Financial Audit: American Battle Monuments Commission's Financial
Statements for Fiscal Years 1999 and 1998 (Letter Report, 03/01/2000,
GAO/AIMD-00-85).

GAO audited the American Battle Monument Commission's financial
statements for fiscal years 1999 and 1998. The Commission is a small,
independent agency created in 1923 to commemorate the sacrifices and
achievements of the U.S. armed forces. The Commission maintains 25
American cemeteries overseas and 27 monuments and memorials, many of
which are in foreign countries. GAO found that the financial statements
were presented fairly in conformity with generally accepted accounting
principles. The Commission had effective internal control over financial
reporting (including safeguarding assets) and complied with laws and
regulations. GAO did note one reportable condition concerning internal
controls over information technology systems. GAO did not consider this
condition to be a material weakness. GAO found no reportable instances
of noncompliance with the laws and regulations GAO tested.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-85
     TITLE:  Financial Audit: American Battle Monuments Commission's
	     Financial Statements for Fiscal Years 1999 and 1998
      DATE:  03/01/2000
   SUBJECT:  Financial statement audits
	     Auditing standards
	     Accounting procedures
	     Internal controls
	     Federal agency accounting systems
	     Reporting requirements
	     National parks
	     National historic sites
	     Financial records
	     Financial management
IDENTIFIER:  ABMC Commercial-Off-The-Shelf-Accounting System

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO/AIMD-00-85

Appendix I: Report on Audit of the American Battle Monuments Commission

14

ABMC Assertion Letter on Internal Controls 14

ABMC Annual Financial Report 16

Overview 17

Consolidating Balance Sheet 24

Consolidating Statement of Net Cost and Changes in Net Position 25

Consolidating Statement of Budgetary Resources 26

Consolidating Statement of Financing 27

Notes to the Consolidating Financial Statements 28

Required Supplementary Stewardship Information 39

Statement of Heritage Assets 40

Note to Statement of Heritage Assets 42

ABMC American Battle Monuments Commission

COTS commercial-off-the-shelf

FMFIA Federal Managers' Financial Integrity Act of 1982

OMB Office of Management and Budget

RSSI required supplementary stewardship information

Accounting and Information
Management Division

B-284561

March 1, 2000

The Honorable Arlen Specter
Chairman
The Honorable John D. Rockefeller, IV
Ranking Minority Member
Committee on Veterans' Affairs
United States Senate

The Honorable Bob Stump
Chairman
The Honorable Lane Evans
Ranking Minority Member
Committee on Veterans' Affairs
House of Representatives

This report presents the results of the audit of the American Battle
Monuments Commission's (ABMC) financial statements for the fiscal years
ended September 30, 1999, and 1998. We prepared this report in response to
36 U.S.C. 2103.

We are sending copies of this report to Senator Ted Stevens, Chairman, and
Senator Robert C. Byrd, Ranking Minority Member, Senate Committee on
Appropriations and Representative C.W. Bill Young, Chairman, and
Representative David R. Obey, Ranking Minority Member, House Committee on
Appropriations. We are also sending copies to the Honorable Lawrence H.
Summers, Secretary of the Treasury; the Honorable Jacob J. Lew, Director of
the Office of Management and Budget; General Frederick F. Woerner, Chairman
of ABMC; and other interested parties.

Should you or your staffs have any questions concerning this report, please
contact me on (202) 512-9489 or Roger Stoltz, Assistant Director, on (202)
512-9408.

David L. Clark
Director, Audit Oversight
and Liaison

Accounting and Information
Management Division

B-284561

General Frederick F. Woerner, Chairman
American Battle Monuments Commission

In accordance with 36 U.S.C. 2103, as codified by Public Law 105-225, August
12, 1998, we are responsible for conducting audits of the agencywide
financial statements of the American Battle Monuments Commission (ABMC). In
our audits of ABMC for fiscal years 1999 and 1998, we found

ï¿½ ABMC consolidating financial statements as of and for the fiscal year
ended September 30, 1999, and comparative consolidated totals as of and for
the fiscal year ended September 30, 1998, are presented fairly in conformity
with generally accepted accounting principles.

ï¿½ ABMC had effective internal control over financial reporting (including
safeguarding assets) and compliance with laws and regulations as of
September 30, 1999. However, we noted one reportable condition concerning
internal controls over information technology systems. We did not consider
this condition to be a material weakness.

ï¿½ No reportable instances of noncompliance with selected provisions of laws
and regulations we tested.

The following sections discuss, in more detail, (1) these conclusions and
our conclusions on the consistency of other information, (2) a reportable
condition concerning internal controls over information technology systems,
(3) Year 2000 (Y2K) preparations and results, and (4) the objective, scope,
and methodology of our audit.

The ABMC consolidating balance sheet as of September 30, 1999, and its
related consolidating statements of net cost and changes in net position;
budgetary resources; and financing, including accompanying notes for the
fiscal year then ended, and comparative consolidated totals as of and for
the fiscal year ended September 30, 1998, are presented fairly, in all
material respects, in conformity with generally accepted accounting
principles.

The fiscal year 1999 overview and the required supplementary stewardship
information (RSSI) consisting of a statement of heritage assets, was
included for the purpose of additional information and was read for
consistency, but was not audited.

ABMC maintained, in all material respects, effective internal control over
financial reporting and compliance as of September 30, 1999, that provided
reasonable assurance that misstatements, losses, or noncompliance, material
in relation to the consolidating financial statements or RSSI, would be
prevented or detected on a timely basis. In its letter in appendix I, ABMC
management asserted that its internal control is effective based upon
criteria established under the Federal Managers' Financial Integrity Act of
1982 (FMFIA) and Office of Management and Budget (OMB) Circular No. A-123,
Management Accountability and Control.

However, we noted certain matters involving internal control and its
operations that we considered to be a reportable condition under generally
accepted government auditing standards and by OMB Bulletin No. 98-08, Audit
Requirements for Federal Financial Statements, as amended. Reportable
conditions are deficiencies in the design or operation of internal controls
that, in our judgment, could adversely affect ABMC ability to meet internal
control objectives. A reportable condition may also be considered a material
weakness in internal controls. This occurs when the design or operation of
internal control components does not reduce to a relatively low level the
risk that misstatements in amounts that would be material to the
consolidating financial statements being audited may occur and not be
detected within a timely period by employees in the normal course of
performing their assigned duties.

During our audit we noted several deficiencies in internal controls over
information technology systems that we considered a reportable condition as
of September 30, 1999. The deficiencies are discussed below. We did not
consider them to be a material weakness, primarily because all of the
automated accounting and disbursing systems are not accessible from external
sources and are not electronically interconnected between ABMC offices.
Also, ABMC has a series of manual reviews and reconciliations that must be
performed before any financial transactions can be processed and paid.

ABMC plans to correct its deficiencies through the acquisition and
implementation of a new accounting system and through efforts to be taken in
tandem with the new system. During fiscal year 1998, ABMC developed a design
and implementation plan for an integrated, commercial-off-the-shelf (COTS)
accounting system with assistance from Treasury's Financial Management
Services Center. The new system was intended to conform to all current
guidance and be Year 2000 compliant.1 In fiscal year 1999, ABMC conducted
acceptance testing of a COTS accounting system but terminated the
implementation due to vendor problems. ABMC is now reviewing other systems
options with an objective of installing a new accounting system during 2001.

Inadequate Controls Over Information Technology Systems consisted of five
areas for consideration, as follows.

ï¿½ User Documentation: There was no user documentation to support the Clipper
accounting system used by the European Regional Office and the dBase IV
accounting system used by the Mediterranean Regional Office. Additionally,
there was no user documentation on the payroll function of the Foxpro
accounting system used by the headquarters office that involved 11 civilian
employees. Users learned how to use the systems mainly through on-the-job
training and had limited support to explain how functions should be
performed and questions answered. While the age of these systems and their
pending replacement do not cost justify the development of user
documentation, they nevertheless continue to be a problem.

ï¿½ Security Program and Access Conditions: ABMC had not documented an overall
security program and had various access vulnerabilities as follows.

ï¿½ The headquarters office had not documented an overall security planning
and management program for security and privacy of information as of
September 30, 1999. OMB Circular A-130, Management of Federal Information
Resources provides guidance on documenting such a program including control
objectives, areas of responsibility, system rules, training, personnel
controls, system interconnections, review of controls, and process
authorization. This program would encompass an existing automated
proprietary security program.

ï¿½ The headquarters office did not log violations or critical,
security-related events, such as changes to users' system privileges and
access to unauthorized areas as of September 30, 1999. Although an automated
security log feature was part of the existing system design, it was not
activated until after September 30, 1999. Also, the European and
Mediterranean regional office security logs did not perform sufficient
logging of critical, security-related events, such as changes to users'
system privileges and access to unauthorized areas, as of September 30,
1999.

ï¿½ The headquarters office and the European regional office allowed indirect
access to applications and data files to internal network users beyond the
area of their prescribed duties. Internal users also had access to registry
keys that could be used to install unauthorized programs. While the
headquarters office Foxpro accounting system denied direct access to eight
nonaccounting personnel, it was possible to gain access through the file
allocation table feature. However, the ability to do this was closed after
September 30, 1999.

ï¿½ The headquarters office and the European and Mediterranean regional
offices had not configured their systems to eliminate unneeded services such
as file transfer protocols and world wide web access that expose the system
to unnecessary vulnerability by attracting access from unauthorized
individuals inside or outside the organization. These unneeded services were
eliminated after September 30, 1999.

ï¿½ Passwords : The headquarters office and the European and Mediterranean
regional offices had some deficiencies in the use of system passwords as of
September 30, 1999. The headquarters office system allowed users to enter
short four character passwords and reuse old passwords after three password
changes. Additionally, there was no minimum password age and the system
administrator, who has special system privileges, had an easily identifiable
password. The European office had several accounts without passwords, users
could reuse passwords, and the system administrator had a password that was
the same as the user ID. The Mediterranean office allows users to reuse
passwords after four password changes and users are not prevented from
changing their passwords four or more times in one session. However,
accounting and disbursing systems have limited exposure as they have
additional manual and security safeguards. Several of the above deficiencies
were corrected after September 30, 1999.

ï¿½ Business Continuity Plans : The headquarters office and the European
regional office business continuity plans did not contain sufficient detail
to ensure successful manual operations and timely recovery of automated
processing in the event of a business interruption. The Pacific regional
office was in the process of making its business continuity plans as of
September 30, 1999. Sufficient details for all plans include identification
of business operations and applications, personnel contacts, hardware and
software needs, space requirements, and alternative sites.

ï¿½ Off-site Storage : The headquarters office stores back-up systems tapes in
a bank vault nearby that may be inaccessible in the event of a business
interruption. The Pacific regional office did not have secure off-site
storage of back-up systems tapes as of September 30, 1999, and was
subsequently making arrangements for site storage.

Our tests for compliance with selected provisions of laws and regulations
for fiscal year 1999 disclosed no instances of noncompliance reportable
under generally accepted government auditing standards or OMB Bulletin
98-08, Audit Requirements for Federal Financial Statements, as amended.

However, the objective of our audit was not to provide an opinion on overall
compliance with laws and regulations and, accordingly, we do not express
such an opinion.

ABMC purchased Y2K diagnostic software and tested its existing systems to
ensure compliance with the Y2K requirement. Most of the ABMC hardware and
software was purchased with manufacturer certification of Y2K compliance.
Costs associated with ensuring Y2K compliance were under $5,000. On January
1, 2000, ABMC experienced no systems failures associated with Y2K.

ABMC management is responsible for

ï¿½ preparing the annual financial statements in conformity with generally
accepted accounting principles;

ï¿½ establishing, maintaining, and assessing internal control to provide
reasonable assurance that the broad internal control objectives of FMFIA are
met; and

ï¿½ complying with applicable laws and regulations.

We are responsible for obtaining reasonable assurance about whether
(1) the ABMC consolidating financial statements are presented fairly, in all
material respects, in conformity with generally accepted accounting
principles, and (2) ABMC management maintained effective internal control.
Effective internal control provides reasonable, but not absolute, assurance
that the following objectives were met

ï¿½ Reliability of financial reporting − transactions are properly
recorded, processed, and summarized to permit the preparation of financial
statements and RSSI in accordance with generally accepted accounting
principles, and assets are safeguarded against loss from unauthorized
acquisition, use, or disposition.

ï¿½ Compliance with applicable laws and regulations − transactions are
executed in accordance with: (1) laws governing the use of budgetary
authority and other laws and regulations that could have a direct and
material effect on the financial statements, and (2) any other laws and
regulations or governmentwide policies that OMB or ABMC management have
identified as being significant for which compliance can be objectively
measured and evaluated.

ï¿½ Reliability of performance reporting − transactions and other data
that support reporting measures are properly recorded, processed, and
summarized to permit the preparation of performance information in
accordance with criteria stated by management.

We are also responsible for testing compliance with selected provisions of
laws and regulations that have a direct and material effect on the
consolidating financial statements, with laws for which OMB Bulletin
98-08, Audit Requirements for Federal Financial Statements, as amended,
requires testing. We are also responsible for performing limited procedures
with respect to certain other information appearing in the ABMC annual
financial report.

In order to fulfill these responsibilities, we

ï¿½ examined, on a test basis, evidence supporting the amounts and disclosures
in the consolidating financial statements;

ï¿½ assessed the accounting principles used and significant estimates made by
management;

ï¿½ evaluated the overall presentation of the consolidating financial
statements;

ï¿½ obtained an understanding of internal control related to financial
reporting, (including safeguarding assets), compliance with laws and
regulations, including execution of transactions in accordance with budget
authority, and performance measures reported in the overview;

ï¿½ tested relevant internal controls over financial reporting, including
safeguarding assets and compliance and evaluated ABMC management's assertion
about the effectiveness of internal control;

ï¿½ considered the process for evaluating and reporting on internal control
and financial management systems under FMFIA;

ï¿½ tested compliance with selected provisions of the following laws and
regulations:

ï¿½ ABMC enabling legislation codified in 36 U.S.C. Chapter 21,

ï¿½ Anti-Deficiency Act,

ï¿½ Budget and Accounting Procedures Act of 1950,

ï¿½ Federal Managers' Financial Integrity Act of 1982,

ï¿½ Prompt Payment Act,

ï¿½ Civil Service Reform Act of 1978,

ï¿½ Fair Labor Standards Act of 1938, and

ï¿½ VA, HUD, and Independent Agency Appropriations Act for FY 1999, and

ï¿½ performed such other procedures we considered necessary in the
circumstances.

We did not evaluate all internal controls relevant to operating objectives
as broadly defined by FMFIA, such as those controls relevant to preparing
statistical reports and ensuring efficient operations. We limited our
internal control testing to those controls over financial reporting and
compliance. Because of inherent limitations in internal control,
misstatements due to error or fraud, losses, or noncompliance may
nevertheless occur and not be detected. We also caution that projecting our
evaluation to future periods is subject to the risk that controls may become
inadequate because of changes in conditions or that the degree of compliance
with controls may deteriorate.

We did not test compliance with all laws and regulations applicable to the
ABMC. We limited our tests of compliance to those required by OMB Bulletin
98-08, Audit Requirements for Federal Financial Statements, as amended, and
which we deemed applicable to ABMC consolidating financial statements for
the fiscal year ended September 30, 1999. We caution that noncompliance may
occur and not be detected by these tests and that such testing may not be
sufficient for other purposes.

We did our work in accordance with generally accepted government auditing
standards and OMB Bulletin 98-08, Audit Requirements for Federal Financial
Statements , as amended.

We discussed the results of our audit with ABMC management who provided
comments on a draft of this report and agreed with its contents. Appendix I
contains the ABMC assertion letter on controls and the ABMC Annual Financial
Report.

David L. Clark
Director, Audit Oversight
and Liaison

January 28, 2000

Report on Audit of the American Battle Monuments Commission

ABMC Assertion Letter on Internal Controls
ABMC Annual Financial Report
Overview
Consolidating Balance Sheet
Consolidating Statement of Net Cost and Changes in Net Position
Consolidating Statement of Budgetary Resources
Consolidating Statement of Financing
Notes to the Consolidating Financial Statements
Required Supplementary Stewardship Information
Statement of Heritage Assets
Note to Statement of Heritage Assets
(911949)

  

1. The Year 2000 problem is rooted in the way dates are recorded and
calculated in many computer systems. For the past several decades, systems
have typically used two digits to represent the year in order to conserve on
electronic data storage and reduce operating costs. With this two-digit
format, however, the year 2000 is indistinguishable from the year 1900. As a
result, system or application programs that use dates to perform
calculations, comparisons, or sorting may generate incorrect results when
working with years after 1999.
*** End of document. ***