UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the Inspector General November 14, 2008 Report No. 4A-CF -00-08-025 MEMORANDUM FOR HOWARD WEIZMANN ( Deputy Director ~~ FROM: PATRICKF.McFARLAND Inspector General p~ ~~ SUBJECT: Audit of the Office of Personnel Management's Fiscal Year 2008 Consolidated Financial Statements This memorandum transmits KPMG LLP's (KPMG) report on its financial statement audit of the Office of Personnel Management's (OPM) Fiscal Year 2008 Consolidated Financial Statements and the results of the Office of the Inspector General'5 (OIG) oversight of the audit and review of that report. OPM's consolidated financial statements include the Retirement Program, Health Benefits Program, Life Insurance Program, Revolving Fund Programs (RF) and Salaries & Expenses funds (S&E). Audit Reports on Financial Statements, Internal Controls and Compliance with laws and Regulations The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576) requires OPM's Inspector General or an independent external auditor, as determined by the Inspector General, to audit the agency's financial statements in accordance with Government Auditing Standards (GAS) issued by the Comptroller General of the United States. We contracted with the independent certified public accounting firm KPMG LLP to audit OPM's consolidated financial statements as of September 30, 2008 and for the fiscal year then ended. The contract requires that the audit be performed in accordance with generally accepted government auditing standards and the Office of Management and Budget (OMB) bulletin number 07-04, Audit Requirementsfor Federal Financial Statements. KPMG's audit report for Fiscal Year 2008 includes: (I) opinions on the consolidated financial statements and the individual statements for the three benefit programs, (2) a www.opm.gov ~~~._-----_._-- .- _-_ _- - - .~------- - WWW.U5ilJobs.gov HOWARD WEIZMANN . 2 report on internal controls, and (3) a report on compl ianee with laws and regulations. In its audit of OPM, KPMG found: • The consolidated financial statements were fairly presented, in all material respects, in conformity with generally accepted accounting principles. • There were no material weaknesses identified in the internal controls. A material weakness is a condition in which the design or operation of an internal control does not reduce to a relatively low level the risk that misstatements, in amounts that would be material in relation to the financial statements being audited, may occur and not be detected within a timely period. However, KPMG's report did identify two significant deficiencies: ~ Information systems general control environment, and ~ Financial management and reporting processes of the Office of the Chief Financial Officer (OCFO). (Revolving Fund Program (RF Program) and Salaries and Expenses (S&E) Fund) A significant deficiency represents a deficiency in the design or operation of internal controls that could adversely affect OPM's ability to record, process, summarize, and report financial data consistent with management assertions in the financial statements. • KPMG's report on compliance vlith certain provisions oflaws and regulations disclosed onc other matter related to the Federal Financial Management Improvement Act of 1996 (FFMIA) (RF and S&E only). DIG Evaluation of KPMG's Audit Performance In connection with the audit contract, we reviewed KPMG's report and related documentation an,! made inquiries of its representatives regarding the audit. To fulfill our audit responsibilities under the CFO Act for ensuring the quality of the audit work performed, we conducted a review ofKPMG's audit ofOPM's Fiscal Year 2008 Consolidated Financial Statements in accordance with GAS. Specifically, we: • reviewed KPMG's approach and plmming of the audit; • evaluated the qualifications and independence of its auditors; • monitored the progress of the audit at key points; • examined its working papers related to planning the audit and assessing internal controls over the financial reporting process; • reviewed KPMG's audit reports to ensurc compliance with Government Auditing Standards; • coordinated issuance of the audit report: and • performed other procedures we deemed necessary. HOW ARD WEIZMAN1\. 3 Our review, as differentiated from an audit in accordance with generally accepted government auditing standards, was not intended to enable us to express, and we do not express, opinions on OPM's financial statements or internal controls or on whether OPM's financial management systems substantially complied with FFMIA or conclusions on compliance with laws and regulations. KPMG is responsible for the attached auditor's rcpurt dated November 14, 2008, and the conclusions expressed in the report However, our review disclosed no instances where KPMG did not comply, in all material respects, with the generally accepted GAS. In accordance with the OMB Circular A-50 and Public Law ·103-355, all audit findings must be resolved within six months of the date of this report. In order to ensure audit findings are resolved within the required six-month period, we are asking that the OCFO respond directly to the OIG within 90 days of the date of this report advising us whether they agree or disagree with the audit findings and recommendations. As stated in OMB Circular A-50, where agreement is indicated, the OCFO should describe plmmed corrective action. If the OCFO disagrees with any of the audit findings and recommendations, they need to explain the reason for the disagreement and provide any additional documentation that would support their opinion. In closing, we woulcllike to congratulate OPM's financial management staff for once agail1 issuing the consolidated financial statements by the November 15 due date. Their professionalism, courtesy, and cooperation allowed us to overcome the many challenges encountered during OPM's preparation, KPMG's aUdit, and the DIG's oversight of the financial statement audit this year. If you have any questions about KPMG's audit or our oversight, please contact me or have a member of your staff contact Michael R. Esser, Assistant Inspector General for Audits, a t _ cc: Mark Reger Chief Financial Officer KPMG llP 2001 M Street, NW Washington. DC 20036 Independent Auditors' Report Acting Director and Inspector General U.S. Office of Personnel Management: We have audited the accompanying consolidated balance sheets of the United States (U.S.) Office of Personnel Management (OPM) as of September 30, 2008 and 2007, and the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements"), for the years then ended. We have also audited the individual balance sheets of the Retirement, Health Benefits, and Life Insurance Programs (hereinafter referred to as the "Programs") as of September 30, 2008 and 2007, and the related individual statements of net cost, changes in net position, and budgetary resources (hereinafter referred to as the Programs' "individual financial statements"), for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated and individual financial statements. In connection with our fiscal year 2008 audit, we also considered arM's and the Programs' internal controls over financial reporting and tested OPM's and the Programs' compliance with certain provisions of applicable laws, regulations, and contracts that could have a direct and material effect on these consolidated and individual financial statements. SUMMARY As stated in our opinIOn on the financial statements, we concluded that OPM's consolidated financial statements and the Programs' individual financial statements as of and for the years ended September 30, 2008 and 2007, as presented in OPM's Fiscal Year 2008 Agency Financial Report, are presented fairly, in all material respects, in confonnity with U.s. generally accepted accounting principles. As discussed in Note 17 to the financial statements, OPM changed its method of accounting for presenting distributed offsetting receipts related· to the Postal Service Retiree Health Benefits Fund in fiscal year 2008. Our consideration of internal control over financial reporting resulted in the following conditions being identified as significant deficiencies: 1. Infonnation systems general control environment. (OPM and the Programs) 2. Financial management and reporting processes of the Office of Chief Financial Officer (OCFO). (Revolving Fund Program (RF Program) and Salaries and Expenses (S&E) Fund) l<PMG LLP. a U 5_ IImiled Iiabil(ty paHl1elship. is the US member firm of KPMG Internalional, is' SWISS cooper8uve However, none of the significant deficiencies are believed to be material weaknesses. The results of our tests of compliance with certain provisions of laws, regulations, and contracts disclosed the following instance of noncompliance or other matter that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements: 3. Other matter related to Federal Financial Management Improvement Act (RF Program and S&E Fund) The following sections discuss our opinion on OPM's consolidated financial statements and the Programs' individual ~nancial statements; our consideration of OPM's and the Programs' internal controls over financial reporting; our tests of OPM's and the Programs' compliance with certain provisions of applicable laws, regulations, and contracts; and management's and our responsibilities. OPINION ON THE FINANCIAL STATEMENTS We have audited the accompanying consolidated balance sheets of the U.S. Office of Personnel Management as of September 30, 2008 and 2007, and the related consolidated statements of net cost, changes in net position, and the combined statements of budgetary resources for the years then ended. We have also audited the individual balance sheets of the Programs as of September 30, 2008 and 2007, and the related individual statements of net cost, changes in net position, and budgetary resources for the years then ended. The Programs' individual financial statements are included in the consolidating financial statements presented in the Consolidating Financial Statements section of OPM's Fiscal Year 2008 Agency Financial Report. In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the consolidated financial position of aPM and the financial position of each of the Programs as of September 30, 2008 and 2007, and the consolidated and individual Programs' net costs, changes in net position, and budgetary resources, for the years then ended, in confonnity with U.S. generally accepted accounting principles. As discussed in Note 17 to the financial statements, aPM changed its method of accounting for presenting distributed offsetting receipts related to the Postal Service Retiree Health Benefits Fund in fiscal year 2008. The infonnation in the Management Discussion and Analysis and Required Supplementary Information sections of OPM's Fiscal Year 2008 Agency Financial Report is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this infonnation. However, we did not audit this infonnation and, accordingly, we express no opinion on it. Our audits were conducted for the purpose of forming an opinion on the consolidated financial statements of aPM taken as a whole and on the Programs' individual financial statements. The individual financial statements of the RF Program and S&E Fund included in the Consolidating Financial Statements section of OPM's Fiscal Year 2008 Agency Financial Report (Schedules 1 through 4) are presented for purposes of additional analysis of the consolidated financial statements rather than to present the financial position, net costs, changes in net position, and budgetary resources of the individual RF Program and S&E Fund. The financial statements of the RF Program and S&E Fund have been subjected to the auditing procedures applied in the audit of the consolidated financial statements of aPM and, in our opinion, are fairly stated in all material aspects in relation to OPM's consolidated statements taken as a whole. In addition, the consolidating Civil Service Retirement System (CSRS) and Federal Employees Retirement System (FERS) information included in the consolidating statement of net cost (Schedule 2) is presented for purposes of additional analysis of the consolidated financial statements of OPM and the individual financial statements of the Retirement Program rather than to present the net costs of the CSRS and FERS funds. The consolidating CSRS and FERS infonnation have been subjected to the auditing procedures applied in the audit of OPM's consolidated financial statements and the individual financial statements of the Retirement Program, in our opinion is fairly stated in all material respects in relation to OPM's consolidated statements of net cost and changes in net position and combined statement of budgetary resources and the individual statements of net cost and changes in net position and combining statement of budgetary resources of the Retirement Program taken as a whole. The information in the Other Accompanying Information, and Appendix A, included in OPM's Fiscal Year 2008 Agency Financial Report, are presented for purposes of additional an~lysis and are not required as part of the consolidated financial statements. This infonnation has not been subjected to auditing procedures and, accordingly, we express no opinion on it. INTERNAL CONTROL OVER FINANCIAL REPORTING Our consideration of the internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and would not necessarily identify all deficiencies in the internal control over financial reporting that might be significant deficiencies or material weaknesses. A control deficiency exists when the design or operation of a control does not allow management or employees, in the nonnal course of perfonning their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects OPM's or the Programs' ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of OPM's consolidated financial statements or the Programs' individual financial statements that is more than inconsequential will not be prevented or detected by OPM's or the Programs' internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by OrM's or the Programs' internal control. In our fiscal year 2008 audit, we consider the deficiencies described in Items 1 and 2 below to be significant deficiencies in internal control over financial reporting. However, we believe that none of the significant deficiencies described below are material weaknesses. Exhibit I presents the status of prior year significant deficiencies. 1. Information systems general control environment The Office of the Chief Information Officer (OCIO) has made progress in addressing information system general control deficiencies identified in previous years. However, some deficiencies have not been fully addressed and consequently are not in full compliance with authoritative guidance. Specifically, security policies and procedures have not been updated to incorporate current authoritative guidance and the procedures performed to certify and accredit certain financial systems were not complete. In addition, we noted that application access permissions have not been fully documented to describe the functional duties the access provides to assist management in reviewing the appropriateness of system access. Also, we noted instances where background investigations and security awareness training was not completed prior to access being granted. Recommendation The acro should continue to update and implement entity-wide security policies and procedures and provide more direction and oversight to Program Offices for completing certification and accreditation requirements. In addition, documentation on application access permissions should be enhanced and linked with functional duties and procedures for granting logical access need to be refined to ensure access is granted only to authorized individuals. Management Response aPM concurs with these findings and recommendations. The Center for Information Services is updating the Information Security and Privacy Policy, approved September 28, 2007, and intends to take such additional actions as the following: • Clarifying roles and responsibilities in the certification and accreditation of systems; • Training the OPM's designated security officers in conducting certification and accreditation of systems and in the handling of plans of action and milestones ; • Reviewing and revising as necessary OPM's process for establishing new user access accounts; • Investigating tools that can be used to mask personally identifiable information in production use; • Documenting and implementing change control monitoring procedures for data base administrator activities; and • Beginning discussions with the staff of the OPM's Chief Financial Officer on how to establish and maintain functional descriptions. 2. Financial Management and Reporting Process of the Office of the Chief Financial Officer Certain deficiencies in the operation of the OCFO's internal control over financial management and reporting, affecting the accuracy of the RF Program and S&E Fund, continue to exist at OPM. The Government Financial Information System (OFIS) i:.; not designed properly to allow for: a. Capture of certain financial information and is not properly configured to produce useful financial reports that provide accurate information regarding related intragovernmental activities and balances. b. Reconciliations are not consistently or always clearly documented and are not always performed in a timely manner for the S&E Fund. c. Unidentified differences from prior years continue to exist between Treasury and OFIS. Further, because of system limitations, a number of correcting journal entries are processed. Adequate supporting documentation is not always readily available for correcting journal entries and there were instances where internal controls over processing and approving of such entries were not consistently applied. According to OMS Circular A-123, transactions should be promptly recorded, properly classified, and accounted for in order to prepare timely accounts and reliable financial and other reports. The documentation for transactions, management controls, and other significant events must be clear and readily available for documentation. Deficiencies in the ability to record, process, summarize and report financial data may misstate financial information reported in the RF Program and S&E Fund. Recommendation The OCFO should continue implementation of its corrective action plan which should reduce or eliminate the need for correcting journal entries. Further, we recommend that: 1. OPM implement a new accounting system or modifY the existing accounting system as appropriate to ensure that all financial information is properly captured and is properly configured to produce useful financial reports that provide accurate information regarding related intra-goverrunental activities and balances. 2. aPM continue to identify and correct existing differences between aPM's internal data and the information reported by Treasury. At such a time when no additional reductions can be identified, OPM should, in conjunction with appropriate oversight agencies, write down the remaining amount to clear the remaining FBWT balance. 3. aPM CFO management actively enforce procedures regarding the documentation of Salaries and Expense Fund reconciliations in accordance with guidelines outlined in the "Treasury Financial Manual" and OPM's "Cash Management Policy and Procedures." 4. aPM retain appropriate supporting documentation for correcting joumal entries and emphasis be made on the need to follow existing internal control policies and procedures. Management Response aPM acknowledges deficiencies in the GFIS system lIsed for the RF program and S&E Fund accounts and concurs with KPMG's recommendations. While aPM has developed and applies controls over journal voucher entries, the availability of supporting documentation can be improved. aPM recently selected a new system integrator and software solution, and has begun working toward implementation of the new aPM accounting system. The new system will support the capture and reporting of all financial information regarding related intra-governmental activities and balances. Additionally, aPM continues to reconcile, identify and correct differences between aPM's internal data and Treasury balances. The process and complete reconciliation has not been completed but when the process is complete an adjusting entry will be processed to \VTite-down the remaining amount to clear the fund balance with Treasury balance. aPM OCFO management will continue to enforce procedures to document timely reconciliations compliant with the Treasury Financial Manual and OPM's Cash Management Policy and Procedures. COMPLIANCE AND OTHER MATTERS The results of our tests of compliance described in the Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards or aMB Bulletin No. 07-04. The results of our tests of FFMIA disclosed no instances in which aPM's or the Programs' financial management systems did not substantially comply with the three requirements discussed in the Responsibilities section of this report. The results of our tests did disclose one other matter regarding FFMIA related to the RF Program and S&E Funds, as described below. 3. Other matter related to Federal Financial Management Improvement Act of 1996 (FFMIA) a. United States Standard General Ledger at the Transaction Level- In accordance with OMB Circular A-127, Financial Management Systems, as amended, aPM is to record financial events consistent with the applicable definitions, attributes, and processing rules defined in the USSGL at the transaction leveL While improvements have been made, the OCFO does not consistently record RF Program and S&E Fund transactions at the USSGL level to support the RF Program and S&E Fund financial statements at the transaction leveL Recommendation We recommend that the OCFO should continue implementation of its corrective action plan over the GFIS system and related processes and procedures to enable the OCFO to account for the RF Program and S&E Fund's transactions in accordance with the USSGL at the transaction level. Management Response OPM concurs with the recommendation. The OFIS financial system cannot be reconfigured to meet fully the requirements of FFMIA. aPM recently selected a new system integrator and software solution, and has begun working toward implementation of the new aPM accounting system. The new system will support the capture and reporting of all financial infonnation regarding related intra-governmental activities and balances. OPM will ensure that the implementation of the financial system requirements are in compliance with FFMIA. * * ** * RESPONSIBILITIES Management's Responsibilities. Management is responsible for the consolidated financial statements of aPM and the individual financial statements of the Programs; establishing and maintaining effective internal control; and complying with laws, regulations, and contracts applicable to OPM. Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2008 and 2007 consolidated financial statements of aPM and the individual financial statements of the Programs based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and OMB Bulletin No. 07-04 require that we plan and perfol1l1 the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of OPM's internal control over financial reporting. Accordingly, we express no such opinion. An audit also includes: • Examining, .on a test basis, evidence supporting the amounts and disclosures in the overall consolidated and Programs' individual financial statements; • Assessing the accounting principles used and significant estimates made by management; and • Evaluating the overall consolidated and Programs' individual financial statement presentation. We believe that our audits provide a reasonable basis for our opinion. In planning and performing our fiscal year 2008 audit, we considered OPM's internal control over financial reporting by obtaining an understanding of OPM's and the Programs' internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements ofOPM and the individual financial statements of the Programs. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of OPM's or the Programs' internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of OPM's or the Programs' internal control over financial reporting. As part of obtaining reasonable assurance about whether OPM's fiscal year 2008 consolidated and the Programs' fiscal year 2008 individual financial statements are free of material misstatement, we performed tests of OPM's and the Programs' compliance with certain provisions of laws, regulations, and contracts, noncompliance with which could have a direct and material effect on the determination of the financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, including certain provisions referred to in Section 803(a) of FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, and contracts applicable to aPM and the Programs. However, providing an opinion on compliance with laws, regulations, and contracts was not an objective of our audit and, accordingly, we do not express such an opinion. We noted certain additional matters that we have reported to management of OPM in a separate letter dated November 14,2008. OPM's responses to the findings identified in our audit are presented for each finding as Management Response, herein. We did not audit OPM's response and, accordingly, we express no opinionoD it. This report is intended solely for the infOlmation and use of OPM's management, OPM's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties. November 14, 2008 Exhibit I No. Title of Finding Programl Prior Year "Current Year Factors A[fceting '. from Fund, Status Status Current FY07 Report Year Status 1 Infonnation AliI Significant Significant aPM has made Systems General Deficiency Deficiency - See continual annual Control FY 2008, improvements to Environment Condition No. I Information Systems General Control Environment, however, deficiencies still exist. 2 Financial S&E; RF Significant Significant aPM has made Management Deficiency Deficiency improvements, Reporting - See FY 2008, however, Processes of the Condition No.2 deficiencies still exist Office of the Chief because of system Financial Officer limitations. (aCFO) 1. Includes the Retirement Program, Health Benefit Program (HBP), Life Insurance Program (LP), Revolving Fund (RF) Program and Salary and Expenses (S&E) Fund.
Audit of the Office of Personnel Management's Fiscal Year 2008 Consolidated Financial Statements
Published by the Office of Personnel Management, Office of Inspector General on 2008-11-14.
Below is a raw (and likely hideous) rendition of the original report. (PDF)