DOL Annual Report, Fiscal Year
Performance and Accountability Report
Independent Auditors' Report
Secretary and Inspector General
U.S. Department of Labor:
We have audited the accompanying consolidated balance sheets of the U.S. Department of Labor (DOL) as of September 30, 2009 and 2008; the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources for the years then ended; and the statements of social insurance as of September 30, 2009, 2008, 2007, and 2006 (hereinafter referred to as “consolidated financial statements”). The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our fiscal year 2009 audit, we also considered DOL's internal control over financial reporting and tested DOL's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.
We have also examined DOL's compliance with section 803a of the Federal Financial Management Improvement Act of 1996 (FFMIA) as of September 30, 2009.
As stated in our opinion on the consolidated financial statements, we concluded that DOL's consolidated financial statements present fairly, in all material respects, the financial position of DOL as of September 30, 2009 and 2008; its net costs, changes in net position, and budgetary resources for the years then ended; and the financial condition of its social insurance program as of September 30, 2009, 2008, 2007, and 2006, in conformity with U.S. generally accepted accounting principles.
As discussed in our opinion on the consolidated financial statements, the statements of social insurance present the actuarial present value of DOL's future expenditures to be paid to or on behalf of participants, estimated future income to be received from excise taxes, and estimated expenditures for administrative costs during a projection period ending in 2040.
Also as discussed in our opinion on the consolidated financial statements, in fiscal year 2009, DOL adopted new accounting and reporting requirements for fiduciary activities and changed the presentation of its statements of social insurance.
Our consideration of internal control over financial reporting resulted in identifying certain deficiencies that we consider to be significant deficiencies, as follows:
- Lack of Adequate Controls over Access to Key Financial and Support Systems
- Weakness Noted over Payroll Accounting
- Lack of Segregation of Duties over Journal Entries
- Lack of Sufficient Controls over Financial Statement Preparation
We did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses as defined in the Internal Control over Financial Reporting section of this report.
The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed no instances of noncompliance and one other matter that are required to be reported herein under Government Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.
As stated in our opinion on DOL's compliance with FFMIA, we concluded that DOL complied, in all material respects, with the requirements of FFMIA as of September 30, 2009.
The following sections discuss our opinion on DOL's consolidated financial statements; our consideration of DOL's internal control over financial reporting; our tests of DOL's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management's and our responsibilities.
OPINION ON THE FINANCIAL STATEMENTS
We have audited the accompanying consolidated balance sheets of the U.S. Department of Labor as of September 30, 2009 and 2008; the related consolidated statements of net cost and changes in net position, and the combined statements of budgetary resources for the years then ended; and the statements of social insurance as of September 30, 2009, 2008, 2007, and 2006. The accompanying statement of social insurance as of September 30, 2005 was not audited by us and, accordingly, we do not express an opinion on it.
In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the U.S. Department of Labor as of September 30, 2009 and 2008; its net costs, changes in net position, and budgetary resources for the years then ended; and the financial condition of its social insurance program as of September 30, 2009, 2008, 2007, and 2006, in conformity with U.S. generally accepted accounting principles.
As discussed in Note 1-W to the consolidated financial statements, the statements of social insurance present the actuarial present value of DOL's future expenditures to be paid to or on behalf of participants, estimated future income to be received from excise taxes, and estimated expenditures for administrative costs during a projection period ending in 2040. In preparing the statements of social insurance, management considers and selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements. However, because of the large number of factors that affect the statement of social insurance and the fact that future events and circumstances can not be known with certainty, there will be differences between the estimates in the statement of social insurance and the actual results, and those differences may be material.
Also as discussed in Note 1-B to the consolidated financial statements, DOL changed its method of reporting fiduciary activities to adopt the provisions of the Federal Accounting Standards Advisory Board's Statement of Federal Financial Accounting Standards (SFFAS) No. 31, Accounting for Fiduciary Activities, effective October 1, 2008.
Also as discussed in Note 1-W to the consolidated financial statements, in fiscal year 2009, DOL changed the presentation of its statements of social insurance to remove estimated interest payments from the statements. DOL revised its fiscal years 2005 through 2008 consolidated financial statements to conform to this fiscal year 2009 presentation.
The information in the Management's Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.
The information in the Secretary's Message, Performance Section, and Other Accompanying Information are presented for purposes of additional analysis and are not required as part of the consolidated financial statements. This information has not been subjected to auditing procedures and, accordingly, we express no opinion on it.
INTERNAL CONTROL OVER FINANCIAL REPORTING
Our consideration of the internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and was not designed to identify all deficiencies in the internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses.
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.
In our fiscal year 2009 audit, we did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses as defined above. However, we identified certain deficiencies in internal control over financial reporting that we consider to be significant deficiencies and that are described in Exhibit I.
We noted certain additional matters that we will report to management of DOL in a separate letter.
COMPLIANCE AND OTHER MATTERS
The results of our tests of compliance described in the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed no instances of noncompliance that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, as amended.
Other Matters. DOL is currently reviewing one incident regarding a potential violation of the Anti-deficiency Act. As of the date of this report, no final noncompliance determination has been made.
We noted certain additional matters that we will report to management of DOL in a separate letter.
OPINION ON COMPLIANCE WITH FFMIA
DOL represented that, in accordance with the provisions and requirements of FFMIA, the Secretary of Labor determined that the DOL's financial management systems are in substantial compliance with FFMIA.
We have examined the U.S. Department of Labor's compliance with section 803a of the Federal Financial Management Improvement Act of 1996 as of September 30, 2009. Under section 803a of FFMIA, the U.S. Department of Labor's financial management systems are required to substantially comply with (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States
Government Standard General Ledger at the transaction level. We used OMB's Revised Implementation Guidance for the Federal Financial Management Improvement Act, dated January 4, 2001, to determine compliance.
In our opinion, the U.S. Department of Labor complied, in all material respects, with the aforementioned requirements as of September 30, 2009.
Management's Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements applicable to DOL.
Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2009 and 2008 consolidated financial statements of DOL based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 0704, as amended. Those standards and OMB Bulletin No. 07-04, as amended, require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of DOL's internal control over financial reporting. Accordingly, we express no such opinion.
An audit also includes:
- Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
- Assessing the accounting principles used and significant estimates made by management; and
- Evaluating the overall consolidated financial statement presentation.
We believe that our audits provide a reasonable basis for our opinion.
In planning and performing our fiscal year 2009 audit, we considered DOL's internal control over financial reporting by obtaining an understanding of DOL's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. We did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of DOL's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of DOL's internal control over financial reporting.
As part of obtaining reasonable assurance about whether DOL's fiscal year 2009 consolidated financial statements are free of material misstatement, we performed tests of DOL's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, as amended. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to DOL. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.
Our responsibility also included expressing an opinion on DOL's compliance with FFMIA section 803a requirements as of September 30, 2009, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and the standards applicable to attestation engagements contained in Government Auditing Standards issued by the Comptroller General of the United States, and accordingly, included examining, on a test basis, evidence about DOL's compliance with the requirements of FFMIA section 803a and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on DOL's compliance with specified requirements.
DOL's response to the findings identified in our audit is presented in Exhibit I. We did not audit DOL's response and, accordingly, we express no opinion on it.
This report is intended solely for the information and use of DOL's management, DOL's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.
November 15, 2009
1. Lack of Adequate Controls over Access to Key Financial and Support Systems
In fiscal years (FY) 2006 through 2008, we reported a significant deficiency relating to the lack of adequate controls over access to key financial and support systems.
We recommended that management:
- Identify key financial information technology (IT) controls and incorporate them into the U.S. Department of Labor's (DOL) internal control and Office of Management and Budget (OMB) Circular No. A-123 testing process, to ensure that these controls are documented and operating effectively during the year.
- Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to address access control weaknesses in current financial management systems.
During the FY 2008 audit, we noted that while DOL identified and tested key IT controls as part of its OMB Circular No. A-123 testing process, certain parts of the testing were performed concurrently with our IT testing and were not completed in time for us to assess the adequacy of the process. During our FY 2009 audit, we noted that DOL continued to identify and test key IT controls as part of its OMB Circular No. A-123 testing process, including follow-up on certain prior year IT findings and testing of the design and operating effectiveness of certain key current year controls during the year. Additionally, DOL provided the OMB Circular No. A-123 testing results timely throughout the year.
In response to the second recommendation, we noted that the Office of the Chief Information Officer (OCIO) updated Volume 1, Access Controls, of the DOL Computer Security Handbook in December 2008 and in May 2009. The updates to this volume required agencies to be compliant with the latest standards set forth by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Systems.
However, we noted that 25 prior year findings related to access controls have not been corrected (4 in the Office of the Chief Financial Officer (OCFO), 9 in the Employment and Training Administration (ETA), 3 in the Office of the Assistant Secretary for Administration and Management (OASAM), and 9 in the Employment Standards Administration (ESA)). Additionally, we noted two prior year findings that were not corrected until the third and fourth quarters of FY 2009 (1 in ETA and 1 ESA). In FY 2009, we identified access control weaknesses that resulted in 11 new findings (1 in OCFO, 7 in ETA, 1 in OASAM, and 2 in ESA). Additionally, we issued one new finding that was subsequently corrected in the third quarter of FY 2009 (in ESA). The specific nature of these weaknesses, their causes, and the systems impacted by them has been communicated separately to management.
In summary, we noted issues with account management, configuration management, and review of system audit logs in our FY 2009 testing of DOL's IT systems. While these issues are less severe than a material weakness, we determined that they are important enough to merit attention by those charged with governance. As such, we believe that these new weaknesses and the uncorrected prior year control weaknesses represent a significant deficiency over access to key financial and support systems. Specifically, the following control weaknesses were present in one or more financial systems across various DOL agencies.
- Account Management
- Account management controls were not performed, such as incomplete or missing access request, modification, and termination forms;
- User accounts are not timely removed for separated users;
- Periodic user account reviews or re-certifications were not performed;
- Generic accounts existed on a system without a proper business justification for approximately half of the fiscal year;
- Access authorization, modification, termination, recertification, and periodic reviews of data center access were not consistent with policies; and
- Certain terminated personnel had active system accounts, and in some cases, terminated employees accessed systems after their termination date.
- Configuration Management
- Technical security standards and policies need to be updated and implemented to include stronger logical access security controls. Specifically, patches were not applied to systems in a timely manner; unnecessary services were not disabled; and access to sensitive files, directories, or software was not restricted;
- Production servers were not configured in accordance with baseline configurations or to the most appropriate settings;
- Password settings do not comply with the DOL Computer Security Handbook;
- Inactive accounts were not disabled or deleted in a timely manner; and
- Certain human resources personnel had access to create and approve personnel action requests on their own.
- Review of System Audit Logs
- Audit logs monitoring user and administrator activity, changes to security profiles, remote access logs, access to sensitive directories, and failed login attempts are not reviewed, or documentation of audit log reviews was not maintained;
- Audit log review procedures were not documented and finalized;
- Audit logs were not secured against editing by system administrators; and
- Application-level audit logs (e.g., significant transactions and changes to sensitive tables) were not proactively reviewed.
These findings are a result of issues in the implementation and monitoring of Departmental procedures and controls. While the DOL agencies closed 17 prior year access control findings, they have not invested the necessary level of effort and resources to ensure that policies and procedures are designed and operating effectively. These access control weaknesses could result in users with inappropriate access to financial systems; inefficient processes; lack of completeness, accuracy, or integrity of financial data; and/or undetected unusual activity within financial systems.
Based on these facts noted as part of our FY 2009 audit, we consider the recommendation related to testing key financial IT controls as part of the OMB Circular No. A-123 testing process closed. However, we consider the recommendation related to coordinating efforts among the DOL agencies to develop and/or enforce procedures and controls to address access control weaknesses in current financial management systems unresolved. To close this recommendation, the Chief Information Officer should (a) coordinate efforts among the DOL agencies to develop procedures and controls to address access control weaknesses in current financial management systems, (b) monitor the agencies' progress to ensure that procedures and controls are appropriately implemented and maintained, and (c) ensure that sufficient resources are available to develop, implement, and monitor the procedures and controls that address access control weaknesses.
Management's Response: The Office of the Assistant Secretary for Administration and Management (OASAM) does not concur with this determination. DOL management asserts DOL policies, procedures and standards for management, operational, and technical controls are adequate and collectively provide compound safeguards and redundant security measures to ensure the integrity of DOL financial systems. Further, the controls inherent to specific applications are sufficiently designed and effective to prevent or detect any unauthorized access to DOL financial systems.
The report, as presented, does not adequately represent the operating environments of the systems audited, nor does it accurately relay the risk associated with the identified vulnerabilities. In general, risk levels are inflated based on the nature of the weaknesses noted. For example, an account which is disabled, but not deleted, does not represent a high risk as portrayed in the audit review. A disabled account does not permit unauthorized access to a system. Additionally, the findings do not represent a systemic deficiency which, when taken in aggregate, could adversely impact financial business processing.
As mentioned in the FY 2008 management response to this issue, a Department-wide comprehensive strategy was established to address the identified conditions. The following milestones were achieved in FY 2009:
- Revised access control policy to strengthen account management procedures by requiring agencies to conduct semiannual account reviews;
- Developed FY 2009 Security Testing and Evaluation plan that included access control and configuration management focused quarterly reviews; and
- Implemented automated configuration management tool, Secure Elements C5, to measure agency compliance with configuration management requirements.
The implemented strategy above attests to management's serious commitment to safeguard DOL information and information systems. In FY 2010, management will continue to deploy processes and procedures aimed at enhancing and strengthening the overall security posture of DOL's computer security program.
Auditor Response: The details of our FY 2009 IT findings and recommendations were provided to DOL management through the established Notification of Findings and Recommendations process. While we did not identify any individual finding as a significant deficiency, we evaluated the combination of certain findings, in accordance with auditing standards generally accepted in the United States of America, to conclude that a significant deficiency does exist, taking into consideration that certain findings, when assessed in aggregate, identified deficiencies in both detective and preventive access controls related to one or more financial systems. Although management stated that they do not concur with our recommendations, they plan on taking steps to address them. Therefore, these recommendations are considered resolved and open. FY 2010 audit procedures will determine whether these recommendations have been adequately addressed and can be considered closed.
2. Weakness Noted over Payroll Accounting
During FYs 2006 through 2009, DOL used the U.S. Department of Agriculture's (USDA) Office of Chief Financial Officer (OCFO)/National Finance Center (NFC) to process its payroll. For each pay period, DOL submitted to the NFC payroll information that included all DOL employees for the period, along with their hours worked, leave used, and other payroll related information for the period. The NFC processed the payroll for DOL each period and made available for download a Detail Pay and Deduct Register report for each DOL Human Resources office.
In FY 2006, we noted that DOL did not utilize the Detail Pay and Deduct Register reports to perform reviews or reconciliations of data processed by the NFC, and no other controls were in place during the year to ensure that the information that was submitted to NFC via Time and Attendance records was reconciled to what was shown as paid in the Detail Pay and Deduct Register.
We recommended that management develop and implement policies and procedures to reconcile payroll information provided to the NFC to the payroll information processed by the NFC each pay period. These reconciliations should be documented, reviewed, approved by an appropriate supervisor, and maintained.
As part of DOL's corrective action plan for FY 2007, the OCFO's PeoplePower Task Force created a Time and Attendance Reconciliation Report, and the DOL OCFO issued policies and procedures that stated that each DOL Human Resource office should review the Time and Attendance Reconciliation Reports each pay period and research and resolve differences identified. No offices that we tested in FY 2007 complied with the new OCFO procedures, but two offices that we tested performed their own reconciliation procedures.
During FY 2008, the OCFO issued revised policies and procedures dated October 23, 2007, requiring a review of the Time and Attendance Reconciliation Reports, and implemented these policies and procedures. The OCFO also performed monitoring department-wide to ensure that the reviews were completed, documented, and approved by an appropriate supervisor, and maintained. However, we noted that the reconciliation tested from the Atlanta processing center did not contain a signature to validate the review. In addition, the Time and Attendance Reconciliation Reports do not contain a space for the date of the review; therefore, the timeliness of the reconciliations and certifications was not verifiable.
The policies and procedures issued and the related reviews and audits appeared to reconcile and certify time and attendance records only. When we requested supporting documentation for the reviews of other NFC inputs and outputs (e.g., Gross Pay and Benefit Withholdings), we noted that the five agencies selected for FY 2008 testwork were able to provide the Detail Pay and Deduct Register report; however, the agencies could not provide evidence of review or recalculations of payroll-related items other than time and attendance. Therefore, we could not conclude that such reviews and recalculations were completed.
In FY 2009, DOL issued revised policies and procedures with an effective date of July 24, 2009, to provide guidance on the need for agencies to review payroll-related items other than time and attendance records. In addition to the revised policies issued, OCFO management has represented that they have also implemented a procedure to monitor the completion of the reviews of payroll-related items other than time and attendance. Since the revised policies and procedures were not effective until the last quarter of FY 2009, our testwork focused on the time and attendance reconciliation policies that were effective for the first three quarters (i.e., the majority) of FY 2009, and we did not test the revised procedures implemented in July 2009.
We selected a sample of 8 time and attendance reconciliations from various agencies, none of which were provided to us. We also noted that the OCFO had requested 38 sample items from the Human Resource offices to monitor compliance with policies and procedures. The OCFO only received 6 of the 38 sample items requested. As a result, we noted that insufficient evidence exists to determine that the preparation and review of payroll-related items, including time and attendance, were completed.
The lack of compensating reconciliation controls around the NFC compensation outputs increases the risk that payroll-related line items may be misstated due to errors in payroll processing by NFC.
Federal agencies that use external service providers, such as the NFC, should have controls in place to ensure the accuracy of processing outputs. As stated by the USDA OIG in its FY 2009 Report No. 11401-30-FM, “The accuracy and reliability of data processed by NFC and the resultant reports ultimately rests with the customer agency and any compensating controls implemented by such agencies.”
OMB Circular No. 123, Management's Responsibility for Internal Control, states, “Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls should be established at an application's interfaces to verify inputs and outputs, such as edit checks.”
Additionally, per the Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government, “Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency's operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.”
Based on our FY 2009 audit results, we consider the recommendation we made in FY 2006 as resolved and open. To close this recommendation in the future, the DOL OCFO should (a) ensure that Human Resource offices are reconciling all payroll information, not only time and attendance records, provided to the NFC to the payroll information processed by the NFC for each pay period and (b) ensure that these reconciliations are documented, reviewed, and approved by an appropriate supervisor, and maintained.
Management's Response: Over the past two years, management has made considerable progress in the area of payroll processing. First, we implemented policies and procedures requiring reconciliation of time and attendance data. We also implemented procedures to reconcile payroll data provided by the National Finance Center (NFC) to that recorded in DOLAR$, another critical reconciliation of payroll information. In FY 2009, OCFO modified a payroll exception report developed in prior years, the Payroll/Time & Attendance Reconciliation Report. This report was improved in that it now lists both input and output discrepancies noted for each payroll period. The report is distributed to each Human Resources Office (HRO) on the Monday following each pay period. OCFO procedures require the HROs to review all discrepancies listed on the reports and complete a certification by the second Friday after each pay period. The certifications require signatures of the preparer and an HR supervisor, and discrepancies are required to be resolved by the end of the following pay period.
In July 2009, OCFO initiated procedures to monitor HRO compliance with the new certification process. OCFO performed independent reviews for a sample of the certifications, ensuring that the certification forms were properly completed, approved, and included all information listed on the reconciliation reports. OCFO reviews also included a determination as to whether reported discrepancies were subsequently resolved and corrected. Since the implementation of these procedures, OCFO has been successful in ensuring that HROs are completing and documenting the reconciliations in a timely fashion. We believe that the recommendations made by the auditors are fully resolved, and anticipate closure of this finding in the FY 2010 audit.
Auditor Response: As indicated above, DOL could not provide supporting documentation for any of the reconciliations we selected for our testing. However, since management addressed our recommendations by implementing additional procedures during the last quarter of FY 2009, we consider these recommendations resolved and open. FY 2010 audit procedures will determine whether these recommendations have been adequately addressed and can be considered closed.
3. Lack of Segregation of Duties over Journal Entries
During the FY 2006 audit, we noted that accounting staff from all DOL agencies were able to prepare and enter journal entries into the Department of Labor Accounting and Related Systems (DOLAR$) without approval. Although the OCFO had developed Department-wide manual policies and procedures designed to ensure the segregation of journal entry preparation and approval authority in the second quarter of FY 2007, which was revised and reissued in the second quarter of FY 2008, the same lack of supporting documentation evidencing management review and approval was noted during the FYs 2007 and 2008 audits.
During the course of the FYs 2006, 2007, and 2008 audits, we issued several recommendations to the OCFO, including the FY 2007 recommendation that management reconfigure DOLAR$ (and its successor system) so that journal entries entered into the DOLAR$ general ledger system (and its successor system) are required to be approved electronically by an individual other than the preparer before posting. We also recommended that:
- Agencies implement manual compensating review controls until system controls have been implemented.
- OCFO management monitor DOL employees' compliance with the Department wide-policies and procedures in place for documenting the review of all journal entries.
- OCFO management design and implement detective controls that require supervisors to periodically generate and review activity reports that list all journal entries posted to DOLAR$.
During FY 2009, we tested a sample of 622 journal entries recorded from October 1, 2008 through September 30, 2009. For 55 of these journal entries, the OCFO did not provide support evidencing that they had been reviewed by a supervisor or someone other than the preparer before they were posted to DOLAR$. DOL management indicated that 24 of the 55 exceptions noted should not be subject to the OCFO policy since they are related to recording commitments and sub-allocations and are subject to other review controls in the budget office; however, no documentation was provided by the OCFO to support that these entries were reviewed by the budget office staff. In addition, the OCFO written policy does not exempt these types of entries from the journal entry review procedures.
Furthermore, we noted that 20 journal entries were posted to DOLAR$ prior to review and approval as evidenced by the signature on the cover sheets of the journal entries.
We also noted during our review of DOL's June 30, 2009 consolidated financial statements that the OCFO staff made certain adjustments to the Combined Statement of Budgetary Resources (SBR) for a total of approximately $1.3 billion without posting these adjustments into DOLAR$ in the form of journal entries (i.e., top-side adjustments). No evidence existed to support that appropriate management personnel reviewed and approved these adjustments. In addition, DOL's current policies and procedures do not specifically cover top-side adjustment entries.
By posting transactions and making adjustments to the consolidated financial statements without proper review and approval and allowing individuals the authority to prepare and approve their own transactions in DOLAR$, there is an increased risk that a material error would not be prevented or detected and corrected in a timely manner. In addition, there is a risk that employees are not following policies and management is unaware of their non-compliance.
In addition, OCFO management represented that the New Core Financial Management System (NCFMS), to be implemented in January 2010 to replace DOLAR$, will require electronic approval by someone other than the preparer before journal entries are posted. As a result, we were again informed that DOL does not plan to implement the recommendation to reconfigure DOLAR$ so that journal entries entered into DOLAR$ are approved electronically by an individual other than the preparer before posting.
Per GAO's Standards of Internal Control in the Federal Government, “Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.”
Because management provided timeframes to implement the new general ledger system that requires electronic approval by someone other than the preparer before journal entries are posted, we consider the recommendation we made in FY 2007 resolved and open. To close the recommendation, management must ensure that the NCFMS is configured, upon implementation, so that journal entries entered into it are required to be approved electronically by an individual other than the preparer.
Because OCFO management does not consistently monitor DOL employees' compliance with the OCFO policies and procedures in place that require all journal entries to be properly prepared, supported, and approved before posting to DOLAR$ and that proper segregation of duties is in place related to the preparation and posting of journal entries, we consider the manual control recommendation made in FY 2006 as unresolved. To close this recommendation, management should (a) develop and implement procedures to monitor DOL agencies to determine they are in compliance with OCFO policies and procedures related to journal entries, (b) design and implement detective controls that require supervisors to periodically generate and review activity reports that list all journal entries posted to DOLAR$, and (c) revise the department-wide policies and procedures to require that all manual entries, including top-side adjustment entries, be documented and reviewed and approved by a supervisor or someone other than the preparer before the financial statements are adjusted. These controls should ensure that all journal entries and top-side adjustments that are posted are appropriate, supported, and documented.
Management's Response: With respect to existing policies and procedures over journal entries, we disagree with the auditor's conclusion that prior year issues remain unresolved. OCFO has significantly improved the documentation and approval requirements over journal entries. Additional procedures were implemented in January 2009 to ensure that journal entries recorded in DOLAR$ are sufficiently reviewed and approved, and that adequate segregation of duties exists over the authorization, recording, and review and approval functions. During the year, OCFO conducted independent reviews of journal entries recorded by ETA, OJC, OCFO, and other agencies, and provided guidance to those agencies. With the recent policy revisions and other OCFO actions taken since this finding originated, we believe that OCFO has appropriate monitoring procedures in place to ensure that journal entries recorded by DOL agencies are subjected to sufficient segregation of duties and review and approval procedures.
We understand that many of the “errors” described by the auditors pertain specifically to entries made by ETA to record commitments and sub-allocations. The auditors contend that these transactions are recorded in DOLAR$ without proper review and approval or without appropriate segregation of duties. In fact, these transactions are initiated and authorized by different individuals prior to being recorded in DOLAR$, and are subjected to certain detective controls after recording to ensure accuracy. Commitments are recorded by the Budget Office only upon receipt of an EPS-generated document that records the initial request for funds and the subsequent approval by the program office. Sub-allocations are prepared by a budget analyst and are reviewed and approved by the Budget Officer prior to being recorded in DOLAR$. Subsequently, ETA's Budget Office utilizes two reports which act as detective controls to ensure the accuracy and completeness of allocations and commitments recorded in DOLAR$. Since these transactions are initiated, authorized, recorded, and reviewed by different individuals, we believe that the segregation of duties is intact and that existing review procedures ensure that amounts recorded in DOLAR$ are accurate and complete.
With respect to the new financial system, NCFMS, the system requires that the posting and approval functions for all journal entries be performed electronically and by separate individuals. All journal entries are held in suspense and are not recorded until electronic approval is received from the designated supervisor.
Based on these facts, we believe that the FY 2006 recommendation should be considered resolved, and that this finding does not rise to the level of a significant deficiency. At most it should be considered a management advisory comment.
Auditor Response: We believe that the results of our audit procedures support our conclusion that a significant deficiency exists in this area. As a result, we consider the system-related recommendation resolved and open and the remaining recommendations unresolved pending completion of a corrective action plan and timeframes for implementation.
4. Lack of Sufficient Controls over Financial Statement Preparation
During our review of DOL's June 30, 2009 and September 30, 2009 draft consolidated financial statements, we noted the following errors and omissions that were not detected by the OCFO's review of the draft financial statements:
- The balance of distributed offsetting receipts reported in DOL's SBR as of June 30, 2009 and September 30, 2009 was understated by $22.5 billion and $197 million, respectively.
- Total unobligated balances available and unobligated balances not available reported in DOL's SBR as of September 30, 2009 were misstated by $2.5 billion due to a classification error that caused this amount to be reported as unobligated balances not available instead of unobligated balances available.
- The OCFO removed estimated interest payments from the Statement of Social Insurance for fiscal year 2009 and revised its fiscal years 2005 through 2008 consolidated financial statements to conform to this fiscal year 2009 presentation. However, the OCFO did not include a footnote disclosure in DOL's September 30, 2009 draft consolidated financial statements to explain the changes made to the presentation of the statement.
- The earned revenue reported in Note 15 of the consolidated financial statements for one of DOL's agencies was initially overstated by $44.7 million. This intra-departmental amount was incorrectly reported as earned revenue instead of a non-expenditure transfer. This error had no impact on the consolidated statements of net cost because it was eliminated during consolidation.
- Note 18D was initially incomplete as it did not include a reconciliation of distributed offsetting receipts from the SBR to the Budget of the United States Government.
- The unobligated balance available reported in Note 2 is understated by $151 million as of September 30, 2009. This understatement is due to a classification error that is offset by overstatements of $69 million in obligated balance not yet disbursed and $82 million in unobligated balance unavailable. This classification error had no impact on the total Fund Balance with Treasury reported in Note 2.
Except for condition no. 6 related to Fund Balance with Treasury, the above errors were subsequently corrected by management in the final FY 2009 consolidated financial statements.
In addition, the OCFO did not complete the September 30, 2009 SBR to SF-133, Report on Budget Execution and Budgetary Resources (SF-133), reconciliation and research identified differences timely. The OCFO reconciliation was not completed until after the OCFO prepared two drafts of DOL's consolidated financial statements.
Furthermore, the OCFO did not provide us a complete set of DOL's September 30, 2009 draft consolidated financial statements and trial balances in a timely manner.
The above issues occurred because the OCFO did not perform a sufficiently detailed review of the consolidated financial statements to ensure that misstatements, errors, and omissions related to the statements, notes, required supplementary information, and required supplementary stewardship information were detected and corrected and that the draft financial statements were submitted timely. In addition, the U.S. Department of Labor Manual Series (DLMS) does not include specific guidance on the review procedures of the consolidated financial statements that would guide DOL supervisors during their reviews. Specifically related to condition no. 1, OCFO policy does not require the quarterly reconciliation of distributed offsetting receipts reported on DOL's SBR to distributed offsetting receipts reported on the U.S. Department of the Treasury's Quarterly Distributed Offsetting Receipts by Department Report. These issues resulted in the need to correct the consolidated financial statements prior to final submission, causing delays in the financial reporting process.
U.S. Government Accountability Office's (GAO), Standards for Internal Control in the Federal Government (Standards), states, “Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency's operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.”
Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, states “The agency head must establish controls that reasonably ensure that obligations and costs are in compliance with applicable laws; funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports...”
Statement of Federal Financial Accounting Concepts No.1, Objectives of Federal Financial Reporting, paragraph 163 states, “Financial reports should be consistent over time; that is, once an accounting principle or reporting method is adopted, it should be used for all similar transactions and events unless there is good cause to change.”
OMB Circular No. A-136, Financial Reporting Requirements, section II.4.9.34, discusses the required financial statement note that explains the differences between the SBR and the Budget of the United States Government. “At a minimum, agencies should display the material differences for comparable line items related to budgetary resources, obligations, distributed offsetting receipts and outlays.”
We recommend that the Chief Financial Officer (a) implement procedures to require that OCFO staff reconcile the amount of distributed offsetting receipts reported on DOL's quarterly SBR to distributed offsetting receipts reported on Treasury's Quarterly Distributed Offsetting Receipts by Department Report, (b) ensure that OCFO personnel perform a more detailed review of all financial information in the Performance and Accountability Report (PAR) including financial statements, notes, supplementary information, and supplementary stewardship information, (c) complete the quarterly reconciliations of the SBR to SF-133, including the completion of documented supervisory reviews over these reconciliations, by a certain date that facilitates timely identification and correction of potential SBR misstatements. and (d) update DLMS to include guidance for DOL supervisors to follow during their financial statement reviews, including procedures for comparing financial data reported on the different statements and notes to ensure accuracy and consistency.
Management's Response: We believe that this finding overstates certain facts, and that the actual events that occurred do not warrant issuance of a significant deficiency. The quarterly and year-end financial statements are subjected to a draft and final submission process, and it is normal and appropriate for various analyses and reviews of draft financial statements to result in subsequent corrections and adjustments in the finals. At yearend, due to the tight deadlines for submission of the audit and year-end statements, the OCFO's reviews of the draft financial statements typically overlap with those of the auditors, and we believe it overstates the facts to conclude that our processes would not have detected many of the issues identified in this finding. The OCFO has the right to make corrections to draft financial statements until the final opinion is issued by the independent auditors. Furthermore, the auditor was made aware of all corrections to financial statements in all drafts submitted.
In regards to the offsetting receipts, OCFO does not concur with the auditor's statement that reconciliations of distributed offsetting receipts are not performed and does not believe there were any delays in the financial reporting process caused by this issue. The $197 million understatement was a result of the attempt to verify and reconcile FMS reported amounts to amounts recorded in DOL's general ledger. The understated amount quoted for June 30, 2009 is incorrect, a fact that the OCFO determined by subsequent reconciliation to the amount reported on the FMS website. FMS subsequently changed the amount reported for June 30, 2009. We also note
that OCFO was not made aware that FMS had established a website for distributed offsetting receipts until after the June 30, 2009 unaudited interim statements were submitted to OMB.
As to the other matters mentioned by the auditors: (1) OCFO was aware of a discrepancy in unobligated balances but did not include changes to draft financial statements until it was able to sufficiently investigate the cause and accurately quantify the adjustment required; (2) the proposed changes for the Statement of Social Insurance were provided to the auditor in May 2009, and the related disclosures were included in subsequent draft financial statements; (3) intra-departmental transfers were originally recorded in accordance with the SF 132 presentation, and were corrected after consultation with OMB to insure proper treatment; and (4) OCFO believes that entire amount of distributed offsetting receipts was not material and, accordingly, Note 18D as presented in the original draft was in accordance with OMB guidance. OMB Circular No. A-136, as cited by the auditors, only requires disclosures of material differences.
While we do not concur with the auditor's description of the facts or their resulting conclusions, we do acknowledge that the time frames for financial reporting, especially at year end, put significant pressure on those involved in preparation and review of the financial statements. We agree that enhancing certain processes, and changing the frequency and/or timing of certain reconciliations, would alleviate some of the pressure and improve timeliness. Therefore, we will review existing procedures utilized in the preparation and review of quarterly and year-end financial statements, including the footnotes, and will identify areas in need of improvement. We will also look at the numerous reviews and reconciliations currently performed by the OCFO and other agencies, and will consider the need for increased frequency and stepped up time frames. Revised procedures will be developed and implemented accordingly, and will be updated in the DLMS if necessary by June 30, 2010.
Auditor Response: Although the OCFO stated that it does not concur with our comments, the OCFO will be taking steps to address our recommendations. Therefore, we consider these recommendations resolved and open. FY 2010 audit procedures will determine whether these recommendations have been adequately addressed and can be considered closed.