of the Chief Financial Officer/National Finance Center General Control Review dated September 27, 2007, and issued by the USDA's Office of Inspector General (Report No. 11401-26-FM) reported a qualified opinion regarding the effectiveness of NFC's internal controls for the period July 1, 2006, through June 30, 2007.

As part of DOL's corrective action plan for FY 2007, the OCFO's PeoplePower Task Force created a Time and Attendance Reconciliation Report based on the NFC's Detail Pay and Deduct Register to be used to reconcile information sent to NFC to that received and processed by NFC. In March 2007, the DOL OCFO issued policies and procedures that state that each DOL Human Resource office should review the Time and Attendance Reconciliation Reports each pay period and research and resolve differences identified. No offices that we tested complied with the new OCFO procedures, but two offices that we tested performed their own reconciliation procedures.

During FY 2008, the OCFO issued revised policies and procedures dated October 23, 2007, requiring a review of the Time and Attendance Reconciliation Reports, and implemented these policies and procedures. The OCFO also performed monitoring department-wide to ensure that the reviews were completed, documented, and approved by an appropriate supervisor, and maintained. However, we noted that the reconciliation tested from the Atlanta processing center did not contain a signature to validate the review. In addition, the Time and Attendance Reconciliation Reports do not contain a space for the date of the review; therefore, the timeliness of the reconciliations and certifications was not verifiable.

The policies and procedures issued and the related reviews and audits appeared to reconcile and certify time and attendance records only. When we requested supporting documentation for the reviews of other NFC inputs and outputs (e.g., Gross Pay and Benefit Withholdings), we noted that the five agencies selected for testwork were able to provide the Detail Pay and Deduct Register report; however, the agencies could not provide evidence of review or recalculations of payroll-related items other than time and attendance. Therefore, we can not conclude that such reviews and recalculations were completed. The lack of compensating reconciliation controls around the NFC compensation outputs increases the risk that payroll-related line items may be misstated due to errors in payroll processing by NFC.

Federal agencies that use external service providers, such as the NFC, should have controls in place to ensure the accuracy of processing outputs. As stated by the USDA OIG in its FY 2008 Report No. 11401-28-FM, "The accuracy and reliability of data processed by OCFO/NFC and the resultant reports rests with the customer agency and any compensating controls implemented by the agencies."

OMB Circular No. 123, Management's Responsibility for Internal Control, states, "Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls should be established at an application's interfaces to verify inputs and outputs, such as edit checks."

Additionally, per the Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government, "Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency's operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties."

DOL's policies and procedures do not provide adequate guidance on the need for agencies to review payroll related items other than time and attendance records. Therefore, even though the Detail Pay and Deduct Register reports are being generated, no requirement exists for agencies to review all payroll information in the reports. In addition, the OCFO does not have a process in place to monitor the completion of the reviews of payroll-related items other than time and attendance.

As such, we consider the recommendation we made in FY 2006 as resolved and open. To close this recommendation in the future, the DOL OCFO should (a) ensure that Human Resource offices are reconciling all payroll information, not only time and attendance records, provided to the NFC to the payroll information processed by the NFC for each pay period, (b) ensure that these reconciliations are documented, reviewed, and approved by an appropriate supervisor, and maintained, and (c) update DOL's current policies and procedures to reflect these changes.

Management Response: The FY 2006 and FY 2007 audits focused on reconciliation of time and attendance. Accordingly, management made considerable progress in this area by implementing and monitoring procedures requiring reconciliation of time and attendance data. We also implemented improved procedures to reconcile payroll data provided by NFC to that recorded in DOLAR$, another critical payroll reconciliation. The updated finding for FY 2008 states that DOL does not review or recalculate other elements of pay, such as gross pay and withholdings. However, while certain agencies may not have conducted such reviews, we found that major agencies (such as ETA, ESA and BLS) are performing various analytical reviews to validate bi-weekly gross payroll and use these procedures to detect variances from prior periods or from budgeted amounts. We also understand that the ultimate check and balance on payroll are the employees themselves as every employee is responsible for ensuring that all aspects of their salary and deductions are correct.

In FY 2009, the OCFO will work to enhance existing policy and procedures and analytical controls, and will expand such controls throughout all DOL agencies. The OCFO will also implement procedures to verify and recalculate a sample of payroll transactions recorded throughout the fiscal year, and will develop and utilize change reports for purposes of identifying unusual fluctuations in payroll totals. These procedures will be developed and implemented by March 31, 2009.

Auditor Response: DOL indicated above that several of its agencies are performing analytical reviews to validate bi-weekly gross payroll; however, DOL did not provide us evidence of these activities during our FY 2008 audit procedures. Although management stated that they do not completely concur with our recommendations, they plan on taking steps to address them. Therefore, these recommendations are considered resolved and open.

3. Lack of Segregation of Duties over Journal Entries

During the FY 2006 audit, we noted that accounting staff from all DOL agencies were able to prepare and enter journal entries into the Department of Labor Accounting and Related Systems (DOLAR$) without approval.

We recommended that management reconfigure DOLAR$ so that journal entries entered into the DOLAR$ general ledger system and its successor system are required to be approved electronically by an individual other than the prepared before posting. We also recommended that agencies implement manual compensating review controls until system controls have been implemented.

During FY 2007, we found that management had not reconfigured DOLAR$ so that journal entries entered into it are required to be approved electronically by an individual other than the preparer before posting because DOL plans on implementing a new general ledger system by October 2009. In addition, although the OCFO had developed department-wide manual policies and procedures designed to ensure the segregation of journal entry preparation and approval authority, we noted that a number of journal entries did not have supporting documentation evidencing management review and approval.

During the FY 2008 audit, we noted that management implemented new department-wide manual policies and procedures designed to ensure the segregation of journal entry preparation and approval authority. However, we noted that the OCFO did not provide documentation for 134 of 215 journal entries that we selected for review, from the period October 1, 2007, to June 30, 2008, to support that these journal entries were reviewed by a supervisor or someone other than the preparer before they were posted to DOLAR$. The OCFO considers 39 of the 134 exceptions noted to be exempt from department-wide policies and procedures over manual journal entries because they are generated by internally-developed programs, which are discussed below in more detail.

Furthermore, we noted that 8 journal entries were posted to DOLAR$ prior to review and approval as evidenced by the signatures on the cover sheets of the journal entries.

We also noted that certain transactions posted in DOLAR$ related to non-expenditure transfers erroneously impact expended and unexpended appropriations balances. To ensure that these balances are correctly reported at fiscal year end, the OCFO uses an internally-developed program to generate a manual journal entry to reverse the erroneous components of the transfer entries. However, OCFO staff did not update the program to capture and correct such errors made in FY 2008 transfer entries. As a result, the balances of expended appropriations and unexpended appropriations at fiscal year end were initially misstated by approximately $716 million, and the OCFO posted an auditor-proposed adjustment in November to correct the error. OCFO supervisors did not identify this error since management consider the related journal entries to be part of an automated process that is not subject to the department-wide policies and procedures that require manual journal entries to be reviewed by a supervisor or someone other than the preparer before they are posted to DOLAR$.

By posting transactions without proper review and approval and allowing individuals the authority to prepare and approve their own transactions in DOLAR$, there is an increased risk that a material error would not be prevented or detected and corrected in a timely manner.

In addition, management represented that the new core financial management system, to be implemented in October 2009, will require electronic approval by someone other than the preparer before journal entries are posted. As a result, we were again informed that DOL does not plan to implement the recommendation to reconfigure DOLAR$ so that journal entries entered into DOLAR$ are approved electronically by an individual other than the preparer before posting.

Per GAO's Standards of Internal Control in the Federal Government, "Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event."

Since management provided their timeframes to implement the new general ledger system that requires electronic approval by someone other than the preparer before journal entries are posted, we consider the corrective action recommendation we made in FY 2007 resolved and open. To close the recommendation, management needs to ensure that the new core financial management system is configured, upon implementation, so that journal entries entered into it are required to be approved electronically by an individual other than the preparer.

Because management does not monitor DOL employees' compliance with the OCFO policies and procedures in place that require all journal entries to be properly prepared, supported, and approved before posting to DOLAR$ and that proper segregation of duties is in place related to the preparation and posting of journal entries, we consider the manual control recommendation made in FY 2006 as unresolved. To close this recommendation, management should (a) monitor DOL employees' compliance with the department-wide policies and procedures in place for documenting the review of all journal entries prior to posting in DOLAR$, (b) update the department-wide policies and procedures to require that manual journal entries generated by internally-developed programs be reviewed and approved by a supervisor or someone other than the preparer before they are posted to DOLAR$, and (c) design and implement detective controls that require supervisors to periodically generate and review activity reports that list all journal entries posted to DOLAR$. These controls should ensure that all journal entries that are posted are appropriate, supported, and documented.

Management Response: We analyzed the sample results cited in this finding, and found that not all transactions selected were manual entries subject to the standard, department-wide journal entry procedures referred to and tested by the auditors. In fact, a number of these transactions were recorded in DOLAR$ via an automated process, or were related to unique activities of DOL agencies, for which different procedures have been put into place. In both scenarios, the auditors assumed that such transactions should have been documented and reviewed similar to journal entries processed in accordance with the department-wide journal entry procedure. Furthermore, we maintain that the internal control standards allow for different types of controls, both preventive and detective in nature, which may be used to perform the authorization, recording, and review of transactions, and the segregation of duties among these functions. Certain transactions were included as exceptions simply because the review function was performed as a separate process after the transaction was recorded in DOLAR$, rather than simultaneous with posting.

We do not agree with the auditor's statement that "management does not monitor DOL's compliance with policies and procedures". We believe that there is disagreement with what transactions are subject to these requirements. That said, we will look to clarifying which transactions are subject to preventive and/or detective controls and update the policies accordingly. Knowing that DOL plans to implement the new core financial system in FY 2010, we will not consider reconfiguring DOLAR$ at this point in its lifespan. However, the OCFO will issue written guidelines and minimum requirements for documenting the authorization, recording and review functions for transactions posted outside of the automated interfaces, and for the segregation of duties among these functions. The OCFO will periodically monitor compliance with existing policies and procedures by testing samples of transactions posted throughout the fiscal year. Our assessment and written procedures will be completed by March 31, 2009, and sampling will begin thereafter.

Auditor Response: We believe that the results of our audit procedures and the misstatement identified support our conclusion that a significant deficiency exists in this area. Although management stated that they do not completely concur with our recommendations, they plan on taking steps to address them. Therefore, these recommendations are considered resolved and open.

1. Anti-deficiency Act

During FY 2008, DOL management concluded that an Anti-deficiency Act violation had occurred. The total amount of the violation was $39,450,476. The Secretary of Labor has reported the violation to the President of the United States, the President of the Senate, the Speaker of the House of Representatives, and the Comptroller General of the United States, as required by 31 U.S.C. section 1351.

The violation occurred in the Employment and Training Administration Community Service Employment for Older Americans account (160175) in connection with the Senior Community Service Employment Program in each of fiscal years 2003 through 2008, covering appropriations enacted for FY 2001 through FY 2005. These violations relate to the reobligation of expired funds for FY 2001 through FY 2005, beyond the period allowed for new obligations, as established in DOL's annual appropriation for this program.