oversight

Audit of the Office of Personnel Management's Fiscal Year 2009 Consolidated Financial Statements

Published by the Office of Personnel Management, Office of Inspector General on 2009-11-13.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                                 Washington, DC 20415

                                              November 13, 2009
  Office of the
Inspector General




                                                                          Report No. 4A-CF-00-09-037


             MEMORANDUM FOR JOHN BERRY
                            Director                                                               A
             FROM: 	                  PATRTCKE.McFARLAND                 ff";-: J £:1//~·                         I
                                      Inspector General                 ? ~
             SUBJECT: 	               Audit of the Office of Personnel Management's Fiscal Year
                                      2009 Consolidated Financial Statements


             This memorandum transmits KPMG LLP's (KPMG) report on its financial statement
             audit of the Office of Personnel Management's (OPM) Fiscal Year 2009 Consolidated
             Financial Statements and the results of the Office of the Inspector General's (OIG)
             oversight of the audit and review of that rep0I1. aPM' s consolidated financial slatemepts
             include the Retirement Program, Health Benefits Program, Life Insurance Program,
             Revolving Fund Programs (RF) and Salaries & Expenses funds (S&E).

             Audit Reports on Financial Statements, Internal Controls and Compliance
             with Laws and Regulations

             The Chief Financial Officers (CFO) Act of 1990 (PL. 10] -576) requires OPM's Inspector
             General or an independent external auditor, as determined by the Inspector General, to
             audit the agency's financial statements in accordance with Government Auditing
             Standards (GAS) issued by the Comptroller General of the United States. We contracted
             with the independent certified public accounting finn KPMG LLP to audit OPM's
             consolidated financial statements as of September 30, 2009 and for the fiscal year then
             ended. The contract requires that the audit be performed in accordance with generally
             accepted government auditing standards and the Office of Management and Budget
             (OMB) bulletin number 07-04, Audit Requirementsfor Federal Financial Statements.

             KPMG's audit rep0l1 for Fiscal Year 2009 includes: (l) opinions on the consolidated
             financial statements and the individual statements for the three benefit programs, (2) a




                                                                                                www.usajobs.gov
JOHN BERRY                                                                                      2


report on internal controls, and (3) a report on compji(,ll1ce vvith laws and regulations. In
its audit of OPM, KPMG found:

   • 	 The consolidated financial statements were fairly presented, in all material 

       respects, in conformity .with generally accepted accounting principles. 


   • 	 There were no material weaknesses identified in the internal controls. A material
       weakness is a deficiency, or combination of deficiencies, in internal control, such
       that there is a reasonable possibility that a material misstatement of the entity's
       financial statements will not be prevented, or detected and corrected on a timely
       basis.

         However, KPMG's report did identify two significant deficiencies:

                >-   Information systems general control environment (OrM and the
                     Programs), and
                »    financial management and reporting processes of the Office of the
                     Chief Financial Officer (OCrO). (Rf Program and S&E Fund)

         A significant deficiency is a deficiency, or combination of deficiencies, in internal
         control that is less severe than a material weakness, yet important enough to fnel'll
         attention by those charged with governance.

    • 	 KPMG's report on compliance with certain provisions of laws and regulations 

        disclosed one other matter related to the Federal Financial Management 

        Improvement Act of 1996 (FFMIA). (RF Program and S&E Fund) 


DIG Evaluation of KPMG's Audit Performance

In connection with the audit contract, we reviewed KPMG's report and related documentation
and made inquiries of its representatives regarding the audit. To fulfill our audit
responsibilities under the CFO Act for ensuring the quality of the audit work performed . we
conducted a review ofKPMG's audit of OPM's Fiscal Year 2009 Consolidated Financial
Statements in accordance with GAS. Specifically, we:

    •	  reviewed KPMG's approach and planning of the audit;
    •	  evaluated the qualifications and independence of its auditors;
    •	  monitored the progress of the audit at key points;
    •	  examined its working papers related to planning the audit and assessing internal
        controls over the financial reporting process;
    • 	 reviewed KPMG's audit reports to ensure compliance with Government Auditing
        Standards;
    • 	 coordinated issuance of the audit report; and
    • 	 performed other procedures we deemed necessary.
JOHN BERRY


Our review, as differentiated [rom an audit in accordance with generally accepted
government auditing standards, was not intended to enable us to express, and we do not
express, opinions on OPM's financial statements or internal controls or on whether OPM's
financial management systems substantially complied with FFMIA or conclusions on
compliance with laws and regulations. KPMG is responsible for the attached auditor's
report dated November 10, 2009, and the conclusions expressed in the report. How'ever,
our review disclosed no instances where KPMG did not comply, in all material respects,
with the generally accepted GAS.

In accordance with the OMB Circular A-50 and Public Lmv 103-355, all audit findings
must be resolved within six months of the date of this report. ]n order to ensure audit
                                                                                acro
findings are resolved within the required six-month period, we me asking that the
respond directly to the OIG within 90 days of the date of this report advising us whether
they agree or disagree with the audit findings and recommendations. As slaled in OMB
Circular A-50, where agreement is indicated, the OCFO should describe planned corrective
action. If the OeFO disagrees with any of the audit findings and recommendations, they
need to explain the reason for thc disagreement and provide any additional documentation
that would support their opinion.

In closing, we would like to congratulate OPM's financial management staff for once
agnin issuing the consolidated financial statements by the November] 6 due date. Their
professionalism, comtcsy, and cooperation allowed us to overcome the many challenges
cncountered during OPM's preparation, KPMG's audit, anel the OIG's oversight of the
financini statement audit this year. If you have any questions about KPMG's audit or our
oversight, please contact me or have a member of your staff contact Micbael R. Esser,
Assistantlnspcclor General for Audits, at 606-2143.

cc: 	Mark Reger
     Chief Financial Officer
                             KPMG LLP
                             2001 M Street. NW
                             Washington, DC 20036




                                Independent Auditors' Report


Director and Inspector General 

U,S. Office of Personnel Management: 


We have audited the accompanying consolidated balance sheets of the United States
(U.S.) Office of Personnel Management (OPM) as of September 30, 2009 and 2008, and
the related consolidated statements of net cost and changes in net position, and combined
statements of budgetary resources (hereinafter referred to as "consolidated financial
statements"), for the years then ended. We have also audited the individual balance
sheets of the Retirement, Health Benefits, and Life Insurance Programs (hereinafter
referred to as the "Programs") as of September 30, 2009 and 2008, and the related
individual statements of net cost, changes in net position, and budgetary resources
(hereinafter referred to as the Programs' "individual financial statements"), for the years
then ended.

The objective of our audits was to express an opinion on the fair presentation of these
consolidated and individual financial statements. In connection with our fiscal year 2009
audit, we also considered OPM's and the Programs' internal controls over financial
reporting and tested OPM's and the Programs' compliance with certain provisions of
applicable laws, regulations, and contracts that could have a direct and material effect on
these consolidated and individual financial statements.

SUMMARY

As stated in our OpIniOn on the financial statements, we concluded that OPM's
consolidated financial statements and the Programs' individual financial statements as of
and for the years ended September 30, 2009 and 2008, are presented Hiidy, in all material
respects, in conformity with U.S. generally accepted accounting principles.

Our consideration of internal control over financial reporting resulted in identifying
certain deficiencies that we consider to be significant deficiencies, as follows:

1. 	   Information systems general control environment. (OPM and the Programs)

2. 	   Financial management and reporting processes of the Office of Chief Financial
       Officer (OCFO). (Revolving Fund Program (RF Program) and Salaries and
       Expenses (S&E) Fund)

We did not identify any deficiencies in internal control over financial reporting that we
consider to be material weaknesses as defined in the Internal Control Over Financial
Reporting section of this report.



                              I ~, " , I I ~ I .   I', J   ,   I I'.   J   I       .' ~ ,•. '"   L- ,- '.   "I
                             r""',,     •• ; :ll    .' ~q~':', I~.I,           .   I' '11,1      I ~ .•.. _:,    ,",'
The results of our tests of compliance with certain provisions of laws, regulations, and
contracts disclosed the following instance of noncompliance or other matter that is
required to be reported under Government Auditing Standard'), issued by the Comptroller
General of the United States, and Office of Management and Budget (OMS) Bulletin No.
07-04, Audit Requirements.fin· F~deral Financial Statements, as amended:

3. 	   Other matter related to Federal Financial Management Improvement Act (RF
       Program and S&E Fund)

The following sections discuss our opinion on OPM's consolidated financial statements
and the Programs' individual financial statements; our consideration of OPM's and the
Programs' internal controls over financial reporting; our tests of OPM's and the
Programs' compliance with certain provisions of applicable laws, regulations, and
contracts; and management's and our responsibilities.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of the U.S. Office of
Personnel Management as of September 30, 2009 and 2008, and the related consolidated
statements of net cost, changes in net position. and the combined statements of budgetary
resources for the years then ended. We have also audited the individual balance sheets of
the Programs as of September 30, 2009 and 2008, and the related individual statements of
net cost, changes in net position, and budgetary resources for the years then ended. The
Programs' individual financial statements are included in the consolidating financial
statements presented in the Consolidating Financial Statements section of OPM's Fiscal
Year 2009 Agency Financial Report.

In our opinion, the consolidated financial statements referred to above present fairly, in
all material respects, the consolidated financial position of OPM and the financial
position of each of the Programs as of September 30, 2009 and 2008, and the
consolidated and individual Programs' net costs, changes in net position, and budgetary
resources, for the years then ended, in conformity with U.S. generally accepted
accounting principles.

The infonnation in the Management Discllssion and Analysis and Required
Supplementary Infonnation sections of OPM's Fiscal Year 2009 Agency Financial
Report is not a required part of the consolidated financial statements, but is
supplementary infonnation required by U.S. generally accepted accounting principles.
We have applied certain limited procedures, which consisted principally of inquiries of
management regarding the methods of measurement and presentation of this information.
However, we did not audit this infonnation and, accordingly, we express no opinion on it.

Our audits were conducted for the purpose of forming an opinion on the consolidated
financial statements of aPM taken as a whole and on the Programs' individual financial
statements. The individual financial statements of the RF Program and S&E Fund
included in the Consolidating Financial Statements section of OPM's Fiscal Year 2009
Agency Financial Report (Schedules 1 through 4) are presented for purposes of additional
analysis of the consolidated financial statements rather than to present the financial
position, net costs, changes in net position, and budgetary resources of the individual RF
Program and S&E Fund. The financial statements of the RF Program and S&E Fund
have been subjected to the auditing procedures applied in the audit of the consolidated
financial statements of OPM and, in our opinion, are fairly stated in all material aspects
in relation to OPM's consolidated statements taken as a whole.

In addition, the Civil Service Retirement System (CSRS) and Federal Employees
Retirement System (FERS) statement of net cost infOtmation included in the
consolidating statement of net cost (Schedule 2) is presented for purposes of additional
analysis of the consolidated financial statements of OPM and the individual financial
statements of the Retirement Program rather than to present the net costs of the CSRS
and FERS funds. The CSRS and FERS statement of net cost information has been
subjected to the auditing procedures applied in the audit of OPM's consolidated financial
statements and the individual financial statements of the Retirement Program, and in our
opinion is fairly stated in all material respects in relation to OPM's consolidated
statements of net cost and the individual statement of net cost of the Retirement Program
taken as a whole.

The information in the Other Accompanying Information, and Appendix A, included in
OPM's Fiscal Year 2009 Agency Financial Report, are presented for purposes of
additional analysis and are not required as part of the consolidated financial statements.
This information has not been subjected to auditing procedures and, accordingly, we
express no opinion on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING

Our consideration of the internal control over financial reporting was for the limited
purpose described in the Responsibi lities section of this report and would not necessarily
identify all deficiencies in the internal control over financial reporting that might be
deficiencies, significant deficiencies or material weaknesses.

A deficiency in internal control exists when the design or operation of a control does not
allow management or employees, in the nonnal course of performing their assigned
functions, to prevent or detect misstatements on a timely basis. A significant deficiency
is a deficiency, or combination of deficiencies, in internal control that is less severe than
a material weakness, yet important enough to merit attention by those charged with
governance. A material weakness is a deficiency, or combination of deficiencies, in
internal control, such that there is a reasonable possibility that a material misstatement of
the entity's financial statements will not be prevented, or detected and corrected on a
timely basis.

[n our fiscal year 2009 audit, we did not identify any deficiencies in internal control over
financial reporting that we consider to be material weaknesses as defined above.
However, we identified certain deficiencies in internal control over financial reporting
that we consider to be significant deficiencies and that are described in Items 1 and 2
below. Exhibit 1 presents the status of prior year significant deficiencies.

I. 	 Information systems   gener~1   control environment

Information system general control deficiencies identified in previous years related to
OPM and the Programs continue to persist or have not been fully addressed and
consequently are not in full compliance with authoritative guidance. Specifically, security
policies and procedures, including drafting risk assessment and security plans, have not
been updated to incorporate current authoritative guidance, sufficient independent
oversight of certain certification and accreditation activities are not consistently
perfOlmed, and the procedures performed to certify and accredit certain financial systems
were not complete. In addition, we noted that application access penn iss ions have not
been fully documented to describe the functional duties the access provides to assist
management in reviewing the appropriateness of system access, instances where
background investigations and security awareness training was not completed prior to
access being granted, and certain weaknesses in granting access to application and
physical access to system resources. Finally, we found that the Plans of Actions and
Milestones (POA&M) were not always accurate and complete.

Recommendation

The ocro should continue to update and implement entity-wide security policies and
procedures and provide more direction and oversight to Program Offices for completing
and appropriately overseeing certification and accreditation requirements and activities.
In addition, documentation on application access permissions should be enhanced and
linked with functional duties and procedures for granting logical and physical access
needs to be refined to ensure access is granted only to authorized individuals. Finally,
policies and procedures should be developed and implemented to ensure POA&Ms are
accurate and complete.

Management Response

OPM concurs with these findings and recommendations. The Center for Infonnation
Services intends to take such additional actions as the following:

   • 	 Clarifying roles and responsibilities in the certification and accreditation of
       systems;
   • 	 Training the OPM's designated security officers in conducting certification and
       accreditation of systems and in the handling of plans of action and milestones;
   • 	 Reviewing and revising as necessary OPM's process for establishing new user
       access accounts;
   • 	 Investigating tools that can be used to mask personally identifiable infonnation in
       production use;
   • 	 Documenting and implementing change control monitoring procedures for data
       base administrator activities; and
   • 	 Beginning discussions with the staff of the OPM's Chief Financial Officer on how
       to establish and maintain functional descriptions.

2. 	 Financial Management and Reporting Process of the Office of the Chief
     Financial Officer

Certain deficiencies in the operation of the OCFO's internal control over financial
management and reporting, affecting the accuracy of the RF Program and S&E Fund,
continue to exist at OPM. The Government Financial Infonnation System (GFIS) is not
designed properly to allow for:

a. Capture of certain financial infonnation and is not properly configured to produce
   useful financial reports that provide accurate infonnation regarding related
   intragovemmental activities and balances.
b. Reconciliations are not consistently or always clearly documented and are not always
   perfonned in a timely manner for the S&E Fund.
c. Unidentified differences from prior years continue to exist between Treasury and
   GFIS.

According to OMB Circular A~ 123, transactions should be promptly recorded, properly
classified, and accounted for in order to prepare timely accounts and reliable financial
and other reports. The documentation for transactions, management controls, and other
significant events must be clear and readily available for documentation.

Deficiencies in the ability to record, process, summarize and report financial data may
misstate financial infonnation reported in the RF Program and S&E Fund.

Recommendation

The OeFO should continue implementation of its corrective action plan which should
reduce or eliminate the need for correcting journal entries. Further, we recommend that

l. 	 OPM complete the implementation of a new accounting system to ensure that all
     financial infonnation is properly captured and is properly configured to produce
     useful financial reports that provide accurate information regarding related intra~
     governmental activities and balances.
2. 	 OPM continue to identify and correct existing differences between OPM's internal
     data and the intonnation reported by Treasury. At such a time when no additional
     reductions can be identified, OPM should, in conjunction with appropriate oversight
     agencies, write down the remaining amount to clear the remaining Fund Balance with
     Treasury balance.
3. 	 OPM CFO management actively enforce procedures regarding the documentation of
     Salaries and Expense Fund reconciliations in accordance with guidelines outlined in
   the "Treasury Financial Manual" and OPM's "Cash Management Policy and
   Procedures. "

Management Response

OPM acknowledges deficiencies in the GFIS system used for the Revolving Fund and
Salaries and Expenses accounts and concurs with KPMG's recommendations. Beginning
in fiscal year 2010, OPM migrated to a new software solution. OPM worked throughout
FY 2009 towards the deployment of the new OPM accounting system. Extensive data
cleanup was pet'fonned within FY 2009 in preparation for transferring balances between
the old and new systems. The new system supports the capture and reporting of all
financial information regarding related intra-governmental activities and balances.
Additionally, OPM continues to reconcile, identify and correct differences between
OPM's internal data and Treasury balances, processing adjusting entries as needed. OPM
OCFO management will continue to enhance and enforce procedures to document timely
reconciliations compliant with the Treasury Financial Manual and OPM's Cash
Management Policy and Procedures.

COMPLIANCE AND OTHER MATTERS

The results of our tests of compliance described in the Responsibilities section of this
report, exclusive of those referred to in the Federal Financial Management Improvement
Act of 1996 (FFMIA), disclosed no instances of noncompliance or other matters that are
required to be reported herein under Government A ltdiring Standards or OMB Bulletin
No. 07-04.

The results of our tests of FFMIA disclosed no instances in which OPM's or the
Programs' financial management systems did not substantially comply with the three
requirements discussed in the Responsibilities section of this report. The results of our
tests did disclose one other matter regarding FFMIA related to the RF Program and S&E
Funds, as described below.

   3. Other matter related to Federal Financial Management Improvement Act of
   1996 (FFMIA)

   United States Standard General Ledger

   In accordance with OMB Circular A-127, Financial Management Systems, as
   amended, OPM is to record financial events consistent with the applicable definitions,
   attributes, and processing rules defined in the United States Standard General Ledger
   at the transaction level. The OCFO does not consistently record RF Program and
   S&E Fund transactions at the United States Standard General Ledger transaction
   level.
Recommendation

We recommend that the OCFO should continue implementation of a new accounting
system to replace the GFIS system and related processes and procedures to enable the
OCFO to account for'the RF Program and S&E Fund's transactions in accordance with
the United States Standard General Ledger at the transaction level.

Management Response

OPM concurs with the recommendation. The GFIS financial system could not be
configured to fully meet the requirements of FFMIA. OPM's new accounting system,
Consolidated Business Information System (CBIS) was deployed for the RF program and
the S&E Fund accounts on October I, 2009. CBIS is designed and configured to
properly capture and report all financial data necessary to provide accurate information
regarding related intra-governmental activities at the transaction level. OPM will ensure
that the implementations of the financial system requirements are in compliance with
FFMIA.

                                        * * *   :I<   *
RESPONSIBILITIES

Management's Responsibilities. Management is responsible for the consolidated
financial statements of OPM and the individual financial statements of the Programs;
establishing and maintaining effective internal control; and complying with laws,
regulations, and contracts applicable to OPM.

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year
2009 and 2008 consolidated financial statements of OPM and the individual financial
statements of the Programs based on our audits. We conducted our audits in accordance
with auditing standards generally accepted in the United States of America; the standards
applicable to financial audits contained in Government Auditing Standards, issued by the
Comptroller General of the United States; and OMS Bulletin No. 07-04. Those standards
and OMS Bulletin No. 07-04 require that we plan and perform the audits to obtain
reasonable assurance about whether the financial statements are free of material
misstatement. An audit includes consideration of internal control over financial reporting
as a basis for designing audit procedures that are appropriate in the circumstances, but not
for the purpose of expressing an opinion on the effectiveness of OPM's internal control
over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

• 	 Examining, on a test basis, evidence supporting the amounts and disclosures in the
    overall consolidated OPM financial statements and Programs' individual financial
    statements;
• 	 Assessing the accounting principles used and significant estimates made by
    management; and
• 	 Evaluating the overall consolidated aPM financial statements and Programs'
    individual financial statemen, presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2009 audit, we considered OPM's internal
control over financial reporting by obtaining an understanding of OPM's and the
Programs' internal control, determining whether internal controls had been placed in
operation, assessing control risk, and performing tests of controls as a basis for designing
our auditing procedures for the purpose of expressing our opinion on the consolidated
financial statements of OPM and the individual financial statements of the Programs. We
did not test all internal controls relevant to operating objectives as broadly defined by the
Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to
express an opinion on the effectiveness of OPM's or the Programs' internal control over
financial reporting. Accordingly, we do not express an opinion on the effectiveness of
OPM's or the Programs' internal control over financial reporting.

As part of obtaining reasonable assurance about whether OPM's fiscal year 2009
consolidated and the Programs' fiscal year 2009 individual financial statements are free
of material misstatement, we performed tests of OPM's and the Programs' compliance
with certain provisions of laws, regulations, and contracts, noncompliance with which
could have a direct and material effect on the determination of the financial statement
amounts, and certain provisions of other laws and regulations specified in OMB Bulletin
No. 07-04, including certain provisions referred to in Section 803(a) of FFMIA. We
limited our tests of compliance to the provisions described in the preceding sentence, and
we did not test compliance with all laws, regulations, and contracts applicable to OPM
and the Programs. However, providing an opinion on compliance with laws, regulations,
and contracts was not an objective of our audit and, accordingly, we do not express such
an optlllon.

We noted certain additional matters that we have reported to management of OPM in a
separate letter dated November 10, 2009.



OPM's responses to the findings identified in our audit are presented for each finding as
Management Response, herein. We did not audit OPM's response and, accordingly, we
express no opinion on it.
This repolt is intended solely for the information and use of OPM's management, OPM's
Office ofInspector General, OMB, the U.S. Government Accountability Office, and the
U.S. Congress and is not intended to be and should not be used by anyone other than
these specified parties.




November 10, 2009
                                                                                           Exhibit I

 No.     Title   ()r Filldin~    Program/    Prior Year       Current Year        Factors Affecting
                 r.·om             Fund        Status            Status               Current
          (0'\"08 Hcport                                                            Yeal" Status
 I     Inrormation              All (A)     Signiticant    Significant          OPM has made
       Systems General                      Deficiency     Deficiency - See     continual annual
       Control                                             FY 2009,             improvements to
       Environment                                         Condition No. I      Information Systems
                                                                                General Control
                                                                                Environment,
                                                                                however,
                                                                                deficiencies still
                                                                                exist.
 2     Financial                S&E; RF     Significant    Signi ficant         OPM has made
       Management                           Deficiency     Deficiency           improvcments,
       Reporting                                           - Sec FY 2009,       however,
       Processes of the                                    Condition No.2       deficiencies still exist
       Office of the Chief                                                      because of system
       Financial Officer                                                        limitations.
       (OCFO)




(A) Includes the Retirement Program, Heallh Benent Program .(HBP), Lire Insurance Program (LP),
Revolving Fund (RF) Program and Salary and Expenses (S&E) Fund