
Financial Management: Review of the Military Retirement Trust Fund's Actuarial Model and Related Computer Controls

Published by the Government Accountability Office on 1997-09-09.


United States General Accounting Office

GAO Report to the Secretary of Defense

September 1997

FINANCIAL MANAGEMENT
Review of the Military Retirement Trust Fund’s Actuarial Model and Related Computer Controls

GAO/AIMD-97-128

United States General Accounting Office
Washington, D.C. 20548

Accounting and Information Management Division

B-277418

September 9, 1997

          The Honorable William S. Cohen
          The Secretary of Defense

          Dear Mr. Secretary:

          The Department of Defense (DOD) Military Retirement Trust Fund was
          authorized by Public Law 98-94 for the accumulation of funds to finance,
          on an actuarially sound basis, DOD’s liabilities for military retirement and
          survivor benefit programs. The DOD Office of Inspector General (DOD IG)
          audited the Fund’s financial statements for fiscal years 1995 and 1996 in
          accordance with the requirements of the Chief Financial Officers (CFO) Act
          of 1990, as expanded by the Government Management Reform Act of 1994
          (GMRA), and rendered an unqualified opinion on those statements on
          May 5, 1997. Also, we will audit the consolidated financial statements of
          the federal government beginning with fiscal year 1997. With total
          actuarial liabilities of $548 billion as reported in its financial statements for
          fiscal year 1996, the Fund is expected to be material to the consolidated
          governmentwide financial statements.

          In preparation for our audit of the consolidated governmentwide financial
          statements, we contracted with an independent public accounting firm,
          KPMG Peat Marwick LLP, to review (1) the methods and assumptions
          used by the DOD Office of the Actuary to calculate the Fund’s pension
          liability as of September 30, 1996, and (2) the effectiveness of general
          electronic data processing (EDP) controls at the computer processing
          locations managed by the Defense Manpower Data Center that are
          responsible for receiving, formatting, and processing the actuarial
          information. These two areas are critical to verifying the reasonableness of
          the Fund’s reported liabilities.

In order to rely on the work of the KPMG specialists, we

• evaluated the qualifications and independence of the review staff;
• reviewed and approved the contractor’s approach plans and work programs;
• attended key meetings between the contractor and DOD personnel; and
• reviewed the contractor’s working papers to determine (1) the nature, timing, and extent of work performed, (2) the extent of quality control methods used, and (3) whether evidence in the working papers supported the contractor’s conclusion concerning the reliability of the Fund’s actuarial liability and related computer controls.

                   We performed our oversight of KPMG’s work from November 1996
                   through May 1997, in accordance with generally accepted government
                   auditing standards. DOD provided written comments on a draft of this
                   report. These comments are presented and evaluated in the “Agency
                   Comments and Our Evaluation” section and are reprinted in appendix II.

To avoid duplication of effort, we made KPMG’s results available to the DOD IG for its reliance in performing the required fiscal year 1996 financial statement audit and in rendering its opinion on May 5, 1997. Appendix I presents KPMG’s report to us on the results of its work.


Results in Brief

Based on our review, we concur with KPMG’s conclusion that the methodology and actuarial assumptions used by the DOD Office of the Actuary to calculate the pension liability as of September 30, 1996, and the annual actuarial activity for the Fund were reasonable and reliable.

                   We also concur with KPMG’s identification of numerous control
                   weaknesses related to (1) the data gathering and preparation process and
                   (2) EDP activities. Due to the serious nature of the computer-related
                   weaknesses identified, we agree with KPMG’s conclusion that there is a
                   lack of overall security administration and management governing access
                   to Fund data files.

                   In particular, DOD has not adequately implemented security policies and
                   procedures, controlled the ability of computer programmers to make
                   changes to systems, and controlled access to information on pension fund
                   participants. Such uncontrolled access affects other sensitive personal and
                   career-related information as well.

                   The computer that houses the Fund’s data files also stores information on
                   social security numbers, pay rates, child and spousal abuse allegations,
                   and medical test results for both active duty and retired personnel.
                   Although DOD regulations require that sensitive data be housed only on
                   computers meeting specific security guidelines, the Fund processing sites
                   reviewed by KPMG do not comply with those guidelines. Despite the
weaknesses identified, KPMG believed that a material misstatement of the pension liability was unlikely to occur because of compensating controls that hinge largely on the experience and tenure of staff in the Office of the Actuary.

                           We agree that compensating controls currently exist in the Office of the
                           Actuary but caution DOD against long-term reliance on controls that
                           depend largely on the retention of a few key employees.


Actuarial Data Gathering   Although the actuarial results were reasonable and reliable for fiscal year
and Preparation Process    1996, weaknesses exist in the controls over the data gathering and
Control Weaknesses         preparation process. Most notably, this process is not adequately
                           documented and, as a result, is heavily dependent on the knowledge of
                           experienced staff members. If significant staff changes were to occur, the
                           annual data update—which is critical to determining the pension
                           liability—might not be performed timely or correctly.

                           Also, as part of the data preparation process, the Office of the Actuary
                           must estimate the number of eligible inactive reservists because complete
                           data are not provided for inactive reservists who may have earned a vested
                           benefit but have not yet begun to receive benefit payments. Even though
                           the number is small in comparison to total retirees and such an estimate
                           probably would not materially affect the results, DOD should strive for
                           complete and accurate data in order to ensure the correct calculation of
                           its actuarial liabilities. In addition, the program used to calculate the
                           pension liability does not allow the comparison of the actual results using
                           current actuarial estimates and assumptions against the current
                           anticipated results. Such comparison is a standard actuarial process.

                           Instead, the actuary can only compare, for reasonableness, actual results
                           of the current year calculation in total against prior year valuations. As a
                           result, if prior year calculations were in error, current and future years’
                           calculations could be consistent but also incorrect. Further, no formal
                           documentation exists for this program nor for the data input process and
                           data flow organization/layout of the primary valuation spreadsheet. Here
                           again, the process is dependent on the knowledge of current key staff
                           members.
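The weakness described above, shown as an added illustration that is not part of the GAO report or the Office of the Actuary's valuation program: a toy life-annuity valuation with a hypothetical, consistent programming error (every payment discounted one year too many). Comparing this year's total against last year's total passes, because the error is the same in both years, while independently recomputing a sample of records against the current assumptions (the check recommended later in the report) catches it. The interest rate, mortality rate, retiree records, tolerances and the nature of the error are all constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed valuation assumptions; not the DOD Office of the Actuary's.
INTEREST = 0.07   # annual valuation interest rate
QX = 0.03         # flat annual mortality rate
MAX_AGE = 110     # age beyond which no payments are assumed


@dataclass(frozen=True)
class Retiree:
    member_id: str
    age: int
    annual_benefit: float


def annuity_pv(age: int, benefit: float, extra_discount_years: int = 0) -> float:
    """Present value of a life annuity-due of `benefit` per year from `age`.

    extra_discount_years=0 is the correct calculation.  A value of 1 reproduces a
    hypothetical programming error that discounts every payment one year too far;
    because the error is identical in every valuation year, totals stay consistent
    year over year while every individual result is wrong.
    """
    v = 1.0 / (1.0 + INTEREST)
    pv, survival = 0.0, 1.0
    for t in range(MAX_AGE - age):
        pv += benefit * survival * v ** (t + extra_discount_years)
        survival *= 1.0 - QX
    return pv


def production_valuation(population: list[Retiree]) -> dict[str, float]:
    """Stand-in for the valuation program, carrying the hypothetical error."""
    return {r.member_id: annuity_pv(r.age, r.annual_benefit, extra_discount_years=1)
            for r in population}


def prior_year_total_check(prior_total: float, current_total: float,
                           tolerance: float) -> bool:
    """The only test the report says is available: this year's total vs. last year's."""
    return abs(current_total / prior_total - 1.0) <= tolerance


def independent_sample_check(population: list[Retiree], program_results: dict[str, float],
                             sample_ids: list[str], tolerance: float) -> list[str]:
    """The recommended test: recompute a sample of records independently of the
    program and of prior years.  Returns the IDs whose results disagree."""
    by_id = {r.member_id: r for r in population}
    failures = []
    for member_id in sample_ids:
        r = by_id[member_id]
        expected = annuity_pv(r.age, r.annual_benefit)   # independent recomputation
        if abs(program_results[member_id] - expected) > tolerance * expected:
            failures.append(member_id)
    return failures


def run_demo() -> tuple[bool, list[str]]:
    # Constructed populations: the same retirees one year apart, plus one new retiree.
    prior_year = [Retiree("R1", 60, 24000.0), Retiree("R2", 65, 20000.0),
                  Retiree("R3", 70, 18000.0), Retiree("R4", 75, 22000.0),
                  Retiree("R5", 80, 16000.0)]
    current_year = [Retiree(r.member_id, r.age + 1, r.annual_benefit) for r in prior_year]
    current_year.append(Retiree("R6", 61, 6000.0))

    prior_total = sum(production_valuation(prior_year).values())
    current_results = production_valuation(current_year)
    current_total = sum(current_results.values())

    # Year-over-year totals move only a few percent, so the prior-year test passes...
    passes_prior_year = prior_year_total_check(prior_total, current_total, tolerance=0.10)
    # ...while every independently recomputed record is off by about 6.5 percent.
    sample_failures = independent_sample_check(current_year, current_results,
                                               ["R2", "R4", "R6"], tolerance=0.01)
    return passes_prior_year, sample_failures


if __name__ == "__main__":
    ok, failures = run_demo()
    print(f"prior-year total check passed: {ok}")
    print(f"sample records failing independent recomputation: {failures}")
```

The point of the sample test is that its expected values are derived from the current assumptions alone, so an error carried forward from earlier valuations has no chance to cancel out.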


General EDP Controls       Significant weaknesses related to EDP access controls, security policies
Weaknesses                 and procedures, and program change controls expose the Fund’s systems
                           to unnecessary risk and diminish the reliability of its financial
                           management information. Access to pension fund participant information



                           Page 3                             GAO/AIMD-97-128 Military Retirement Trust Fund
B-277418




was not restricted to only those who required such access to perform their
jobs. In addition, the activities of individuals who were permitted access to
read or modify participant information were not adequately monitored.
For example, security violations were not being logged, the ability to use
previous passwords was not limited, and over 200 users were permitted to
read all data sets on the system. As a result, DOD did not have reasonable
assurance that the confidentiality of the data was protected.

Security policies and procedures were either not formalized at data
processing sites or, where they were formalized, the sites’ daily operations
were not in compliance. Many of the control features of the access control
software were not activated or the control parameters selected did not
adequately restrict access to only authorized users. For example,
procedures for both creating and deactivating user accounts were found to
be inconsistent and lacking documented guidance.

Features intended to identify users and their related computer activity
(audit trails) were not enabled; therefore, if unauthorized activity did
occur, there would be no system-generated audit trail to assist in a
subsequent investigation. For example, 22 systems users were able to
delete and modify files within a component of the operating system that is
intended to serve as an audit trail for security-related events. As a result,
they could inactivate the parameter that enables the auditing of security
events. Typically, system users would not be able to change or delete the
audit trail function.
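The access-control and audit-trail findings above, turned into a review script as an added example; this is not code from the GAO report, from KPMG, or from the Defense Manpower Data Center, and the report does not name the access control software involved. The permission dump format, data set names, user IDs, access-level vocabulary, approved-user lists and parameter names are all constructed. The script flags the four conditions the report describes: users who can read every data set, users who can write to or delete the audit trail, security violations and security-event auditing switched off, and no limit on reuse of previous passwords.

```python
from fnmatch import fnmatchcase

# Constructed permission dump: (user, data set name pattern, access level).
# A pattern of "*" means the entry applies to every data set on the system.
PERMISSIONS = [
    ("actuary01",  "PENSION.PARTICIPANT.*", "READ"),
    ("actuary02",  "PENSION.PARTICIPANT.*", "UPDATE"),
    ("sysprog01",  "*",                     "READ"),
    ("sysprog02",  "*",                     "ALTER"),
    ("operator07", "SYS1.AUDIT.LOG",        "UPDATE"),
    ("auditor01",  "SYS1.AUDIT.LOG",        "READ"),
    ("clerk19",    "*",                     "READ"),
]

# Constructed export of security-parameter settings.
SETTINGS = {
    "log_security_violations": False,
    "password_history": 0,        # previous passwords rejected on change; 0 = reuse allowed
    "audit_events_enabled": False,
}

AUDIT_TRAIL = "SYS1.AUDIT.LOG"                  # constructed audit-trail data set name
PARTICIPANT_DATA = "PENSION.PARTICIPANT.MASTER" # constructed participant data set name
ACCESS_ORDER = ["READ", "UPDATE", "CONTROL", "ALTER"]
WRITE_LEVELS = {"UPDATE", "CONTROL", "ALTER"}   # anything beyond read
READ_ALL_APPROVED = {"sysprog01"}               # documented need for read-all (constructed)
AUDIT_TRAIL_WRITE_APPROVED = set()              # nobody should be able to alter the audit trail


def effective_access(perms, user, dataset):
    """Highest access `user` holds on `dataset` across all matching patterns, or None."""
    best = None
    for u, pattern, level in perms:
        if u == user and fnmatchcase(dataset, pattern):
            if best is None or ACCESS_ORDER.index(level) > ACCESS_ORDER.index(best):
                best = level
    return best


def users_with_read_all(perms):
    """Users holding any access to every data set (the report's '200 users' finding)."""
    return sorted({u for u, pattern, _ in perms if pattern == "*"})


def writers_of(perms, dataset):
    """Users whose effective access to `dataset` lets them modify or delete it."""
    result = {}
    for user in sorted({u for u, _, _ in perms}):
        level = effective_access(perms, user, dataset)
        if level in WRITE_LEVELS:
            result[user] = level
    return result


def setting_findings(settings):
    """Parameter-level findings corresponding to the report's examples."""
    findings = []
    if not settings.get("log_security_violations", False):
        findings.append("security violations are not logged")
    if settings.get("password_history", 0) < 1:
        findings.append("reuse of previous passwords is not limited")
    if not settings.get("audit_events_enabled", False):
        findings.append("auditing of security events is disabled")
    return findings


def review(perms=PERMISSIONS, settings=SETTINGS):
    """Full access review; every non-empty value is an exception to least privilege."""
    audit_writers = writers_of(perms, AUDIT_TRAIL)
    return {
        "read_all_unapproved": [u for u in users_with_read_all(perms)
                                if u not in READ_ALL_APPROVED],
        "audit_trail_writers_unapproved": {u: lvl for u, lvl in audit_writers.items()
                                           if u not in AUDIT_TRAIL_WRITE_APPROVED},
        "participant_data_writers": sorted(writers_of(perms, PARTICIPANT_DATA)),
        "settings": setting_findings(settings),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Note that a wildcard grant shows up in the audit-trail finding even though no entry names the audit-trail data set directly; the review resolves effective access per data set rather than trusting the entries as written, which is what makes the "22 users could modify the audit trail" class of finding visible.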

There were no formal controls governing how changes to systems could
be made or who could make them. For the application system that
calculates the pension liability, no comprehensive change management
process has been developed. For the operating systems, although a change
management process exists, it lacks procedures to ensure that changes are
documented, tested, reviewed, and approved. Consequently, changes
could be introduced to the operating system that would facilitate
unauthorized access and those changes may not be detected promptly.

DOD has not developed, tested, and implemented a comprehensive disaster recovery plan at the sites that process Fund data. Should a disaster occur, DOD has no assurance that the computer facilities and operations or the actuarial operations necessary to support the Fund could be restored in a timely manner. The Fund may be at further risk since the application that performs the actuarial calculations, an application that may be sensitive to date changes, has not yet been assessed for Year 2000 impact.[1] In assessing risk, DOD must determine the impact of the year 2000 on its systems and applications and initiate realistic contingency plans to ensure continuity of business processes if systems or applications fail to operate at the turn of the century.
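The date-handling failure that a Year 2000 assessment looks for, as an added example that is not from the GAO report and does not describe the actuarial application's actual record layout: service years and record ordering computed from two-digit years go wrong as soon as the valuation year wraps from 99 to 00, and a pivot-year window restores four-digit arithmetic. The pivot year, the 20-year eligibility threshold and the member records are constructed for the demonstration.

```python
PIVOT_YY = 50                  # constructed window: 50..99 -> 1950..1999, 00..49 -> 2000..2049
REQUIRED_SERVICE_YEARS = 20    # constructed eligibility threshold for the demo

# Constructed member records: (member_id, two-digit year of entry into service)
RECORDS = [("M1", 75), ("M2", 85), ("M3", 99)]


def expand_two_digit_year(yy: int, pivot: int = PIVOT_YY) -> int:
    """Windowing fix: map a two-digit year onto a four-digit year using a pivot."""
    if not 0 <= yy <= 99:
        raise ValueError(f"not a two-digit year: {yy}")
    return 1900 + yy if yy >= pivot else 2000 + yy


def service_years_two_digit(entry_yy: int, valuation_yy: int) -> int:
    """What a two-digit-year application computes; negative once valuation_yy wraps to 00."""
    return valuation_yy - entry_yy


def service_years_windowed(entry_yy: int, valuation_yy: int) -> int:
    """Same computation after expanding both years through the window."""
    return expand_two_digit_year(valuation_yy) - expand_two_digit_year(entry_yy)


def eligible_two_digit(entry_yy: int, valuation_yy: int) -> bool:
    return service_years_two_digit(entry_yy, valuation_yy) >= REQUIRED_SERVICE_YEARS


def eligible_windowed(entry_yy: int, valuation_yy: int) -> bool:
    return service_years_windowed(entry_yy, valuation_yy) >= REQUIRED_SERVICE_YEARS


def sort_two_digit(years: list[int]) -> list[int]:
    """Chronological sort as a two-digit application does it: 00 sorts before 99."""
    return sorted(years)


def sort_windowed(years: list[int]) -> list[int]:
    return sorted(years, key=expand_two_digit_year)


def y2k_assessment(records, valuation_yy: int) -> list[tuple[str, int, int]]:
    """Run both computations over the records; return (id, two-digit, windowed)
    for every member whose service years or eligibility differ between them."""
    disagreements = []
    for member_id, entry_yy in records:
        naive = service_years_two_digit(entry_yy, valuation_yy)
        fixed = service_years_windowed(entry_yy, valuation_yy)
        if naive != fixed or eligible_two_digit(entry_yy, valuation_yy) != eligible_windowed(entry_yy, valuation_yy):
            disagreements.append((member_id, naive, fixed))
    return disagreements


if __name__ == "__main__":
    print("valuation year 97:", y2k_assessment(RECORDS, 97))   # no disagreements
    print("valuation year 00:", y2k_assessment(RECORDS, 0))    # every record wrong
    print("sort 99,00,01 two-digit:", sort_two_digit([99, 0, 1]), "windowed:", sort_windowed([99, 0, 1]))
```

A window only defers the problem to the pivot's horizon (here 2049), which is why an assessment should record the chosen pivot alongside the fix; storing four-digit years removes the ambiguity outright.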


Recommendations

We concur with all of the recommendations made by KPMG to address the actuarial process and EDP general controls weaknesses identified during the review. To improve the actuarial process, we recommend that you ensure that the Office of the Actuary

• documents annual data preparation and processing steps in a formal, detailed manual;
• determines the availability of complete data on inactive reservists;
• tests a sample of current valuation results independently from prior year results; and
• evaluates the efficiency of using the current spreadsheet analyses and documents those analyses.

                      To address the EDP general controls weaknesses, we recommend that you
                      ensure that the Defense Manpower Data Center

                  •   modifies the security program’s parameters to ensure participants’ data
                      and actuarial programs are protected and that security requirements
                      comply with regulations;
                  •   implements security features and parameters to ensure that unauthorized
                      access to systems is reduced and that audit trails are activated and
                      protected from unauthorized editing;
                  •   develops (or modifies) and implements security policies and procedures to
                      ensure that (1) all users are authorized and have only the necessary access
                      to facilities and data, (2) such access is reviewed periodically and removed
                      promptly when warranted, and (3) access violations are researched;
                  •   develops and implements comprehensive change management procedures
                      governing changes to both the Fund’s application programs and related
                      operating systems;
                  •   designs, develops, tests, and implements a comprehensive disaster
                      recovery plan; and

• formally assesses and documents the risk of the Year 2000 impact on the actuarial application and prepares contingency plans, if needed, to ensure operations are not disrupted.

[1] The Year 2000 problem is rooted in the way dates are recorded and computed in many computer systems. For the past several decades, systems have typically used two digits to represent the year, such as “97” representing 1997. With this two-digit format, the year 2000 is indistinguishable from 1900, 2001 from 1901, and so forth. As a result, system or application programs that use dates to perform calculations, comparisons, or sorting may generate incorrect results when working with years after 1999.

                         In addition, KPMG made other suggestions to address less significant
                         weaknesses and provided them to DOD personnel under separate cover. We
                         concur with those suggestions as well.


Agency Comments and Our Evaluation

In written comments on a draft of this report, DOD concurred with our recommendations to improve its actuarial process and EDP general controls. DOD’s response (see appendix II) cited numerous planned corrective actions to address the individual components of those recommendations. DOD’s corrective action plan addresses the weaknesses cited in our report.


                         You are required by 31 U.S.C. 720 to submit a written statement on actions
                         taken on these recommendations to the Senate Committee on
                         Governmental Affairs and the House Committee on Government Reform
                         and Oversight within 60 days of the date of this report. You must also send
                         a written statement to the House and Senate Committees on
                         Appropriations with the agency’s first request for appropriations made
                         over 60 days after the date of this report.

                         We are sending copies of this report to the Chairmen and Ranking
                         Minority Members of the Senate Committee on Armed Services, the House
                         Committee on National Security, the Senate Committee on Governmental
                         Affairs, and the House Committee on Government Reform and Oversight
and the Director of the Office of Management and Budget. We are also sending copies to the Acting Under Secretary of Defense (Comptroller) and the DOD Inspector General. Copies will be made available to others upon request. Please contact Molly Boyle, Assistant Director, Defense Audits, on (202) 512-9524 if you or your staff have any questions.

Sincerely yours,




Gene L. Dodaro
Assistant Comptroller General




Appendix I

Review of the Military Retirement Trust Fund’s Actuarial Model

[KPMG’s report to GAO occupies pages 8 through 17 of the original; its text is not captured in this rendition.]

Appendix II

Comments From the Department of Defense

[DOD’s written comments occupy pages 18 through 22 of the original; their text is not captured in this rendition.]
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov



