Exhibit I – Reportable Conditions
U.S. Department of Commerce
Independent Auditors' Report
Financial Management Systems Need Improvement (Repeat Condition Since 1998)
For many years, the U.S. Department of Commerce (Department) Office of Inspector
General (OIG), U.S. Government Accountability Office (GAO), and departmental self-assessments
have identified weaknesses in the Department’s information technology (IT)
and financial systems controls. Our fiscal year 2005 assessment of the Department’s
general IT and financial systems controls, performed in support of the fiscal year 2005
consolidated financial statement audit, found that although the Department needs to make
further progress with its general IT control environment, progress has been made in
addressing many prior weaknesses. For example, during FY 2005 Commerce took
several positive steps with its IT control processes, not only to improve controls and
processes, but also to help address previously reported IT control weaknesses, including
an IT security material weakness reported under the Federal Managers’ Financial
Integrity Act (FMFIA).
As in FY 2004, Commerce continued to focus on improving the Department’s
information security certification and accreditation program, which is a key information
security management and technical control process. Additionally, in June 2005, the
Department successfully met its goal of publishing a major revision to the Department of
Commerce IT Security Program Policy and Minimum Implementation Standards. The
guidance defines updated DOC mandatory minimally acceptable standards for the
implementation of effective IT security programs at all bureaus and operating units. The
newly published version incorporates, by reference, the most current Public Laws,
Federal requirements, and Departmental policies and procedures affecting security of
Federal information systems. It also includes recommended management practices of the
Federal government and private industry.
Despite these improvements, we continued to identify weaknesses in general IT controls
that we consider to be a reportable condition as defined by the American Institute of
Certified Public Accountants. As part of the Department’s fiscal year 2005 FMFIA
evaluation, the Department determined (and the OIG also confirmed) that a material
weakness, related to IT information security, continues to exist.
Effective general IT controls add assurance that data used to prepare and report financial
information and statements is complete, reliable, and has integrity. Our fiscal year 2005
IT assessment was focused on the general IT controls over the Department’s major
financial management systems and supporting network infrastructure, using GAO’s
Federal Information System Controls Audit Manual (FISCAM) as a guide. The six
FISCAM general IT control review elements, and our related findings, are as follows:
- Entity-wide security program. An entity-wide security program for security
planning and management is the foundation of an organization’s information security
control structure. The program should provide a framework and continuing cycle of
activity for managing risk, developing security policies, assigning responsibilities,
and monitoring the adequacy of computer-related security controls.
Although the Department has made improvements in this area, our audit identified
that entity-wide security can still be improved at several bureaus, primarily in the
areas of: (1) updating system security plans, (2) execution of non-disclosure
agreements by contractors, and (3) security awareness and specialized security
training. We also noted that during the year one bureau had not re-certified a system
after a major upgrade.
Office of Management and Budget (OMB) Circular A-130, Management of Federal
Information Resources, provides key guidance for establishing and maintaining an
entity-wide information security program. Collectively, the identified entity-wide
security planning and management issues, coupled with the access control issues
described below, reduce the overall effectiveness of the entity-wide security programs
for the individual bureaus and operating units, and the overall Department. The
Department of Commerce IT Security Program Policy and Minimum Implementation
Standards, reiterates OMB Circular A-130 guidance, and implements key elements of
such guidance as Department-wide policy.
- Security access controls. In close concert with an organization’s entity-wide
information security program, access controls for general support systems and
financial systems should provide reasonable assurance that computer resources such
as data files, application programs, and computer-related facilities and equipment are
protected against unauthorized modification, disclosure, loss, or impairment. Access
controls are facilitated by an organization’s entity-wide security program. Such
controls include physical controls and logical controls.
The objectives of limiting access are to ensure that users have only the access needed
to perform their duties; that access to very sensitive resources, such as security
software programs, is limited to very few individuals; and that employees are
restricted from performing incompatible functions or functions beyond their
responsibility. This is reiterated by Federal guidelines. For example, OMB Circular
A-130 and supporting National Institute of Standards and Technology (NIST) security
publications provide guidance related to the maintenance of technical access controls.
In addition, the Department of Commerce IT Security Program Policy and Minimum
Implementation Standards contain many requirements for operating Department IT
devices in a secure manner.
During fiscal year 2005, we noted that access controls should be improved at all
Department bureaus, primarily in the areas of: (1) management of user
accounts, (2) logical controls for network and remote access, (3) requirements for
obtaining signed user Rules of Behavior, and (4) technical controls for system devices
to protect against vulnerabilities associated with malicious threats and attacks. We
recognize that the Department and its bureaus have some compensating controls in
place to help reduce the risk of the identified vulnerabilities, and we have considered such compensating controls as part of our overall consolidated financial statement
audit.
- Application software development and change control. The primary focus of
application software development and change control is on controlling the changes
that are made to software systems in operation. Establishing controls over the
modification of application software programs ensures that only authorized programs
and authorized modifications are implemented. This is accomplished by instituting
policies, procedures, and techniques to determine that all programs and program
modifications are properly authorized, tested, and approved, and that access to and
distribution of programs is carefully controlled. Without proper controls, there is a
risk that security features could be inadvertently or deliberately omitted or turned off,
or that processing irregularities or malicious code could be introduced into the IT
environment.
During fiscal year 2005, we noted that application software development and change
controls should be improved at three bureaus, primarily in the areas of: (1)
processes for the removal of unauthorized personal and public software, (2)
monitoring of access to the production environment, and (3) tracking of access to
software libraries.
- System software. System software is a set of programs designed to operate and
control the processing activities of computer equipment. System software helps
control the input, processing, output, and data storage associated with all of the
applications that run on a system. Controls over access to and modification of system
software are essential in providing reasonable assurance that operating system-based
security controls are not compromised and that the system will not be impaired.
During fiscal year 2005, we noted that system software controls should be improved
at two bureaus, primarily in the areas of: (1) restricting and monitoring the use of
system software, and (2) improving patch management processes.
- Segregation of duties. Work responsibilities should be segregated so that an
individual does not control more than one critical function within a process.
Inadequately segregated duties increase the risk that erroneous or fraudulent
transactions could be processed, improper program changes could be implemented,
and computer resources could be damaged or destroyed. Key areas of concern for
segregation of duties involve duties among major operating and programming
activities, including duties performed by users, application programmers, and data
center staff. Policies outlining individual responsibilities should be documented,
communicated, and enforced. The prevention and/or detection of unauthorized or
erroneous actions by personnel require effective supervision and review by
management, as well as formal operating procedures.
During fiscal year 2005, we noted that controls over segregation of duties should be
improved at two bureaus, primarily related to segregating key IT functions and better
documentation of IT-related position descriptions.
- Service continuity. Losing the capability to process, retrieve, and protect
information maintained electronically can significantly affect an agency’s ability to
accomplish its mission. For this reason, an agency should have: (1) procedures in
place to protect information resources and minimize the risk of unplanned
interruptions, and (2) a plan to recover critical operations should interruptions occur.
During fiscal year 2005, we noted that service continuity controls should be improved
at several Department bureaus, primarily in the areas of: (1) testing disaster recovery
and continuity plans, (2) procuring alternate processing sites, (3) including key
elements, such as emergency processing priorities, in documented plans, and (4)
providing for the regular maintenance and testing of data center environmental
controls. We also noted that one bureau had not conducted a business impact analysis
as part of its contingency planning activities.
Recommendations
Specific recommendations are included in a separate limited distribution IT general
controls report, issued as part of the fiscal year 2005 consolidated financial statement
audit. The Department should monitor bureau actions to ensure effective implementation
of our recommendations.
Management’s Response
Management agreed with our findings, conclusions, and recommendations related to
improving the Department’s financial management systems controls. The Department is
in the process of finalizing corrective action plans to address the recommendations
presented in the separate limited distribution IT general controls report.
Accounting for NIST Construction-In-Progress Needs Improvement
During our audit, the NIST Finance Division (NIST Finance) informed us that its
Construction-in-Process (CIP) account did not reconcile to the dollar amount of active
CIP projects. NIST determined that its CIP account was overstated by approximately
$127 million, related to (1) costs incurred on fiscal year 2004 and prior projects that had
since been completed and not transferred to a completed property account, and (2) costs
recorded in CIP that were not capitalizable. A detailed analysis of this issue, performed
by NIST and its consultants, was hindered because NIST did not maintain documentation
to support costs incurred in the CIP account prior to fiscal year 1999. NIST ultimately
determined that $68 million should be transferred to completed projects with the
associated $6 million of accumulated depreciation added to the general ledger and $59 million should be expensed. The expense adjustment relates to over eight years of costs
incurred associated with the Construction of Research Facilities (CRF) appropriation that
were recorded in CIP, even though the CRF appropriation includes funding for non-capitalizable
items (such as routine repairs and maintenance expenditures for existing
facilities). Adjustments were made to NIST’s CIP account in FY 2005 to correct the
Department’s consolidated financial statements for these misstatements.
The CIP accounting issues occurred because NIST did not have sufficient controls in
place to segregate capitalizable versus non-capitalizable costs. Prior to March 31, 2005,
NIST did not have a policy requiring a periodic reconciliation of the CIP account
balance, by project, to active construction project files maintained by the NIST facilities
management personnel in Gaithersburg, Maryland and Boulder, Colorado. NIST also did
not have a procedure to annually validate the status of project balances in the CIP
account.
Recommendations
We recommend that the NIST Chief Financial Officer (CFO) establish and enforce
routine controls to ensure that completed construction projects are removed timely from
CIP and only capitalizable costs are added to NIST’s CIP balance. Specifically:
- A routine process should be established that requires communication between NIST
Finance and NIST facilities management personnel in Gaithersburg, Maryland and
Boulder, Colorado regarding the status of active construction projects to ensure that
completed projects are transferred timely from CIP into completed asset accounts.
- The NIST CFO and Chief Facilities Management Officer should coordinate efforts to
ensure that NIST Finance is performing timely quarterly reconciliations of CIP cost
reports to ensure that all costs in the CIP account are capitalizable and relate to active
construction projects. Additionally, they should coordinate efforts to ensure that
NIST facilities management personnel in Gaithersburg, Maryland and Boulder,
Colorado are maintaining complete and current project files and are communicating
capitalization information to NIST Finance in a timely manner.
- NIST Finance should finalize and implement policies and procedures relating to
accounting and reporting of CIP costs. These policies and procedures should
incorporate all aspects of accounting for and managing CIP costs, including
reviewing appropriation and budget language, monitoring and validating project
activities, performing timely quarterly reconciliations, and performing proper
capitalization.
Management’s Response
Management agreed with our findings, conclusions, and recommendations related to improving NIST’s accounting for CIP. The Department is in the process of finalizing corrective action plans to address the above recommendations.