Office of Justice Programs
Fiscal Year 2000

Report No. 01-22
August 2001
Office of the Inspector General

OJP Needs to Improve Its Accrual Policies and Process for Recording Contract and Other Vendor Accounts Payable Transactions

In current and prior fiscal years (FY), OJP did not have a process in place for accruing contract and other vendor accounts payable. OJP has relied upon its financial statement auditors to inform them, via an audit adjustment, of the amount that should be recorded as accounts payable. Reliance on auditors is not an effective internal control of OJP Management.

In addition, during our search for unrecorded liabilities, we noted that vendor invoices did not always indicate the date on which OJP received and accepted goods or services. Although OJP does have the signature of the receiving officer on the invoices, the receipt and acceptance date is critical information that OJP needs to use to properly accrue its liabilities.

During FY 2000, OJP began to draft, but did not implement accrual policies and procedures; however, the draft policies lack details regarding actual procedures to be performed for contract and other vendor type transactions, significant management conclusions, procedures for documenting estimates, and how estimates are derived. In addition, the policies should emphasize the need for supervisory review.

Without an accurate accrual process in place, OJP could potentially understate its liabilities and appropriations used, and overstate its undelivered orders. For the FY 2000 financial statements an audit adjustment of approximately $13 million for contract and other vendor accruals was made.

OJP's grant accrual and payroll accrual processes were not affected by this condition. In prior years OJP had a material weakness relating to grant accrual because of their inability to produce a timely and accurate accrual for grants. However during FY 2000, OJP implemented a grant accrual program in the Integrated Financial Management Information System (IFMIS) that was able to produce timely and accurate grant accrual information. For its payroll accrual, OJP uses actual data that is available shortly after the year-end.

Statement of Federal Financial Accounting Standard (SFFAS) No. 5, Accounting for Liabilities of the Federal Government, states that government-related events resulting in a liability should be recognized in the period the event occurs if the future outflow or other sacrifice of resources is probable and the liability can be measured, or as soon thereafter as it becomes probable and measurable.

Recommendation No. 1

We recommend that Office of the Comptroller (OC) and Office of Administration (OA):

1. Implement a receipt and acceptance process that includes the signature of the receiving officer, as well as the date of receipt and acceptance of the goods and services.

2. Develop comprehensive accrual policies and procedures for contract and other vendor transactions that will require the recording of an accounts payable based upon the receipt and acceptance date. Also, the policies and procedures should include detailed procedures to be performed in the process, the need for documentation of significant management conclusions, the process for developing estimates, and the required level of supervisory review.

OJP Lacks a Process for Identifying and Accruing Contract Retainage Liabilities

OJP does not have a process in place to identify and accrue contract retainage liabilities resulting from contract services provided and accepted but not yet paid by OJP. This situation occurs in contracts that contain contract retainage clauses that result in OJP withholding a portion of the earned contract fees until all the contract terms are completed satisfactorily.

A review of OJP's existing contracts disclosed that many of OJP's contracts have retainage clauses, and approximately one-third of the contracts have amounts withheld from payment. As a result, contract retainages should be tracked and recorded as a liability by OJP.

Without established policies and procedures in place, OJP could understate its payables and expenses in its financial statements. As a result of our audit inquires, OJP conducted a contract retainage review and recorded the necessary liability of approximately $317,000 in the financial statements as of September 30, 2000; therefore, there is no misstatement to the FY 2000 financial statements. Although, the FY 2000 contract retainage liability was not material to the financial statements, if OJP enters into additional significant contracts, the retainage amounts could become more material to the financial statements. In addition, OJP should have a routine process to capture, track, and record such liabilities.

SFFAS No. 5, Accounting for Liabilities of the Federal Government, states that government-related events resulting in a liability to the reporting entity should be recognized in the period the event occurs if the future payment of resources is probable and the liability can be measured.

Recommendation No. 2

We recommend that OC and OA establish a process to identify and record contract retainages that have been earned but have not been paid due to contract retainage requirements.

OC Needs to Improve its Financial Statement Preparation Process

During the past four financial statement audits, OJP has improved its financial statement preparation, general ledger maintenance, and account analysis areas. However, OJP still lacks proper internal controls to ensure that draft financial statements are accurate and prepared in accordance with Statements of Federal Financial Accounting Standards (SFFAS) and OMB Bulletin No. 97-01 Form and Content of Agency Financial Statements, as amended.

Some of the significant financial statement presentation deficiencies that were in the various draft financial statement versions received by the auditors are as follows.

• The prior year ending balance did not agree to the beginning balance for the Statement of Budgetary Resources line item "Obligated Net Beginning of Period".

• The same financial statement line item amounts were inconsistent among the different financial statements.

• Some financial statements were prepared with incorrect information or were not provided in the level of detail that was required.

• Some of the required financial statement footnotes were omitted.

• Financial statement footnotes did not always tie to the related financial statements.

• Performance measures in the management discussion and analysis section of the financial statements could not be associated with the responsibility segments in the statement of net cost.

• Performance measures provided FY 2000 results however they did not provide FY 1999 actual results, trend information, or outcome measures.

• In addition, many of the draft financial statements were not mathematically correct, and various versions of the draft financial statements did not have the required accompanying footnotes and related trial balances.

Many of the discrepancies noted above are the result of OC not having a detailed process in place to gather all the required information for the financial statements, and not having an adequate quality control process to ensure that the financial statements are reviewed for accuracy and completeness. If OC prepared financial statements on a more routine basis (i.e., at a minimum semi-annually), the process for gathering this information and financial statements would become more established in the activities of OC.

The non-routine nature of the compilation of information for the financial statements and the preparation of the financial statements results in errors and inefficiencies that slow down the financial reporting process. It also resulted in last minute efforts to correct errors that have occurred and were detected throughout the year, and unnecessary demands placed on OC personnel for last minute corrections.

Recommendation No. 3

We recommend that OJP:

1. Establish a detailed process, with timelines, for gathering information for financial statement preparation and to ensure that the financial statements are reviewed for accuracy prior to distribution. Review personnel should preferably be independent of the financial statement preparation process.

2. Ensure that the General Accounting Office (GAO)'s Checklist for Reports Prepared Under the CFO Act and OMB 97-01 Disclosure Checklist are completed during the preparation of the financial statements.

3. Ensure that all financial statement account relationships are reviewed to identify all inconsistencies between financial statements. If differences do exist, they should be researched so they can be adequately explained or corrected.

4. Prepare interim financial statements at least semi-annually, and consider preparing them quarterly.

Modifications to the Accounting System Need to be Made

We noted the following deficiencies relating to OJP's automated accounting system, IFMIS, which impeded the efficient and accurate preparation of the financial statements.

• IFMIS does not have the capability to produce a consolidated trial balance for OJP's multiple appropriations. Therefore, OC is required to manually prepare a consolidated trial balance, which subjects the process to error.

• IFMIS does not have the capability to produce financial statements, as a result significant manual processes are required to be performed.

• The Crime Victims Fund (CVF) general ledger posting logic is not accurate. Certain entries recorded in the fund during the year are incorrectly posted to general ledger accounts 3100 (Unexpended Appropriations) and 5700 (Appropriations Used). Entries are posted to these accounts when payments are made from CVF. These entries should not affect the general ledger accounts 3100 and 5700, because CVF contains fines and penalties (i.e., non-appropriated funds) collected from the U.S. Courts. Because general ledger accounts 3100 and 5700 are incorrectly used, an adjusting entry is required to be made to the general ledger at the end of the year. In addition, if the two accounts do not agree, as was the case during FY 2000, a detailed reconciliation of these accounts is required.

The lack of a consolidated trial balance, the systems' inability to produce financial statements, and inaccurate posting logic for CVF results in errors, inconsistencies, and inefficiencies in the financial statement preparation process. OJP implemented IFMIS during FY 1999, which greatly improved its accountability, however OJP still lacks an automated report package to assist in the preparation of a consolidated trail balance and financial statements.

Recommendation No. 4

We recommend that OC modify IFMIS to produce a consolidated trial balance, produce financial statements, and properly post revenue and expense transactions for the CVF.

Recommendation No. 5

We recommend that OJP develop procedures that can be used by OJP personnel when preparing the following sections of the financial statements:

• Management discussion and analysis,
• Principal financial statements,
• Related financial statement footnotes, and
• Required supplementary information.

The Process for Analyzing and Recording Adjustments (Adjusting Entries) in IFMIS Needs to be Improved

During the audit, we noted the following conditions relating to adjustments that impact the preparation of the financial statements:

• Generally, prior year audit adjustments (i.e., 1996 through 1998) were not posted to IFMIS at year end. As a result, IFMIS could not generate subsequent year beginning balances that agreed to the prior year financial statements.

• OC does not have a process in place to analyze and record the effect of prior year audit adjustments on current year financial statements.

• Three material transactions were incorrectly posted to IFMIS as current year activity, that should have been treated as prior period adjustments.

Adjusting entries are non-routine transactions that can have a significant impact on OJP's current year financial statements. These non-routine transactions require OJP management decisions. In addition, individual interpretation often has an impact on how the adjusting entries are posted to the system.

If OC established a standard materiality level(s) that can be used at the fund level and OJP consolidated fund level, individual interpretations on what is considered a material transaction would be eliminated.

Recommendation No. 6

We recommend that OC develop a policy and review procedures to ensure that:

1. Audit adjustments are posted timely to IFMIS.

2. An analysis is performed to determine the effects of prior year audit adjustments on current and subsequent year financial statements.

3. Adjusting journal vouchers are properly reviewed to determine if the correct standard general ledger accounts have been used.

Entity-Wide Security

During FY 1999, OJP did not have risk assessments developed for the Data Communications System (DCS) which includes the Enterprise Information System (EIS) or (LAN), the Grant Management System (GMS), the Phone Activated Paperless Response System (PAPRS), and the Integrated Financial Management Information System (IFMIS).

OMB Circular A-130, Appendix III states that at least every three years, an independent audit or review of the security controls for each major application should be performed.

Periodic system reviews are critical to ensure management, technical, and operational controls are functioning effectively. In addition, periodic system reviews will help determine the adequacy of the security of systems as technology changes, and procedures and personnel change.

OJP did not perform a risk assessment of IFMIS until the third quarter of FY 2000. Also during FY 2000, vulnerability assessments were performed on PAPRS, EIS, GMS and IFMIS. Vulnerability assessments are conducted in conjunction with a risk assessment. The vulnerability assessments are designed to be a security check performed under actual operating conditions. This is a useful tool for evaluating whether critical financial systems and related systems and data are vulnerable to unauthorized access and disclosure. OJP implemented corrective actions during the FY 2000 audit, however these actions were not in place throughout the fiscal year audited. Therefore, no recommendation is necessary at this time.

Service Continuity

DCS Contingency Plan not Distributed to Appropriate Personnel

The Data Communications System (DCS) Contingency Plan has not been distributed to appropriate personnel (e.g., the Help Desk personnel).

The DCS Contingency Plan requires that copies of the plan be reproduced in paper form and distributed to the Program Manager (PM), all OJP DCS System Administrators, and Help Desk personnel.

Without proper documentation disseminated to the applicable personnel, it is not possible for staff to address emergencies as defined in the DCS Contingency Plan. During emergency situations, a plan must be available for reference so that all situations may be addressed as dictated by OJP management.

During the first quarter of FY 2001, changes were made to the contingency plan and the updated version was distributed to the Help Desk staff. As a result of OJP's corrective actions subsequent to FY 2000, no recommendation is necessary at this time.

Service Level Agreement has not been Arranged for an Alternate Data Processing Facility

OJP has not formally arranged for an alternate data processing facility in the event of an emergency situation.

National Institute of Standards and Technology's Introduction to Computer Security, Section 11.4, Step 4: Selecting Contingency Planning Strategies, 1. Processing Capability states that "Strategies for processing capability are normally grouped into five categories: hot site; cold site; redundancy; reciprocal agreements; and hybrids. These terms originated with recovery strategies for data centers but can be applied to other platforms.

1. Hot site -- A building already equipped with processing capability and other services.

2. Cold site -- A building for housing processors that can be easily adapted for use.

3. Redundant site -- A site equipped and configured exactly like the primary site.

4. Reciprocal agreement -- An agreement that allows two organizations to back each other up.

5. Hybrids -- Any combinations of the above such as using having a hot site as a backup in case a redundant or reciprocal agreement site is damaged by a separate contingency."

Recommendation No. 7

We recommend that Office of the Administration, OJP arrange, via a service level agreement, for an alternate data processing facility.

Access Controls

Terminated Employees Are Not Timely Removed from OJP's Systems

OJP procedures required for terminated employees are not always followed. We obtained an OJP listing of terminated employees and requested to see the checkout sheet associated with each termination. Ten out of 45 terminated employees did not have a checkout form or an explanation. In addition, OJP could not provide an explanation for seven terminated employees that had checkout sheets but were not on the personnel termination listing.

OMB Circular A-123 states that access to resources and records should be limited to authorized individuals, and accountability for the custody and use of resources should be assigned and maintained.

If user accounts associated with terminated employees are not properly disabled, users may obtain access to resources that are no longer necessary as part of their job requirements and security breaches may go undetected.

As a result of this issue, OJP revised its procedures and plans to conduct periodic reviews of their personnel system to ensure users who no longer require access to OJP's network and applications are removed in a timely manner. As a result of OJP's corrective actions subsequent to FY 2000, a recommendation will not be issued.

Dial-In Access Logs are not Always Reviewed

OJP dial-in usage is logged, however these logs are not reviewed on a regular basis. In addition, 3 of 45 names selected did not have a memorandum documenting their dial-in access.

The National Institute of Standards and Technology's Introduction to Computer Security states that "a periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours."

We received a memorandum dated August 9, 2000 documenting procedures for daily and weekly dial-in monitoring. As a result of OJP's corrective actions during FY 2000, no recommendation is necessary at this time.

Dial-In Access Line

A dial-in access line exists that is connected to the development machine during the day and is moved to the production machine at night. This modem allows the technology contractor to connect from its internal network to the OJP IFMIS development and production environment.

A risk assessment has not been performed on the contractor's network which would allow for control mechanisms to be implemented protecting OJP's network environment. Without a proper risk assessment, there is a greater chance that a security violation will occur such as unauthorized access, modification, or disclosure of sensitive information. At this point, the contractor network is an unknown entity and it is unclear what risks can occur using this method of access.

OJP recognized this access issue, and has developed a proposal/plan for hosting the IFMIS production and development service on a segmented subnet. However, this proposal/plan has not yet been implemented.

Recommendation No. 8

We recommend that the Office of the Comptroller and the Office of Administration, OJP implement their proposal/plan for hosting the IFMIS production and development server on a segmented subnet.

Application Software Development and Change Controls

In January of 2000, OJP began the process of using System Change Requests, System Trouble Reports, and Service Requests (SCRs/STRs/SRs). Prior to this date, OJP did not have a documented process for authorizing and documenting software modifications or for controlling the changes and distribution of new or revised software.

We selected a sample of SCRs/STRs and our testwork disclosed the following discrepancies:

• 21 had not indicated whether Configuration Control Board(CCB) approval was required,
• One was not provided,
• It could not be determined if one of the forms was an SCR or an STR,
• 16 did not have the approval of the chairperson on the cover sheet, and
• Only four of the forms indicated an estimated deployment date, three had the product version number, and only one had a completion signature.

In addition, we selected a sample of SR's and our testwork disclosed the following discrepancies:

• Nine did not have a supervisor signature,
• 19 did not indicate whether or not Infrastructure/Configuration Control Board (I/CCB) review was required, and
• Ten indicated I/CCB approval was required, however four did not have review signatures of the board.

The OJP Information Resource Management Division System Configuration Management Guide outlines the process for documenting and controlling software modifications and controlling the process of distributing and implementing new software.

Without following the documented processes in the Configuration Management Guide, software modifications and service requests and trouble reports will not be properly tracked and documented. In addition, the distribution of new software will not be controlled. During the audit, OJP provided KPMG with a job aid which details how to properly complete the SCR/SR/STR forms.

As a result of OJP's corrective actions subsequent to FY 2000, no recommendation is necessary at this time.

OJP Lacks a Test Plan for New and Revised Software

During FY 2000, a test plan standard had not been developed or implemented by OJP for all new and revised software. The test plan should (1) define the responsibilities of parties participating in testing, (2) explain the process for unit, integration, and system testing, (3) determine how changes are moved into production, and (4) explain how documentation is updated for software changes. Testing software changes in a test environment prior to putting them into a production environment ensures that changes do not adversely affect areas such as security and access paths.

OJP provided us with the Grant Management System (GMS) test plan standard and criteria which OJP plans to implement as the standard for all systems during the second quarter of FY 2001. As a result of OJP's corrective actions subsequent to FY 2000, no recommendation is required at this time.

Grants Management System (GMS) Application Review

GMS Control Deficiencies Exist

The following GMS access control deficiencies were observed during our application review of GMS:

• GMS users were logging into the system using other GMS userids and passwords.

• Users were pre-assigned userids and passwords. Upon their initial login, GMS users were not forced to change their password.

• Requesting a GMS userid was not part of the OJP access request process.

Federal Information Processing Standards (FIPS) Publication (PUB)112, Password Usage, states that "Personal passwords used to authenticate identity shall be owned (i.e., known) only by the individual having that identity." It also states that "Access passwords used to protect private data shall be owned (i.e., known) only by the individual who created the private data."

When users login using an account other than their own, it restricts the ability of management to retrace events if necessary. If users are not forced to change their password, security around their accounts is seriously diminished. Default passwords can be easily guessed and an attack from inside the organization is more likely to occur. Finally, formal approval for account access is necessary for proper security administration of each account.

We received an OJP memorandum addressed to the program office head regarding the following: the policies of not sharing passwords and changing passwords every 90 days . Also, OJP is finalizing the updated new employee access request form which will incorporate the request of GMS userids.. As a result of OJP's corrective actions subsequent to FY 2000, no recommendation is necessary at this time.

GMS Training Materials and User Manuals are Not Updated

GMS system users were trained on the initial module prior to GMS being placed into production, however training materials and user manuals were not updated to reflect the current functionality of the application.

OMB Circular A-130, Appendix III, b. Controls for Major Applications, 2. Application Controls, b) Specialized Training states that before allowing individuals access to the application, ensure that all individuals receive specialized training focused on their responsibilities and the application rules. This may be in addition to the training required for access to a system. Such training may vary from a notification at the time of access (e.g., for members of the public using an information retrieval application) to formal training (e.g., for an employee that works with a high-risk application).

Without properly reflecting current training materials and user manuals, GMS application users inadvertently cause unauthorized access or system integrity problems.

We received training slides and sign-in sheets which verify that GMS users have been given an update/refresher training class. The training dates ranged from July through November 2000. As a result of OJP's corrective actions subsequent to FY 2000, no recommendation is necessary at this time.

GMS Documentation is in Draft Format

The following GMS documentation had been drafted, but not finalized and implemented as of September 30, 2000:

• Grants Management System Security Authorization Agreement,

• Security Operating Procedure Guide for GMS, and

• GMS Rules of Behavior.

OMB Circular A-127 states "Agency financial management systems and processing instructions shall be clearly documented in hard copy or electronically in accordance with (a) the requirements contained in the Federal Financial Management Systems Requirements published by Joint Financial Management Improvement Program (JFMIP) or (b) other applicable requirements. All documentation (software, system, operations, user manuals, operating procedures, etc.) shall be kept up-to-date and be readily available for examination. The OMB Circular also provides specific guidance on the detailed documentation required for both system users and technical systems.

Without proper documentation in place regarding this major application, OJP may be subject to unauthorized access and a weakness in system integrity.

We reviewed the Grants Management System Security Authorization Agreement, Security Operating Procedure Guide for GMS, and the GMS Rules of Behavior. These documents were finalized during the fourth quarter of calendar year 2000. As a result of OJP's corrective actions subsequent to FY 2000, no recommendation is required at this time.

GMS Does Not Have an User Sponsor Identified

The GMS application did not have an OJP user sponsor identified during the testing phase of the application. The primary reason was because the application has not been finalized.

Per OMB Circular A-130, Federal agencies are required to "Assign responsibility for security of each major application to a management official knowledgeable in the nature of the information and process supported by the application and in the management, personnel, operational, and technical controls used to protect it. This official shall assure that effective security products and techniques are appropriately used in the application and shall be contacted when a security incident occurs concerning the application."

Without proper assignment of ownership for the major application, OJP can not ensure that proper information systems controls and responsibilities will be maintained.

We reviewed documentation which identified an owner for the GMS application in December 2000. As a result of OJP's corrective actions subsequent to FY 2000, no recommendation is required at this time.