MANAGEMENT LETTER REPORT
FISCAL YEAR 2008 FINANCIAL STATEMENT AUDIT

Cotton & Company LLP audited Fiscal Year (FY) 2008 financial statements of the U.S. Equal Employment Opportunity Commission (EEOC), and this document discusses eight matters involving internal control that warrant management attention. The status of management’s actions on prior-year recommendations is in the appendix.

1. BUDGETARY POSTING LOGIC

We identified three instances of invalid budgetary posting logic during FY 2008 testing, two of which are repeat conditions from FY 2007 (a and b, below):

a. EEOC did not record a budgetary payable to recognize the budgetary effect of a capital lease liability as of September 30, 2008.

The United States Standard General Ledger (USSGL), as published by the Financial Management Service of the Department of the Treasury, states:

…the agency must have sufficient budgetary resources up front to cover the present value of the lease payments discounted using the Treasury interest rates.

The USSGL goes on to require that Delivered Orders – Obligations, Unpaid, be credited to recognize the budgetary payable when the capital lease liability is recorded. FY 2008 corrective actions were not successfully completed to resolve the issue. EEOC personnel stated that when capital leases were originally entered into, budget authority was not obligated to cover the entire value of the capital lease liability. Thus, they obligate and expend money each year to cover lease payments for that year.

b. EEOC posted invalid recoveries of prior-year obligations.

When correcting administrative data in Momentum, EEOC personnel processed deobligations of prior-year obligations, resulting in postings to GL Accounts 4871 (Downward Adjustments of Prior Year Undelivered Orders) and 4971 (Downward Adjustments of Prior Year Delivered Orders – Unpaid).
Because the intent was not to actually deobligate funds, but to change administrative data, recoveries of prior-year obligations should not have been generated. We also identified instances in which recoveries were mistakenly generated when payments were made. Accruals were reversed to pay vendor invoices, resulting in postings to GL Account 4971. As payments were made on these items, recoveries of prior-year obligations should not have been generated.

The USSGL defines amounts recorded in GL Account 4871 as:

The amount of recoveries during the fiscal year resulting from downward adjustments to USSGL account 4801, “Undelivered Orders - Obligations, Unpaid,” that were originally recorded in a prior fiscal year.

Additionally, the USSGL defines amounts recorded in GL Account 4971 as:

The amount of recoveries that were originally recorded in a prior fiscal year during the fiscal year resulting from downward adjustments to USSGL account 4901, “Delivered Orders - Obligations, Unpaid.”

c. EEOC did not reduce budgetary revenue when processing the yearend deferred revenue accrual.

EEOC’s Revolving Fund (RF) provides employment law training to customers for a set fee that customers are required to pay in advance. EEOC records these fees as earned revenue in both the budgetary and proprietary accounts at the time registrations are received, rather than when the training event occurs and the revenue has been earned. We identified this condition during the FY 2007 audit and included this improper accounting treatment in the FY 2007 Management Letter and the FY 2008 internal control report.

EEOC processed a yearend accrual in FY 2008 to properly recognize revenue that had been collected but not yet earned as deferred revenue. When this entry was processed, amounts were moved from GL Account 5200 (Revenue from Services Provided) and posted to GL Account 2320 (Deferred Revenue).
Spending authority from offsetting collections (budgetary revenue) was not, however, reduced to recognize that the revenue was not earned and thus did not represent budget authority. The USSGL prescribes the following entry for recording deferred revenue:

To record revenue received in advance.
Budgetary Entry: None
Proprietary Entry: Debit 1010 Fund Balance With Treasury; Credit 2320 Other Deferred Revenue

A budgetary entry should not be recorded when recording deferred revenue. Thus, budgetary revenue should have been reduced along with proprietary revenue when the yearend accrual was posted.

Recommendation

We recommend that the Office of the Chief Financial Officer (OCFO) implement training procedures to ensure that all financial personnel are familiar with budgetary accounting and reporting guidelines published by the Department of Treasury to ensure that all transactions are properly recorded.

Management Response

Management did not agree with the finding or recommendation. Management stated:

Our review of the SGL indicated that the budgetary accounts were already recorded in Momentum at the time of the receipt of cash. The accounts that were posted in Momentum are:
Budgetary Accounts (USSGL transaction code C116): DR 4261 and CR 4060
Proprietary Accounts: DR 1010 and CR 5200
We recorded the Deferred Revenue at September 30 by DR 5200 and CR 2320 – Other Deferred Revenue. No budgetary entry needed to be done at the time of recognizing the deferred revenue because the budgetary accounts were already affected at the time of the cash receipts.

Auditor Comment

As stated in the Management Response, budgetary revenue was recorded in the general ledger at the time cash was received and proprietary revenue was posted. However, this budgetary revenue should not have been recorded at 9/30/08. Per the USSGL, no budgetary entry should be posted when deferred revenue is recorded.
As a result, when processing the yearend adjustment to move revenue from earned to deferred, EEOC should have also processed an entry to reverse the budgetary entry that was posted when the earned revenue was recorded during the year. Not posting a reversal of the budgetary entry that was previously recorded caused EEOC to overstate budgetary revenue as of 9/30/08. As such, this finding is still considered unresolved.

2. SUPPORTING DOCUMENTATION FOR TRANSACTIONS

EEOC personnel were unable to locate sufficient supporting documentation for several sample items selected for testing during FY 2008:

a. OCFO personnel could not provide support for two expense transactions and one undelivered order (UDO) balance selected for yearend testing and could only provide partial documentation for a second UDO balance selected for yearend testing.

b. Office of Human Resources (OHR) personnel could not provide sufficient documentation to support an increase in the annual leave balance of a separated employee that resulted in an increased lump-sum payment to the employee after separation.

GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), page 15, states:

…all transactions and other significant events need to be clearly documented and the documentation should be readily available for examination.

Recommendation

We recommend that:

a. OCFO review and revise controls in place to ensure that documentation for all transactions is maintained and is readily available for review.

b. OHR obtain and file all documentation supporting personnel and payroll actions taken and ensure that this information is readily available for review upon request.

Management Response

Management concurs with the finding and recommendation a. No comment was received from management regarding finding and recommendation b.

3. CONTROLS OVER PROPERTY AND EQUIPMENT

Controls over property and equipment (P&E) were not effective in some instances.
We identified the following conditions:

a. The Office of Information Technology (OIT) could not physically locate a server.

OIT personnel were unable to locate a Dell Server that was recorded in the property subsidiary ledger and the general ledger at September 30, 2008, stating that the item may have been in transit to EEOC’s new headquarters office. We were unable to confirm the existence of the asset prior to the end of our field work.

GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), page 14, states:

An agency must establish physical control to secure and safeguard vulnerable assets.

b. Inaccurate and incomplete property information was recorded in the general ledger.

We identified the following inaccuracies in our review of P&E general ledger accounts:

o Accumulated amortization for internal-use software in the Period 12 trial balance exceeded the acquisition cost. EEOC personnel did not reconcile the property subsidiary ledger to the general ledger before yearend and before providing these items for audit. This anomaly was not detected until we brought it to management’s attention.

o An asset not meeting the $25,000 capitalization threshold was recorded as a capitalized asset in the general ledger. EEOC personnel did not review the property subsidiary ledger before yearend, and this error was not detected until we brought it to management’s attention.

o An asset was erroneously posted to the general ledger twice. EEOC personnel mistakenly concluded that an asset had not been posted during conversion from Integrated Financial Management System (IFMS) to Momentum. Therefore, they processed a journal voucher (JV) entry to add the asset to the general ledger. We identified this item as already recorded in the general ledger when the JV was posted.
o Two assets that met the capitalization threshold were acquired in FY 2008 and recorded in the general ledger, but were not entered into the property subsidiary ledger until after September 30, 2008. This resulted in a difference between the general and subsidiary ledgers at yearend.

GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), page 15, states that control activities should be in place:

…to ensure that all transactions are completely and accurately recorded.

c. Property certifications were not submitted in accordance with EEOC policy.

Many offices did not report on results of their physical inventories in a timely manner or at all. Thirteen offices submitted the property certification after the required due date, and three offices did not submit them at all. This condition was noted in FY 2007. FY 2008 corrective actions were not successfully completed to resolve this issue.

GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), page 18, states:

Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

Recommendation

We recommend that OCFO:

a. Implement training procedures to ensure that all personnel are aware of EEOC policies and procedures over capitalized equipment to ensure that information recorded in the general ledger and subsidiary ledger is accurate.

b. Review and refine controls over the reconciliation of the property subsidiary ledger to the general ledger to ensure that differences are identified and resolved in a timely manner.

c. Report offices that do not submit property certifications in accordance with established policy to the Office of the Chair and require that delinquent offices explain why certifications were not returned within the required timeframe.
Management Response

Management concurs with the findings and recommendations.

4. CONTROLS OVER UNDELIVERED ORDERS AND ACCOUNTS PAYABLE

We identified several instances of invalid UDO and accounts payable balances during FY 2008 testing.

We selected a sample of 60 aged accounts payable during FY 2008. EEOC personnel stated that 8 of these items were no longer valid, because they were residual amounts left over from payments already made or were old payables no longer needed.

OMB Circular A-136, Financial Reporting Requirements, Section 3, Balance Sheet, defines an accounts payable as:

...amounts owed by the reporting entity for goods and services received from other entities...

We selected a sample of 52 UDOs for testing during FY 2008—23 during our review of aged UDOs and 29 as part of our substantive sample of UDOs. EEOC personnel stated that 15 of the aged items were no longer valid, because the recorded UDO balance was not needed at year end and should have been deobligated, or because the goods or services were received, thus the amount should have been accrued as of September 30, 2008. Additionally, we determined that 3 of the UDOs selected as part of our substantive sample of UDOs were invalid, because goods or services were received during FY 2008, and thus accruals should have been processed to record these items as delivered orders – unpaid.

OMB Circular A-11, Preparation, Submission, and Execution of the Budget, Section 20, Terms and Concepts, defines an obligation as:

…a binding agreement that will result in outlays, immediately or in the future.

This condition was noted during the FY 2007 audit. FY 2008 corrective actions were not successfully completed to resolve this issue. During FY 2008, EEOC transitioned from IFMS to Momentum. As a result of this transition, the review of outstanding accounts payable and UDOs was not performed until yearend and was not due from all EEOC offices until October 31, 2008.
Many of the responses we received indicated that invalid items were being closed as part of this review and would be closed as of October 31, 2008. We considered these items to be invalid as of the September 30 fiscal yearend date.

Recommendation

We recommend that OCFO:

a. Revise review procedures over aged accounts payable and UDOs to require that all EEOC offices respond by the fiscal year end to ensure that invalid items are identified and deobligated before yearend financial reports are prepared.

b. Review and refine controls over the accrual process to ensure that accruals are processed to recognize goods and services that have been received.

c. Implement procedures requiring EEOC personnel to identify accounts payable over 3 months old and determine their continued validity. If valid, we recommend that EEOC personnel contact vendors to obtain invoices and ensure timely liquidation. If invalid, we recommend that EEOC personnel remove payable amounts from the accounting system.

Management Response

Management concurs with the findings and recommendations.

5. QUALITY CONTROL PROCEDURES OVER FINANCIAL STATEMENTS

EEOC’s quality control procedures over compilation and presentation of financial statements and related footnote disclosures were insufficient to detect errors, omissions, and inconsistencies in the reported information. During our review of the FY 2008 financial statements and the Performance Accountability Report (PAR), we identified the following:

o The following footnote disclosures were not presented in accordance with OMB Circular A-136:
  o The Earmarked Funds Footnote (Note 15) did not present assets, liabilities, net position, costs, and revenues for earmarked funds as required.
  o The Accounts Receivable Footnote (Note 3) did not present the methodology used to calculate the allowance for doubtful accounts as required.
  o The Undelivered Orders Footnote (Note 2) did not present all undelivered orders as required.
o Certain FY 2007 information reported in the footnote disclosures did not tie to audited FY 2007 information, and explanations were not provided in the footnotes.
o In addition, some footnote disclosures and amounts contained mathematical errors, were reported with incomplete data, and were inconsistent with other disclosures.
o Information on some supporting schedules did not tie to the trial balance or to the footnotes.
o EEOC was unable to provide support to adequately explain a prior-period adjustment.

While most of these errors were corrected after we brought them to the attention of management, it is the responsibility of the reporting agency, not the external auditor, to ensure that information reported in the financial statements is accurate, complete, and presented in accordance with applicable guidelines.

OMB Circular A-127, Federal Financial Systems, Section 6 – Policy, states that federal financial systems:

…shall provide complete, reliable, consistent, timely and useful financial management information….

Recommendation

We recommend that OCFO improve quality control procedures for reviewing final versions of financial statements and related footnotes prior to submission to auditors, to ensure that financial information to be reported in PARs is complete, accurate, consistent, and timely.

Management Response

Management concurs with the findings and recommendations.

6. SECURITY VIOLATIONS REVIEW

EEOC did not review security violations for the Federal Personnel/Process System (FPPS), Hyperion, and Momentum systems proactively and in a timely manner. Management has not established policies for reviewing security violations for outsourced systems and for reviewing them in a timely manner. EEOC places responsibility for security violation reviews on the National Business Center (NBC). NBC, however, does not perform security violation reviews at the application level for the outsourced system.
Reviews performed by NBC cover only the infrastructure and operating system portions for which it is responsible. Its reviews do not include applications, which are the responsibility of EEOC.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 1, Recommended Security Controls for Federal Information Systems, AU-6 – Audit Monitoring, Analysis, and Reporting, provides the following guidance:

The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

Recommendation

We recommend that EEOC management develop and implement policies and procedures for ensuring that application security violations for outsourced applications are appropriately reviewed and reported.

Management Response

Management concurs with the findings and recommendations.

7. SEGREGATION OF DUTIES

EEOC has not formally identified and documented incompatible duties for the FPPS and Momentum applications. Management was unable to provide documentation regarding an analysis of what roles should be segregated because of incompatible job functions.

NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (July 2008), provides the following guidance:

AC-5.1: The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.
IT Governance Institute, CoBIT 4.1, PO 4.11, Segregation of Duties, provides the following additional guidance:

Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorized duties relevant to their respective jobs and positions.

Recommendation

We recommend that EEOC develop policies for formally analyzing and reviewing all roles to identify incompatible duties. Additionally, we recommend that EEOC develop and document a process outlining functions that have been identified as having incompatible abilities. The results should be incorporated into the account request process to ensure individuals are not requesting incompatible duties.

Management Response

Management concurs with the findings and recommendations.

8. APPLICATION CONTROLS REVIEW

EEOC did not have controls to ensure that management appropriately reviewed, documented, and addressed client-control considerations for the FPPS, Hyperion, and Momentum applications. These applications are addressed by a Statement of Auditing Standards (SAS) 70 Type II report. Client controls, identified in the SAS 70 reports, highlight user-organization internal control responsibilities that the outsourced provider relies upon to achieve a secure operating environment. These represent, at a minimum, controls for which EEOC is responsible to ensure that outsourced applications and data are protected adequately. EEOC does not have a process to ensure that these controls are in place.
NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information Systems, SA-9 External Information System Services, provides the following guidance:

The organization: (i) requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements; and (ii) monitors security control compliance. Ultimately, the responsibility for adequately mitigating risks to organization’s operations and assets and to individuals arising from use of external information system services remains with the authorizing official, not with the service provider.

Recommendation

We recommend that EEOC develop policies and procedures for reviewing SAS 70 reports for outsourced systems and ensuring that all appropriate security and management personnel are involved in the application review process, especially the SAS 70 reviews. We recommend that security and management personnel be involved in the control design and implementation process.

Management Response

Management concurs with the findings and recommendations.

APPENDIX
STATUS OF MANAGEMENT'S ACTIONS ON PRIOR-YEAR RECOMMENDATIONS
FISCAL YEAR 2008 FINANCIAL STATEMENT AUDIT
U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION

See Attachment 2 for Management responses to unresolved prior year findings and recommendations.

Each recommendation below is followed by its status as of November 7, 2008.

FY 2007 conditions related to Budgetary Posting Logic:

a. We recommend that the Office of the Chief Financial Officer (OCFO) implement training procedures to ensure that all financial personnel are familiar with accounting and reporting guidelines published by the Department of Treasury to ensure that all transactions are properly recorded.
Status: Unresolved. Repeat conditions in FY 2008.

b. We recommend that EEOC review the posting logic within Momentum to ensure that only valid postings are made when payment transactions are processed. We also recommend that EEOC consider implementing procedures to periodically analyze GL postings to ensure that the desired effect is being achieved within the financial systems.
Status: Modified recommendation to address new accounting system.

FY 2007 condition related to Controls over Capital Leases:

We recommend that OCFO review and revise procedures in place over recording and disposing of capital leases to ensure that all capital assets are properly recorded in FAS and that supporting documentation for all transactions posted is maintained and is readily available for review.
Status: Unresolved. Modified repeat condition in FY 2008.

FY 2007 condition related to Improper Revenue Recognition:

We recommend that OCFO coordinate with the Director of RFD to establish procedures to recognize revenue on a full accrual basis consistent with generally accepted accounting principles. We recommend that training service revenue be recognized when earned, regardless of when the cash payment takes place. Customer payments received in advance should be recorded as deferred revenue to recognize a liability for the future provision of services.
Status: Unresolved. Repeat condition. Included in FY 2008 internal control report.

FY 2005 through 2007 conditions related to Outstanding Accounts Payable and Undelivered Order (UDO) Balances:

a. We recommend that the Chief Financial Officer (CFO) continue to refine the accounts payable and UDO review process implemented during FY 2007 to ensure that all recorded balances at year end are valid.
Status: Unresolved. Repeat condition in FY 2008.

b. We recommend that the OCFO implement procedures requiring EEOC personnel to contact vendors to obtain invoices for accounts payable that are over 3 months old to ensure timely liquidation of recorded payables.
Status: Unresolved. Repeat condition in FY 2008.
FY 2006 and 2007 conditions related to Quality Assurance Procedures over the Financial Statements:

We recommend that the OCFO improve quality control procedures for reviewing final versions of the financial statements and related footnotes to ensure that financial information to be reported in the PAR is complete, accurate, consistent, and timely.
Status: Unresolved. Repeat condition in FY 2008.

FY 2006 and 2007 conditions related to Physical Inventory of Accountable Property:

a. We recommend that EEOC establish policies and procedures requiring the OCFO to notify the Division Director responsible for any office not submitting “property certifications.” Upon notification from the OCFO, the Division Director should be given 30 days to either provide the property certification or provide a written explanation as to why the property certification cannot be completed.
Status: Unresolved. Repeat condition in FY 2008.

b. We recommend that EEOC implement policies and procedures to ensure that all Forms 629 (Report of Loss, Theft or Incident) are provided to the Security Specialist in a timely manner to ensure that all losses are promptly reported and investigated.
Status: Completed.

FY 2007 condition related to Internal-Use Software:

We recommend that OCFO coordinate with OIT to improve communication among divisions to ensure that requested information is received in a timely manner. We also recommend that OCFO and OIT coordinate to ensure that documentation supporting inquiries made and costs incurred is maintained and is readily available for review.
Status: Completed.

FY 2007 condition related to Segregation of Duties over Cash Receipts:

We recommend that OCFO coordinate with the Director of the Revolving Fund Division (RFD) to segregate potentially incompatible functions at the contractor office assigned to handle cash receipts by making assignments to prevent a single individual from opening mail, entering transactions in the general ledger, and processing bank deposits.
Status: Completed.
FY 2007 condition related to Background Investigations:

We recommended that EEOC complete background investigations for all employees and contractors, as appropriate, in accordance with federal guidelines and recommendations, as well as EEOC department guidelines, and document, record, and maintain evidence of these investigations.
Status: Unresolved.

FY 2007 condition related to Outsourced System Account Administration:

We recommended that EEOC develop, document, and implement policies and procedures for reviewing user accounts on FPPS. We also recommended that EEOC review user listings against terminated and separated employee listings on a continual basis to ensure that only appropriate users have active accounts.
Status: Unresolved.

FY 2006 and 2007 conditions related to Network Password Weaknesses:

We recommend that OIT revise its policy for password minimum length, expiration/change interval, and account lockout to adhere to industry best practices. We also recommended that EEOC implement the strengthened password policies in the system and ensure that they comply with industry best practices. We recommended the following changes to strengthen network password controls:
o Password minimum length = 6 to 18 (18 for administrative accounts)
o Password expiration = 30 to 90 days (30 for administrative accounts)
o User lockout = minimum of 12 hours or until reset
Status: Completed.

FY 2006 and 2007 conditions related to Removal of System Access for Terminated Employees and Inactive Accounts:

We recommended that OIT develop and implement procedures to guide the review of network accounts for inactivity. The procedures should define an allowable number of days before the account is removed or disabled. The allowable time period should be based on industry standards.
Status: Completed.

FY 2006 and 2007 conditions related to Internal Penetration Results:

We recommended that OIT develop full standard configurations for the platforms in use and ensure that these configurations meet recommendations of industry best practices, NIST, and NSA and are applied to all machines sitting on the network. We also recommended that OIT ensure that users and administrators are properly trained on the use of strong passwords for all accounts.
Status: Completed.

FY 2006 and 2007 condition related to Vulnerability Assessment Results:

We recommended that OIT ensure that the necessary software patches and security hot-fixes are installed on the network in a timely manner. We recommended that OIT update its baseline configuration document for the network and ensure that these configurations comply with the industry best practices, NIST, and NSA. The strengthened configurations should then be applied to all machines sitting on the EEOC network.
Status: Completed.

FY 2007 condition related to Security Program Plan:

We recommended that EEOC update the IT security program plan to include the following key areas:
o Personnel Security
o Technical Security
o System Interconnection/Information Sharing
Status: Completed.

FY 2007 condition related to Certification and Accreditation:

We recommended that EEOC conduct risk assessments and ST&Es for outsourced-system-control areas for which EEOC is responsible as part of a comprehensive C&A process.
Status: Completed.

FY 2007 condition related to Whole Disk Encryption:

We recommended that EEOC implement whole disk encryption for all mobile devices/computers in accordance with federal regulations and guidelines. If data are determined to be non-sensitive, the agency deputy secretary or designee must verify this in writing.
Status: Completed.

FY 2007 condition related to Access Authorization Documentation:

We recommended that EEOC develop, document, and implement policies and procedures to collect access request forms from all users, including users located in field offices. We also recommended that EEOC revise its current policies for reviewing account access to require that these forms be maintained on file for future reference.
Status: Completed.
Report 2008-006-FIN - MANAGEMENT LETTER REPORT FISCAL YEAR 2008 FINANCIAL STATEMENT AUDIT
Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2008-10-01.