United States General Accounting Office GAO Report to the Ranking Minority Member, Committee on Banking and Financial Services, House of Representatives August 1997 FEDERAL RESERVE BANKS Internal Controls Over Cash at Atlanta, Los Angeles, and Philadelphia Banks GAO/AIMD-97-127 United States GAO General Accounting Office Washington, D.C. 20548 Accounting and Information Management Division B-276265 August 28, 1997 The Honorable Henry B. Gonzalez Ranking Minority Member Committee on Banking and Financial Services House of Representatives Dear Mr. Gonzalez: This letter responds to your request that we review the work done by the Federal Reserve’s external auditor (Coopers & Lybrand L.L.P.) in reporting on the effectiveness of the internal control structure over financial reporting for cash at the Atlanta and Philadelphia Federal Reserve Banks, and the Los Angeles Branch. The external auditor’s work was conducted in response to a previous GAO recommendation that the Federal Reserve Board of Governors obtain an external examination of internal controls over cash operations at the Los Angeles Branch.1 Coopers & Lybrand reported that management for each of the three banks fairly stated their assertions that the banks maintained effective internal controls over financial reporting and safeguarding for coin and currency as of the date of management’s assertion on the effectiveness of the internal controls.2 You asked us to review the work done by the Federal Reserve’s external auditor including the scope of its work and the conclusions reached. Accordingly, our objective was to determine whether the work was conducted in accordance with applicable professional standards and supported the auditor’s opinions on managements’ assertions on the effectiveness of the internal controls over cash operations. In our September 1996 report, we also recommended that the Federal Reserve Board consider annual examinations of internal controls at each Federal Reserve Bank. In this regard, Federal Reserve officials advised us that they intend to include internal control examinations as a component of the annual financial statement audits of the Federal Reserve Banks. 1 Federal Reserve Banks: Inaccurate Reporting of Currency at the Los Angeles Branch (GAO/AIMD-96-146, September 30, 1996). 2 Managements’ assertions and the auditor’s reports as originally issued only specifically stated financial reporting controls. Based on our inquiries about this language and the scope of the auditor’s work, managements’ assertions and the auditor’s reports were appropriately reissued to also include safeguarding of cash. The revision conformed the reports to the reporting language suggested by a May 1994 addendum to the control criteria used by management and the auditor that is discussed in the background section of this report. Page 1 GAO/AIMD-97-127 Federal Reserve Banks B-276265 Our review disclosed no instances in which Coopers & Lybrand’s work to Results in Brief support its opinions on the effectiveness of the internal control structures over financial reporting and safeguarding for coin and currency at the Atlanta and Philadelphia Federal Reserve Banks, and the Los Angeles Branch did not comply, in all material respects, with the American Institute of Certified Public Accountants’ (AICPA) Attestation Standards. Coopers & Lybrand obtained and documented an understanding of the internal control policies and procedures, developed by the Federal Reserve Banks, to manage and account for each of the four main cash operating functions: receiving/shipping, currency processing, vault, and cash administration. Coopers & Lybrand also performed tests and other procedures in support of its evaluation of the design and operating effectiveness of the internal controls in order to form an opinion about the reliability of management’s assertion. Background Cash Operations at the The Federal Reserve, as the United States’ central bank, has primary Federal Reserve responsibility for maintaining the nation’s cash supply. In carrying out this responsibility, Federal Reserve Banks perform various cash-related functions to meet the needs of the depository institutions served by the Federal Reserve Banks. At the 37 Federal Reserve Banks and Branches which make up the Federal Reserve System, the cash operations function is responsible for shipping cash to meet the needs of depository institutions, receiving shipments of new currency from the Bureau of Engraving and Printing, new coin from the U.S. Mint, and incoming deposits of excess and unfit currency and coin from depository institutions. In addition to maintaining custodial controls over the cash in its possession, each Federal Reserve Bank and Branch processes currency received from circulation and records and summarizes the various accounting transactions associated with these activities. While the 37 Federal Reserve Banks and Branches perform the same cash-related functions, they may use different systems and processes to manage and account for the cash under their control. The Federal Reserve Banks and Branches in three of the System’s 12 districts—Atlanta, Philadelphia, and San Francisco—use the Cash Automation System (CAS) to manage and account for cash under their control. CAS is an electronic Page 2 GAO/AIMD-97-127 Federal Reserve Banks B-276265 inventory system which, among other features, tracks coin and currency activities and balances by denomination and identifies bank operating units with custodial responsibility for cash. Certain data maintained in CAS are used to provide daily updates to the bank’s general ledger system. CAS data are also used by bank officials to prepare monthly currency activity reports. These reports, which track each Federal Reserve Bank’s monthly currency activities and end-of-month vault balance, are used by the Federal Reserve Board to monitor currency activities across the Federal Reserve System. Internal Control Issues In September 1996, we reported on the results of a review of currency Regarding Currency activity reports prepared by the Los Angeles Branch. The review Reporting at the Los responded to concerns about reported inaccuracies in certain of the bank’s monthly currency activity reports. The review’s objectives were to Angeles Branch determine the nature of currency reporting inaccuracies and review actions intended to resolve them. Our review found that certain data needed for the October through December 1995 currency activity reports were forced to ensure that the reports agreed with the Los Angeles Branch’s end-of-month balance sheet. As a result, analysis by a bank analyst showed that receipts from circulation were understated by $5.8 million in October, overstated by $61.8 million in November and understated by $111 million in December. Our review noted problems with the reporting of currency activities which raised concern about the quality of the Los Angeles Reserve Branch’s internal control environment and potential CAS system limitations which could affect currency accounting and reporting. In response to the review’s findings and recommendations, the Federal Reserve Board took a number of immediate actions specific to the Los Angeles Branch including (1) revising policies and procedures for preparing the monthly currency activity report, (2) conducting an unannounced 100-percent count of the Los Angeles Branch’s currency and coin holdings and comparing the results to the bank’s balance sheet, and (3) conducting an internal review of the bank’s cash operations and related financial records. The Federal Reserve Board reported that (1) the results of the physical count confirmed that the Los Angeles Branch’s balance sheet accurately reflected its currency and coin holdings and (2) its examiners found that the accounting for the cash handled by the bank was accurate and that proper safeguards and controls existed to ensure the integrity of the bank’s financial records. Page 3 GAO/AIMD-97-127 Federal Reserve Banks B-276265 In addition to actions addressing the Los Angeles Branch’s currency reporting and controls, the Federal Reserve Board arranged for an external examination of internal control over cash operations at certain banks that use CAS to manage and account for cash operations—the subject of this report. External Review of Cash Our September 1996 report recommended that, given the problems in Operations at Three preparing the currency activity report using CAS data in Los Angeles, the Federal Reserve Banks Federal Reserve Board require an external review of internal controls. In response to our recommendation, the Federal Reserve Board hired Coopers & Lybrand L.L.P., an independent public accounting firm, to examine and report on managements’ assertions about the effectiveness of the internal control structure over financial reporting and safeguarding3 for cash at three banks—the Federal Reserve Bank of Atlanta’s Home Office, the Federal Reserve Bank of San Francisco’s Los Angeles Branch, and the Federal Reserve Bank of Philadelphia. These banks represent 3 of the 12 cash operations located in the Reserve System which use CAS to provide inventory and management control and accounting for cash-related activities. Table 1 provides 1996 currency data on the relative size and volume of currency processing activities at the 3 locations covered by Coopers & Lybrand’s external examinations, the 12 which use CAS, and the entire 37 banks and branches. 3 An entity’s internal control structure over financial reporting includes those policies and procedures that pertain to an entity’s ability to record, process, summarize, and report financial data consistent with the assertions embodied in the entity’s financial statements. Safeguarding of assets refers to those controls designed to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of an entity’s assets that could have a material effect on the financial statements. Page 4 GAO/AIMD-97-127 Federal Reserve Banks B-276265 Table 1: Comparative Federal Reserve Currency Activity Data for 1996a In billions Federal Reserve locations using CAS All 37 Federal 3 locations All 12 locations Reserve Banks examined using CAS and Branches Total value of currency Received $ 94.7 $ 181.5 $ 591.2 Processed $ 76.3 $ 143.8 $ 377.3 Destroyed $ 30.6 $ 59.1 $ 149.0 Shipped $ 63.9 $ 119.4 $ 422.0 On-hand at year-end $ 12.1 $ 23.5 $ 100.3 Average daily value of currency Received $ 0 .376 $ 0 .720 $ 2.3 Processed $ 0 .303 $ 0 .571 $ 1.5 Destroyed $ 0 .121 $ 0 .235 $ 0.6 Shipped $ 0 .254 $ 0 .474 $ 1.7 Total currency notes Received 5.7 11.7 35.0 Processed 4.2 8.8 23.6 Destroyed 1.5 3.5 8.7 Shipped 4.1 8.1 25.7 On-hand at year-end 0.8 1.6 5.1 Average daily currency notes Received 0 .023 0 .047 0 .139 Processed 0 .017 0 .035 0 .093 Destroyed 0 .006 0 .014 0 .035 Shipped 0 .016 0 .032 0 .102 a The currency activity data was compiled by GAO based on data provided by the Federal Reserve Board. Currency received includes deposits of excess and unfit currency from depository institutions as well as new currency received from the Bureau of Engraving and Printing. The data have not been verified and are provided for informational purposes only. The data exclude coin held under the control of Federal Reserve Banks. As of December 31, 1996, the coin held by all Federal Reserve Banks was $591 million; by the 12 Federal Reserve locations using CAS, $199 million; and by 3 Federal Reserve locations examined by Coopers & Lybrand, $76 million. The objective of Coopers & Lybrand’s examinations was to opine on whether managements’ assertions on the effectiveness of internal controls were fairly stated based on the internal control criteria used by management. In performing its examinations and concluding on the reliability of managements’ assertions, Coopers & Lybrand performed an attest engagement which is governed by the AICPA’s Attestation Standards. The attestation standards provide both general and specific guidance which is intended to enhance the consistency and quality of these engagements. The attestation standards consist of general, fieldwork, and Page 5 GAO/AIMD-97-127 Federal Reserve Banks B-276265 reporting standards which apply to all attestation engagements and individual standards which apply to specific types of attestation engagements. The attestation standards supplement existing auditing standards by reenforcing the need for technical competence, independence in attitude, due professional care, adequate planning and supervision, sufficient evidence, and appropriate reporting. In addition to the general, fieldwork, and reporting attestation standards, Coopers & Lybrand’s examination at the three Reserve Banks was also subject to requirements of a specific attestation standard—Statement on Standards for Attestation Engagements No. 2, Reporting on an Entity’s Internal Control Structure Over Financial Reporting. This standard provides guidance on planning, conducting, and reporting on the engagement, including evaluating the design and operating effectiveness of internal controls. A key provision of the standard is that management use reasonable control criteria which have been established by a recognized body in evaluating the internal control structure’s effectiveness. This requirement ensures that management uses commonly understood and/or accepted control criteria in concluding on the internal control structure’s effectiveness and that the practitioner uses the same criteria in forming an opinion on management’s assertion. Management for each of the Federal Reserve Banks covered by Coopers & Lybrand’s examinations based their assessments of internal control effectiveness on criteria contained in the Internal Control-Integrated Framework issued in September 1992 by the Committee on Sponsoring Organizations of the Treadway Commission (COSO). To develop a broad understanding of internal control and establish standards for assessing its effectiveness, COSO developed a structured approach—the Integrated Framework—which defines internal control and describes how it relates to an entity’s operations. Internal control represents the process, designed and operated by an entity’s management and personnel, to provide reasonable assurance that fundamental organizational objectives are achieved. The Integrated Framework describes internal control in terms of objectives, essential components of internal control, and criteria for assessing internal control effectiveness. Internal control objectives—what internal controls are intended to achieve—fall into three distinct but overlapping categories: operations—relating to effective and efficient use of an entity’s resources; financial reporting—relating to preparing reliable financial statements; and compliance—relating to an entity’s compliance with laws and Page 6 GAO/AIMD-97-127 Federal Reserve Banks B-276265 regulations. Safeguarding controls are a subcategory within each of these control objectives. Safeguarding controls—those designed to prevent or promptly detect unauthorized acquisition, use, or disposition of an entity’s resources—are primarily operations controls. However, certain aspects of safeguarding controls can also be considered compliance and financial reporting controls. When legal or regulatory requirements apply to use of resources, operations controls designed to safeguard the efficient and effective use of resources also address compliance objectives. Similarly, objectives designed to ensure that losses associated with the use or disposition of resources are properly recognized and reflected in the entity’s financial statements also address financial reporting objectives. In May 1994, COSO issued an addendum to its Integrated Framework to provide specific reporting guidance on controls concerning safeguarding of assets.4 COSO stated that there is a reasonable expectation that a management report will cover not only controls to help ensure that transactions involving an entity’s assets are properly reflected in the financial statements, but also controls to help prevent or promptly detect unauthorized acquisition, use, or disposition of the underlying assets. COSO believes it is important that this expectation be met. The addendum provided suggested wording for management’s report on internal control over financial reporting to also specifically state safeguarding of assets when covered by management’s report. Internal control, as described in the Integrated Framework, consists of five essential and interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. The control environment represents the control consciousness of an entity, its management, and staff. Risk assessment refers to the awareness and management of relevant internal and external risk associated with achieving established objectives. Control activities represent the operating policies and procedures designed to help ensure that management’s directives—desired actions intended to address risks—are carried out. Information and communication refers to the need for relevant and useful information to be communicated promptly to management and staff for use in carrying out their responsibilities. The monitoring component refers to the need to monitor and assess over time the effectiveness of internal control policies and procedures in achieving their intended objectives. 4 Internal Control - Integrated Framework: Addendum to “Reporting to External Parties,” May 1994, COSO. Page 7 GAO/AIMD-97-127 Federal Reserve Banks B-276265 The nature and extent to which an entity’s internal control structure incorporates the five control components represent criteria that can be used in assessing the internal control effectiveness of operating, financial reporting, and compliance controls. Management can assess and report on the effectiveness of any of the three categories of control objectives. Internal controls can be judged effective if, for each category of control objective reported on, management has reasonable assurance that each of the five control components has been effectively incorporated into the entity’s internal control structure. COSO recognized that determining effectiveness was a subjective judgment. Similarly, with respect to effectiveness of safeguarding controls, controls can be judged effective if management has reasonable assurance that unauthorized acquisition, use, or disposition of an entity’s assets that could have a material effect on the financial statements are being prevented or detected promptly. For each examination, Coopers & Lybrand concluded that Federal Reserve Results of External Bank management fairly stated its assertion that the bank maintained an Reviews of Control effective internal control structure over financial reporting and Over Cash Operations safeguarding for cash as of the date specified by management based on criteria established in the Internal Control—Integrated Framework issued by COSO. Coopers & Lybrand’s examinations were conducted at different times during the late summer and fall of 1996 because management for each of the three Reserve Banks made their assertions about the effectiveness of internal controls as of different specified dates (Atlanta, September 30, 1996; Los Angeles, August 31, 1996; and Philadelphia, October 31, 1996). In making an assertion as of a point in time, the scope of management’s assessment of internal controls is limited to the design and operating effectiveness of internal controls in place on the date of management’s assertion. In addition to its positive conclusions on the reliability of management’s assertion on the effectiveness of financial reporting and safeguarding controls, Coopers & Lybrand’s report contains standard language related to the inherent limitations in any internal control structure and projections of results of any internal control structure evaluation to other periods. This language, required by the AICPA’s Attestation Standards, is intended to remind readers that (1) internal controls, no matter how well designed and operated, can provide only reasonable assurance that internal control objectives are achieved, and (2) projections of the results of any internal Page 8 GAO/AIMD-97-127 Federal Reserve Banks B-276265 control structure evaluation to any other period is subject to the risk that the internal control structure may be inadequate because of changes in conditions, or the degree of adherence to policies and procedures may deteriorate. To perform our work, we met with Federal Reserve officials and the Scope and Coopers & Lybrand partner and audit manager responsible for the Methodology examination and discussed the nature of the examination of internal controls over financial reporting and safeguarding for cash. We also discussed the applicable attestation standards and internal control criteria used by the firm in conducting the examination. We reviewed the applicable attestation standards and evaluation criteria (Internal Control—Integrated Framework issued by COSO) used by the bank’s management and Coopers & Lybrand to assess the effectiveness of internal controls over financial reporting and safeguarding for cash. We also reviewed the Coopers & Lybrand working papers supporting its opinions on internal controls at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks. We looked for evidence that the work had been planned and performed in accordance with applicable attestation standards. We also looked for evidence that Coopers & Lybrand’s work addressed the applicable internal control criteria. Where necessary, we obtained additional understanding of the procedures performed through discussions with the partner and audit manager of Coopers & Lybrand. Where Coopers & Lybrand’s working papers indicated that it used work performed by the Federal Reserve Banks’ General Auditors with respect to electronic data processing controls, we conducted interviews with the General Auditor staff for the three banks and Federal Reserve Automation Services and reviewed their applicable internal audit working papers. We visited the Atlanta, Los Angeles, and Philadelphia banks to enhance our understanding of the respective internal control structures over financial reporting and safeguarding for cash. During our visits, which took place during April and May 1997, we observed the processes and internal controls in the respective bank’s cash department that had been identified and documented by Coopers & Lybrand, and held discussions with management and staff of the cash department and the internal audit department. Page 9 GAO/AIMD-97-127 Federal Reserve Banks B-276265 We performed our work from January 1997 through June 1997. Our review was performed in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the Federal Reserve System Board of Governors. On August 1, 1997, the Board of Governors of the Federal Reserve System provided us with comments that are included in appendix II and discussed in the agency comments section of this report. In performing its examinations, Coopers & Lybrand (1) obtained an External Auditor’s understanding of the procedures and internal controls, (2) evaluated the Procedures design effectiveness of the controls, (3) tested and evaluated the operating effectiveness of the controls, and (4) formed opinions about whether managements’ assertions regarding the effectiveness of the internal controls were fairly stated, in all material respects, based on the COSO control criteria. Internal controls usually involve two elements: a policy establishing what should be done and procedures to effect the policy. The procedures include a range of activities such as approvals, authorizations, verifications, reconciliations, physical security, and separation of duties. Coopers & Lybrand found that the Federal Reserve has developed custody control standards and procedures that provide a framework for establishing systems of internal controls to protect cash processed and stored at the banks. Coopers & Lybrand’s working papers described the cash operating process the banks followed in managing, controlling, and accounting for cash operations. This process is broken down into four major areas: (1) receiving/shipping of cash, (2) processing of currency to check the accuracy of deposits from depository institutions, identify counterfeit currency, and determine the currency’s fitness for recirculation, (3) vault storage of cash, and (4) cash administration. The cash operations followed by the banks are discussed in more detail in appendix I. Coopers & Lybrand’s work focused on the internal controls designed to properly record, process, and summarize transactions to permit the preparation of reliable financial statements and to maintain accountability for assets (financial reporting controls) and safeguard assets against loss from unauthorized acquisition, use, or disposition (safeguarding controls). These controls include two categories of information system control Page 10 GAO/AIMD-97-127 Federal Reserve Banks B-276265 activities5 which serve to ensure completeness, accuracy, and validity of the financial information in the system. In order to determine whether the internal controls provided reasonable assurance that losses or misstatements material in relation to the financial statements would be prevented or detected as of the date of management’s assertion, Coopers & Lybrand tested the operating effectiveness of the internal controls. The testing methods included observation, inquiry, and inspection. No one specific control test is necessary, applicable, or equally effective in every circumstance. Generally, a combination of these types of control tests is performed to provide the necessary level of assurance. The types of tests performed for each control activity are determined by the auditor using professional judgment and depend on the nature of the control to be tested and the timing of the control test. For example, documentation of some control activities may not be available or relevant and evidence about the effectiveness of operation is obtained through observation or inquiry. Also, some activities, such as those relating to the resolution of exception items, may not occur on the date that the auditor is conducting the tests. In those cases, the auditor needs to inquire about the procedures performed when exceptions occur. Observation tests are conducted by observing entity personnel actually performing control activities in the normal course of their duties. For example, Coopers & Lybrand observed the physical separation between the carriers and the receiving and shipping teams, the use of locks and seals on the containers used for storing currency, and the preparation of the end of day proof by each of the teams. In currency processing, Coopers & Lybrand observed preparation of the processing unit proof, transfer of currency to and from the processing teams, and processing team operations. Observation of processing operations documented in their working papers included the handling of currency rejected by the high speed machine and its processing on the slower speed machine, and the physical transfer of rejected currency from the processing team to the cancellation team. Inquiry tests are conducted by making either oral or written inquiries of entity personnel involved in the application of specific control activities to 5 General controls are the policies and procedures that apply to the entity’s overall computer operations and create the environment which ensures the continued, proper operation of the application systems. Application controls include computerized steps within the application software and related manual procedures to provide reasonable assurance of accurate and reliable processing. Page 11 GAO/AIMD-97-127 Federal Reserve Banks B-276265 determine what they do or how they perform the specific control activity. For example, Coopers & Lybrand’s inquiries of bank personnel included asking about procedures performed when containers stored in the vault are found to have broken seals and when discrepancies in shipments are reported by the depository institutions. Inspection tests are conducted by examining documents and records for evidence (such as the existence of initials, signatures, or other indications) that a control activity was applied to those documents and records. Coopers & Lybrand used inspection to test controls such as the daily reconciliation of CAS and the general ledger system, the end of day proofs prepared by each team, vault inventories, and monitoring logs prepared by cash department management personnel. Similarly, Coopers & Lybrand tested computer controls through observation, inquiry, and inspection. For example, they observed the enforcement of physical access controls such as logging of visitors and video surveillance. They asked management about the control procedures over changes to the CAS program code and corroborated the information they were given by interviewing system users and application developers. They inspected a system log to verify that backup tapes were being produced on schedule. For many of the computer controls tests in their work program, Coopers & Lybrand consulted with Federal Reserve Bank’s General Auditors to gain an understanding of the computer controls and/or examined their working papers to further corroborate information that Coopers & Lybrand obtained through observation, inquiry, and inspection. In addition to other tests conducted by inspection, observation, and inquiry, the banks’ internal audit working papers evidenced tests based upon independent verification of compliance with computer control procedures. For example, the General Auditors for the Federal Reserve Bank in Philadelphia selected five days of work for each of five cash processing rooms and examined system reports and manual logs to verify that the high-speed currency processing machines were tested daily and that they returned acceptable results before being put into production. Page 12 GAO/AIMD-97-127 Federal Reserve Banks B-276265 The results of our review disclosed no instances in which Coopers & Results of GAO’s Lybrand did not comply, in all material respects, with the AICPA’s Review of Coopers & Attestation Standards in the work described above. We found that Coopers Lybrand’s & Lybrand’s working papers adequately documented that it had planned, performed and supervised the work. The working papers contained Examination evidence that the auditor had an appropriate level of knowledge about the Federal Reserve Banks and had considered relevant work from prior years’ audits, such as descriptions of the internal control structure. The scope of the examination was detailed in a written engagement letter. We found that the work was performed by staff who were independent with respect to the Federal Reserve Banks and had adequate experience. Also, the working papers evidenced that the staff had been properly supervised. For example, key working papers were reviewed by the Audit Manager and Partner. We found that Coopers & Lybrand used audit tools to assist it in documenting the internal controls for each of the processes included in cash operations. For example, its auditors prepared worksheets which identified internal control objectives, the related risks and the control activities designed to address the objectives. Also, they prepared work programs which described the procedures to be performed to test the control activities, and they documented the results of their tests in written working papers. They used similar audit tools for their review of computer controls, documenting in their working papers the control objectives to be tested, the procedures performed, and their conclusions. In accordance with the attestation standards, the working papers contained written assertions made by management about the effectiveness of the bank’s internal controls and contained a written management representation letter. In commenting on a draft of this report, the Board of Governors of the Agency Comments Federal Reserve System fully concurred with our conclusion on Coopers & Lybrand’s work. The Board of Governors indicated that our conclusions are consistent with those of the Board’s Inspector General. Also, the Board of Governors noted that the financial controls in each Reserve Bank’s operations, including cash, will be evaluated on an ongoing basis as part of Coopers & Lybrand’s audit procedures in order to render an opinion on the financial statements. Further, the cash operations controls are reviewed regularly by the Banks’ internal auditors, the Board’s financial examiners, Board staff who conduct periodic operations reviews of Page 13 GAO/AIMD-97-127 Federal Reserve Banks B-276265 Reserve Bank cash functions, and the Department of Treasury reviews of currency destruction activities. We are sending copies of this report to the Chairman of the Board of Governors of the Federal Reserve System; the Secretary of the Treasury; the Chairman of the House Committee on Banking and Financial Services; the Chairman and Ranking Minority Member of the Senate Committee on Banking, Housing, and Urban Affairs; and the Director of the Office of Management and Budget. Copies will be made available to others upon request. Please contact me at (202) 512-9406 if you or your staff have any questions. Major contributors to this report are listed in appendix III. Sincerely yours, Robert W. Gramling Director, Corporate Audits and Standards Page 14 GAO/AIMD-97-127 Federal Reserve Banks Page 15 GAO/AIMD-97-127 Federal Reserve Banks Contents Letter 1 Appendix I 18 Cash Operations at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks Appendix II 24 Comments From the Board of Governors of the Federal Reserve System Appendix III 27 Major Contributors to This Report Table Table 1: Comparative Federal Reserve Currency Activity Data for 5 1996 Abbreviations AICPA American Institute of Certified Public Accountants CAS Cash Automation System COSO Committee on Sponsoring Organizations of the Treadway Commission IAS Integrated Accounting System Page 16 GAO/AIMD-97-127 Federal Reserve Banks Page 17 GAO/AIMD-97-127 Federal Reserve Banks Appendix I Cash Operations at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks As the United States’ central bank, the Federal Reserve has primary responsibility for maintaining the nation’s cash supply. In carrying out this responsibility, Federal Reserve Banks perform various cash-related operations. At the 37 Federal Reserve Banks and Branches, the cash operations function is responsible for receiving new coin from the U.S. Mint, new currency from the Bureau of Engraving and Printing, cash from depository institutions, currency processing, safeguarding cash held on deposit, and shipping cash to meet the needs of depository institutions. In addition, Federal Reserve Banks must record and summarize the various accounting transactions associated with their cash-related activities. While each Federal Reserve Bank performs the same basic cash-related functions, banks may use different systems and procedures to manage and account for the cash under their control. Federal Reserve Banks in Atlanta, Los Angeles, and Philadelphia use the Cash Automation System (CAS) to provide inventory, safeguarding, and accounting control over currency processing. CAS is an electronic inventory system which, among other features, tracks coin and currency activities and balances by denomination, and identifies bank operating units with custodial responsibility for cash. Certain data maintained in CAS are used to provide daily updates to the Federal Reserve’s general ledger system. CAS data are also used by Federal Reserve officials to prepare monthly currency activity reports. In addition to CAS, the three Federal Reserve Banks use procedural controls to safeguard cash and account for processing-related activities. These controls include restricted access, joint custody, segregation of processing-related duties, video surveillance cameras, supervisory review, and monitoring. Presented below is a general description of the cash operations functions at the three Federal Reserve Banks examined by Coopers & Lybrand. While the description focuses on currency operations, the handling and control procedures over coin are similar to those for currency, with a few notable differences. For example, coins are handled in bags and their content is verified through a weighing process, while currency notes received from depository institutions are individually checked by high-speed equipment for accuracy, fitness, and authenticity. Also, coin is stored in a separate vault from currency. Each work day, depository institutions may notify Federal Reserve Banks Receiving/Shipping electronically of currency that they are depositing with or ordering from each bank. The notification includes the dollar amount and Page 18 GAO/AIMD-97-127 Federal Reserve Banks Appendix I Cash Operations at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks denominational breakdown for the deposit or order. The cash is transported between the Federal Reserve Banks and depository institutions by armored carriers which enter the bank buildings through secured entrances. To ensure the integrity of the currency received from or transferred to the carriers, the Federal Reserve Banks use a minimum of two-person receiving or shipping teams. These teams are always physically separated from the carriers as shipments are unloaded or loaded by the carriers. For example, carriers unload or load the currency into a glass-walled room (sometimes called an anteroom) which is bordered on one end by the carriers’ entrance and on the other end by the receiving or shipping room. Each anteroom has two sets of locking doors on either end. The receiving or shipping team cannot enter the anteroom when the carrier is unloading or loading currency. Currency transfers are accepted on a “said to contain”1 basis. Carriers verify currency transfers by checking the number and denomination of currency bags to see if they match the stated contents on the manifests. When currency is received by a Federal Reserve Bank, the receiving team counts the number of bags received from each depository institution and independently compares this to the carrier’s manifest before accepting the currency from the carrier. Subsequently, the receiving team counts the bundles2 of currency to verify the total amount received. These counts of the number of bundles received for each denomination are performed independently by each team member. The team members then independently put their counts into CAS where they are compared to each other and to the deposit notification received from the depository institution. If the counts match, the depository institution automatically receives credit for the shipment. If the counts do not match, the difference is investigated and must be resolved before the end of day closeout or reconciliation process can be completed. After the counts are completed, the currency is transferred to a vault in a sealed container3 where it is safeguarded until it goes through currency processing. When currency is being shipped to fill an order, the currency is transferred from the vault to a shipping team. The shipping team inspects the integrity of the seals on the containers prior to accepting accountability for the 1 “Said to contain” means that the carrier accepts responsibility only for the number of sealed bags, without regard to the amounts contained in the bags. The carrier is not responsible for any differences that either the Federal Reserve Bank or depository institution identifies unless the integrity of the bag seals was compromised while under the carrier’s responsibility. 2 A bundle consists of 10 straps of 100 notes each. 3 The seal numbers are entered into CAS to track the container. Page 19 GAO/AIMD-97-127 Federal Reserve Banks Appendix I Cash Operations at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks currency. The shipping team prepares the order by placing the currency in sealed bags. The team members independently count the order and put their counts into CAS where they are compared to each other and to the order notification received electronically from the depository institution. Because the carrier accepts the shipment on a said-to-contain basis, any discrepancies subsequently identified by the depository institution in the amounts of currency in the bags must be resolved with the Federal Reserve Bank that filled the order. At the end of each shift, each receiving and shipping team prepares a daily proof to ensure that all of the currency transferred to the team from a carrier or the vault is accounted for either in the team’s ending inventory or through transfers to the vault or carriers. Currency received from depository institutions is processed to check the Currency Processing accuracy of the deposit, identify counterfeit currency, and determine the currency’s fitness. The processing takes place in glass-walled rooms which have numerous surveillance cameras and locked doors that enable the processing team to control access to each room and its contents. Processing teams are composed of either two or three members who share joint custody and accountability for the team’s currency holdings and processing activities. On a scheduled basis, the processing machines are tested to ensure they are performing within established tolerance levels. The tests consist of running currency test decks through the machines to determine whether they are correctly counting the notes, identifying and rejecting different denominations and counterfeit currency, and identifying and shredding soiled currency. Testing is performed by trained currency processing staff who are not directly involved in routine processing activities. The test results are tracked through automated output reports which are reviewed by the test operator and management. If the test results indicate the need for service, site engineers are available to service the machines. Test decks are only used for a specified number of tests after which the test decks are destroyed. Custody of the test decks is tracked in the CAS inventory and access is restricted through the use of locked storage containers. All currency received from circulation is processed initially on a high-speed machine which counts the notes and tests for denomination, soil level, and authenticity. One of three things can happen to individual currency notes as they are processed on the high-speed machine. Currency Page 20 GAO/AIMD-97-127 Federal Reserve Banks Appendix I Cash Operations at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks which passes the machine’s various tests is considered fit for recirculation and is repackaged with a new currency strap which identifies the Federal Reserve Bank, the processing team, and the date the currency was processed. Currency failing only the soil test is shredded on-line by the high-speed machine which generates output reports that track the number and denomination of currency shredded during the shift. The high-speed machine also rejects currency for incorrect denomination, questionable soil levels, and/or potential counterfeit. This currency undergoes further processing to check denomination and authenticity on a slower speed machine. Differences in count are tracked by the automated output reports and recorded in CAS as adjustments4 to the depository institution’s deposit. Depository institutions are notified—via a written adjustment advice—of changes to their previously recorded deposit amounts. Rejected currency is transferred to a slower machine for further processing and inspection along with the straps that identify the depository institution that packaged the currency. The operator enters the rejected currency into the slower speed machine where it is retested for denomination, soil level, and counterfeit. Currency which passes the retests is shredded on-line and tracked in automated output reports. Currency which fails any one of the retests is rejected by the slower speed machine. The rejects, along with the cause for the rejections, are tracked and separately reported in automated output reports. These reports are also used to adjust the depository institution’s account with the Federal Reserve Bank for the amount of the difference. Currency rejected by the slower speed machine is sorted for off-line destruction or transfer. Counterfeit items are stamped “Counterfeit” and transferred daily from the processing team to independent clerks who examine, count, and collect counterfeit currency for shipment to the U.S. Secret Service for follow-up and analysis. Currency rejected for denomination and soil level is transferred daily to a separate team for cancellation and subsequent off-line destruction. In the presence of the processing team, a cancellation team counts and accepts the transfer of the rejected currency for cancellation. The transfer is recorded in the CAS system. The team takes the rejected currency in a locked container to a cancellation room where the currency is cancelled by punching bank-specific-shaped holes into the currency. The cancellation process is monitored by an independent observer who also monitors the transfer of the cancelled currency to a separate off-line destruction team. Upon 4 Within established time frames, the credit given a depository institution when its deposit is received by the Federal Reserve Bank is subject to adjustment based on the results of processing the currency. Page 21 GAO/AIMD-97-127 Federal Reserve Banks Appendix I Cash Operations at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks verification and approval by the off-line destruction team, the transfer of cancelled currency is recorded in CAS. Off-line destruction occurs periodically throughout the week and is monitored by an independent observer who counts the number and denomination of the currency straps to be destroyed and matches it to the strap count performed by the off-line destruction team. In addition, the destruction team and independent observer follow prescribed policies which include sample counts of individual low value currency notes and a 100 percent count of higher value currency notes. Once this count is completed, the off-line destruction team, along with the independent observer, takes the cancelled currency to a special room where it is destroyed in a shredder. Once all currency has been destroyed, the destruction team and the independent observer inspect the shredder to ensure that all cancelled currency was destroyed. Following the off-line destruction, the team generates from CAS a certificate of destruction based on the earlier currency transferred to the off-line destruction team. The certificate of destruction is signed by the team and the observer and forwarded to Cash Administration for use in the end-of-day reconciliation. At the end of each shift, each processing team prepares its unit proof. The proof is designed to ensure that the processing team can account for the team’s currency holdings and processing activities by tracking the value of its beginning and ending inventory, its currency transfers in and out, and any adjustments arising during processing. After the team completes and accepts the proof data, it is transmitted electronically to CAS where it is compared to related currency data entered into CAS during the shift. If the proof data balance and agree with related currency data in CAS, the unit proof is accepted. If the proof data do not agree with related currency data in CAS, the processing team must request management assistance to identify and resolve differences. The Federal Reserve Banks use vaults to safeguard the currency they hold. Vault Storage The vault is a separate room within the cash department and a record is maintained of all persons who enter and exit the vault each day. Access to the vault may also be restricted through the use of keys or swipe cards. When stored in the vault, currency of the same denomination is stacked in locked containers. Cash department employees have a set of locks with their own personal key or combination. The employees use these locks to secure the containers for which they are accountable. In addition to the locks, each two-person team secures the containers with two Page 22 GAO/AIMD-97-127 Federal Reserve Banks Appendix I Cash Operations at the Atlanta, Los Angeles, and Philadelphia Federal Reserve Banks prenumbered seals. In some Federal Reserve Banks, the locks are removed while the containers are stored in the vault. When this occurs, the integrity of the seals is verified when accountability for the container is transferred to another team. In some Federal Reserve Banks, accountability for the currency is transferred to vault custodians when the currency is stored in the vault. In other Federal Reserve Banks, accountability for currency stored in the vault stays with either the receiving or shipping team, and the vault custodians serve more of an administrative function. In both cases, the vault custodians periodically conduct a rack count of the currency in the vault (i.e., daily in Atlanta and Los Angeles, weekly in Philadelphia) and reconcile the count to CAS. The custodians also prepare a daily proof at the end of each day to ensure that all transfers of currency in and out of the vault match shipping, receiving and high-speed processing records. The Cash Administration independent proof clerk is responsible for Cash Administration producing the department proof, the daily reconciliation of CAS and the Integrated Accounting System (IAS),5 and submitting manual entries to the IAS. All manual IAS entries must balance and be reviewed and approved by management. Before the department proof can be produced, CAS is used to verify that all teams have produced their final unit proofs, and the cash department inventory and transaction totals agree. The department proof lists all of the transactions and current inventory balances for each of the department’s teams (receiving, shipping, processing, and vault). The independent proof clerk then compares the department inventory total to the calculated balance from CAS. The calculated balance is determined by taking the ending inventory from the previous day and adding/subtracting for the current day’s transactions. The two totals must be equal. Throughout the day, transactions from CAS are automatically uploaded and posted to IAS. The daily reconciliation of CAS and IAS involves the comparison of the end-of-day department inventory totals from CAS to the total reflected in IAS. The two totals must be equal. Periodically, the independent proof clerk performs a blind confirmation of the reconciliation in which the clerk is “locked out” of IAS and submits the CAS balances to the accounting department for reconciliation. The daily reconciliations of CAS and IAS are reviewed and approved by cash administration management. 5 IAS is the Federal Reserve’s general ledger system. Page 23 GAO/AIMD-97-127 Federal Reserve Banks Appendix II Comments From the Board of Governors of the Federal Reserve System Page 24 GAO/AIMD-97-127 Federal Reserve Banks Appendix II Comments From the Board of Governors of the Federal Reserve System Page 25 GAO/AIMD-97-127 Federal Reserve Banks Appendix II Comments From the Board of Governors of the Federal Reserve System Page 26 GAO/AIMD-97-127 Federal Reserve Banks Appendix III Major Contributors to This Report John J. Reilly, Assistant Director Accounting and Christine A. Robertson, Assistant Director Information C. Les Thompson, Assistant Director Management Division, Washington, D.C. Sharon S. Kittrell, Auditor Atlanta Field Office (917761) Page 27 GAO/AIMD-97-127 Federal Reserve Banks Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Federal Reserve Banks: Internal Controls Over Cash at Atlanta, Los Angeles, and Philadelphia Banks
Published by the Government Accountability Office on 1997-08-28.
Below is a raw (and likely hideous) rendition of the original report. (PDF)