UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the Inspector General November 13, 2015 Report No. 4A-CF-00-15-027 MEMORANDUM FOR BETH F. COBERT Acting Director FROM: PATRICK E. McFARLAND Inspector General SUBJECT: Audit of the Office of Personnel Management’s Fiscal Year 2015 Consolidated Financial Statements This memorandum transmits KPMG LLP’s (KPMG) report on its financial statement audit of the Office of Personnel Management’s (OPM) Fiscal Year 2015 Consolidated Financial Statements and the results of the Office of the Inspector General’s (OIG) oversight of the audit and review of that report. OPM’s consolidated financial statements include the Retirement Program, Health Benefits Program, Life Insurance Program, Revolving Fund Programs (RF) and Salaries & Expenses funds (S&E). Audit Reports on Financial Statements, Internal Controls and Compliance with Laws and Regulations The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576) requires OPM’s Inspector General or an independent external auditor, as determined by the Inspector General, to audit the agency’s financial statements in accordance with Government Auditing Standards (GAS) issued by the Comptroller General of the United States. We contracted with the independent certified public accounting firm KPMG to audit OPM’s consolidated financial statements as of September 30, 2015 and for the fiscal year then ended. The contract requires that the audit be performed in accordance with generally accepted government auditing standards and the Office of Management and Budget (OMB) Bulletin No. 15-02, Audit Requirements for Federal Financial Statements. KPMG’s audit report for Fiscal Year 2015 includes: (1) opinions on the consolidated financial statements and the individual statements for the three benefit programs, (2) a report on internal controls, and (3) a report on compliance with laws and regulations. In its audit of OPM, KPMG found: The consolidated financial statements were fairly presented, in all material respects, in conformity with U.S. generally accepted accounting principles. www.opm.gov www.usajobs.gov Honorable Beth F. Cobert 2 KPMG’s report identified one material weakness in the internal controls: Information Systems Control Environment A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. KPMG’s report identified one significant deficiency: Entity Level Controls Over Financial Management A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. KPMG’s report identified instances of non-compliance with the Federal Financial Management Improvement Act of 1996 (FFMIA), as described in the material weakness, in which OPM’s financial management systems did not substantially comply with the Federal financial management systems requirements. The results of KPMG’s tests of FFMIA disclosed no instances in which OPM’s financial management systems did not substantially comply with applicable Federal accounting standards and the United States Government Standard General Ledger at the transaction level. OIG Evaluation of KPMG’s Audit Performance In connection with the audit contract, we reviewed KPMG’s report and related documentation and made inquiries of its representatives regarding the audit. To fulfill our audit responsibilities under the CFO Act for ensuring the quality of the audit work performed, we conducted a review of KPMG’s audit of OPM’s Fiscal Year 2015 Consolidated Financial Statements in accordance with GAS. Specifically, we: provided oversight, technical advice, and liaison to KPMG auditors; ensured that audits and audit reports were completed timely and in accordance with the requirements of Generally Accepted Government Auditing Standards (GAGAS), OMB Bulletin 15-02, and other applicable professional auditing standards; documented oversight activities and monitored audit status; reviewed responses to audit reports and reported significant disagreements to the audit follow-up official per OMB Circular No. A-50, Audit Follow-up; coordinated issuance of the audit report; and, performed other procedures we deemed necessary. Honorable Beth F. Cobert 3 Our review, as differentiated from an audit in accordance with GAGAS, was not intended to enable us to express, and we do not express, opinions on OPM’s financial statements or internal controls or on whether OPM’s financial management systems substantially complied with the Federal Financial Management Improvement Act of 1996 or conclusions on compliance with laws and regulations. KPMG is responsible for the attached auditor’s report dated November 12, 2015, and the conclusions expressed in the report. However, our review disclosed no instances where KPMG did not comply, in all material respects, with the generally accepted GAS. In accordance with the OMB Circular A-50 and Public Law 103-355, all audit findings must be resolved within six months of the date of this report. The OMB Circular also requires that agency management officials provide a timely response to the final audit report indicating whether they agree or disagree with the audit findings and recommendations. When management is in agreement, the response should include planned corrective actions and target dates for achieving them. If management disagrees, the response must include the basis in fact, law or regulation for the disagreement. To help ensure that the timeliness requirement for resolution is achieved, we ask that the CFO coordinate with the OPM audit follow-up office, Internal Oversight and Compliance (IOC), to provide their initial responses to us within 60 days from the date of this memorandum. IOC should be copied on all final report responses. Subsequent resolution activity for all audit findings should also be coordinated with IOC. The CFO should provide periodic reports through IOC to us, no less frequently than each March and September, detailing the status of corrective actions, including documentation to support this activity, until all findings have been resolved. In closing, we would like to thank OPM’s financial management staff for their professionalism during KPMG’s audit and our oversight of the financial statement audit this year. If you have any questions about KPMG’s audit or our oversight, please contact me at 606-1200, or you may have a member of your staff contact Michael R. Esser, Assistant Inspector General for Audits, at 606-2143. cc: Dennis D. Coleman Chief Financial Officer Daniel K. Marella Deputy Chief Financial Officer Donna K. Seymour Chief Information Officer Janet L. Barnes Director, Internal Oversight and Compliance KPMG LLP Suite 12000 1801 K Street, NW Washington, DC 20006 Independent Auditors’ Report Director and Inspector General United States Office of Personnel Management: Report on the Financial Statements We have audited the accompanying consolidated financial statements of the United States (U.S.) Office of Personnel Management (OPM), which comprise the consolidated balance sheets as of September 30, 2015 and 2014, and the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources for the years then ended, and the related notes to the consolidated financial statements (hereinafter referred to as “consolidated financial statements”). Additionally, we have audited the individual balance sheets of the Retirement, Health Benefits, and Life Insurance Programs (hereinafter referred to as the “Programs”) as of September 30, 2015 and 2014, and the related individual statements of net cost, changes in net position, and budgetary resources for the years then ended (hereinafter referred to as the Programs’ “individual financial statements”). Management’s Responsibility for the Financial Statements Management is responsible for the preparation and fair presentation of these consolidated financial statements and these Programs’ individual financial statements in accordance with U.S. generally accepted accounting principles; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of consolidated financial statements and the Programs’ individual financial statements that are free from material misstatement, whether due to fraud or error. Auditors’ Responsibility Our responsibility is to express an opinion on these consolidated financial statements and on the Programs’ individual financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 15-02, Audit Requirements for Federal Financial Statements. Those standards and OMB Bulletin No. 15-02 require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial statements and the Programs’ individual financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the consolidated financial statements and Programs’ individual financial statements. The procedures selected depend on the auditors’ judgment, including the assessment of the risks of material misstatement of the consolidated financial statements and Programs’ individual financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements and Programs’ individual financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity. evaluating the overall presentation of the consolidated financial statements and the Programs’ individual financial statements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions. Opinions on the Financial Statements In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the Office of Personnel Management of September 30, 2015 and 2014, and its net costs, changes in net position, and budgetary resources for the years then ended in accordance with U.S. generally accepted accounting principles. In our opinion, the Programs’ individual financial statements referred to above present fairly, in all material respects, the financial position of each of the Programs as of September 30, 2015 and 2014, and their net costs, changes in net position, and budgetary resources for the years then ended in accordance with U.S. generally accepted accounting principles. Other Matters Management has elected to reference to information on websites or other forms of interactive data outside the Agency Financial Report to provide additional information for the users of its financial statements. Such information is not a required part of the basic consolidated financial statements or supplementary information required by the Federal Accounting Standards Advisory Board. The information on these websites or the other interactive data has not been subjected to any of our auditing procedures, and accordingly we do not express an opinion or provide any assurance on it. Required Supplementary Information U.S. generally accepted accounting principles require that the information in the Management’s Discussion and Analysis and Required Supplementary Information sections be presented to supplement the basic consolidated financial statements and the Programs’ individual financial statements. Such information, although not a part of the basic consolidated financial statements and the Programs’ individual financial statements, is required by the Federal Accounting Standards Advisory Board, who considers it to be an essential part of financial reporting for placing the basic consolidated financial statements and the Programs’ individual financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic consolidated financial statements and the Programs’ individual financial statements, and other knowledge we obtained during our audits of the basic consolidated financial statements and the Programs’ individual financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance. Supplementary and Other Information Our audits were conducted for the purpose of forming an opinion on the basic consolidated financial statements and on the Programs’ individual financial statements as a whole. The information in the Revolving Fund (RF) Program financial statements in the consolidating financial statements (Schedules 1 through 4), the Salaries and Expense (S&E) Fund financial statements in the consolidating financial statements (Schedules 1 through 4), the Civil Service Retirement System (CSRS) and Federal Employees Retirement System (FERS) information in the consolidating statements of net cost (Schedule 2), the Message from the Director, Message from the CFO, Transmittal from OPM’s Inspector General, Other Information Section, and Appendix A are presented for purposes of additional analysis and are not a required part of the basic consolidated financial statements and the Programs’ individual financial statements. The information in the RF Program financial statements, the S&E Fund financial statements, and the CSRS and FERS information in the consolidating statements of net cost is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the basic consolidated financial statements. Such information has been subjected to the auditing procedures applied in the audits of the basic consolidated financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the basic consolidated financial statements or to the basic consolidated financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the information in the RF Program financial statements, the S&E Fund financial statements, and the CSRS and FERS information is fairly stated in all material respects in relation to the basic consolidated financial statements and the Programs’ individual financial statements as a whole. The information in the Message from the Director, Message from the CFO, Transmittal from OPM’s Inspector General, Other Information Section, and Appendix A have not been subjected to the auditing procedures applied in the audits of the basic consolidated financial statements and the Programs’ individual financial statements, and accordingly, we do not express an opinion or provide any assurance on it. Other Reporting Required by Government Auditing Standards Internal Control Over Financial Reporting In planning and performing our audits of the consolidated financial statements and the Programs’ individual financial statements as of and for the year ended September 30, 2015, we considered OPM’s internal control over financial reporting to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the consolidated financial statements and the Programs’ individual financial statements, but not for the purpose of expressing an opinion on the effectiveness of OPM’s internal control. Accordingly, we do not express an opinion on the effectiveness of OPM’s internal control. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that have not been identified. However, as described in Exhibit I, we identified certain deficiencies in internal control that we consider to be a material weakness and the deficiencies described in Exhibit II to be a significant deficiency. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. We consider the deficiency described in Exhibit I to be a material weakness. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the deficiencies described in Exhibit II to be a significant deficiency. Compliance and Other Matters As part of obtaining reasonable assurance about whether OPM’s consolidated financial statements and the Programs’ individual financial statements are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and noncompliance with which could have a direct and material effect on the determination of financial statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed instances of noncompliance or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 15-02 as discussed in the following paragraph. We also performed tests of its compliance with certain provisions referred to in Section 803(a) of the Federal Financial Management Improvement Act of 1996 (FFMIA). Providing an opinion on compliance with FFMIA was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests of FFMIA disclosed instances, as described in finding A of Exhibit I, in which OPM’s financial management systems did not substantially comply with the Federal financial management systems requirements. The results of our tests of FFMIA disclosed no instances in which OPM’s financial management systems did not substantially comply with applicable Federal accounting standards and the United States Government Standard General Ledger at the transaction level. OPM’s Responses to Findings OPM’s responses to the findings identified in our audits are described in Exhibits I and II. OPM’s responses were not subjected to the auditing procedures applied in the audits of the consolidated financial statements and the Programs’ individual financial statements and, accordingly, we express no opinion on the responses. Purpose of the Other Reporting Required by Government Auditing Standards The purpose of the communication described in the Other Reporting Required by Government Auditing Standards section is solely to describe the scope of our testing of internal control and compliance and the result of that testing, and not to provide an opinion on the effectiveness of OPM’s internal control or compliance. Accordingly, this communication is not suitable for any other purpose. Washington, DC November 12, 2015 Exhibit I. Material Weakness A. Information Systems Control Environment Management is charged with the oversight and accountability for the governance of the information technology (IT) control environment, including general IT controls, and has not taken appropriate action to address ongoing pervasive deficiencies that have been identified in multiple information systems and reported to management as a significant deficiency or material weakness since fiscal year 2007. Despite concerted efforts by OPM’s Office of the Chief Information Officer (CIO) to make progress in addressing these long-standing findings, in fiscal year 2015, we continued to observe these long–standing findings in addition to other control weaknesses, as outlined below. Due to the persistence of a number of long-standing control weaknesses in OPM’s information security control environment, collectively, we considered these matters to be a material weakness in internal control. 1. The current authoritative guidance regarding two-factor authentication has not been fully applied. 2. Access rights in OPM systems are not documented and mapped to personnel roles and functions to ensure that personnel access is limited only to the functions needed to perform their job responsibilities. 3. The information security control monitoring program was not fully effective in detecting information security control weaknesses. We noted access rights in OPM systems were: a) Granted to new users without following the OPM access approval process and inconsistently reviewed as part of the quarterly review process to confirm access approvals. b) Not revoked immediately upon user separation and inconsistently reviewed as part of the quarterly review process to confirm access removals. c) Granted to a privileged account without following the OPM access approval process. 4. A formalized system component inventory of devices to be assessed as part of vulnerability or configuration management processes was not maintained. 5. The Plan of Action & Milestones (POA&M) or similar tracking log did not track weaknesses identified from vulnerability scans. Federal Information Process Standards 200, Minimum Security Requirements for Federal Information and Information Systems, and National Institute of Standards and Technology Special Publication 800-53 Revision 4, Recommended Security Controls for Federal Information Systems, in combination, provide a framework to help ensure that appropriate security requirements and security controls are applied by agencies to all federal information and information systems. This framework includes an organizational assessment of risk by agencies that validates the initial security control selection and determines if any additional controls are needed to protect organizational operations. The resulting set of security controls establishes a level of security due diligence for the organization. These conditions, mentioned above, reduce OPM’s ability to have an effectively managed IT security program. Therefore, this may continue to increase the risk of IT systems being compromised. Recommendations We recommend that the OCIO, in coordination with the Office of the Chief Financial Officer (OCFO) and system owners in Program offices, develop and effectively implement the necessary corrective actions to: 1. Fully implement the current authoritative guidance regarding two-factor authentication. 2. Document and map access rights in OPM systems to personnel roles and functions, following the principle of “least privilege”. 3. Enhance OPM’s information security control monitoring program to detect information security control weaknesses by: a) Implementing and monitoring procedures to ensure system access is appropriately granted to new users, consistent with the OPM access approval process. b) Monitoring the process for the identification and removal of separated users to ensure that user access is removed timely upon separation; implementing procedures to ensure that user access, including user accounts and associated roles, are periodically reviewed based on the nature and risk of the system, and promptly modifying any accounts as necessary. c) Monitoring the process for granting privileged access to ensure that accounts with elevated privileges are approved based on business needs and enforce the concept of least privilege. 4. Continue to perform, monitor, and improve its patch and vulnerability management processes, to include maintaining an accurate inventory of devices. Management Response Management concurs with the finding and recommendation. OPM will develop and implement a corrective action plan to address these deficiencies in this new fiscal year. Exhibit II. Significant Deficiency B. Entity Level Controls Over Financial Management Entity-level controls encompass the overall control environment throughout the entity. This includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance, and management concerning the entity's internal control and its importance in the entity. Entity-level controls are often categorized as environmental controls, risk assessment, monitoring, and information and communications, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2013 version), and the Government Accountability Office (GAO) Standard of Internal Control in the Federal Government. These controls must be effective to create and sustain an organizational structure that is conducive to reliable financial reporting. During fiscal year 2015, OPM reported a data breach which affected millions of Federal employees and government contractors. Based on our procedures to evaluate the potential impact of the data breach on OPM’s financial statements, we noted a number of control deficiencies that are pervasive throughout the agency. Specifically, we noted: 1. OPM’s risk assessment process is not designed appropriately to handle non-routine events and transactions. As a result, non-routine events and transactions that have a greater likelihood of resulting in a material misstatement in the financial statements are not always receiving an appropriate level of attention. Specifically, OPM did not fully assess and identify the risks associated with using a third party to store and maintain personally identifiable information that is a significant part of the underlying data used in calculating OPM’s actuarial liabilities. The use of a service provider extends the financial reporting control environment and OPM’s responsibilities for those relevant controls. 2. OPM’s risk assessment processes do not have a mechanism in place to identify internal and external factors/events that would prompt OPM management to perform an evaluation of non-routine events or transactions and assess the impact on the financial statements: Specifically, we noted: a) The OCFO did not identify the data breach as a significant risk to the financial statements as some of the information compromised during the data breach is used in the development of the population used in the calculation of OPM’s actuarial liabilities. b) The OCFO did not effectively communicate and coordinate with other OPM components regarding the initial evaluation of the potential impact of the data breach to the financial statements. c) Roles and responsibilities of OPM components that provide key financial and non-financial information for financial statement purposes were not clearly defined. d) The roles, responsibilities, and end-to-end processes activities between OPM components and shared-service providers are not clearly documented, communicated and monitored. In addition, there was no Authority to Operate a relevant system belonging to a shared-service provider for the period from November 29, 2014 through May 13, 2015. e) The OCFO did not properly apply Federal accounting standards when accounting for the liability related to identity monitoring, credit monitoring, identity restoration, and identity theft insurance. As a result of our observations, OPM performed an analysis to determine whether the data breach compromised the integrity of the underlying data in calculating OPM’s actuarial liabilities. Weaknesses in entity-level controls may have a pervasive effect on how OPM responds to non-routine events and transactions that have a likelihood of resulting in material misstatements in the financial statements. Consequently, misstatements in the financial statements from non-routine events and transactions may not be prevented and/or detected and corrected on a timely basis. Recommendation We recommend that OPM perform a thorough review of their entity-level controls over financial reporting and relevant activities to identify the underlying cause of these deficiencies and take the appropriate corrective actions to strengthen controls to mitigate the risk of material misstatement when non-routine events occur. Management Response Management concurs with the finding and recommendation. OPM will develop and implement a corrective action plan, including skills gap analysis and a shared services governance structure, to address these deficiencies in the first quarter of this new fiscal year.
Audit of the Office of Personnel Management's Fiscal Year 2015 Consolidated Financial Statements
Published by the Office of Personnel Management, Office of Inspector General on 2015-11-13.
Below is a raw (and likely hideous) rendition of the original report. (PDF)