oversight

Audit of the Office of Personnel Management's Fiscal Year 2008 Consolidated Financial Statements

Published by the Office of Personnel Management, Office of Inspector General on 2008-11-14.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                                Washington, DC 20415


  Office of the
Inspector General
                                            November 14, 2008



                                                                            Report No. 4A-CF -00-08-025


            MEMORANDUM FOR HOWARD WEIZMANN                                                             (
                           Deputy Director                                             ~~
            FROM:	                   PATRICKF.McFARLAND
                                     Inspector General              p~
                                                                       ~~
            SUBJECT:	                Audit of the Office of Personnel Management's Fiscal Year
                                     2008 Consolidated Financial Statements


            This memorandum transmits KPMG LLP's (KPMG) report on its financial statement
            audit of the Office of Personnel Management's (OPM) Fiscal Year 2008 Consolidated
            Financial Statements and the results of the Office of the Inspector General'5 (OIG)
            oversight of the audit and review of that report. OPM's consolidated financial statements
            include the Retirement Program, Health Benefits Program, Life Insurance Program,
            Revolving Fund Programs (RF) and Salaries & Expenses funds (S&E).

            Audit Reports on Financial Statements, Internal Controls and Compliance
            with laws and Regulations

            The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576) requires OPM's Inspector
            General or an independent external auditor, as determined by the Inspector General, to
            audit the agency's financial statements in accordance with Government Auditing
            Standards (GAS) issued by the Comptroller General of the United States. We contracted
            with the independent certified public accounting firm KPMG LLP to audit OPM's
            consolidated financial statements as of September 30, 2008 and for the fiscal year then
            ended. The contract requires that the audit be performed in accordance with generally
            accepted government auditing standards and the Office of Management and Budget
            (OMB) bulletin number 07-04, Audit Requirementsfor Federal Financial Statements.

            KPMG's audit report for Fiscal Year 2008 includes: (I) opinions on the consolidated
            financial statements and the individual statements for the three benefit programs, (2) a




        www.opm.gov	
                       ~~~._-----_._--                .-   _-_   _- - - ­           .~-------                  -
                                                                                                WWW.U5ilJobs.gov
HOWARD WEIZMANN .                                                                            2


report on internal controls, and (3) a report on compl ianee with laws and regulations. In
its audit of OPM, KPMG found:

   •	   The consolidated financial statements were fairly presented, in all material

        respects, in conformity with generally accepted accounting principles.


   •	   There were no material weaknesses identified in the internal controls. A material
        weakness is a condition in which the design or operation of an internal control
        does not reduce to a relatively low level the risk that misstatements, in amounts
        that would be material in relation to the financial statements being audited, may
        occur and not be detected within a timely period.

        However, KPMG's report did identify two significant deficiencies:

               ~	   Information systems general control environment, and
               ~	   Financial management and reporting processes of the Office of the
                    Chief Financial Officer (OCFO). (Revolving Fund Program (RF
                    Program) and Salaries and Expenses (S&E) Fund)

        A significant deficiency represents a deficiency in the design or operation of
        internal controls that could adversely affect OPM's ability to record, process,
        summarize, and report financial data consistent with management assertions in the
        financial statements.

   •	   KPMG's report on compliance vlith certain provisions oflaws and regulations

        disclosed onc other matter related to the Federal Financial Management

        Improvement Act of 1996 (FFMIA) (RF and S&E only).


DIG Evaluation of KPMG's Audit Performance

In connection with the audit contract, we reviewed KPMG's report and related documentation
an,! made inquiries of its representatives regarding the audit. To fulfill our audit
responsibilities under the CFO Act for ensuring the quality of the audit work performed, we
conducted a review ofKPMG's audit ofOPM's Fiscal Year 2008 Consolidated Financial
Statements in accordance with GAS. Specifically, we:

   •	   reviewed KPMG's approach and plmming of the audit;
   •	   evaluated the qualifications and independence of its auditors;
   •	   monitored the progress of the audit at key points;
   •	   examined its working papers related to planning the audit and assessing internal
        controls over the financial reporting process;
   •	   reviewed KPMG's audit reports to ensurc compliance with Government Auditing
        Standards;
   •	   coordinated issuance of the audit report: and
   •	   performed other procedures we deemed necessary.
HOW ARD WEIZMAN1\.                                                                     3


Our review, as differentiated from an audit in accordance with generally accepted
government auditing standards, was not intended to enable us to express, and we do not
express, opinions on OPM's financial statements or internal controls or on whether OPM's
financial management systems substantially complied with FFMIA or conclusions on
compliance with laws and regulations. KPMG is responsible for the attached auditor's
rcpurt dated November 14, 2008, and the conclusions expressed in the report However,
our review disclosed no instances where KPMG did not comply, in all material respects,
with the generally accepted GAS.

In accordance with the OMB Circular A-50 and Public Law ·103-355, all audit findings
must be resolved within six months of the date of this report. In order to ensure audit
findings are resolved within the required six-month period, we are asking that the OCFO
respond directly to the OIG within 90 days of the date of this report advising us whether
they agree or disagree with the audit findings and recommendations. As stated in OMB
Circular A-50, where agreement is indicated, the OCFO should describe plmmed corrective
action. If the OCFO disagrees with any of the audit findings and recommendations, they
need to explain the reason for the disagreement and provide any additional documentation
that would support their opinion.

In closing, we woulcllike to congratulate OPM's financial management staff for once
agail1 issuing the consolidated financial statements by the November 15 due date. Their
professionalism, courtesy, and cooperation allowed us to overcome the many challenges
encountered during OPM's preparation, KPMG's aUdit, and the DIG's oversight of the
financial statement audit this year. If you have any questions about KPMG's audit or our
oversight, please contact me or have a member of your staff contact Michael R. Esser,
Assistant Inspector General for Audits, a t _

cc:	 Mark Reger
     Chief Financial Officer
                            KPMG llP
                            2001 M Street, NW
                            Washington. DC 20036




                              Independent Auditors' Report

Acting Director and Inspector General
U.S. Office of Personnel Management:

We have audited the accompanying consolidated balance sheets of the United States
(U.S.) Office of Personnel Management (OPM) as of September 30, 2008 and 2007, and
the related consolidated statements of net cost and changes in net position, and combined
statements of budgetary resources (hereinafter referred to as "consolidated financial
statements"), for the years then ended. We have also audited the individual balance
sheets of the Retirement, Health Benefits, and Life Insurance Programs (hereinafter
referred to as the "Programs") as of September 30, 2008 and 2007, and the related
individual statements of net cost, changes in net position, and budgetary resources
(hereinafter referred to as the Programs' "individual financial statements"), for the years
then ended.

The objective of our audits was to express an opinion on the fair presentation of these
consolidated and individual financial statements. In connection with our fiscal year 2008
audit, we also considered arM's and the Programs' internal controls over financial
reporting and tested OPM's and the Programs' compliance with certain provisions of
applicable laws, regulations, and contracts that could have a direct and material effect on
these consolidated and individual financial statements.

SUMMARY

As stated in our opinIOn on the financial statements, we concluded that OPM's
consolidated financial statements and the Programs' individual financial statements as of
and for the years ended September 30, 2008 and 2007, as presented in OPM's Fiscal
Year 2008 Agency Financial Report, are presented fairly, in all material respects, in
confonnity with U.s. generally accepted accounting principles.

As discussed in Note 17 to the financial statements, OPM changed its method of
accounting for presenting distributed offsetting receipts related· to the Postal Service
Retiree Health Benefits Fund in fiscal year 2008.

Our consideration of internal control over financial reporting resulted in the following
conditions being identified as significant deficiencies:

1.	    Infonnation systems general control environment. (OPM and the Programs)

2.	    Financial management and reporting processes of the Office of Chief Financial
       Officer (OCFO). (Revolving Fund Program (RF Program) and Salaries and
       Expenses (S&E) Fund)



                             l<PMG LLP. a U 5_ IImiled Iiabil(ty paHl1elship. is the US
                             member firm of KPMG Internalional, is' SWISS cooper8uve
However, none of the significant deficiencies are believed to be material
weaknesses.

The results of our tests of compliance with certain provisions of laws, regulations, and
contracts disclosed the following instance of noncompliance or other matter that are
required to be reported under Government Auditing Standards, issued by the Comptroller
General of the United States, and Office of Management and Budget (OMB) Bulletin No.
07-04, Audit Requirements for Federal Financial Statements:

3.	    Other matter related to Federal Financial Management Improvement Act (RF
       Program and S&E Fund)

The following sections discuss our opinion on OPM's consolidated financial statements
and the Programs' individual ~nancial statements; our consideration of OPM's and the
Programs' internal controls over financial reporting; our tests of OPM's and the
Programs' compliance with certain provisions of applicable laws, regulations, and
contracts; and management's and our responsibilities.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of the U.S. Office of
Personnel Management as of September 30, 2008 and 2007, and the related consolidated
statements of net cost, changes in net position, and the combined statements of budgetary
resources for the years then ended. We have also audited the individual balance sheets of
the Programs as of September 30, 2008 and 2007, and the related individual statements of
net cost, changes in net position, and budgetary resources for the years then ended. The
Programs' individual financial statements are included in the consolidating financial
statements presented in the Consolidating Financial Statements section of OPM's Fiscal
Year 2008 Agency Financial Report.

In our opinion, the consolidated financial statements referred to above present fairly, in
all material respects, the consolidated financial position of aPM and the financial
position of each of the Programs as of September 30, 2008 and 2007, and the
consolidated and individual Programs' net costs, changes in net position, and budgetary
resources, for the years then ended, in confonnity with U.S. generally accepted
accounting principles.

As discussed in Note 17 to the financial statements, aPM changed its method of
accounting for presenting distributed offsetting receipts related to the Postal Service
Retiree Health Benefits Fund in fiscal year 2008.

The infonnation in the Management Discussion and Analysis and Required
Supplementary Information sections of OPM's Fiscal Year 2008 Agency Financial
Report is not a required part of the consolidated financial statements, but is
supplementary information required by U.S. generally accepted accounting principles.
We have applied certain limited procedures, which consisted principally of inquiries of
management regarding the methods of measurement and presentation of this infonnation.
However, we did not audit this infonnation and, accordingly, we express no opinion on it.

Our audits were conducted for the purpose of forming an opinion on the consolidated
financial statements of aPM taken as a whole and on the Programs' individual financial
statements. The individual financial statements of the RF Program and S&E Fund
included in the Consolidating Financial Statements section of OPM's Fiscal Year 2008
Agency Financial Report (Schedules 1 through 4) are presented for purposes of additional
analysis of the consolidated financial statements rather than to present the financial
position, net costs, changes in net position, and budgetary resources of the individual RF
Program and S&E Fund. The financial statements of the RF Program and S&E Fund
have been subjected to the auditing procedures applied in the audit of the consolidated
financial statements of aPM and, in our opinion, are fairly stated in all material aspects
in relation to OPM's consolidated statements taken as a whole.

In addition, the consolidating Civil Service Retirement System (CSRS) and Federal
Employees Retirement System (FERS) information included in the consolidating
statement of net cost (Schedule 2) is presented for purposes of additional analysis of the
consolidated financial statements of OPM and the individual financial statements of the
Retirement Program rather than to present the net costs of the CSRS and FERS funds.
The consolidating CSRS and FERS infonnation have been subjected to the auditing
procedures applied in the audit of OPM's consolidated financial statements and the
individual financial statements of the Retirement Program, in our opinion is fairly stated
in all material respects in relation to OPM's consolidated statements of net cost and
changes in net position and combined statement of budgetary resources and the individual
statements of net cost and changes in net position and combining statement of budgetary
resources of the Retirement Program taken as a whole.

The information in the Other Accompanying Information, and Appendix A, included in
OPM's Fiscal Year 2008 Agency Financial Report, are presented for purposes of
additional an~lysis and are not required as part of the consolidated financial statements.
This infonnation has not been subjected to auditing procedures and, accordingly, we
express no opinion on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING

Our consideration of the internal control over financial reporting was for the limited
purpose described in the Responsibilities section of this report and would not necessarily
identify all deficiencies in the internal control over financial reporting that might be
significant deficiencies or material weaknesses.

A control deficiency exists when the design or operation of a control does not allow
management or employees, in the nonnal course of perfonning their assigned functions,
to prevent or detect misstatements on a timely basis. A significant deficiency is a control
deficiency, or combination of control deficiencies, that adversely affects OPM's or the
Programs' ability to initiate, authorize, record, process, or report financial data reliably in
accordance with U.S. generally accepted accounting principles such that there is more
than a remote likelihood that a misstatement of OPM's consolidated financial statements
or the Programs' individual financial statements that is more than inconsequential will
not be prevented or detected by OPM's or the Programs' internal control. A material
weakness is a significant deficiency, or combination of significant deficiencies, that
results in more than a remote likelihood that a material misstatement of the financial
statements will not be prevented or detected by OrM's or the Programs' internal control.

In our fiscal year 2008 audit, we consider the deficiencies described in Items 1 and 2
below to be significant deficiencies in internal control over financial reporting. However,
we believe that none of the significant deficiencies described below are material
weaknesses. Exhibit I presents the status of prior year significant deficiencies.

1.	 Information systems general control environment

The Office of the Chief Information Officer (OCIO) has made progress in addressing
information system general control deficiencies identified in previous years. However,
some deficiencies have not been fully addressed and consequently are not in full
compliance with authoritative guidance. Specifically, security policies and procedures
have not been updated to incorporate current authoritative guidance and the procedures
performed to certify and accredit certain financial systems were not complete. In
addition, we noted that application access permissions have not been fully documented to
describe the functional duties the access provides to assist management in reviewing the
appropriateness of system access. Also, we noted instances where background
investigations and security awareness training was not completed prior to access being
granted.

Recommendation

The acro should continue to update and implement entity-wide security policies and
procedures and provide more direction and oversight to Program Offices for completing
certification and accreditation requirements. In addition, documentation on application
access permissions should be enhanced and linked with functional duties and procedures
for granting logical access need to be refined to ensure access is granted only to
authorized individuals.

Management Response

aPM concurs with these findings and recommendations. The Center for Information
Services is updating the Information Security and Privacy Policy, approved September
28, 2007, and intends to take such additional actions as the following:

   •	  Clarifying roles and responsibilities in the certification and accreditation of
       systems;
    •	 Training the OPM's designated security officers in conducting certification and
       accreditation of systems and in the handling of plans of action and milestones ;
   •	 Reviewing and revising as necessary OPM's process for establishing new user
      access accounts;
   •	 Investigating tools that can be used to mask personally identifiable information in
      production use;
   •	 Documenting and implementing change control monitoring procedures for data
      base administrator activities; and
   •	 Beginning discussions with the staff of the OPM's Chief Financial Officer on how
      to establish and maintain functional descriptions.

2.	 Financial Management and Reporting Process of the Office of the Chief
    Financial Officer

Certain deficiencies in the operation of the OCFO's internal control over financial
management and reporting, affecting the accuracy of the RF Program and S&E Fund,
continue to exist at OPM. The Government Financial Information System (OFIS) i:.; not
designed properly to allow for:

a.	 Capture of certain financial information and is not properly configured to produce
    useful financial reports that provide accurate information regarding related
    intragovernmental activities and balances.
b.	 Reconciliations are not consistently or always clearly documented and are not always
    performed in a timely manner for the S&E Fund.
c.	 Unidentified differences from prior years continue to exist between Treasury and
    OFIS.

Further, because of system limitations, a number of correcting journal entries are
processed. Adequate supporting documentation is not always readily available for
correcting journal entries and there were instances where internal controls over
processing and approving of such entries were not consistently applied.

According to OMS Circular A-123, transactions should be promptly recorded, properly
classified, and accounted for in order to prepare timely accounts and reliable financial
and other reports. The documentation for transactions, management controls, and other
significant events must be clear and readily available for documentation.

Deficiencies in the ability to record, process, summarize and report financial data may
misstate financial information reported in the RF Program and S&E Fund.

Recommendation

The OCFO should continue implementation of its corrective action plan which should
reduce or eliminate the need for correcting journal entries. Further, we recommend that:


1.	 OPM implement a new accounting system or modifY the existing accounting system
    as appropriate to ensure that all financial information is properly captured and is
   properly configured to produce useful financial reports that provide accurate
   information regarding related intra-goverrunental activities and balances.
2.	 aPM continue to identify and correct existing differences between aPM's internal
    data and the information reported by Treasury. At such a time when no additional
    reductions can be identified, OPM should, in conjunction with appropriate oversight
    agencies, write down the remaining amount to clear the remaining FBWT balance.
3.	 aPM CFO management actively enforce procedures regarding the documentation of
    Salaries and Expense Fund reconciliations in accordance with guidelines outlined in
    the "Treasury Financial Manual" and OPM's "Cash Management Policy and
    Procedures."
4.	 aPM retain appropriate supporting documentation for correcting joumal entries and
    emphasis be made on the need to follow existing internal control policies and
    procedures.

Management Response

aPM acknowledges deficiencies in the GFIS system lIsed for the RF program and S&E
Fund accounts and concurs with KPMG's recommendations. While aPM has developed
and applies controls over journal voucher entries, the availability of supporting
documentation can be improved. aPM recently selected a new system integrator and
software solution, and has begun working toward implementation of the new aPM
accounting system. The new system will support the capture and reporting of all
financial information regarding related intra-governmental activities and balances.
Additionally, aPM continues to reconcile, identify and correct differences between
aPM's internal data and Treasury balances. The process and complete reconciliation has
not been completed but when the process is complete an adjusting entry will be processed
to \VTite-down the remaining amount to clear the fund balance with Treasury balance.
aPM OCFO management will continue to enforce procedures to document timely
reconciliations compliant with the Treasury Financial Manual and OPM's Cash
Management Policy and Procedures.

COMPLIANCE AND OTHER MATTERS

The results of our tests of compliance described in the Responsibilities section of this
report, exclusive of those referred to in the Federal Financial Management Improvement
Act of 1996 (FFMIA), disclosed no instances of noncompliance or other matters that are
required to be reported herein under Government Auditing Standards or aMB Bulletin
No. 07-04.

The results of our tests of FFMIA disclosed no instances in which aPM's or the
Programs' financial management systems did not substantially comply with the three
requirements discussed in the Responsibilities section of this report. The results of our
tests did disclose one other matter regarding FFMIA related to the RF Program and S&E
Funds, as described below.
3.	 Other matter related to Federal Financial Management Improvement Act of
    1996 (FFMIA)

a.	 United States Standard General Ledger at the Transaction Level-

   In accordance with OMB Circular A-127, Financial Management Systems, as
   amended, aPM is to record financial events consistent with the applicable definitions,
   attributes, and processing rules defined in the USSGL at the transaction leveL While
   improvements have been made, the OCFO does not consistently record RF Program
   and S&E Fund transactions at the USSGL level to support the RF Program and S&E
   Fund financial statements at the transaction leveL

Recommendation

We recommend that the OCFO should continue implementation of its corrective action
plan over the GFIS system and related processes and procedures to enable the OCFO to
account for the RF Program and S&E Fund's transactions in accordance with the USSGL
at the transaction level.

Management Response

OPM concurs with the recommendation. The OFIS financial system cannot be
reconfigured to meet fully the requirements of FFMIA. aPM recently selected a new
system integrator and software solution, and has begun working toward implementation
of the new aPM accounting system. The new system will support the capture and
reporting of all financial infonnation regarding related intra-governmental activities and
balances. OPM will ensure that the implementation of the financial system requirements
are in compliance with FFMIA.

                                       * * ** *
RESPONSIBILITIES

Management's Responsibilities. Management is responsible for the consolidated
financial statements of aPM and the individual financial statements of the Programs;
establishing and maintaining effective internal control; and complying with laws,
regulations, and contracts applicable to OPM.

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year
2008 and 2007 consolidated financial statements of aPM and the individual financial
statements of the Programs based on our audits. We conducted our audits in accordance
with auditing standards generally accepted in the United States of America; the standards
applicable to financial audits contained in Government Auditing Standards, issued by the
Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards
and OMB Bulletin No. 07-04 require that we plan and perfol1l1 the audits to obtain
reasonable assurance about whether the financial statements are free of material
misstatement. An audit includes consideration of internal control over financial reporting
as a basis for designing audit procedures that are appropriate in the circumstances, but not
for the purpose of expressing an opinion on the effectiveness of OPM's internal control
over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

•	 Examining, .on a test basis, evidence supporting the amounts and disclosures in the
   overall consolidated and Programs' individual financial statements;
•	 Assessing the accounting principles used and significant estimates made by
   management; and
•	 Evaluating the overall consolidated and Programs' individual financial statement
   presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2008 audit, we considered OPM's internal
control over financial reporting by obtaining an understanding of OPM's and the
Programs' internal control, determining whether internal controls had been placed in
operation, assessing control risk, and performing tests of controls as a basis for designing
our auditing procedures for the purpose of expressing our opinion on the consolidated
financial statements ofOPM and the individual financial statements of the Programs. We
did not test all internal controls relevant to operating objectives as broadly defined by the
Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to
express an opinion on the effectiveness of OPM's or the Programs' internal control over
financial reporting. Accordingly, we do not express an opinion on the effectiveness of
OPM's or the Programs' internal control over financial reporting.

As part of obtaining reasonable assurance about whether OPM's fiscal year 2008
consolidated and the Programs' fiscal year 2008 individual financial statements are free
of material misstatement, we performed tests of OPM's and the Programs' compliance
with certain provisions of laws, regulations, and contracts, noncompliance with which
could have a direct and material effect on the determination of the financial statement
amounts, and certain provisions of other laws and regulations specified in OMB Bulletin
No. 07-04, including certain provisions referred to in Section 803(a) of FFMIA. We
limited our tests of compliance to the provisions described in the preceding sentence, and
we did not test compliance with all laws, regulations, and contracts applicable to aPM
and the Programs. However, providing an opinion on compliance with laws, regulations,
and contracts was not an objective of our audit and, accordingly, we do not express such
an opinion.

We noted certain additional matters that we have reported to management of OPM in a
separate letter dated November 14,2008.
OPM's responses to the findings identified in our audit are presented for each finding as
Management Response, herein. We did not audit OPM's response and, accordingly, we
express no opinionoD it.

This report is intended solely for the infOlmation and use of OPM's management, OPM's
Office of Inspector General, OMB, the U.S. Government Accountability Office, and the
U.S. Congress and is not intended to be and should not be used by anyone other than
these specified parties.




November 14, 2008
                                                                                         Exhibit I

  No.    Title of Finding      Programl      Prior Year    "Current Year       Factors A[fceting '.
               from                  Fund,      Status         Status              Current
          FY07 Report                                                            Year Status
  1     Infonnation           AliI           Significant   Significant        aPM has made
        Systems General                      Deficiency    Deficiency - See   continual annual
        Control                                            FY 2008,           improvements to
        Environment                                        Condition No. I    Information Systems
                                                                              General Control
                                                                              Environment,
                                                                              however,
                                                                              deficiencies still
                                                                              exist.
  2     Financial             S&E; RF        Significant   Significant        aPM has made
        Management                           Deficiency    Deficiency         improvements,
        Reporting                                          - See FY 2008,     however,
        Processes of the                                   Condition No.2     deficiencies still exist
        Office of the Chief                                                   because of system
        Financial Officer                                                     limitations.
        (aCFO)




1. Includes the Retirement Program, Health Benefit Program (HBP), Life Insurance Program
   (LP), Revolving Fund (RF) Program and Salary and Expenses (S&E) Fund.