Performance and Accountability Report Fiscal Year 2007
Financial Section

Report of Independent Auditors - Transaction Level Errors

Underlying transaction level errors during our interim controls tests included instances of both overstatements and understatements of: 1) UDOs, which represent GSA's obligations to vendors for goods and services ordered on behalf of customer agencies; and 2) DOs, which represent GSA's obligations to vendors for goods and services received. The design of GSA’s internal control over the management of obligations is not adequate to ensure that recorded obligations are valid and complete, to determine the timely removal of liquidated obligations, and to ensure the accurate classification between undelivered orders and accounts payable at year-end. In our interim sample of 45 obligation transactions, we noted 14 errors.

PwC also reviewed Reimbursable Work Authorization agreements (RWAs) for FBF and noted instances in which RWAs did not have adequate documentation to support a valid UFCO balance. There were also instances of long outstanding and inactive RWAs. In our interim sample of 45 UFCO transactions, we noted four errors.

In response to the design weakness and accounting errors determined through PwC's interim audit tests, PBS management developed a remediation plan to conduct a full management review of a statistical sample of its UDO, DO, and UFCO transactions as of July 31, 2007, and a second statistical sample of September transactions. The sampling was undertaken to identify incorrect transactions and correct the September 30, 2007, UDO, DO, and UFCO account balances.

As described in the following table, management's statistical sampling revealed significant transaction-level errors that misstated the originally recorded balances. Based upon the extrapolation of the sampling error rates to the September 30, 2007, balances, as well as transactions assumed to be 100% in error for statistical sampling purposes, management recorded the following adjustments.

ADJUSTMENTS BASED ON STATISTICAL SAMPLING RESULTS
(dollars in millions)

Population Sampled by Management    Adjustments Needed to Correct Errors in Budgetary Account Balances
UDOs                                $74
DOs                                 $37
UFCOs                               $165

PwC tested a subset of 45 transactions that were subject to management's statistical sampling process and noted one error in this test of 45 transactions which was subject to the additional level of scrutiny by FBF management. Furthermore, PwC also performed tests of controls over the cut-off of UDOs reported at year end. In the sample of UDOs we tested, we noted two out of six UDO transactions were executed in fiscal year 2007, but not entered into the financial system until fiscal year 2008. Corrections were made for these items as a result of our review.

Our control evaluation demonstrated that while policies and processes have been implemented, and monitoring of down-stream control processes was performed by PBS’ financial management community, there exists a need for further evaluation and improvement of FBF's controls over UDOs, DOs, and UFCOs. PBS needs to continue to drive financial management and reporting initiatives and improvements throughout the various regional offices and districts. Continuation of these practices, without the institution of sufficient routine and mitigating controls, will continue to heighten PBS' risk that material errors will not be prevented or detected in its budgetary accounts in interim and annual financial reports.

According to OMB Circular No. A-123, Management's Responsibility for Internal Control:

  • The control environment is the organizational structure and culture created by management and employees to sustain organizational support for effective internal control. Within the organizational structure, management must clearly: define areas of authority and responsibility; appropriately delegate the authority and responsibility throughout the agency; and establish a suitable hierarchy for reporting. Management’s commitment to establishing and maintaining effective internal control should cascade down and permeate the organization’s control environment which will aid in the successful implementation of internal control systems.
  • Control activities include policies, procedures and mechanisms in place to help ensure that agency objectives are met. Several examples include: proper segregation of duties (separate personnel with authority to authorize a transaction, process the transaction, and review the transaction); physical controls over assets (limited access to inventories or equipment); proper authorization; and appropriate documentation and access to that documentation. Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete.
  • Monitoring the effectiveness of internal control should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal control, which should be ingrained in PBS' operations. If an effective continuous monitoring program is in place, it can level the resources needed to maintain effective internal controls throughout the year.
  • Deficiencies identified whether through internal review or by an external audit should be evaluated and corrected. A systematic process should be in place for addressing deficiencies.

A goal of the Chief Financial Officers (CFO) Act is to improve accounting and financial management practices by providing management with the full range of information needed for day-to-day management. The Federal Financial Management Improvement Act of 1996 (FFMIA) builds on the foundation laid by the CFO Act by emphasizing the need for agencies to have financial management systems that can generate reliable, useful, and timely information with which to make fully informed decisions and to ensure accountability on an ongoing basis. Specifically, section 803(a) of the FFMIA requires each agency to implement and maintain systems that comply substantially with: (1) the Federal financial management systems requirements; (2) the applicable Federal accounting standards; and (3) the United States Standard General Ledger at the transaction level.

Recommendation:

We recommend that PBS:

  • Perform a critical analysis of the transaction level control activities and monitoring controls used for substantiating FBF's budgetary transactions. This analysis should include a variety of criteria, including dollar thresholds, risk, type, complexity, activity, and populations of transactions not subject to management review.
  • If changes to underlying transaction level or monitoring controls are not implemented, PBS should perform ongoing statistical sampling of its budgetary transactions to address the identified control weaknesses.
  • Ensure compliance with policies and procedures to prepare and monitor budgetary accounting and reporting on a routine basis, which includes supervisory reviews, analytical procedures, and data validation, and ensure that activities are in compliance with the applicable guidance.
  • Expand upon the implementation of OMB Circular A-123 to address root causes of budgetary reporting control weaknesses across the breadth and depth of the financial reporting process -- from the level of transaction initiation, through all processing and monitoring activities, through the preparation of interim and annual financial reports. Effective remediation should be instituted to implement needed reforms to the control environment, risk assessment processes, control activities, information and communication, and monitoring elements of GSA's integrated internal control system. GSA's assessment and remediation should encompass operating activities that may occur indirectly or outside of the finance function -- such as contract management -- but which have a direct and fundamental impact upon the complete, accurate, and reliable reporting of transaction-level information.

Management's Response:

We are encouraged by the fact that the Federal Acquisition Service has successfully addressed the recommendations noted in the prior year's reportable condition and is not noted in this year's significant deficiency. Additionally, the Public Buildings Service has declining statistical error projections over budgetary populations in prior year samplings. However, more work remains. We plan to review our existing corrective action plans on this subject as well as our auditor's recommendations and develop revised corrective action plans to further improve our internal control in this area.


GSA needs to strengthen system access, separation of duties, and monitoring controls

Significant Deficiency


During fiscal year 2007, testing evidenced security weaknesses across the Office of the Chief Information Officer (OCIO) and the PBS. Specifically, control deficiencies were identified that indicate the need for continued progress to address weaknesses within GSA's logical access controls, segregation of duties, and monitoring of user actions. These control deficiencies create exposure risks and vulnerability to financial data and OCFO system operations. Similar weaknesses were identified and subsequently corrected in different applications and Service Lines in prior year audits. Our testing indicated the following:

  1. Inadequate procedures for granting access and maintaining completed access authorizations:
    • Policies and procedures did not exist for performing periodic user recertification for the Inventory Reporting Information System (IRIS) and the RWA Entry and Tracking Application (RETA).
    • Accounts for separated users were not removed in a timely manner from IRIS and the Region 6 Local Area Network (LAN).
    • Access authorizations were not properly completed for operating system and standard user logical access to the Region 6 LAN.
  2. Weak segregation of user and administrator duties:
    • Administrator accounts with access to the Oracle environment in IRIS were shared by multiple individuals with little accountability for user actions.
    • Administrator accounts in IRIS were not restricted from accessing production data.
  3. Weak monitoring of application and system audit trails and violation reports of user actions:
    • The logging capability and review process for IRIS and the System for Tracking and Administering Real Property (STAR) logs need enhancement.
    • Procedures did not exist for performing a periodic, documented review of user security monitoring and violation reports for the Region 6 LAN.
    • Monitoring of administrator security logs and violation reports was not performed and documented for the Region 6 LAN.
  4. Documentation provided to support that controls over Access Controls, System Software, Service Continuity, and Segregation of Duties for the OCIO Enterprise Infrastructure Operations (EIO) LAN were operating effectively was incomplete and did not provide evidence on the operational effectiveness of all EIO controls. Controls within Security Planning were tested with no noted deficiencies.

These weaknesses expose GSA’s financial management systems and resources to the following risks:

  • Failure to maintain documentation of user authorizations and performance of recertification procedures presents the risk that unauthorized users can have access to the applications that is not commensurate with their current job responsibilities, and potentially affect the integrity of the financial data.
  • Failure to remove accounts upon separation presents the risk that unauthorized users can have access to the applications, and potentially affect the confidentiality and integrity of the financial data.
  • Lack of enforcement of separation of duties policies and procedures exposes the applications to the risk that certain users (IT management staff and end users) could obtain the ability to perform multiple critical system maintenance tasks and initiate and approve transactions without adequate oversight and limitations. This violation of the concept of “least privilege” may lead to an environment more conducive to fraudulent activity and/or inaccurate processing of financial data, ultimately affecting the integrity of the financial statements.
  • Allowing administrator accounts with shared passwords creates an environment where malicious or inadvertent activity could occur with little or no individual accountability or audit trail. Multiple users accessing sensitive system functions under the same user account detracts from the ability to trace system events and actions to specific users. This creates a risk from a financial reporting perspective if the application feeds financial data to the general ledger, and ultimately the financial statements.
  • Without a timely and formal review of user activity logs and violation reports, critical financial data may be corrupted, potentially affecting the financial statements. Furthermore, the lack of formal review of these logs invites the possibility of improper user activity going undetected or uncorrected.

The combination of these risks results in users having potentially unauthorized and unmonitored access to the applications that support financial line items, and potentially having the ability to perform unauthorized transactions and updates without being detected.

Recommendation:

The OCIO, OCFO, and PBS management should coordinate an implementation plan Agency-wide to strengthen general and application security controls by taking actions to improve:

  • Procedures for performing user access recertification;
  • Completion and maintenance of access authorizations;
  • Procedures for removing user access for separated individuals;
  • Access role structures to ensure compliance with separation of duties and least privilege policies; and
  • Monitoring and review of user and administrator security logs and violation reports.
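The findings above (separated users whose accounts were not removed, missing periodic recertification, and shared administrator accounts with no individual accountability) and the first four recommendations all reduce to reconciling an account extract against HR records and an ownership register on a routine basis. The script below is an added example, not code from GSA, PBS or the auditor; it assumes a constructed account extract and separation list, and the field names, policy windows (180-day recertification, 5-day removal grace period) and account names are assumptions for illustration, not the systems named in the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    account_id: str
    owners: List[str]                 # people authorised to use it; more than one means a shared account
    enabled: bool
    is_admin: bool
    last_recertified: Optional[date]  # None means the account has never been recertified


@dataclass
class Finding:
    control: str       # which control the account fails
    account_id: str
    detail: str


# Constructed sample extract (not data from the report): application accounts and
# the HR separation list an access-review job would reconcile them against.
ACCOUNTS = [
    Account("jdoe", ["jdoe"], True, False, date(2007, 5, 1)),
    Account("asmith", ["asmith"], True, False, date(2006, 11, 15)),
    Account("bjones", ["bjones"], True, False, None),
    Account("oracle_dba", ["rlee", "kchan", "mpatel"], True, True, date(2007, 7, 1)),
    Account("tgreen", ["tgreen"], False, False, date(2007, 6, 1)),
]
SEPARATIONS: Dict[str, date] = {"asmith": date(2007, 8, 10), "tgreen": date(2007, 3, 2)}
AS_OF = date(2007, 9, 30)  # review date; fiscal year-end in the report


def separated_still_enabled(accounts, separations, as_of, grace_days=5):
    """Enabled accounts with an owner who separated more than grace_days before as_of."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        for owner in acct.owners:  # every owner of a shared account still holds its credentials
            sep = separations.get(owner)
            if sep is not None and (as_of - sep).days > grace_days:
                findings.append(Finding("account removal on separation", acct.account_id,
                                        f"owner {owner} separated {sep.isoformat()}, account still enabled"))
    return findings


def stale_recertifications(accounts, as_of, max_age_days=180):
    """Enabled accounts not recertified within the policy window, or never recertified."""
    cutoff = as_of - timedelta(days=max_age_days)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_recertified is None:
            findings.append(Finding("periodic recertification", acct.account_id, "never recertified"))
        elif acct.last_recertified < cutoff:
            findings.append(Finding("periodic recertification", acct.account_id,
                                    f"last recertified {acct.last_recertified.isoformat()}, "
                                    f"cutoff {cutoff.isoformat()}"))
    return findings


def shared_accounts(accounts):
    """Accounts usable by more than one person, or by nobody on record: no individual accountability."""
    findings = []
    for acct in accounts:
        if len(acct.owners) != 1:
            kind = "privileged " if acct.is_admin else ""
            findings.append(Finding("individual accountability", acct.account_id,
                                    f"{kind}account has {len(acct.owners)} owners on record"))
    return findings


def run_access_review(accounts, separations, as_of):
    """Run all three checks and return the findings sorted by control, then account."""
    findings = (separated_still_enabled(accounts, separations, as_of)
                + stale_recertifications(accounts, as_of)
                + shared_accounts(accounts))
    return sorted(findings, key=lambda f: (f.control, f.account_id))


if __name__ == "__main__":
    for f in run_access_review(ACCOUNTS, SEPARATIONS, AS_OF):
        print(f"{f.control:32} {f.account_id:12} {f.detail}")
```

On the constructed data the review reports four findings: asmith is both separated and overdue for recertification, bjones has never been recertified, and the privileged oracle_dba account has three owners. Disabled accounts are skipped deliberately, since the control objective is that separated users have no usable access; a real job would also record the reviewer and date of each run so that the review itself is evidenced, which is the documentation gap the finding describes.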

Management's Response:

GSA Management is currently reviewing the details and findings supporting this significant deficiency and will have detailed corrective action plans drafted by calendar year-end. As noted in the Follow-up on Previous Report section of this report, we have closed similar issues in other systems that were reviewed in prior year audits and anticipate employing those procedures for the systems noted in this year's significant deficiency.

*   *   *

A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the GSA's, the FBF's, and the ASF's internal control.

Our consideration of internal control was for the limited purpose described in the Internal Control section of this report and would not necessarily identify all deficiencies in internal control that might be significant deficiencies or material weaknesses. We did not identify any deficiencies in internal control that we consider to be material weaknesses, as defined above.

As required by Government Auditing Standards, our discussion of significant deficiencies within this report includes management's response to our recommendations. Management describes corrective actions it has taken subsequent to our performance of internal control testing. We have not performed additional procedures to validate the corrective actions management has described.

