UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Office of the Inspector General

November 10, 2014

Report No. 4A-CF-00-14-039

MEMORANDUM FOR KATHERINE ARCHULETA
Director

FROM: PATRICK E. McFARLAND
Inspector General

SUBJECT: Audit of the Office of Personnel Management's Fiscal Year 2014 Consolidated Financial Statements

This memorandum transmits KPMG LLP's (KPMG) report on its financial statement audit of the Office of Personnel Management's (OPM) Fiscal Year 2014 Consolidated Financial Statements and the results of the Office of the Inspector General's (OIG) oversight of the audit and review of that report. OPM's consolidated financial statements include the Retirement Program, Health Benefits Program, Life Insurance Program, Revolving Fund Programs (RF) and Salaries & Expenses funds (S&E).

Audit Reports on Financial Statements, Internal Controls and Compliance with Laws and Regulations

The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576) requires OPM's Inspector General or an independent external auditor, as determined by the Inspector General, to audit the agency's financial statements in accordance with Government Auditing Standards (GAS) issued by the Comptroller General of the United States. We contracted with the independent certified public accounting firm KPMG to audit OPM's consolidated financial statements as of September 30, 2014 and for the fiscal year then ended. The contract requires that the audit be performed in accordance with generally accepted government auditing standards and the Office of Management and Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal Financial Statements.

KPMG's audit report for Fiscal Year 2014 includes: (1) opinions on the consolidated financial statements and the individual statements for the three benefit programs, (2) a report on internal controls, and (3) a report on compliance with laws and regulations.
In its audit of OPM, KPMG found:

• The consolidated financial statements were fairly presented, in all material respects, in conformity with U.S. generally accepted accounting principles.

• KPMG's report identified no material weaknesses in the internal controls. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

• KPMG's report identified one significant deficiency:

    • Information Systems Control Environment

A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

OIG Evaluation of KPMG's Audit Performance

In connection with the audit contract, we reviewed KPMG's report and related documentation and made inquiries of its representatives regarding the audit. To fulfill our audit responsibilities under the CFO Act for ensuring the quality of the audit work performed, we conducted a review of KPMG's audit of OPM's Fiscal Year 2014 Consolidated Financial Statements in accordance with GAS. Specifically, we:

• provided oversight, technical advice, and liaison to KPMG auditors;
• ensured that audits and audit reports were completed timely and in accordance with the requirements of Generally Accepted Government Auditing Standards (GAGAS), OMB Bulletin 14-02, and other applicable professional auditing standards;
• documented oversight activities and monitored audit status;
• reviewed responses to audit reports and reported significant disagreements to the audit follow-up official per OMB Circular No. A-50, Audit Follow-up;
• coordinated issuance of the audit report; and
• performed other procedures we deemed necessary.
Our review, as differentiated from an audit in accordance with GAGAS, was not intended to enable us to express, and we do not express, opinions on OPM's financial statements or internal controls or on whether OPM's financial management systems substantially complied with the Federal Financial Management Improvement Act of 1996 or conclusions on compliance with laws and regulations. KPMG is responsible for the attached auditor's report dated November 7, 2014, and the conclusions expressed in the report. However, our review disclosed no instances where KPMG did not comply, in all material respects, with the generally accepted GAS.

In accordance with the OMB Circular A-50 and Public Law 103-355, all audit findings must be resolved within six months of the date of this report. The OMB Circular also requires that agency management officials provide a timely response to the final audit report indicating whether they agree or disagree with the audit findings and recommendations. When management is in agreement, the response should include planned corrective actions and target dates for achieving them. If management disagrees, the response must include the basis in fact, law or regulation for the disagreement.

To help ensure that the timeliness requirement for resolution is achieved, we ask that the CFO coordinate with the OPM audit follow-up office, Internal Oversight and Compliance (IOC), to provide their initial responses to us within 30 days, as outlined in OMB Circular A-50. IOC should be copied on all final report responses. Subsequent resolution activity for all audit findings should also be coordinated with IOC. The CFO should provide periodic reports through IOC to us, no less frequently than each March and September, detailing the status of corrective actions, including documentation to support this activity, until all findings have been resolved.
In closing, we would like to thank OPM's financial management staff for their professionalism, courtesy, and cooperation during KPMG's audit and our oversight of the financial statement audit this year.

If you have any questions about KPMG's audit or our oversight, please contact me at 606-1200 or you may have a member of your staff contact Michael R. Esser, Assistant Inspector General for Audits, at - .

cc: Dennis D. Coleman
Chief Financial Officer

-·
Deputy Chief Financial Officer

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

Independent Auditors' Report

Director and Inspector General
U.S. Office of Personnel Management:

Report on the Financial Statements

We have audited the accompanying consolidated financial statements of the United States (U.S.) Office of Personnel Management (OPM), which comprise the consolidated balance sheets as of September 30, 2014 and 2013, and the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources for the years then ended, and the related notes to the consolidated financial statements (hereinafter referred to as "consolidated financial statements"). We have also audited the individual balance sheets of the Retirement, Health Benefits, and Life Insurance Programs (hereinafter referred to as the "Programs") as of September 30, 2014 and 2013, and the related individual statements of net cost, changes in net position, and budgetary resources for the years then ended (hereinafter referred to as the Programs' "individual financial statements").

Management's Responsibility for the Financial Statements

Management is responsible for the preparation and fair presentation of these consolidated financial statements and these Programs' individual financial statements in accordance with U.S.
generally accepted accounting principles; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of consolidated financial statements and the Programs' individual financial statements that are free from material misstatement, whether due to fraud or error.

Auditors' Responsibility

Our responsibility is to express an opinion on these consolidated financial statements and on the Programs' individual financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal Financial Statements. Those standards and OMB Bulletin No. 14-02 require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements and the Programs' individual financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the consolidated financial statements and Programs' individual financial statements. The procedures selected depend on the auditors' judgment, including the assessment of the risks of material misstatement of the consolidated financial statements and Programs' individual financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the consolidated financial statements and the Programs' individual financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control.
Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements and the Programs' individual financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

Opinions on the Financial Statements

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the U.S. Office of Personnel Management as of September 30, 2014 and 2013, and its net costs, changes in net position, and budgetary resources for the years then ended in accordance with U.S. generally accepted accounting principles.

In our opinion, the Programs' individual financial statements referred to above present fairly, in all material respects, the financial position of each of the Programs as of September 30, 2014 and 2013, and their net costs, changes in net position, and budgetary resources for the years then ended in accordance with U.S. generally accepted accounting principles.

Other Matters

Required Supplementary Information

U.S. generally accepted accounting principles require that the information in the Management's Discussion and Analysis and Required Supplementary Information sections be presented to supplement the basic consolidated financial statements.
Such information, although not a part of the basic consolidated financial statements, is required by the Federal Accounting Standards Advisory Board who considers it to be an essential part of financial reporting for placing the basic consolidated financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management's responses to our inquiries, the basic consolidated financial statements, and other knowledge we obtained during our audits of the basic consolidated financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Supplementary and Other Information

Our audits were conducted for the purpose of forming an opinion on the basic consolidated financial statements and on the Programs' individual financial statements as a whole. The information in the Revolving Fund (RF) Program financial statements in the consolidating financial statements (Schedules 1 through 4), the Salaries and Expense (S&E) Fund financial statements in the consolidating financial statements (Schedules 1 through 4), the Civil Service Retirement System (CSRS) and Federal Employees Retirement System (FERS) information in the consolidating statements of net cost (Schedule 2), the Message from the Director, Message from the CFO, Transmittal from OPM's Inspector General, Other Information Section, and Appendix A are presented for purposes of additional analysis and are not a required part of the basic consolidated financial statements.
The information in the RF Program financial statements, the S&E Fund financial statements, and the CSRS and FERS information in the consolidating statements of net cost is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the basic consolidated financial statements. Such information has been subjected to the auditing procedures applied in the audit of the basic consolidated financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the basic consolidated financial statements or to the basic consolidated financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the information in the RF Program financial statements, the S&E Fund financial statements, and the CSRS and FERS information is fairly stated in all material respects in relation to the basic consolidated financial statements as a whole. The information in the Message from the Director, Message from the CFO, Transmittal from OPM's Inspector General, Other Information Section and Appendix A has not been subjected to the auditing procedures applied in the audits of the basic consolidated financial statements, and accordingly, we do not express an opinion or provide any assurance on it.
Other Reporting Required by Government Auditing Standards

Internal Control Over Financial Reporting

In planning and performing our audits of the consolidated financial statements and Programs' individual financial statements as of and for the year ended September 30, 2014, we considered OPM's internal controls over financial reporting to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the consolidated financial statements and Programs' individual financial statements, but not for the purpose of expressing an opinion on the effectiveness of OPM's internal control. Accordingly, we do not express an opinion on the effectiveness of OPM's internal control. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Our consideration of internal control was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that were not identified.
Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, we did identify certain deficiencies in internal control, described in Exhibit I below, that we consider to be a significant deficiency.

Compliance and Other Matters

As part of obtaining reasonable assurance about whether OPM's consolidated financial statements and the Programs' individual financial statements are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts and noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 14-02. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests of compliance disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 14-02.

We also performed tests of its compliance with certain provisions referred to in Section 803(a) of the Federal Financial Management Improvement Act of 1996 (FFMIA). Providing an opinion on compliance with FFMIA was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests of FFMIA disclosed no instances in which OPM's financial management systems did not substantially comply with the (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level.

OPM's Response to Finding

OPM's response to the finding identified in our audits is described in Exhibit I.
OPM's response was not subjected to the auditing procedures applied in the audit of the consolidated financial statements and the Programs' individual financial statements and, accordingly, we express no opinion on the response.

Purpose of the Other Reporting Required by Government Auditing Standards

The purpose of the communication described in the Other Reporting Required by Government Auditing Standards section is solely to describe the scope of our testing of internal control and compliance and the result of that testing, and not to provide an opinion on the effectiveness of OPM's internal control or compliance. Accordingly, this communication is not suitable for any other purpose.

November 7, 2014

Exhibit I. Significant Deficiency

Information Systems Control Environment

Condition

During FY 2014, the Office of Chief Information Officer (OCIO) continued to make progress in centralizing security program functions in an effort to address deficiencies noted in its security program. However, we continue to observe control weaknesses as follows:

1. The current authoritative guidance regarding two-factor authentication has not been fully applied.

2. Access rights in OPM systems are not documented and mapped to personnel roles and functions to ensure that personnel access is limited only to the functions needed to perform their job responsibilities.

3. The information security control monitoring program was not fully effective in detecting information security control weaknesses. We noted access rights in OPM systems were:

   • Granted to new users without following the OPM access approval process and quarterly reviews to confirm access approval were not consistently performed.
   • Not revoked immediately upon user separation and quarterly reviews to confirm access removal were not consistently performed.

4. The password length setting for privileged user accounts did not meet minimum OPM password length requirements.
Federal Information Process Standards 200, Minimum Security Requirements for Federal Information and Information Systems, and National Institute of Standards and Technology Special Publication 800-53 Revision 4, Recommended Security Controls for Federal Information Systems, in combination, provide a framework to help ensure that appropriate security requirements and security controls are applied by agencies to all federal information and information systems. This framework includes an organizational assessment of risk by agencies that validates the initial security control selection and determines if any additional controls are needed to protect organizational operations. The resulting set of security controls establishes a level of security due diligence for the organization.

These conditions reduce OPM's ability to effectively manage its information system risk.

Recommendations

We recommend that the OCIO, in coordination with the Office of the Chief Financial Officer and system owners in Program offices, ensure that resources are prioritized and assigned to:

1. Implement the current authoritative guidance regarding two-factor authentication.

2. Document and map access rights in OPM systems to personnel roles and functions, following the principle of "least privilege".

3. Enhance OPM's information security control monitoring program to detect information security control weaknesses by:

   • Implementing and monitoring procedures to ensure system access is appropriately granted to new users, consistent with the OPM access approval process.
   • Monitoring the process for the identification and removal of separated users to ensure that user access is removed timely upon separation; implementing procedures to ensure that user access, including user accounts and associated roles, are reviewed on a periodic basis consistent with the nature and risk of the system, and modifying any necessary accounts when identified.

4. Ensure the password length setting for privileged user accounts meets minimum OPM password length requirements.

Management Response

Management concurs with this finding and recommendations and will initiate appropriate corrective actions.
Audit of the Office of Personnel Management's Fiscal Year 2014 Consolidated Financial Statements
Published by the Office of Personnel Management, Office of Inspector General on 2014-11-10.