Audit Reports 98-17, Independent Auditors' Reports

Independent Auditors' Report on Financial Statements

MATERIAL WEAKNESSES

EVIDENCE

As noted in the Independent Auditors' Report on Financial Statements, the FBI did not have procedures in place as of September 30, 1997, to provide for disclosure of the number and value of assets on hand for evidentiary purposes under its various law enforcement authorities. As such, we were unable to perform sufficient audit procedures to determine the propriety and fairness of presentation of (1) the dollar value of evidence, recorded as both an asset and a liability in the amount of $24,783,000, in the FBI's statement of financial position as of September 30, 1997, and (2) the footnote disclosures related to the FBI's monetary and non-monetary property and its non-valued items, showing the beginning dollar value and item counts, Fiscal Year 1997 additions and dispositions, and ending dollar value and item counts.

Statement of Federal Financial Accounting Standards (SFFAS) No. 3, Accounting for Inventory and Related Property, addresses the accounting and reporting requirements for seized property. The standard defines seized property as "monetary instruments, real property, and tangible personal property of others in the actual or constructive possession of the custodial agency." The standard states that seized monetary instruments shall be recognized as assets when seized and a liability established in an amount equal to the seized asset value. Seized property is to be valued at its market value when seized. Seized property other than monetary instruments is to be disclosed in the footnotes to the financial statements and accounted for in the agency's property management records until the property is forfeited, returned, or otherwise liquidated. Disclosure requirements include:

an explanation of what constitutes a seizure and a general description of the composition of seized property,
a description of the methods used to value seized assets,
changes from the prior year's accounting methods, if any, and
an analysis of changes in seized property, including the dollar value and number of seized properties that are (1) on hand at the beginning of the year, (2) seized during the year, (3) disposed of during the year, and (4) on hand at the end of the year. This information is to be presented by type of seized property and method of disposition, where material.

In addition, the Joint Financial Management Improvement Program's (JFMIP) federal financial management system requirements publication, Seized/Forfeited Asset System Requirements (FFMSR-4) (March 1993), states that an agency's seized/forfeited asset system must track the status of a seized asset from the time of seizure, through various processing steps, until final disposition of the asset. Upon seizure, the system must provide for (among other things) the following:

Coding (i.e., a unique identifier) that will facilitate tracking of the asset through disposition.
Timely recording of the date of seizure; type of asset; location where seized; physical condition and location; owner (s), if known; and entities involved in the seizure.
Timely and accurate recording of the originally-assigned value, the basis for valuation, and identification of who assigned the value.
Capturing, recording, and maintaining information on the current physical condition, location, responsible custodian, and current recorded value of each seized asset in custody.
Segregation of forfeited assets from those in seized status.
Information to allow independent verification that each asset exists and that the recorded physical condition, location, and asset values are accurate.
Readily retrieving detailed information on the current location, value, and condition of individual assets.
Producing exception reports.
Producing reports that provide results of the performance of the system.

The FBI maintains an evidence management control system for safeguarding and "chain-of-custody" purposes. This system was neither designed to be, nor intended to function as, a financial management system for the purposes of recording and producing the financial information required by SFFAS No. 3. However, at the end of Fiscal Year 1997, Departmental guidance was issued whereby custodial agencies became responsible for recording, reporting, and disclosing the number and value of property on hand for evidentiary purposes.

Accordingly, for financial statement purposes, the FBI used data in the evidence management control system to serve as the basis for compiling the required information. Significant human intervention was needed, however, to value, and in some cases count, the property items to satisfy the SFFAS No. 3 reporting requirements. Due to the time needed to compile the data, the resultant information was not available for inclusion in the financial statements until just prior to completion of the audit. As such, we were not able to perform audit procedures to attest to the fairness of presentation of the account balances and required footnote disclosures.

FBI management is of the opinion that the SFFAS No. 3 definition of "seized property" differs from that included in the JFMIP's FFMSR-4. They note that the FFMSR publication defines seized properties as "assets of others which are in the actual or constructive possession of any agency, pending forfeiture or satisfaction of other legal claims." While similar, they note, the SFFAS No. 3 definition appears to broaden the scope of accountability coverage beyond those assets seized under specific legal authority and which are "pending forfeiture or satisfaction of other legal claims." As such, this would include assets in custody for purely evidentiary purposes.

While FBI management acknowledges that the SFFAS No. 3 standard may extend to evidence (obtained under other than specific seizure-authorizing laws) in the custody of a federal agency, it cannot say the same for FFMSR-4's requirements applicable to evidence, since it is clear that those requirements exist to satisfy federal stewardship requirements surrounding assets seized by specific laws. (This position is reflected in management's response following the recommendation.)

Recommendation No. 1

We recommend that the Director, FBI ensure that the evidence management control system is modified, as needed, to satisfy the systems requirements contained in the JFMIP's Seized/Forfeited Asset System Requirements publication and provide for the financial statement reporting information required by SFFAS No 3. (Recommended time frame: by September 30, 1998.)

Management's Response

Concur with the recommendation's intent. The Finance Division will formally petition the Joint Financial Management Improvement Program and the Federal Accounting Standards Advisory Board for an official, joint interpretation and pronouncement regarding the applicability of the systems requirements in FFMSR-4 and the accounting standards in SFFAS No. 3 to evidence (not subject to forfeiture) obtained under other than seizing-authorizing laws and regulations, and will make any required systems modifications needed to implement that pronouncement.

UNDELIVERED ORDERS

As noted in the Independent Auditors' Report on Financial Statements, the FBI did not have an adequate system in place as of September 30, 1997, to support the undelivered orders component of net position as reported in the statement of financial position. As such, we were unable to perform sufficient audit procedures to determine the fairness of presentation of the amount of undelivered orders, stated at $639,813,000, in the net position section of the statement of financial position as of September 30, 1997.

The FBI's general ledger management system relies on the purchasing system to provide subsidiary support for the undelivered orders control account in the general ledger, as needed. To facilitate the audit, the FBI produced an "open purchase order" report from the purchasing system to support the undelivered orders balance as of September 30, 1997. We noted the following with respect to that report:

The open purchase order report required a substantial amount of time to produce and be reconciled to the general ledger balance. After significant effort, the report did not agree with the general ledger by approximately $7 million.
There were 12 adjusting entries (eight debit entries totaling $66.9 million and four credit entries totaling $40.8 million) that were needed to account for accruals and other adjustments affecting the purchasing system data.
There was a $123.4 million adjustment to reduce the open purchase order report balance for other agencies' orders received under reimbursable agreements that are not a part of the FBI's own net position.
We identified the need for an accrual adjustment of an additional $47.8 million to increase the accounts payable/expense balances. An undetermined amount of this accrual adjustment affected the undelivered orders balance.

The JFMIP's publication entitled Core Financial System Requirements (September 1995) defines "general ledger management" as the central function of an agency's core financial system. The general ledger is the highest level of summarization and is to be supported by subsidiary ledgers at various levels of detail, either within the core financial system or in other systems.

The core requirements applicable to "account definition" require subsidiary support for standard general ledger (SGL) accounts, either by subsidiary accounts or additional data elements, in as much detail as the agency deems appropriate for asset protection, management information, and fund accounting purposes. The core requirements applicable to "general ledger analysis and reconciliation" require that the system provide control accounts in the general ledger to balance between the general ledger and other systems. The core requirements applicable to "audit trails" require the core financial system to provide (1) transaction details to support account balances, and (2) audit trails to trace transactions from source documents, original input, and other systems through the core system.

Due to the time required to produce and reconcile the open purchase order subsidiary detail report to the general ledger, the resultant information was not available until just prior to completion of the audit. Due to the late receipt of the report, and the other conditions noted above, we were not able to perform the audit procedures necessary to attest to the fairness of presentation of the undelivered orders account balance.

Recommendation No. 2

We recommend that the Director, FBI ensure that system enhancements are made, as needed, to (1) satisfy the JFMIP core financial system requirements applicable to general ledger management, account definition, general ledger analysis and reconciliation, and audit trails, and (2) provide for subsidiary ledger detail to support the undelivered orders balance contained in the general ledger. (Recommended time frame: by September 30, 1998.)

Management's Response

Concur. The Finance Division will implement the system changes needed to satisfy applicable JFMIP core financial system requirements and ensure that subsidiary-level detail is available to support the general ledger's undelivered orders balance.

Recommendation No. 3

We recommend that the Director, FBI ensure that internal control procedures requiring monthly reconciliations between general ledger control accounts and subsidiary systems are implemented, such that the time needed to produce reliable subsidiary reports at yearend will be reduced.

Management's Response

Concur. The Finance Division will begin performing monthly reconciliations between general ledger control accounts and subsidiary systems to ensure the availability and reliability of subsidiary reports to support yearend general ledger account balances.

Exhibit II

REPORTABLE CONDITIONS

ACCOUNTS PAYABLE ACCRUALS

As a result of our search for unrecorded liabilities testwork, we noted that the FBI needs to revise its method of calculating the accrual for accounts payable at yearend. In comparing our audit estimate of the yearend accrual amount to the amount recorded in the general ledger, we determined that the recorded accrual amount was understated by approximately $48 million.

According to the Federal Accounting Standards Advisory Board's (FASAB) Statement on Federal Financial Accounting Standards (SFFAS) No. 1, Accounting for Selected Assets and Liabilities, accounts payable should be accrued for goods and services received, for progress in contract performance, and rents due to other entities. If invoices for such goods and services are not available when the financial statements are prepared, the amounts owed should be estimated. In addition, the Joint Financial Management Improvement Program's (JFMIP) Core Financial System Requirements (September 1995) states that agencies' core financial systems must allow for the accrual of contracts or other items that cross fiscal years.

In the FBI's case, contractors performing work on some of the FBI's major projects have varying billing cycles. As a result, the FBI routinely receives invoices totaling millions of dollars during the first three months of the fiscal year for goods and services received in the previous fiscal year. In response to a recommendation made as a result of the 1996 audit, the FBI implemented a procedure to estimate the accrued liability for such items. In reviewing the estimation methodology, however, we noted that certain large contracts/programs were not included in the calculation because of inadequate notification to the administrators/managers of the requirement to identify services received as of September 30, 1997, requiring accrual.

The amount of the understatement was corrected in the general ledger and financial statements. However, the FBI needs to improve its accrual estimation methodology to ensure that all contract administrators/managers who have information regarding accrued expense liabilities are contacted and included in the information-gathering process.

Recommendation No. 4

We recommend that the Director, FBI ensure that the accounts payable accrual methodology is revised such that all sources of information regarding the identification and determination of liabilities are included in the accounts payable accrual estimation process in preparing the annual financial statements. (Recommended time frame: by September 30, 1998.)

Management's Response

Concur. The Finance Division will review and revise the procedures used to estimate accounts payable at yearend for invoices not yet received so as to enhance the reliability of the data presented in the financial statements.

INFORMATION SYSTEMS--ENTITY-WIDE SECURITY PROGRAM

As a result of our information systems general controls assessment performed at FBI headquarters, we noted that the FBI's data security program needs refinement to provide maximum security over FBI data resources.

OMB Circular No. A-130, Management of Federal Information Resources, states that agencies should plan for adequate security of each general support system as part of the organization's information resources management (IRM) planning process. In general, information is to be protected commensurate with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of such information. Also, security plans are to include personnel controls that limit the users' access to their actual needs.

At present, mainframe software has not been fully implemented to provide for maximum security over sensitive information. In addition, there are no formal policies or procedures to administer and control the systems' libraries and data files. As a result, access to all logical processing resources may not be appropriately restricted and security over sensitive information/controlled data may be compromised.

Recommendation No. 5

We recommend that the Director, FBI ensure that changes are made to the mainframe's access control software parameters to decrease the risk that sensitive systems, applications, and data resources are accessed, compromised, altered, or deleted. (Recommended time frame: by September 30, 1998.)

Management's Response

We concur.

Recommendation No. 6

We recommend that the Director, FBI ensure that (1) an entity-wide data assessment is performed on the mainframe and networked systems to determine where potential liabilities exist, and (2) the assessment results are used to correct the identified weaknesses, such that authorized users and system administrators have only the access required to perform their jobs. (Recommended time frame: by September 30, 1998.)

Management's Response

We concur.

Recommendation No. 7

We recommend that the Director, FBI ensure that (1) passwords are issued to all local area network "userid's", and (2) the network's administrative facility is modified such that Finance Division users cannot view each others' access capabilities. (Recommended time frame: by September 30, 1998.)

Management's Response

We concur.

Recommendation No. 8

We recommend that the Director, FBI ensure that administrative policies and procedures regarding operating system integrity mechanisms are developed in compliance with the manufacturer's integrity rules for all affected operating systems. (Recommended time frame: by September 30, 1998.)

Management's Response

We concur.

INFORMATION SYSTEMS--SERVICE CONTINUITY

As a result of our information systems general controls assessment, we noted that the FBI does not have a comprehensive, tested service continuity plan. The current service continuity plan does not include all applications and systems in use, nor does it include the local area network (LAN). In addition, an overall assessment of the needs of end users has not been documented. These contingency planning measures are required by OMB Circular No. A-130, Management of Federal Information Resources.

At present, the FBI has not assigned responsibility for service continuity planning, nor have the business process owners defined their risks and critical recovery needs. Without a comprehensive, tested service continuity plan, the FBI could face potentially critical losses in the event of a disaster, end users may not be able to access critical information needed for continued operations, and critical processing capability could be lost due to the failure to fully identify recovery process needs.

Recommendation No. 9

We recommend that the Director, FBI ensure that responsibility for overall service continuity planning is assigned to an individual with the administrative authority and knowledge to (1) coordinate a comprehensive service continuity plan, (2) require end users to define their critical recovery needs, and (3) implement and document a testing plan that includes periodic testing of all critical applications. (Recommended time frame: by September 30, 1998.)

Management's Response

We concur.

Exhibit III

Status of Prior Year's Recommendations

Report Number	Reported Condition	Recommendation	Status
97-29A	1. The amount of seized assets reported on hand at September 30, 1996 was inaccurate due to incomplete and late reporting of field office seizure activities.	1. Reinforce FBI's policy to require agents involved in asset seizures to promptly inform, and obtain the requisite authorization from, the seized asset units so that timely notice of seizures can be give to FSPU.	Seized assets subject to forfeiture are now reported by the Asset Forfeiture Program. We issued a new material weakness for FY 1997.
		2. Adopt procedures to ensure that field offices update their yearend seized asset inventory reports in a timely manner.	Same as above.
		3. Make the system modifications needed to ensure the completeness of the PFA custody reports at fiscal yearend.	Same as above.
97-29A	2. The FBI had not maintained adequate records to support the amount, location, and valuation of its capital lease assets.	4. Strengthen recordkeeping and reporting procedures to ensure that capital leases are identified, documented, and properly reported in the financial statements	Complete. Capital leases were properly recorded and reported in the FY 1997 financial statements.
97-29A	3. The FBI incorrectly calculated amounts due under interagency agreements due to the inclusion of obligated but unfilled customer orders.	5. Revise FBI Finance Division's accounting procedures for interagency accounts receivable so that amounts are recognized based on actual expenses incurred for assets and services delivered under the related obligations.	Complete. The FBI properly recognized interagency revenue and A/R in the FY 1997 financial statements.
97-29A	4. The acquisition cost of two C-I-P projects were understated in the general ledger and the FAS as a result of the related purchase orders not being properly bar coded as fixed assets.	6. Revise FBI Finance Division's accounting policies and procedures to include periodic reconciliations to ensure that the proper capitalized costs have been entered into FAS, and that the subsidiary system's balances agree with the general ledger.	Reconciliation - Complete. Coding - In Progress.
97-29A	5. The FBI had no procedure for accruing contractor services accounts payable.	7. Establish procedures to estimate contractor-related accounts payable at yearend so as to enhance the quality of data presented in the financial statements.	Complete. Accruals are now recognized, however, we issued a new reportable condition for FY 1997.
97-29A	6.(a) The FBI's disaster recovery plan (DRP) related to its headquarters data center had not been fully tested.	8. Design and implement disaster recovery plan tests to ensure workable restoration of services within a time frame that is consistent with management's expectations.	Open. Considered a reportable condition for FY 1997.
97-29A	6.(b) The potential for lost data is not consistent with current expectations.	9. Reevaluate mission-critical systems for maximum exposure to data loss and adjust the offsite backup rotation procedures to ensure that the maximum time exposure is not exceeded.	Open. Considered a reportable condition for FY 1997.
97-29A	6.(c) The FBI had no documented comprehensive and coordinated Continuity of Business (COB) Plan for the operational and administrative divisions and units located at its headquarters. The agency lacks a plan for the affected areas to resume their normal functions should a disaster occur.	10. Design, develop, implement, and biannually test an organization-wide COB Plan, under a disaster recovery coordinator, that includes: (a) operating procedures prioritized by category, (b) time lines indicating when operational activities will be resumed, (c) human and material inventory needs, (d) locations of needed supplies, and (e) phone trees of key points of contact.	Open. Considered a reportable condition for FY 1997.

Independent Auditors' Report on Compliance with Laws and Regulations

#####