oversight

Federal Reserve Banks: Internal Controls Over Cash at Atlanta, Los Angeles, and Philadelphia Banks

Published by the Government Accountability Office on 1997-08-28.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                  United States General Accounting Office

GAO               Report to the Ranking Minority Member,
                  Committee on Banking and Financial
                  Services, House of Representatives


August 1997
                  FEDERAL RESERVE
                  BANKS
                  Internal Controls Over
                  Cash at Atlanta,
                  Los Angeles, and
                  Philadelphia Banks




GAO/AIMD-97-127
      United States
GAO   General Accounting Office
      Washington, D.C. 20548

      Accounting and Information
      Management Division

      B-276265

      August 28, 1997

      The Honorable Henry B. Gonzalez
      Ranking Minority Member
      Committee on Banking and Financial Services
      House of Representatives

      Dear Mr. Gonzalez:

      This letter responds to your request that we review the work done by the
      Federal Reserve’s external auditor (Coopers & Lybrand L.L.P.) in reporting
      on the effectiveness of the internal control structure over financial
      reporting for cash at the Atlanta and Philadelphia Federal Reserve Banks,
      and the Los Angeles Branch. The external auditor’s work was conducted
      in response to a previous GAO recommendation that the Federal Reserve
      Board of Governors obtain an external examination of internal controls
      over cash operations at the Los Angeles Branch.1 Coopers & Lybrand
      reported that management for each of the three banks fairly stated their
      assertions that the banks maintained effective internal controls over
      financial reporting and safeguarding for coin and currency as of the date
      of management’s assertion on the effectiveness of the internal controls.2

      You asked us to review the work done by the Federal Reserve’s external
      auditor including the scope of its work and the conclusions reached.
      Accordingly, our objective was to determine whether the work was
      conducted in accordance with applicable professional standards and
      supported the auditor’s opinions on managements’ assertions on the
      effectiveness of the internal controls over cash operations.

      In our September 1996 report, we also recommended that the Federal
      Reserve Board consider annual examinations of internal controls at each
      Federal Reserve Bank. In this regard, Federal Reserve officials advised us
      that they intend to include internal control examinations as a component
      of the annual financial statement audits of the Federal Reserve Banks.



      1
       Federal Reserve Banks: Inaccurate Reporting of Currency at the Los Angeles Branch
      (GAO/AIMD-96-146, September 30, 1996).
      2
       Managements’ assertions and the auditor’s reports as originally issued only specifically stated
      financial reporting controls. Based on our inquiries about this language and the scope of the auditor’s
      work, managements’ assertions and the auditor’s reports were appropriately reissued to also include
      safeguarding of cash. The revision conformed the reports to the reporting language suggested by a
      May 1994 addendum to the control criteria used by management and the auditor that is discussed in
      the background section of this report.



      Page 1                                                   GAO/AIMD-97-127 Federal Reserve Banks
                         B-276265




                         Our review disclosed no instances in which Coopers & Lybrand’s work to
Results in Brief         support its opinions on the effectiveness of the internal control structures
                         over financial reporting and safeguarding for coin and currency at the
                         Atlanta and Philadelphia Federal Reserve Banks, and the Los Angeles
                         Branch did not comply, in all material respects, with the American
                         Institute of Certified Public Accountants’ (AICPA) Attestation Standards.

                         Coopers & Lybrand obtained and documented an understanding of the
                         internal control policies and procedures, developed by the Federal
                         Reserve Banks, to manage and account for each of the four main cash
                         operating functions: receiving/shipping, currency processing, vault, and
                         cash administration. Coopers & Lybrand also performed tests and other
                         procedures in support of its evaluation of the design and operating
                         effectiveness of the internal controls in order to form an opinion about the
                         reliability of management’s assertion.



Background

Cash Operations at the   The Federal Reserve, as the United States’ central bank, has primary
Federal Reserve          responsibility for maintaining the nation’s cash supply. In carrying out this
                         responsibility, Federal Reserve Banks perform various cash-related
                         functions to meet the needs of the depository institutions served by the
                         Federal Reserve Banks. At the 37 Federal Reserve Banks and Branches
                         which make up the Federal Reserve System, the cash operations function
                         is responsible for shipping cash to meet the needs of depository
                         institutions, receiving shipments of new currency from the Bureau of
                         Engraving and Printing, new coin from the U.S. Mint, and incoming
                         deposits of excess and unfit currency and coin from depository
                         institutions. In addition to maintaining custodial controls over the cash in
                         its possession, each Federal Reserve Bank and Branch processes currency
                         received from circulation and records and summarizes the various
                         accounting transactions associated with these activities.

                         While the 37 Federal Reserve Banks and Branches perform the same
                         cash-related functions, they may use different systems and processes to
                         manage and account for the cash under their control. The Federal Reserve
                         Banks and Branches in three of the System’s 12 districts—Atlanta,
                         Philadelphia, and San Francisco—use the Cash Automation System (CAS)
                         to manage and account for cash under their control. CAS is an electronic




                         Page 2                                    GAO/AIMD-97-127 Federal Reserve Banks
                          B-276265




                          inventory system which, among other features, tracks coin and currency
                          activities and balances by denomination and identifies bank operating
                          units with custodial responsibility for cash. Certain data maintained in CAS
                          are used to provide daily updates to the bank’s general ledger system. CAS
                          data are also used by bank officials to prepare monthly currency activity
                          reports. These reports, which track each Federal Reserve Bank’s monthly
                          currency activities and end-of-month vault balance, are used by the
                          Federal Reserve Board to monitor currency activities across the Federal
                          Reserve System.


Internal Control Issues   In September 1996, we reported on the results of a review of currency
Regarding Currency        activity reports prepared by the Los Angeles Branch. The review
Reporting at the Los      responded to concerns about reported inaccuracies in certain of the
                          bank’s monthly currency activity reports. The review’s objectives were to
Angeles Branch            determine the nature of currency reporting inaccuracies and review
                          actions intended to resolve them. Our review found that certain data
                          needed for the October through December 1995 currency activity reports
                          were forced to ensure that the reports agreed with the Los Angeles
                          Branch’s end-of-month balance sheet. As a result, analysis by a bank
                          analyst showed that receipts from circulation were understated by
                          $5.8 million in October, overstated by $61.8 million in November and
                          understated by $111 million in December. Our review noted problems with
                          the reporting of currency activities which raised concern about the quality
                          of the Los Angeles Reserve Branch’s internal control environment and
                          potential CAS system limitations which could affect currency accounting
                          and reporting.

                          In response to the review’s findings and recommendations, the Federal
                          Reserve Board took a number of immediate actions specific to the Los
                          Angeles Branch including (1) revising policies and procedures for
                          preparing the monthly currency activity report, (2) conducting an
                          unannounced 100-percent count of the Los Angeles Branch’s currency and
                          coin holdings and comparing the results to the bank’s balance sheet, and
                          (3) conducting an internal review of the bank’s cash operations and
                          related financial records. The Federal Reserve Board reported that (1) the
                          results of the physical count confirmed that the Los Angeles Branch’s
                          balance sheet accurately reflected its currency and coin holdings and
                          (2) its examiners found that the accounting for the cash handled by the
                          bank was accurate and that proper safeguards and controls existed to
                          ensure the integrity of the bank’s financial records.




                          Page 3                                    GAO/AIMD-97-127 Federal Reserve Banks
                          B-276265




                          In addition to actions addressing the Los Angeles Branch’s currency
                          reporting and controls, the Federal Reserve Board arranged for an
                          external examination of internal control over cash operations at certain
                          banks that use CAS to manage and account for cash operations—the
                          subject of this report.


External Review of Cash   Our September 1996 report recommended that, given the problems in
Operations at Three       preparing the currency activity report using CAS data in Los Angeles, the
Federal Reserve Banks     Federal Reserve Board require an external review of internal controls. In
                          response to our recommendation, the Federal Reserve Board hired
                          Coopers & Lybrand L.L.P., an independent public accounting firm, to
                          examine and report on managements’ assertions about the effectiveness of
                          the internal control structure over financial reporting and safeguarding3
                          for cash at three banks—the Federal Reserve Bank of Atlanta’s Home
                          Office, the Federal Reserve Bank of San Francisco’s Los Angeles Branch,
                          and the Federal Reserve Bank of Philadelphia.

                          These banks represent 3 of the 12 cash operations located in the Reserve
                          System which use CAS to provide inventory and management control and
                          accounting for cash-related activities. Table 1 provides 1996 currency data
                          on the relative size and volume of currency processing activities at the 3
                          locations covered by Coopers & Lybrand’s external examinations, the 12
                          which use CAS, and the entire 37 banks and branches.




                          3
                           An entity’s internal control structure over financial reporting includes those policies and procedures
                          that pertain to an entity’s ability to record, process, summarize, and report financial data consistent
                          with the assertions embodied in the entity’s financial statements. Safeguarding of assets refers to those
                          controls designed to provide reasonable assurance regarding prevention or timely detection of
                          unauthorized acquisition, use, or disposition of an entity’s assets that could have a material effect on
                          the financial statements.



                          Page 4                                                   GAO/AIMD-97-127 Federal Reserve Banks
                                       B-276265




Table 1: Comparative Federal Reserve
Currency Activity Data for 1996a       In billions
                                                                    Federal Reserve locations using CAS                  All 37 Federal
                                                                            3 locations        All 12 locations         Reserve Banks
                                                                             examined               using CAS            and Branches
                                       Total value of currency
                                       Received                                   $ 94.7                 $ 181.5                  $ 591.2
                                       Processed                                  $ 76.3                 $ 143.8                  $ 377.3
                                       Destroyed                                  $ 30.6                  $ 59.1                  $ 149.0
                                       Shipped                                    $ 63.9                 $ 119.4                  $ 422.0
                                       On-hand at year-end                        $ 12.1                  $ 23.5                  $ 100.3
                                       Average daily value of
                                       currency
                                       Received                                 $ 0 .376                $ 0 .720                    $ 2.3
                                       Processed                                $ 0 .303                $ 0 .571                    $ 1.5
                                       Destroyed                                $ 0 .121                $ 0 .235                    $ 0.6
                                       Shipped                                  $ 0 .254                $ 0 .474                    $ 1.7
                                       Total currency notes
                                       Received                                      5.7                     11.7                    35.0
                                       Processed                                     4.2                      8.8                    23.6
                                       Destroyed                                     1.5                      3.5                     8.7
                                       Shipped                                       4.1                      8.1                    25.7
                                       On-hand at year-end                           0.8                      1.6                     5.1
                                       Average daily
                                       currency notes
                                       Received                                   0 .023                   0 .047                  0 .139
                                       Processed                                  0 .017                   0 .035                  0 .093
                                       Destroyed                                  0 .006                   0 .014                  0 .035
                                       Shipped                                    0 .016                   0 .032                  0 .102
                                       a
                                        The currency activity data was compiled by GAO based on data provided by the Federal
                                       Reserve Board. Currency received includes deposits of excess and unfit currency from
                                       depository institutions as well as new currency received from the Bureau of Engraving and
                                       Printing. The data have not been verified and are provided for informational purposes only. The
                                       data exclude coin held under the control of Federal Reserve Banks. As of December 31, 1996,
                                       the coin held by all Federal Reserve Banks was $591 million; by the 12 Federal Reserve locations
                                       using CAS, $199 million; and by 3 Federal Reserve locations examined by Coopers & Lybrand,
                                       $76 million.



                                       The objective of Coopers & Lybrand’s examinations was to opine on
                                       whether managements’ assertions on the effectiveness of internal controls
                                       were fairly stated based on the internal control criteria used by
                                       management. In performing its examinations and concluding on the
                                       reliability of managements’ assertions, Coopers & Lybrand performed an
                                       attest engagement which is governed by the AICPA’s Attestation Standards.

                                       The attestation standards provide both general and specific guidance
                                       which is intended to enhance the consistency and quality of these
                                       engagements. The attestation standards consist of general, fieldwork, and



                                       Page 5                                                GAO/AIMD-97-127 Federal Reserve Banks
B-276265




reporting standards which apply to all attestation engagements and
individual standards which apply to specific types of attestation
engagements. The attestation standards supplement existing auditing
standards by reenforcing the need for technical competence,
independence in attitude, due professional care, adequate planning and
supervision, sufficient evidence, and appropriate reporting.

In addition to the general, fieldwork, and reporting attestation standards,
Coopers & Lybrand’s examination at the three Reserve Banks was also
subject to requirements of a specific attestation standard—Statement on
Standards for Attestation Engagements No. 2, Reporting on an Entity’s
Internal Control Structure Over Financial Reporting. This standard
provides guidance on planning, conducting, and reporting on the
engagement, including evaluating the design and operating effectiveness of
internal controls. A key provision of the standard is that management use
reasonable control criteria which have been established by a recognized
body in evaluating the internal control structure’s effectiveness. This
requirement ensures that management uses commonly understood and/or
accepted control criteria in concluding on the internal control structure’s
effectiveness and that the practitioner uses the same criteria in forming an
opinion on management’s assertion. Management for each of the Federal
Reserve Banks covered by Coopers & Lybrand’s examinations based their
assessments of internal control effectiveness on criteria contained in the
Internal Control-Integrated Framework issued in September 1992 by the
Committee on Sponsoring Organizations of the Treadway Commission
(COSO).

To develop a broad understanding of internal control and establish
standards for assessing its effectiveness, COSO developed a structured
approach—the Integrated Framework—which defines internal control and
describes how it relates to an entity’s operations. Internal control
represents the process, designed and operated by an entity’s management
and personnel, to provide reasonable assurance that fundamental
organizational objectives are achieved. The Integrated Framework
describes internal control in terms of objectives, essential components of
internal control, and criteria for assessing internal control effectiveness.

Internal control objectives—what internal controls are intended to
achieve—fall into three distinct but overlapping categories:
operations—relating to effective and efficient use of an entity’s resources;
financial reporting—relating to preparing reliable financial statements;
and compliance—relating to an entity’s compliance with laws and



Page 6                                    GAO/AIMD-97-127 Federal Reserve Banks
B-276265




regulations. Safeguarding controls are a subcategory within each of these
control objectives. Safeguarding controls—those designed to prevent or
promptly detect unauthorized acquisition, use, or disposition of an entity’s
resources—are primarily operations controls. However, certain aspects of
safeguarding controls can also be considered compliance and financial
reporting controls. When legal or regulatory requirements apply to use of
resources, operations controls designed to safeguard the efficient and
effective use of resources also address compliance objectives. Similarly,
objectives designed to ensure that losses associated with the use or
disposition of resources are properly recognized and reflected in the
entity’s financial statements also address financial reporting objectives.

In May 1994, COSO issued an addendum to its Integrated Framework to
provide specific reporting guidance on controls concerning safeguarding
of assets.4 COSO stated that there is a reasonable expectation that a
management report will cover not only controls to help ensure that
transactions involving an entity’s assets are properly reflected in the
financial statements, but also controls to help prevent or promptly detect
unauthorized acquisition, use, or disposition of the underlying assets. COSO
believes it is important that this expectation be met. The addendum
provided suggested wording for management’s report on internal control
over financial reporting to also specifically state safeguarding of assets
when covered by management’s report.

Internal control, as described in the Integrated Framework, consists of five
essential and interrelated components: control environment, risk
assessment, control activities, information and communication, and
monitoring. The control environment represents the control
consciousness of an entity, its management, and staff. Risk assessment
refers to the awareness and management of relevant internal and external
risk associated with achieving established objectives. Control activities
represent the operating policies and procedures designed to help ensure
that management’s directives—desired actions intended to address
risks—are carried out. Information and communication refers to the need
for relevant and useful information to be communicated promptly to
management and staff for use in carrying out their responsibilities. The
monitoring component refers to the need to monitor and assess over time
the effectiveness of internal control policies and procedures in achieving
their intended objectives.



4
Internal Control - Integrated Framework: Addendum to “Reporting to External Parties,” May 1994,
COSO.



Page 7                                                GAO/AIMD-97-127 Federal Reserve Banks
                       B-276265




                       The nature and extent to which an entity’s internal control structure
                       incorporates the five control components represent criteria that can be
                       used in assessing the internal control effectiveness of operating, financial
                       reporting, and compliance controls. Management can assess and report on
                       the effectiveness of any of the three categories of control objectives.
                       Internal controls can be judged effective if, for each category of control
                       objective reported on, management has reasonable assurance that each of
                       the five control components has been effectively incorporated into the
                       entity’s internal control structure. COSO recognized that determining
                       effectiveness was a subjective judgment. Similarly, with respect to
                       effectiveness of safeguarding controls, controls can be judged effective if
                       management has reasonable assurance that unauthorized acquisition, use,
                       or disposition of an entity’s assets that could have a material effect on the
                       financial statements are being prevented or detected promptly.


                       For each examination, Coopers & Lybrand concluded that Federal Reserve
Results of External    Bank management fairly stated its assertion that the bank maintained an
Reviews of Control     effective internal control structure over financial reporting and
Over Cash Operations   safeguarding for cash as of the date specified by management based on
                       criteria established in the Internal Control—Integrated Framework issued
                       by COSO.

                       Coopers & Lybrand’s examinations were conducted at different times
                       during the late summer and fall of 1996 because management for each of
                       the three Reserve Banks made their assertions about the effectiveness of
                       internal controls as of different specified dates (Atlanta, September 30,
                       1996; Los Angeles, August 31, 1996; and Philadelphia, October 31, 1996). In
                       making an assertion as of a point in time, the scope of management’s
                       assessment of internal controls is limited to the design and operating
                       effectiveness of internal controls in place on the date of management’s
                       assertion.

                       In addition to its positive conclusions on the reliability of management’s
                       assertion on the effectiveness of financial reporting and safeguarding
                       controls, Coopers & Lybrand’s report contains standard language related
                       to the inherent limitations in any internal control structure and projections
                       of results of any internal control structure evaluation to other periods.
                       This language, required by the AICPA’s Attestation Standards, is intended to
                       remind readers that (1) internal controls, no matter how well designed and
                       operated, can provide only reasonable assurance that internal control
                       objectives are achieved, and (2) projections of the results of any internal



                       Page 8                                    GAO/AIMD-97-127 Federal Reserve Banks
              B-276265




              control structure evaluation to any other period is subject to the risk that
              the internal control structure may be inadequate because of changes in
              conditions, or the degree of adherence to policies and procedures may
              deteriorate.


              To perform our work, we met with Federal Reserve officials and the
Scope and     Coopers & Lybrand partner and audit manager responsible for the
Methodology   examination and discussed the nature of the examination of internal
              controls over financial reporting and safeguarding for cash. We also
              discussed the applicable attestation standards and internal control criteria
              used by the firm in conducting the examination. We reviewed the
              applicable attestation standards and evaluation criteria (Internal
              Control—Integrated Framework issued by COSO) used by the bank’s
              management and Coopers & Lybrand to assess the effectiveness of
              internal controls over financial reporting and safeguarding for cash.

              We also reviewed the Coopers & Lybrand working papers supporting its
              opinions on internal controls at the Atlanta, Los Angeles, and Philadelphia
              Federal Reserve Banks. We looked for evidence that the work had been
              planned and performed in accordance with applicable attestation
              standards. We also looked for evidence that Coopers & Lybrand’s work
              addressed the applicable internal control criteria. Where necessary, we
              obtained additional understanding of the procedures performed through
              discussions with the partner and audit manager of Coopers & Lybrand.
              Where Coopers & Lybrand’s working papers indicated that it used work
              performed by the Federal Reserve Banks’ General Auditors with respect to
              electronic data processing controls, we conducted interviews with the
              General Auditor staff for the three banks and Federal Reserve Automation
              Services and reviewed their applicable internal audit working papers.

              We visited the Atlanta, Los Angeles, and Philadelphia banks to enhance
              our understanding of the respective internal control structures over
              financial reporting and safeguarding for cash. During our visits, which
              took place during April and May 1997, we observed the processes and
              internal controls in the respective bank’s cash department that had been
              identified and documented by Coopers & Lybrand, and held discussions
              with management and staff of the cash department and the internal audit
              department.




              Page 9                                    GAO/AIMD-97-127 Federal Reserve Banks
                     B-276265




                     We performed our work from January 1997 through June 1997. Our review
                     was performed in accordance with generally accepted government
                     auditing standards. We requested comments on a draft of this report from
                     the Federal Reserve System Board of Governors. On August 1, 1997, the
                     Board of Governors of the Federal Reserve System provided us with
                     comments that are included in appendix II and discussed in the agency
                     comments section of this report.

                     In performing its examinations, Coopers & Lybrand (1) obtained an
External Auditor’s   understanding of the procedures and internal controls, (2) evaluated the
Procedures           design effectiveness of the controls, (3) tested and evaluated the operating
                     effectiveness of the controls, and (4) formed opinions about whether
                     managements’ assertions regarding the effectiveness of the internal
                     controls were fairly stated, in all material respects, based on the COSO
                     control criteria. Internal controls usually involve two elements: a policy
                     establishing what should be done and procedures to effect the policy. The
                     procedures include a range of activities such as approvals, authorizations,
                     verifications, reconciliations, physical security, and separation of duties.

                     Coopers & Lybrand found that the Federal Reserve has developed custody
                     control standards and procedures that provide a framework for
                     establishing systems of internal controls to protect cash processed and
                     stored at the banks. Coopers & Lybrand’s working papers described the
                     cash operating process the banks followed in managing, controlling, and
                     accounting for cash operations. This process is broken down into four
                     major areas: (1) receiving/shipping of cash, (2) processing of currency to
                     check the accuracy of deposits from depository institutions, identify
                     counterfeit currency, and determine the currency’s fitness for
                     recirculation, (3) vault storage of cash, and (4) cash administration. The
                     cash operations followed by the banks are discussed in more detail in
                     appendix I.

                     Coopers & Lybrand’s work focused on the internal controls designed to
                     properly record, process, and summarize transactions to permit the
                     preparation of reliable financial statements and to maintain accountability
                     for assets (financial reporting controls) and safeguard assets against loss
                     from unauthorized acquisition, use, or disposition (safeguarding controls).
                     These controls include two categories of information system control




                     Page 10                                   GAO/AIMD-97-127 Federal Reserve Banks
B-276265




activities5 which serve to ensure completeness, accuracy, and validity of
the financial information in the system.

In order to determine whether the internal controls provided reasonable
assurance that losses or misstatements material in relation to the financial
statements would be prevented or detected as of the date of management’s
assertion, Coopers & Lybrand tested the operating effectiveness of the
internal controls. The testing methods included observation, inquiry, and
inspection.

No one specific control test is necessary, applicable, or equally effective in
every circumstance. Generally, a combination of these types of control
tests is performed to provide the necessary level of assurance. The types
of tests performed for each control activity are determined by the auditor
using professional judgment and depend on the nature of the control to be
tested and the timing of the control test. For example, documentation of
some control activities may not be available or relevant and evidence
about the effectiveness of operation is obtained through observation or
inquiry. Also, some activities, such as those relating to the resolution of
exception items, may not occur on the date that the auditor is conducting
the tests. In those cases, the auditor needs to inquire about the procedures
performed when exceptions occur.

Observation tests are conducted by observing entity personnel actually
performing control activities in the normal course of their duties. For
example, Coopers & Lybrand observed the physical separation between
the carriers and the receiving and shipping teams, the use of locks and
seals on the containers used for storing currency, and the preparation of
the end of day proof by each of the teams. In currency processing,
Coopers & Lybrand observed preparation of the processing unit proof,
transfer of currency to and from the processing teams, and processing
team operations. Observation of processing operations documented in
their working papers included the handling of currency rejected by the
high speed machine and its processing on the slower speed machine, and
the physical transfer of rejected currency from the processing team to the
cancellation team.

Inquiry tests are conducted by making either oral or written inquiries of
entity personnel involved in the application of specific control activities to

5
 General controls are the policies and procedures that apply to the entity’s overall computer
operations and create the environment which ensures the continued, proper operation of the
application systems. Application controls include computerized steps within the application software
and related manual procedures to provide reasonable assurance of accurate and reliable processing.



Page 11                                                 GAO/AIMD-97-127 Federal Reserve Banks
B-276265




determine what they do or how they perform the specific control activity.
For example, Coopers & Lybrand’s inquiries of bank personnel included
asking about procedures performed when containers stored in the vault
are found to have broken seals and when discrepancies in shipments are
reported by the depository institutions.

Inspection tests are conducted by examining documents and records for
evidence (such as the existence of initials, signatures, or other indications)
that a control activity was applied to those documents and records.
Coopers & Lybrand used inspection to test controls such as the daily
reconciliation of CAS and the general ledger system, the end of day proofs
prepared by each team, vault inventories, and monitoring logs prepared by
cash department management personnel.

Similarly, Coopers & Lybrand tested computer controls through
observation, inquiry, and inspection. For example, they observed the
enforcement of physical access controls such as logging of visitors and
video surveillance. They asked management about the control procedures
over changes to the CAS program code and corroborated the information
they were given by interviewing system users and application developers.
They inspected a system log to verify that backup tapes were being
produced on schedule.

For many of the computer controls tests in their work program, Coopers &
Lybrand consulted with Federal Reserve Bank’s General Auditors to gain
an understanding of the computer controls and/or examined their working
papers to further corroborate information that Coopers & Lybrand
obtained through observation, inquiry, and inspection. In addition to other
tests conducted by inspection, observation, and inquiry, the banks’
internal audit working papers evidenced tests based upon independent
verification of compliance with computer control procedures. For
example, the General Auditors for the Federal Reserve Bank in
Philadelphia selected five days of work for each of five cash processing
rooms and examined system reports and manual logs to verify that the
high-speed currency processing machines were tested daily and that they
returned acceptable results before being put into production.




Page 12                                    GAO/AIMD-97-127 Federal Reserve Banks
                      B-276265




                      The results of our review disclosed no instances in which Coopers &
Results of GAO’s      Lybrand did not comply, in all material respects, with the AICPA’s
Review of Coopers &   Attestation Standards in the work described above. We found that Coopers
Lybrand’s             & Lybrand’s working papers adequately documented that it had planned,
                      performed and supervised the work. The working papers contained
Examination           evidence that the auditor had an appropriate level of knowledge about the
                      Federal Reserve Banks and had considered relevant work from prior
                      years’ audits, such as descriptions of the internal control structure. The
                      scope of the examination was detailed in a written engagement letter. We
                      found that the work was performed by staff who were independent with
                      respect to the Federal Reserve Banks and had adequate experience. Also,
                      the working papers evidenced that the staff had been properly supervised.
                      For example, key working papers were reviewed by the Audit Manager
                      and Partner.

                      We found that Coopers & Lybrand used audit tools to assist it in
                      documenting the internal controls for each of the processes included in
                      cash operations. For example, its auditors prepared worksheets which
                      identified internal control objectives, the related risks and the control
                      activities designed to address the objectives. Also, they prepared work
                      programs which described the procedures to be performed to test the
                      control activities, and they documented the results of their tests in written
                      working papers. They used similar audit tools for their review of computer
                      controls, documenting in their working papers the control objectives to be
                      tested, the procedures performed, and their conclusions. In accordance
                      with the attestation standards, the working papers contained written
                      assertions made by management about the effectiveness of the bank’s
                      internal controls and contained a written management representation
                      letter.


                      In commenting on a draft of this report, the Board of Governors of the
Agency Comments       Federal Reserve System fully concurred with our conclusion on Coopers &
                      Lybrand’s work. The Board of Governors indicated that our conclusions
                      are consistent with those of the Board’s Inspector General. Also, the Board
                      of Governors noted that the financial controls in each Reserve Bank’s
                      operations, including cash, will be evaluated on an ongoing basis as part of
                      Coopers & Lybrand’s audit procedures in order to render an opinion on
                      the financial statements. Further, the cash operations controls are
                      reviewed regularly by the Banks’ internal auditors, the Board’s financial
                      examiners, Board staff who conduct periodic operations reviews of




                      Page 13                                   GAO/AIMD-97-127 Federal Reserve Banks
B-276265




Reserve Bank cash functions, and the Department of Treasury reviews of
currency destruction activities.


We are sending copies of this report to the Chairman of the Board of
Governors of the Federal Reserve System; the Secretary of the Treasury;
the Chairman of the House Committee on Banking and Financial Services;
the Chairman and Ranking Minority Member of the Senate Committee on
Banking, Housing, and Urban Affairs; and the Director of the Office of
Management and Budget. Copies will be made available to others upon
request.

Please contact me at (202) 512-9406 if you or your staff have any questions.
Major contributors to this report are listed in appendix III.

Sincerely yours,




Robert W. Gramling
Director, Corporate Audits
  and Standards




Page 14                                  GAO/AIMD-97-127 Federal Reserve Banks
Page 15   GAO/AIMD-97-127 Federal Reserve Banks
Contents



Letter                                                                                            1


Appendix I                                                                                       18

Cash Operations at
the Atlanta, Los
Angeles, and
Philadelphia Federal
Reserve Banks
Appendix II                                                                                      24

Comments From the
Board of Governors of
the Federal Reserve
System
Appendix III                                                                                     27

Major Contributors to
This Report
Table                   Table 1: Comparative Federal Reserve Currency Activity Data for           5
                          1996




                        Abbreviations

                        AICPA     American Institute of Certified Public Accountants
                        CAS       Cash Automation System
                        COSO      Committee on Sponsoring Organizations of the Treadway
                                       Commission
                        IAS       Integrated Accounting System


                        Page 16                                GAO/AIMD-97-127 Federal Reserve Banks
Page 17   GAO/AIMD-97-127 Federal Reserve Banks
Appendix I

Cash Operations at the Atlanta, Los Angeles,
and Philadelphia Federal Reserve Banks

                     As the United States’ central bank, the Federal Reserve has primary
                     responsibility for maintaining the nation’s cash supply. In carrying out this
                     responsibility, Federal Reserve Banks perform various cash-related
                     operations. At the 37 Federal Reserve Banks and Branches, the cash
                     operations function is responsible for receiving new coin from the U.S.
                     Mint, new currency from the Bureau of Engraving and Printing, cash from
                     depository institutions, currency processing, safeguarding cash held on
                     deposit, and shipping cash to meet the needs of depository institutions. In
                     addition, Federal Reserve Banks must record and summarize the various
                     accounting transactions associated with their cash-related activities. While
                     each Federal Reserve Bank performs the same basic cash-related
                     functions, banks may use different systems and procedures to manage and
                     account for the cash under their control.

                     Federal Reserve Banks in Atlanta, Los Angeles, and Philadelphia use the
                     Cash Automation System (CAS) to provide inventory, safeguarding, and
                     accounting control over currency processing. CAS is an electronic
                     inventory system which, among other features, tracks coin and currency
                     activities and balances by denomination, and identifies bank operating
                     units with custodial responsibility for cash. Certain data maintained in CAS
                     are used to provide daily updates to the Federal Reserve’s general ledger
                     system. CAS data are also used by Federal Reserve officials to prepare
                     monthly currency activity reports. In addition to CAS, the three Federal
                     Reserve Banks use procedural controls to safeguard cash and account for
                     processing-related activities. These controls include restricted access,
                     joint custody, segregation of processing-related duties, video surveillance
                     cameras, supervisory review, and monitoring.

                     Presented below is a general description of the cash operations functions
                     at the three Federal Reserve Banks examined by Coopers & Lybrand.
                     While the description focuses on currency operations, the handling and
                     control procedures over coin are similar to those for currency, with a few
                     notable differences. For example, coins are handled in bags and their
                     content is verified through a weighing process, while currency notes
                     received from depository institutions are individually checked by
                     high-speed equipment for accuracy, fitness, and authenticity. Also, coin is
                     stored in a separate vault from currency.


                     Each work day, depository institutions may notify Federal Reserve Banks
Receiving/Shipping   electronically of currency that they are depositing with or ordering from
                     each bank. The notification includes the dollar amount and



                     Page 18                                   GAO/AIMD-97-127 Federal Reserve Banks
Appendix I
Cash Operations at the Atlanta, Los Angeles,
and Philadelphia Federal Reserve Banks




denominational breakdown for the deposit or order. The cash is
transported between the Federal Reserve Banks and depository
institutions by armored carriers which enter the bank buildings through
secured entrances. To ensure the integrity of the currency received from
or transferred to the carriers, the Federal Reserve Banks use a minimum
of two-person receiving or shipping teams. These teams are always
physically separated from the carriers as shipments are unloaded or
loaded by the carriers. For example, carriers unload or load the currency
into a glass-walled room (sometimes called an anteroom) which is
bordered on one end by the carriers’ entrance and on the other end by the
receiving or shipping room. Each anteroom has two sets of locking doors
on either end. The receiving or shipping team cannot enter the anteroom
when the carrier is unloading or loading currency. Currency transfers are
accepted on a “said to contain”1 basis. Carriers verify currency transfers by
checking the number and denomination of currency bags to see if they
match the stated contents on the manifests.

When currency is received by a Federal Reserve Bank, the receiving team
counts the number of bags received from each depository institution and
independently compares this to the carrier’s manifest before accepting the
currency from the carrier. Subsequently, the receiving team counts the
bundles2 of currency to verify the total amount received. These counts of
the number of bundles received for each denomination are performed
independently by each team member. The team members then
independently put their counts into CAS where they are compared to each
other and to the deposit notification received from the depository
institution. If the counts match, the depository institution automatically
receives credit for the shipment. If the counts do not match, the difference
is investigated and must be resolved before the end of day closeout or
reconciliation process can be completed. After the counts are completed,
the currency is transferred to a vault in a sealed container3 where it is
safeguarded until it goes through currency processing.

When currency is being shipped to fill an order, the currency is transferred
from the vault to a shipping team. The shipping team inspects the integrity
of the seals on the containers prior to accepting accountability for the


1
 “Said to contain” means that the carrier accepts responsibility only for the number of sealed bags,
without regard to the amounts contained in the bags. The carrier is not responsible for any differences
that either the Federal Reserve Bank or depository institution identifies unless the integrity of the bag
seals was compromised while under the carrier’s responsibility.
2
 A bundle consists of 10 straps of 100 notes each.
3
 The seal numbers are entered into CAS to track the container.



Page 19                                                   GAO/AIMD-97-127 Federal Reserve Banks
                      Appendix I
                      Cash Operations at the Atlanta, Los Angeles,
                      and Philadelphia Federal Reserve Banks




                      currency. The shipping team prepares the order by placing the currency in
                      sealed bags. The team members independently count the order and put
                      their counts into CAS where they are compared to each other and to the
                      order notification received electronically from the depository institution.
                      Because the carrier accepts the shipment on a said-to-contain basis, any
                      discrepancies subsequently identified by the depository institution in the
                      amounts of currency in the bags must be resolved with the Federal
                      Reserve Bank that filled the order.

                      At the end of each shift, each receiving and shipping team prepares a daily
                      proof to ensure that all of the currency transferred to the team from a
                      carrier or the vault is accounted for either in the team’s ending inventory
                      or through transfers to the vault or carriers.


                      Currency received from depository institutions is processed to check the
Currency Processing   accuracy of the deposit, identify counterfeit currency, and determine the
                      currency’s fitness. The processing takes place in glass-walled rooms which
                      have numerous surveillance cameras and locked doors that enable the
                      processing team to control access to each room and its contents.
                      Processing teams are composed of either two or three members who share
                      joint custody and accountability for the team’s currency holdings and
                      processing activities.

                      On a scheduled basis, the processing machines are tested to ensure they
                      are performing within established tolerance levels. The tests consist of
                      running currency test decks through the machines to determine whether
                      they are correctly counting the notes, identifying and rejecting different
                      denominations and counterfeit currency, and identifying and shredding
                      soiled currency. Testing is performed by trained currency processing staff
                      who are not directly involved in routine processing activities. The test
                      results are tracked through automated output reports which are reviewed
                      by the test operator and management. If the test results indicate the need
                      for service, site engineers are available to service the machines. Test decks
                      are only used for a specified number of tests after which the test decks are
                      destroyed. Custody of the test decks is tracked in the CAS inventory and
                      access is restricted through the use of locked storage containers.

                      All currency received from circulation is processed initially on a
                      high-speed machine which counts the notes and tests for denomination,
                      soil level, and authenticity. One of three things can happen to individual
                      currency notes as they are processed on the high-speed machine. Currency



                      Page 20                                        GAO/AIMD-97-127 Federal Reserve Banks
Appendix I
Cash Operations at the Atlanta, Los Angeles,
and Philadelphia Federal Reserve Banks




which passes the machine’s various tests is considered fit for recirculation
and is repackaged with a new currency strap which identifies the Federal
Reserve Bank, the processing team, and the date the currency was
processed. Currency failing only the soil test is shredded on-line by the
high-speed machine which generates output reports that track the number
and denomination of currency shredded during the shift. The high-speed
machine also rejects currency for incorrect denomination, questionable
soil levels, and/or potential counterfeit. This currency undergoes further
processing to check denomination and authenticity on a slower speed
machine. Differences in count are tracked by the automated output
reports and recorded in CAS as adjustments4 to the depository institution’s
deposit. Depository institutions are notified—via a written adjustment
advice—of changes to their previously recorded deposit amounts.

Rejected currency is transferred to a slower machine for further
processing and inspection along with the straps that identify the
depository institution that packaged the currency. The operator enters the
rejected currency into the slower speed machine where it is retested for
denomination, soil level, and counterfeit. Currency which passes the
retests is shredded on-line and tracked in automated output reports.
Currency which fails any one of the retests is rejected by the slower speed
machine. The rejects, along with the cause for the rejections, are tracked
and separately reported in automated output reports. These reports are
also used to adjust the depository institution’s account with the Federal
Reserve Bank for the amount of the difference.

Currency rejected by the slower speed machine is sorted for off-line
destruction or transfer. Counterfeit items are stamped “Counterfeit” and
transferred daily from the processing team to independent clerks who
examine, count, and collect counterfeit currency for shipment to the U.S.
Secret Service for follow-up and analysis. Currency rejected for
denomination and soil level is transferred daily to a separate team for
cancellation and subsequent off-line destruction. In the presence of the
processing team, a cancellation team counts and accepts the transfer of
the rejected currency for cancellation. The transfer is recorded in the CAS
system. The team takes the rejected currency in a locked container to a
cancellation room where the currency is cancelled by punching
bank-specific-shaped holes into the currency. The cancellation process is
monitored by an independent observer who also monitors the transfer of
the cancelled currency to a separate off-line destruction team. Upon


4
 Within established time frames, the credit given a depository institution when its deposit is received
by the Federal Reserve Bank is subject to adjustment based on the results of processing the currency.



Page 21                                                  GAO/AIMD-97-127 Federal Reserve Banks
                Appendix I
                Cash Operations at the Atlanta, Los Angeles,
                and Philadelphia Federal Reserve Banks




                verification and approval by the off-line destruction team, the transfer of
                cancelled currency is recorded in CAS.

                Off-line destruction occurs periodically throughout the week and is
                monitored by an independent observer who counts the number and
                denomination of the currency straps to be destroyed and matches it to the
                strap count performed by the off-line destruction team. In addition, the
                destruction team and independent observer follow prescribed policies
                which include sample counts of individual low value currency notes and a
                100 percent count of higher value currency notes. Once this count is
                completed, the off-line destruction team, along with the independent
                observer, takes the cancelled currency to a special room where it is
                destroyed in a shredder. Once all currency has been destroyed, the
                destruction team and the independent observer inspect the shredder to
                ensure that all cancelled currency was destroyed. Following the off-line
                destruction, the team generates from CAS a certificate of destruction based
                on the earlier currency transferred to the off-line destruction team. The
                certificate of destruction is signed by the team and the observer and
                forwarded to Cash Administration for use in the end-of-day reconciliation.

                At the end of each shift, each processing team prepares its unit proof. The
                proof is designed to ensure that the processing team can account for the
                team’s currency holdings and processing activities by tracking the value of
                its beginning and ending inventory, its currency transfers in and out, and
                any adjustments arising during processing. After the team completes and
                accepts the proof data, it is transmitted electronically to CAS where it is
                compared to related currency data entered into CAS during the shift. If the
                proof data balance and agree with related currency data in CAS, the unit
                proof is accepted. If the proof data do not agree with related currency data
                in CAS, the processing team must request management assistance to
                identify and resolve differences.


                The Federal Reserve Banks use vaults to safeguard the currency they hold.
Vault Storage   The vault is a separate room within the cash department and a record is
                maintained of all persons who enter and exit the vault each day. Access to
                the vault may also be restricted through the use of keys or swipe cards.
                When stored in the vault, currency of the same denomination is stacked in
                locked containers. Cash department employees have a set of locks with
                their own personal key or combination. The employees use these locks to
                secure the containers for which they are accountable. In addition to the
                locks, each two-person team secures the containers with two



                Page 22                                        GAO/AIMD-97-127 Federal Reserve Banks
                      Appendix I
                      Cash Operations at the Atlanta, Los Angeles,
                      and Philadelphia Federal Reserve Banks




                      prenumbered seals. In some Federal Reserve Banks, the locks are
                      removed while the containers are stored in the vault. When this occurs,
                      the integrity of the seals is verified when accountability for the container is
                      transferred to another team.

                      In some Federal Reserve Banks, accountability for the currency is
                      transferred to vault custodians when the currency is stored in the vault. In
                      other Federal Reserve Banks, accountability for currency stored in the
                      vault stays with either the receiving or shipping team, and the vault
                      custodians serve more of an administrative function. In both cases, the
                      vault custodians periodically conduct a rack count of the currency in the
                      vault (i.e., daily in Atlanta and Los Angeles, weekly in Philadelphia) and
                      reconcile the count to CAS. The custodians also prepare a daily proof at the
                      end of each day to ensure that all transfers of currency in and out of the
                      vault match shipping, receiving and high-speed processing records.


                      The Cash Administration independent proof clerk is responsible for
Cash Administration   producing the department proof, the daily reconciliation of CAS and the
                      Integrated Accounting System (IAS),5 and submitting manual entries to the
                      IAS. All manual IAS entries must balance and be reviewed and approved by
                      management. Before the department proof can be produced, CAS is used to
                      verify that all teams have produced their final unit proofs, and the cash
                      department inventory and transaction totals agree. The department proof
                      lists all of the transactions and current inventory balances for each of the
                      department’s teams (receiving, shipping, processing, and vault). The
                      independent proof clerk then compares the department inventory total to
                      the calculated balance from CAS. The calculated balance is determined by
                      taking the ending inventory from the previous day and adding/subtracting
                      for the current day’s transactions. The two totals must be equal.

                      Throughout the day, transactions from CAS are automatically uploaded and
                      posted to IAS. The daily reconciliation of CAS and IAS involves the
                      comparison of the end-of-day department inventory totals from CAS to the
                      total reflected in IAS. The two totals must be equal. Periodically, the
                      independent proof clerk performs a blind confirmation of the
                      reconciliation in which the clerk is “locked out” of IAS and submits the CAS
                      balances to the accounting department for reconciliation. The daily
                      reconciliations of CAS and IAS are reviewed and approved by cash
                      administration management.


                      5
                       IAS is the Federal Reserve’s general ledger system.



                      Page 23                                                GAO/AIMD-97-127 Federal Reserve Banks
Appendix II

Comments From the Board of Governors of
the Federal Reserve System




              Page 24        GAO/AIMD-97-127 Federal Reserve Banks
Appendix II
Comments From the Board of Governors of
the Federal Reserve System




Page 25                                   GAO/AIMD-97-127 Federal Reserve Banks
Appendix II
Comments From the Board of Governors of
the Federal Reserve System




Page 26                                   GAO/AIMD-97-127 Federal Reserve Banks
Appendix III

Major Contributors to This Report


                       John J. Reilly, Assistant Director
Accounting and         Christine A. Robertson, Assistant Director
Information            C. Les Thompson, Assistant Director
Management Division,
Washington, D.C.
                       Sharon S. Kittrell, Auditor
Atlanta Field Office




(917761)               Page 27                                  GAO/AIMD-97-127 Federal Reserve Banks
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested