
Audit of the Office of Personnel Management's Fiscal Year 2014 Consolidated Financial Statements

Published by the Office of Personnel Management, Office of Inspector General on 2014-11-10.


UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Office of the Inspector General
November 10, 2014
Report No. 4A-CF-00-14-039


MEMORANDUM FOR KATHERINE ARCHULETA
               Director

FROM:          PATRICK E. McFARLAND
               Inspector General

SUBJECT:       Audit of the Office of Personnel Management's Fiscal Year
               2014 Consolidated Financial Statements


This memorandum transmits KPMG LLP's (KPMG) report on its financial statement
audit of the Office of Personnel Management's (OPM) Fiscal Year 2014 Consolidated
Financial Statements and the results of the Office of the Inspector General's (OIG)
oversight of the audit and review of that report. OPM's consolidated financial statements
include the Retirement Program, Health Benefits Program, Life Insurance Program,
Revolving Fund Programs (RF) and Salaries & Expenses funds (S&E).

             Audit Reports on Financial Statements, Internal Controls and Compliance
             with Laws and Regulations

The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576) requires OPM's Inspector
General or an independent external auditor, as determined by the Inspector General, to
audit the agency's financial statements in accordance with Government Auditing
Standards (GAS) issued by the Comptroller General of the United States. We contracted
with the independent certified public accounting firm KPMG to audit OPM's consolidated
financial statements as of September 30, 2014 and for the fiscal year then ended. The
contract requires that the audit be performed in accordance with generally accepted
government auditing standards and the Office of Management and Budget (OMB) Bulletin
No. 14-02, Audit Requirements for Federal Financial Statements.

             KPMG's audit report for Fiscal Year 2014 includes: (1) opinions on the consolidated
             financial statements and the individual statements for the three benefit programs, (2) a
             report on internal controls, and (3) a report on compliance with laws and regulations. In
             its audit of OPM, KPMG found:

   • The consolidated financial statements were fairly presented, in all material
     respects, in conformity with U.S. generally accepted accounting principles.






   • KPMG's report identified no material weaknesses in the internal controls.

     A material weakness is a deficiency, or combination of deficiencies, in internal
     control, such that there is a reasonable possibility that a material misstatement of
     the entity's financial statements will not be prevented, or detected and corrected
     on a timely basis.

   • KPMG's report identified one significant deficiency:

       - Information Systems Control Environment

     A significant deficiency is a deficiency, or combination of deficiencies, in internal
     control that is less severe than a material weakness, yet important enough to merit
     attention by those charged with governance.

OIG Evaluation of KPMG's Audit Performance

In connection with the audit contract, we reviewed KPMG's report and related documentation
and made inquiries of its representatives regarding the audit. To fulfill our audit
responsibilities under the CFO Act for ensuring the quality of the audit work performed, we
conducted a review of KPMG's audit of OPM's Fiscal Year 2014 Consolidated Financial
Statements in accordance with GAS. Specifically, we:

   • provided oversight, technical advice, and liaison to KPMG auditors;

   • ensured that audits and audit reports were completed timely and in accordance
     with the requirements of Generally Accepted Government Auditing Standards
     (GAGAS), OMB Bulletin 14-02, and other applicable professional auditing
     standards;

   • documented oversight activities and monitored audit status;

   • reviewed responses to audit reports and reported significant disagreements to the
     audit follow-up official per OMB Circular No. A-50, Audit Follow-up;

   • coordinated issuance of the audit report; and

   • performed other procedures we deemed necessary.

Our review, as differentiated from an audit in accordance with GAGAS, was not intended
to enable us to express, and we do not express, opinions on OPM's financial statements or
internal controls or on whether OPM's financial management systems substantially
complied with the Federal Financial Management Improvement Act of 1996 or
conclusions on compliance with laws and regulations. KPMG is responsible for the
attached auditor's report dated November 7, 2014, and the conclusions expressed in the
report. However, our review disclosed no instances where KPMG did not comply, in all
material respects, with the generally accepted GAS.


In accordance with the OMB Circular A-50 and Public Law 103-355, all audit findings
must be resolved within six months of the date of this report. The OMB Circular also
requires that agency management officials provide a timely response to the final audit
report indicating whether they agree or disagree with the audit findings and
recommendations. When management is in agreement, the response should include
planned corrective actions and target dates for achieving them. If management disagrees,
the response must include the basis in fact, law or regulation for the disagreement.

To help ensure that the timeliness requirement for resolution is achieved, we ask that the
CFO coordinate with the OPM audit follow-up office, Internal Oversight and Compliance
(IOC), to provide their initial responses to us within 30 days, as outlined in OMB Circular
A-50. IOC should be copied on all final report responses. Subsequent resolution activity
for all audit findings should also be coordinated with IOC. The CFO should provide
periodic reports through IOC to us, no less frequently than each March and September,
detailing the status of corrective actions, including documentation to support this activity,
until all findings have been resolved.

In closing, we would like to thank OPM's financial management staff for their
professionalism, courtesy, and cooperation during KPMG's audit and our oversight of the
financial statement audit this year.

If you have any questions about KPMG's audit or our oversight, please contact me at
606-1200 or you may have a member of your staff contact Michael R. Esser, Assistant
Inspector General for Audits, at -.

cc: Dennis D. Coleman
    Chief Financial Officer

    -
    Deputy Chief Financial Officer

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006




                                         Independent Auditors' Report


Director and Inspector General
U.S. Office of Personnel Management:

Report on the Financial Statements

We have audited the accompanying consolidated financial statements of the United States (U.S.) Office of
Personnel Management (OPM), which comprise the consolidated balance sheets as of September 30, 2014
and 2013, and the related consolidated statements of net cost and changes in net position, and combined
statements of budgetary resources for the years then ended, and the related notes to the consolidated financial
statements (hereinafter referred to as "consolidated financial statements"). We have also audited the
individual balance sheets of the Retirement, Health Benefits, and Life Insurance Programs (hereinafter
referred to as the "Programs") as of September 30, 2014 and 2013, and the related individual statements of
net cost, changes in net position, and budgetary resources for the years then ended (hereinafter referred to as
the Programs' "individual financial statements").

Management's Responsibility for the Financial Statements

Management is responsible for the preparation and fair presentation of these consolidated financial
statements and these Programs' individual financial statements in accordance with U.S. generally accepted
accounting principles; this includes the design, implementation, and maintenance of internal control relevant
to the preparation and fair presentation of consolidated financial statements and the Programs' individual
financial statements that are free from material misstatement, whether due to fraud or error.

Auditors' Responsibility

Our responsibility is to express an opinion on these consolidated financial statements and on the Programs'
individual financial statements based on our audits. We conducted our audits in accordance with auditing
standards generally accepted in the United States of America; the standards applicable to financial audits
contained in Government Auditing Standards issued by the Comptroller General of the United States; and
Office of Management and Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal Financial
Statements. Those standards and OMB Bulletin No. 14-02 require that we plan and perform the audits to
obtain reasonable assurance about whether the consolidated financial statements and the Programs'
individual financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the
consolidated financial statements and Programs' individual financial statements. The procedures selected
depend on the auditors' judgment, including the assessment of the risks of material misstatement of the
consolidated financial statements and Programs' individual financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to the entity's
preparation and fair presentation of the consolidated financial statements and the Programs' individual
financial statements in order to design audit procedures that are appropriate in the circumstances, but not for
the purpose of expressing an opinion on the effectiveness of the entity's internal control. Accordingly, we
express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used
and the reasonableness of significant accounting estimates made by management, as well as evaluating the
overall presentation of the consolidated financial statements and the Programs' individual financial
statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our
audit opinions.

Opinions on the Financial Statements

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects,
the financial position of the U.S. Office of Personnel Management as of September 30, 2014 and 2013, and
its net costs, changes in net position, and budgetary resources for the years then ended in accordance with
U.S. generally accepted accounting principles.

In our opinion, the Programs' individual financial statements referred to above present fairly, in all material
respects, the financial position of each of the Programs as of September 30, 2014 and 2013, and their net
costs, changes in net position, and budgetary resources for the years then ended in accordance with U.S.
generally accepted accounting principles.

Other Matters

Required Supplementary Information
U.S. generally accepted accounting principles require that the information in the Management's Discussion
and Analysis and Required Supplementary Information sections be presented to supplement the basic
consolidated financial statements. Such information, although not a part of the basic consolidated financial
statements, is required by the Federal Accounting Standards Advisory Board who considers it to be an
essential part of financial reporting for placing the basic consolidated financial statements in an appropriate
operational, economic, or historical context. We have applied certain limited procedures to the required
supplementary information in accordance with auditing standards generally accepted in the United States of
America, which consisted of inquiries of management about the methods of preparing the information and
comparing the information for consistency with management's responses to our inquiries, the basic
consolidated financial statements, and other knowledge we obtained during our audits of the basic
consolidated financial statements. We do not express an opinion or provide any assurance on the information
because the limited procedures do not provide us with sufficient evidence to express an opinion or provide
any assurance.

Supplementary and Other Information
Our audits were conducted for the purpose of forming an opinion on the basic consolidated financial
statements and on the Programs' individual financial statements as a whole. The information in the Revolving
Fund (RF) Program financial statements in the consolidating financial statements (Schedules 1 through 4),
the Salaries and Expense (S&E) Fund financial statements in the consolidating financial statements
(Schedules 1 through 4), the Civil Service Retirement System (CSRS) and Federal Employees Retirement
System (FERS) information in the consolidating statements of net cost (Schedule 2), the Message from the
Director, Message from the CFO, Transmittal from OPM's Inspector General, Other Information Section,
and Appendix A are presented for purposes of additional analysis and are not a required part of the basic
consolidated financial statements.

The information in the RF Program financial statements, the S&E Fund financial statements, and the CSRS
and FERS information in the consolidating statements of net cost is the responsibility of management and
was derived from and relates directly to the underlying accounting and other records used to prepare the
basic consolidated financial statements. Such information has been subjected to the auditing procedures
applied in the audit of the basic consolidated financial statements and certain additional procedures, including
comparing and reconciling such information directly to the underlying accounting and other records used to
prepare the basic consolidated financial statements or to the basic consolidated financial statements
themselves, and other additional procedures in accordance with auditing standards generally accepted in the
United States of America. In our opinion, the information in the RF Program financial statements, the S&E
Fund financial statements, and the CSRS and FERS information is fairly stated in all material respects in
relation to the basic consolidated financial statements as a whole.

The information in the Message from the Director, Message from the CFO, Transmittal from OPM's
Inspector General, Other Information Section and Appendix A has not been subjected to the auditing
procedures applied in the audits of the basic consolidated financial statements, and accordingly, we do not
express an opinion or provide any assurance on it.

Other Reporting Required by Government Auditing Standards
Internal Control Over Financial Reporting

In planning and performing our audits of the consolidated financial statements and Programs' individual
financial statements as of and for the year ended September 30, 2014, we considered OPM's internal controls
over financial reporting to determine the audit procedures that are appropriate in the circumstances for the
purpose of expressing our opinions on the consolidated financial statements and Programs' individual
financial statements, but not for the purpose of expressing an opinion on the effectiveness of OPM's internal
control. Accordingly, we do not express an opinion on the effectiveness of OPM's internal control. We did
not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers'
Financial Integrity Act of 1982.

A deficiency in internal control exists when the design or operation of a control does not allow management
or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in
internal control, such that there is a reasonable possibility that a material misstatement of the entity's
financial statements will not be prevented, or detected and corrected, on a timely basis. A significant
deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a
material weakness, yet important enough to merit attention by those charged with governance.

Our consideration of internal control was for the limited purpose described in the first paragraph of this
section and was not designed to identify all deficiencies in internal control that might be material weaknesses
or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that were
not identified. Given these limitations, during our audit we did not identify any deficiencies in internal control
that we consider to be material weaknesses. However, we did identify certain deficiencies in internal control,
described in Exhibit I below, that we consider to be a significant deficiency.

Compliance and Other Matters
As part of obtaining reasonable assurance about whether OPM's consolidated financial statements and the
Programs' individual financial statements are free from material misstatement, we performed tests of its
compliance with certain provisions of laws, regulations, contracts and noncompliance with which could have
a direct and material effect on the determination of financial statement amounts, and certain provisions of
other laws and regulations specified in OMB Bulletin No. 14-02. However, providing an opinion on
compliance with those provisions was not an objective of our audit, and accordingly, we do not express such
an opinion. The results of our tests of compliance disclosed no instances of noncompliance or other matters
that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 14-02.

We also performed tests of its compliance with certain provisions referred to in Section 803(a) of the Federal
Financial Management Improvement Act of 1996 (FFMIA). Providing an opinion on compliance with
FFMIA was not an objective of our audit, and accordingly, we do not express such an opinion. The results
of our tests of FFMIA disclosed no instances in which OPM's financial management systems did not
substantially comply with the (1) Federal financial management systems requirements, (2) applicable Federal
accounting standards, and (3) the United States Government Standard General Ledger at the transaction
level.

OPM's Response to Finding

OPM's response to the finding identified in our audits is described in Exhibit I. OPM's response was not
subjected to the auditing procedures applied in the audit of the consolidated financial statements and the
Programs' individual financial statements and, accordingly, we express no opinion on the response.

Purpose of the Other Reporting Required by Government Auditing Standards

The purpose of the communication described in the Other Reporting Required by Government Auditing
Standards section is solely to describe the scope of our testing of internal control and compliance and the
result of that testing, and not to provide an opinion on the effectiveness of OPM's internal control or
compliance. Accordingly, this communication is not suitable for any other purpose.



November 7, 2014

Exhibit I. Significant Deficiency

Information Systems Control Environment

Condition

During FY 2014, the Office of the Chief Information Officer (OCIO) continued to make progress in centralizing
security program functions in an effort to address deficiencies noted in its security program. However, we
continue to observe control weaknesses as follows:

1. The current authoritative guidance regarding two-factor authentication has not been fully applied.

2. Access rights in OPM systems are not documented and mapped to personnel roles and functions to ensure
   that personnel access is limited only to the functions needed to perform their job responsibilities.

3. The information security control monitoring program was not fully effective in detecting information
   security control weaknesses. We noted access rights in OPM systems were:

   • Granted to new users without following the OPM access approval process, and quarterly reviews to
     confirm access approval were not consistently performed.

   • Not revoked immediately upon user separation, and quarterly reviews to confirm access removal were
     not consistently performed.

4. The password length setting for privileged user accounts did not meet minimum OPM password length
   requirements.

Federal Information Processing Standards 200, Minimum Security Requirements for Federal Information and
Information Systems, and National Institute of Standards and Technology Special Publication 800-53
Revision 4, Recommended Security Controls for Federal Information Systems, in combination, provide a
framework to help ensure that appropriate security requirements and security controls are applied by agencies
to all federal information and information systems. This framework includes an organizational assessment
of risk by agencies that validates the initial security control selection and determines if any additional controls
are needed to protect organizational operations. The resulting set of security controls establishes a level of
security due diligence for the organization. These conditions reduce OPM's ability to effectively manage its
information system risk.

Recommendations

We recommend that the OCIO, in coordination with the Office of the Chief Financial Officer and system
owners in Program offices, ensure that resources are prioritized and assigned to:

1. Implement the current authoritative guidance regarding two-factor authentication.

2. Document and map access rights in OPM systems to personnel roles and functions, following the
   principle of "least privilege".

3. Enhance OPM's information security control monitoring program to detect information security control
   weaknesses by:

   • Implementing and monitoring procedures to ensure system access is appropriately granted to new
     users, consistent with the OPM access approval process.

   • Monitoring the process for the identification and removal of separated users to ensure that user access
     is removed timely upon separation; implementing procedures to ensure that user access, including
     user accounts and associated roles, is reviewed on a periodic basis consistent with the nature and
     risk of the system; and modifying any necessary accounts when identified.

4. Ensure the password length setting for privileged user accounts meets minimum OPM password length
   requirements.
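Recommendations 2 through 4 describe a periodic access review that can be run as a reconciliation: the account export from a system is compared against the HR roster (for separated users), the access approval records (for grants made outside the approval process), the documented role-to-entitlement mapping (for privileges beyond what a role needs), and the password settings enforced on privileged accounts. The script below is an added illustration of that reconciliation; it is not code from the report, OPM or KPMG. Every record in it is constructed sample data, the entitlement and role names are invented, and the 14-character minimum for privileged accounts is an assumed policy value (the report does not state OPM's).

```python
"""Access-review reconciliation illustrating recommendations 2-4 (added example;
all data below is constructed and the policy minimum is an assumption)."""
from datetime import date

# ---- Constructed sample inputs (not data from the report) ----

# HR roster: documented role per person and separation date (None = still employed).
HR_ROSTER = {
    "alice": {"role": "payroll_clerk", "separated": None},
    "bob":   {"role": "dba",           "separated": date(2014, 6, 30)},
    "carol": {"role": "payroll_clerk", "separated": None},
    "dave":  {"role": "helpdesk",      "separated": None},
}

# Documented mapping of roles to the entitlements each role needs (recommendation 2).
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll_read", "payroll_post"},
    "dba":           {"db_admin", "payroll_read"},
    "helpdesk":      {"ticket_rw"},
}

# Entitlements currently held by each active account, as exported from the system.
ACCOUNTS = {
    "alice": {"payroll_read", "payroll_post"},
    "bob":   {"db_admin", "payroll_read"},                  # separated, still active
    "carol": {"payroll_read", "payroll_post", "db_admin"},  # more than her role needs
    "dave":  {"ticket_rw"},
    "erin":  {"payroll_read"},                              # no HR record at all
}

# (user, entitlement) grants that went through the access approval process.
APPROVALS = {
    ("alice", "payroll_read"), ("alice", "payroll_post"),
    ("bob", "db_admin"), ("bob", "payroll_read"),
    ("carol", "payroll_read"), ("carol", "payroll_post"),
    ("dave", "ticket_rw"),
}

# Entitlements that make an account privileged, the minimum password length the
# system actually enforces per account, and the assumed policy minimum (recommendation 4).
PRIVILEGED_ENTITLEMENTS = {"db_admin"}
ENFORCED_MIN_PASSWORD_LENGTH = {"alice": 8, "bob": 12, "carol": 16, "dave": 8, "erin": 8}
POLICY_MIN_PRIVILEGED_LENGTH = 14  # assumption for the example
REVIEW_DATE = date(2014, 9, 30)    # fiscal year end used as the review cut-off


def separated_still_active(accounts, roster, as_of):
    """Accounts of people whose HR separation date is on or before the review date."""
    return sorted(u for u in accounts
                  if u in roster and roster[u]["separated"] is not None
                  and roster[u]["separated"] <= as_of)


def unapproved_grants(accounts, approvals):
    """(user, entitlement) pairs in effect that have no matching approval record."""
    return sorted((u, e) for u, ents in accounts.items() for e in ents
                  if (u, e) not in approvals)


def excess_entitlements(accounts, roster, role_map):
    """Entitlements beyond the user's documented role (least privilege).
    A user with no HR record has every entitlement reported as excess."""
    excess = {}
    for u, ents in accounts.items():
        allowed = role_map.get(roster[u]["role"], set()) if u in roster else set()
        extra = ents - allowed
        if extra:
            excess[u] = sorted(extra)
    return excess


def weak_privileged_passwords(accounts, privileged, enforced, minimum):
    """Privileged accounts whose enforced minimum password length is below policy."""
    return sorted(u for u, ents in accounts.items()
                  if ents & privileged and enforced.get(u, 0) < minimum)


def run_access_review(as_of):
    """Run all four checks; return findings as (check, subject, detail) tuples."""
    findings = []
    for u in separated_still_active(ACCOUNTS, HR_ROSTER, as_of):
        findings.append(("separated_user_active", u, str(HR_ROSTER[u]["separated"])))
    for u, e in unapproved_grants(ACCOUNTS, APPROVALS):
        findings.append(("unapproved_grant", u, e))
    for u, extra in excess_entitlements(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS).items():
        findings.append(("excess_entitlement", u, ",".join(extra)))
    for u in weak_privileged_passwords(ACCOUNTS, PRIVILEGED_ENTITLEMENTS,
                                       ENFORCED_MIN_PASSWORD_LENGTH,
                                       POLICY_MIN_PRIVILEGED_LENGTH):
        findings.append(("weak_privileged_password_policy", u,
                         f"{ENFORCED_MIN_PASSWORD_LENGTH[u]} < {POLICY_MIN_PRIVILEGED_LENGTH}"))
    return findings


if __name__ == "__main__":
    for finding in run_access_review(REVIEW_DATE):
        print(*finding, sep="\t")
```

Run on the constructed data, the review reports bob's account as active after separation, two grants with no approval record (carol's db_admin and erin's payroll_read), the same two entitlements as excess against the role mapping, and bob's privileged account as enforcing a password minimum below policy. Each check keys off a different authoritative source (HR, approvals, role mapping, system settings), which is why the deficiencies in the Condition section are detectable only when all four sources are reconciled on a schedule rather than reviewed ad hoc.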

Management Response
Management concurs with this finding and recommendations and will initiate appropriate corrective actions.