Exhibit I – Reportable Conditions

U.S. Department of Commerce
Independent Auditors' Report

Financial Management Systems Need Improvement (Repeat Condition Since 1998)

For many years, the U.S. Department of Commerce (Department) Office of Inspector General (OIG), U.S. Government Accountability Office (GAO), and departmental self-assessments have identified weaknesses in the Department’s information technology (IT) and financial systems controls. Our fiscal year 2005 assessment of the Department’s general IT and financial systems controls, performed in support of the fiscal year 2005 consolidated financial statement audit, found that although the Department needs to make further progress with its general IT control environment, progress has been made in addressing many prior weaknesses. For example, during FY 2005 Commerce took several positive steps with its IT control processes, not only to improve controls and processes, but also to help address previously reported IT control weaknesses, including an IT security material weakness reported under the Federal Managers’ Financial Integrity Act (FMFIA).

As in FY 2004, Commerce continued to focus on improving the Department’s information security certification and accreditation program, which is a key information security management and technical control process. Additionally, in June 2005, the Department successfully met its goal of publishing a major revision to the Department of Commerce IT Security Program Policy and Minimum Implementation Standards. The guidance defines updated DOC mandatory minimally acceptable standards for the implementation of effective IT security programs at all bureaus and operating units. The newly published version incorporates, by reference, the most current Public Laws, Federal requirements, and Departmental policies and procedures affecting security of Federal information systems. It also includes recommended management practices of the Federal government and private industry.

Despite these improvements, we continued to identify weaknesses in general IT controls that we consider to be a reportable condition as defined by the American Institute of Certified Public Accountants. As part of the Department’s fiscal year 2005 FMFIA evaluation, the Department determined (and the OIG also confirmed) that a material weakness, related to IT information security, continues to exist.

Effective general IT controls add assurance that data used to prepare and report financial information and statements is complete, reliable, and has integrity. Our fiscal year 2005 IT assessment was focused on the general IT controls over the Department’s major financial management systems and supporting network infrastructure, using GAO’s Federal Information System Controls Audit Manual (FISCAM) as a guide. The six FISCAM general IT control review elements, and our related findings, are as follows:

  • Entity-wide security program. An entity-wide security program for security planning and management is the foundation of an organization’s information security control structure. The program should provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

    Although the Department has made improvements in this area, our audit identified that entity-wide security can still be improved at several bureaus, primarily in the areas of: (1) updating system security plans, (2) execution of non-disclosure agreements by contractors, and (3) security awareness and specialized security training. We also noted that during the year one bureau had not re-certified a system after a major upgrade.

    Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, provides key guidance for establishing and maintaining an entity-wide information security program. Collectively, the identified entity-wide security planning and management issues, coupled with the access control issues described below, reduce the overall effectiveness of the entity-wide security programs for the individual bureaus and operating units, and the overall Department. The Department of Commerce IT Security Program Policy and Minimum Implementation Standards reiterates OMB Circular A-130 guidance and implements key elements of that guidance as Department-wide policy.
  • Security access controls. In close concert with an organization’s entity-wide information security program, access controls for general support systems and financial systems should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization’s entity-wide security program. Such controls include physical controls and logical controls.

    The objectives of limiting access are to ensure that users have only the access needed to perform their duties; that access to very sensitive resources, such as security software programs, is limited to very few individuals; and that employees are restricted from performing incompatible functions or functions beyond their responsibility. This is reiterated by Federal guidelines. For example, OMB Circular A-130 and supporting National Institute of Standards and Technology (NIST) security publications provide guidance related to the maintenance of technical access controls. In addition, the Department of Commerce IT Security Program Policy and Minimum Implementation Standards contain many requirements for operating Department IT devices in a secure manner.

    During fiscal year 2005, we noted that access controls should be improved at all Department bureaus, primarily in the areas of improved: (1) management of user accounts, (2) logical controls for network and remote access, (3) requirements for obtaining signed user Rules of Behavior, and (4) technical controls for system devices to protect against vulnerabilities associated with malicious threats and attacks. We recognize that the Department and its bureaus have some compensating controls in place to help reduce the risk of the identified vulnerabilities, and we have considered such compensating controls as part of our overall consolidated financial statement audit.
  • Application software development and change control. The primary focus of application software development and change control is on controlling the changes that are made to software systems in operation. Establishing controls over the modification of application software programs ensures that only authorized programs and authorized modifications are implemented. This is accomplished by instituting policies, procedures, and techniques to determine that all programs and program modifications are properly authorized, tested, and approved, and that access to and distribution of programs is carefully controlled. Without proper controls, there is a risk that security features could be inadvertently or deliberately omitted or turned off, or that processing irregularities or malicious code could be introduced into the IT environment.

    During fiscal year 2005, we noted that application software development and change controls should be improved at three bureaus, primarily in the areas of better: (1) processes for the removal of unauthorized personal and public software, (2) monitoring of access to the production environment, and (3) tracking of access to software libraries.
  • System software. System software is a set of programs designed to operate and control the processing activities of computer equipment. System software helps control the input, processing, output, and data storage associated with all of the applications that run on a system. Controls over access to and modification of system software are essential in providing reasonable assurance that operating system-based security controls are not compromised and that the system will not be impaired.

    During fiscal year 2005, we noted that system software controls should be improved at two bureaus, primarily in the areas of: (1) restricting and monitoring the use of system software, and (2) improving patch management processes.
  • Segregation of duties. Work responsibilities should be segregated so that an individual does not control more than one critical function within a process. Inadequately segregated duties increase the risk that erroneous or fraudulent transactions could be processed, improper program changes could be implemented, and computer resources could be damaged or destroyed. Key areas of concern for segregation of duties involve duties among major operating and programming activities, including duties performed by users, application programmers, and data center staff. Policies outlining individual responsibilities should be documented, communicated, and enforced. The prevention and/or detection of unauthorized or erroneous actions by personnel require effective supervision and review by management, as well as formal operating procedures.

    During fiscal year 2005, we noted that controls over segregation of duties should be improved at two bureaus, primarily related to segregating key IT functions and better documentation of IT-related position descriptions.
  • Service continuity. Losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency’s ability to accomplish its mission. For this reason, an agency should have: (1) procedures in place to protect information resources and minimize the risk of unplanned interruptions, and (2) a plan to recover critical operations should interruptions occur.

    During fiscal year 2005, we noted that service continuity controls should be improved at several Department bureaus, primarily in the areas of: (1) testing disaster recovery and continuity plans, (2) procuring alternate processing sites, (3) including key elements, such as emergency processing priorities, in documented plans, and (4) providing for the regular maintenance and testing of data center environmental controls. We also noted that one bureau had not conducted a business impact analysis as part of its contingency planning activities.

Recommendations

Specific recommendations are included in a separate limited distribution IT general controls report, issued as part of the fiscal year 2005 consolidated financial statement audit. The Department should monitor bureau actions to ensure effective implementation of our recommendations.

Management’s Response

Management agreed with our findings, conclusions, and recommendations related to improving the Department’s financial management systems controls. The Department is in the process of finalizing corrective action plans to address the recommendations presented in the separate limited distribution IT general controls report.

Accounting for NIST Construction-In-Progress Needs Improvement

During our audit, the NIST Finance Division (NIST Finance) informed us that its Construction-in-Process (CIP) account did not reconcile to the dollar amount of active CIP projects. NIST determined that its CIP account was overstated by approximately $127 million, related to (1) costs incurred on fiscal year 2004 and prior projects that had since been completed and not transferred to a completed property account, and (2) costs recorded in CIP that were not capitalizable. A detailed analysis of this issue, performed by NIST and its consultants, was hindered because NIST did not maintain documentation to support costs incurred in the CIP account prior to fiscal year 1999. NIST ultimately determined that $68 million should be transferred to completed projects with the associated $6 million of accumulated depreciation added to the general ledger and $59 million should be expensed. The expense adjustment relates to over eight years of costs incurred associated with the Construction of Research Facilities (CRF) appropriation that were recorded in CIP, even though the CRF appropriation includes funding for noncapitalizable items (such as routine repairs and maintenance expenditures for existing facilities). Adjustments were made to NIST’s CIP account in FY 2005 to correct the Department’s consolidated financial statements for these misstatements.

The CIP accounting issues occurred because NIST did not have sufficient controls in place to segregate capitalizable versus non-capitalizable costs. Prior to March 31, 2005, NIST did not have a policy requiring a periodic reconciliation of the CIP account balance, by project, to active construction project files maintained by the NIST facilities management personnel in Gaithersburg, Maryland and Boulder, Colorado. NIST also did not have a procedure to annually validate the status of project balances in the CIP account.

Recommendations

We recommend that the NIST Chief Financial Officer (CFO) establish and enforce routine controls to ensure that completed construction projects are removed timely from CIP and only capitalizable costs are added to NIST’s CIP balance. Specifically:

  • A routine process should be established that requires communication between NIST Finance and NIST facilities management personnel in Gaithersburg, Maryland and Boulder, Colorado regarding the status of active construction projects, to ensure that completed projects are transferred from CIP into completed asset accounts in a timely manner.
  • The NIST CFO and Chief Facilities Management Officer should coordinate efforts to ensure that NIST Finance is performing timely quarterly reconciliations of CIP cost reports, so that all costs in the CIP account are capitalizable and relate to active construction projects. Additionally, they should coordinate efforts to ensure that NIST facilities management personnel in Gaithersburg, Maryland and Boulder, Colorado are maintaining complete and current project files and are communicating capitalization information to NIST Finance in a timely manner.
  • NIST Finance should finalize and implement policies and procedures relating to accounting and reporting of CIP costs. These policies and procedures should incorporate all aspects of accounting for and managing CIP costs, including reviewing appropriation and budget language, monitoring and validating project activities, performing timely quarterly reconciliations, and performing proper capitalization.

Management’s Response

Management agreed with our findings, conclusions, and recommendations related to improving NIST’s accounting for CIP. The Department is in the process of finalizing corrective action plans to address the above recommendations.
