Financial Management: Review of the Military Retirement Trust Fund's
Actuarial Model and Related Computer Controls (Letter Report, 09/09/97,
GAO/AIMD-97-128).

Pursuant to a congressional request, GAO reviewed the Department of
Defense (DOD) Military Retirement Trust Fund's actuarial model and
related computer controls.

GAO noted that: (1) based on GAO's review, GAO concurs with KPMG Peat
Marwick LLP's conclusion that the methodology and actuarial assumptions
used by the DOD Office of the Actuary to calculate the pension liability
as of September 30, 1996, and the annual actuarial activity for the Fund
were reasonable and reliable; (2) GAO also concurs with KPMG's
identification of numerous control weaknesses related to: (a) the data
gathering and preparation process; and (b) electronic data processing
(EDP) activities; (3) due to the serious nature of the computer-related
weaknesses identified, GAO agrees with KPMG's conclusion that there is a
lack of overall security administration and management governing access
to Fund data files; (4) in particular, DOD has not adequately
implemented security policies and procedures, controlled the ability of
computer programmers to make changes to systems, and controlled access
to information on pension fund participants; (5) such uncontrolled
access affects other sensitive personal and career-related information
as well; (6) the computer that houses the Fund's data files also stores
information on social security numbers, pay rates, child and spousal
abuse allegations, and medical test results for both active duty and
retired personnel; (7) although DOD regulations require that sensitive
data be housed only on computers meeting specific security guidelines,
the Fund processing sites reviewed by KPMG do not comply with those
guidelines; (8) despite the weaknesses identified, KPMG believed that a
material misstatement of the pension liability was unlikely to occur
because of compensating controls that hinge largely on the experience
and tenure of staff in the Office of the Actuary; and (9) GAO agrees
that compensating controls currently exist in the Office of the Actuary
but cautions DOD against long-term reliance on controls that depend
largely on the retention of a few key employees.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-97-128
     TITLE:  Financial Management: Review of the Military Retirement 
             Trust Fund's Actuarial Model and Related Computer
             Controls
      DATE:  09/09/97
   SUBJECT:  Internal controls
             Computer security
             Trust funds
             Actuarial tables
             ADP
             Data collection
             Financial management systems
             Veterans pensions
             Defense audits
             Noncompliance
IDENTIFIER:  Military Retirement Trust Fund
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Report to the Secretary of Defense

September 1997

FINANCIAL MANAGEMENT - REVIEW OF
THE MILITARY RETIREMENT TRUST
FUND'S ACTUARIAL MODEL AND RELATED
COMPUTER CONTROLS

GAO/AIMD-97-128

Military Retirement Trust Fund

(919066)


Abbreviations
=============================================================== ABBREV

  CFO - Chief Financial Officer
  DODIG - DOD Office of Inspector General
  DOD - Department of Defense
  EDP - electronic data processing
  GMRA - Government Management Reform Act of 1994

Letter
=============================================================== LETTER


B-277418

September 9, 1997

The Honorable William S. Cohen
The Secretary of Defense

Dear Mr. Secretary: 

The Department of Defense (DOD) Military Retirement Trust Fund was
authorized by Public Law 98-94 for the accumulation of funds to
finance, on an actuarially sound basis, DOD's liabilities for
military retirement and survivor benefit programs.  The DOD Office of
Inspector General (DODIG) audited the Fund's financial statements
for fiscal years 1995 and 1996 in accordance with the requirements of
the Chief Financial Officers (CFO) Act of 1990, as expanded by the
Government Management Reform Act of 1994 (GMRA), and rendered an
unqualified opinion on those statements on May 5, 1997.  Also, we
will audit the consolidated financial statements of the federal
government beginning with fiscal year 1997.  With total actuarial
liabilities of $548 billion as reported in its financial statements
for fiscal year 1996, the Fund is expected to be material to the
consolidated governmentwide financial statements. 

In preparation for our audit of the consolidated governmentwide
financial statements, we contracted with an independent public
accounting firm, KPMG Peat Marwick LLP, to review (1) the methods and
assumptions used by the DOD Office of the Actuary to calculate the
Fund's pension liability as of September 30, 1996, and (2) the
effectiveness of general electronic data processing (EDP) controls at
the computer processing locations managed by the Defense Manpower
Data Center that are responsible for receiving, formatting, and
processing the actuarial information.  These two areas are critical
to verifying the reasonableness of the Fund's reported liabilities. 

In order to rely on the work of the KPMG specialists, we

  -- evaluated the qualifications and independence of the review
     staff;

  -- reviewed and approved the contractor's approach plans and work
     programs;

  -- attended key meetings between the contractor and DOD personnel;
     and

  -- reviewed the contractor's working papers to determine (1) the
     nature, timing, and extent of work performed, (2) the extent of
     quality control methods used, and (3) whether evidence in the
     working papers supported the contractor's conclusion concerning
     the reliability of the Fund's actuarial liability and related
     computer controls. 

We performed our oversight of KPMG's work from November 1996 through
May 1997, in accordance with generally accepted government auditing
standards.  DOD provided written comments on a draft of this report. 
These comments are presented and evaluated in the "Agency Comments
and Our Evaluation" section and are reprinted in appendix II. 

To avoid duplication of effort, we made KPMG's results available to
the DODIG for its reliance in performing the required fiscal year
1996 financial statement audit and in rendering its opinion on May 5,
1997.  Appendix I presents KPMG's report to us on the results of its
work. 


   RESULTS IN BRIEF
------------------------------------------------------------ Letter :1

Based on our review, we concur with KPMG's conclusion that the
methodology and actuarial assumptions used by the DOD Office of the
Actuary to calculate the pension liability as of September 30, 1996,
and the annual actuarial activity for the Fund were reasonable and
reliable. 

We also concur with KPMG's identification of numerous control
weaknesses related to (1) the data gathering and preparation process
and (2) EDP activities.  Due to the serious nature of the
computer-related weaknesses identified, we agree with KPMG's
conclusion that there is a lack of overall security administration
and management governing access to Fund data files. 

In particular, DOD has not adequately implemented security policies
and procedures, controlled the ability of computer programmers to
make changes to systems, and controlled access to information on
pension fund participants.  Such uncontrolled access affects other
sensitive personal and career-related information as well. 

The computer that houses the Fund's data files also stores
information on social security numbers, pay rates, child and spousal
abuse allegations, and medical test results for both active duty and
retired personnel.  Although DOD regulations require that sensitive
data be housed only on computers meeting specific security
guidelines, the Fund processing sites reviewed by KPMG do not comply
with those guidelines.  Despite the weaknesses identified, KPMG
believed that a material misstatement of the pension liability was
unlikely to occur because of compensating controls that hinge largely
on the experience and tenure of staff in the Office of the Actuary. 

We agree that compensating controls currently exist in the Office of
the Actuary but caution DOD against long-term reliance on controls
that depend largely on the retention of a few key employees. 


      ACTUARIAL DATA GATHERING AND
      PREPARATION PROCESS CONTROL
      WEAKNESSES
---------------------------------------------------------- Letter :1.1

Although the actuarial results were reasonable and reliable for
fiscal year 1996, weaknesses exist in the controls over the data
gathering and preparation process.  Most notably, this process is not
adequately documented and, as a result, is heavily dependent on the
knowledge of experienced staff members.  If significant staff changes
were to occur, the annual data update--which is critical to
determining the pension liability--might not be performed timely or
correctly. 

Also, as part of the data preparation process, the Office of the
Actuary must estimate the number of eligible inactive reservists
because complete data are not provided for inactive reservists who
may have earned a vested benefit but have not yet begun to receive
benefit payments.  Even though the number is small in comparison to
total retirees and such an estimate probably would not materially
affect the results, DOD should strive for complete and accurate data
in order to ensure the correct calculation of its actuarial
liabilities.  In addition, the program used to calculate the pension
liability does not allow the actuary to compare the actual results of
the current valuation against the results that the current actuarial
estimates and assumptions anticipated.  Such an actual-versus-expected
comparison is a standard actuarial process. 

Instead, the actuary can only compare, for reasonableness, actual
results of the current year calculation in total against prior year
valuations.  As a result, if prior year calculations were in error,
current and future years' calculations could be consistent but also
incorrect.  Further, no formal documentation exists for this program
nor for the data input process and data flow organization/layout of
the primary valuation spreadsheet.  Here again, the process is
dependent on the knowledge of current key staff members. 


      GENERAL EDP CONTROLS
      WEAKNESSES
---------------------------------------------------------- Letter :1.2

Significant weaknesses related to EDP access controls, security
policies and procedures, and program change controls expose the
Fund's systems to unnecessary risk and diminish the reliability of
its financial management information.  Access to pension fund
participant information was not restricted to only those who required
such access to perform their jobs.  In addition, the activities of
individuals who were permitted access to read or modify participant
information were not adequately monitored.  For example, security
violations were not being logged, the ability to use previous
passwords was not limited, and over 200 users were permitted to read
all data sets on the system.  As a result, DOD did not have
reasonable assurance that the confidentiality of the data was
protected. 

Security policies and procedures were either not formalized at data
processing sites or, where they were formalized, the sites' daily
operations were not in compliance.  Many of the control features of
the access control software were not activated or the control
parameters selected did not adequately restrict access to only
authorized users.  For example, procedures for both creating and
deactivating user accounts were found to be inconsistent and lacking
documented guidance. 

Features intended to identify users and their related computer
activity (audit trails) were not enabled; therefore, if unauthorized
activity did occur, there would be no system-generated audit trail to
assist in a subsequent investigation.  For example, 22 system users
were able to delete and modify files within a component of the
operating system that is intended to serve as an audit trail for
security-related events.  As a result, they could deactivate the
parameter that enables the auditing of security events and so erase
or switch off the very record that would reveal their activity. 
Typically, ordinary system users would not be able to change or delete
the audit trail function. 
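The three access-control findings above (users able to read every data set, users able to modify or delete the audit-trail component, and no limit on reusing previous passwords) are the kind of thing a periodic access review should catch mechanically.  The following Python is an added example written for this page, not code from the GAO report, KPMG, or any DOD system: it runs those three checks over a small constructed access-control listing.  The data set names, user IDs, permission levels ("READ", "UPDATE", "ALTER"), the audit-trail data set name and the password-history depth are all assumptions made up for the example.

```python
"""Least-privilege review over a constructed access-control listing.

Added example (not from the GAO report or any DOD system). It models the
three findings the report describes -- users who can read every data set,
users who can modify or delete the component holding the security audit
trail, and password changes that reuse a previous password -- and flags each.
Data set names, user IDs and the permission vocabulary are assumptions.
"""
from __future__ import annotations

import hashlib
import os
from fnmatch import fnmatchcase

# Constructed inventory of data sets on the shared machine (assumed names).
DATASETS = [
    "FUND.VALUATION.DATA",
    "FUND.PARTICIPANT.MASTER",
    "PERS.MEDICAL.RESULTS",
    "SYS1.AUDIT.LOG",
]
AUDIT_TRAIL_DATASET = "SYS1.AUDIT.LOG"   # assumed name of the audit-trail component

# Constructed access-control entries: (user, data-set name pattern, permissions).
# "READ", "UPDATE", "ALTER" are assumed permission levels; "*" matches any characters.
ACL = [
    ("ACTUARY1", "FUND.VALUATION.*", {"READ", "UPDATE"}),
    ("ACTUARY2", "FUND.*",           {"READ"}),
    ("OPER01",   "*",                {"READ"}),                    # blanket read
    ("OPER02",   "*",                {"READ"}),                    # blanket read
    ("SYSPRG1",  "SYS1.AUDIT.LOG",   {"READ", "UPDATE", "ALTER"}), # can alter audit trail
    ("SYSPRG2",  "SYS1.*",           {"ALTER"}),                   # pattern covers audit log
    ("AUDITOR",  "SYS1.AUDIT.LOG",   {"READ"}),                    # read-only: acceptable
]

WRITE_LIKE = {"UPDATE", "ALTER"}


def effective_permissions(acl, user: str, dataset: str) -> set[str]:
    """Union of the permissions every matching entry grants `user` on `dataset`."""
    perms: set[str] = set()
    for u, pattern, granted in acl:
        if u == user and fnmatchcase(dataset, pattern):
            perms |= granted
    return perms


def users_with_read_to_all(acl, datasets) -> set[str]:
    """Users who can read every data set in the inventory (the 'over 200 users' finding)."""
    users = {u for u, _, _ in acl}
    return {u for u in users
            if all("READ" in effective_permissions(acl, u, ds) for ds in datasets)}


def users_who_can_alter_audit_trail(acl, audit_dataset=AUDIT_TRAIL_DATASET) -> set[str]:
    """Users who can modify or delete the audit-trail component (the '22 users' finding)."""
    users = {u for u, _, _ in acl}
    return {u for u in users
            if effective_permissions(acl, u, audit_dataset) & WRITE_LIKE}


class PasswordHistory:
    """Rejects a new password that matches any of the last `depth` passwords.

    Each retained entry is a (salt, PBKDF2 hash) pair, so the history never
    stores a password in clear. `depth` and the PBKDF2 settings are assumed.
    """

    def __init__(self, depth: int = 10, iterations: int = 100_000):
        self.depth = depth
        self.iterations = iterations
        self._history: dict[str, list[tuple[bytes, bytes]]] = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def change_password(self, user: str, new_password: str) -> bool:
        """Return False (and leave state unchanged) if `new_password` was used recently."""
        entries = self._history.setdefault(user, [])
        for salt, digest in entries:
            if self._digest(new_password, salt) == digest:
                return False
        salt = os.urandom(16)
        entries.append((salt, self._digest(new_password, salt)))
        del entries[:-self.depth]    # keep only the most recent `depth` entries
        return True


def review() -> dict:
    """Run all three checks over the constructed data and return the findings."""
    hist = PasswordHistory(depth=3)
    hist.change_password("ACTUARY1", "Sept-1996-valuation")
    reuse_blocked = not hist.change_password("ACTUARY1", "Sept-1996-valuation")
    return {
        "read_all": users_with_read_to_all(ACL, DATASETS),
        "audit_trail_writers": users_who_can_alter_audit_trail(ACL),
        "password_reuse_blocked": reuse_blocked,
    }


if __name__ == "__main__":
    for name, value in review().items():
        print(f"{name}: {value}")
```

Note that SYSPRG2 is flagged even though no entry names the audit log directly: the review resolves effective permissions through wildcard patterns, which is where blanket grants usually hide.  AUDITOR, with read-only access to the log, is not flagged, since reading the trail is exactly what an auditor should be able to do.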

There were no formal controls governing how changes to systems could
be made or who could make them.  For the application system that
calculates the pension liability, no comprehensive change management
process has been developed.  For the operating systems, although a
change management process exists, it lacks procedures to ensure that
changes are documented, tested, reviewed, and approved. 
Consequently, changes could be introduced to the operating system
that would facilitate unauthorized access and those changes may not
be detected promptly. 

DOD has not developed, tested, and implemented a comprehensive
disaster recovery plan at the sites that process Fund data.  Should a
disaster occur, DOD has no assurance that the computer facilities and
operations or the actuarial operations necessary to support the Fund
could be restored in a timely manner.  The Fund may be at further
risk since the application that performs the actuarial
calculations--an application that may be sensitive to date
changes--has not yet been assessed for Year 2000 impact.\1 In
assessing risk, DOD must determine the impact of the year 2000 on its
systems and applications and initiate realistic contingency plans to
ensure continuity of business processes if systems or applications
fail to operate at the turn of the century. 


--------------------
\1 The Year 2000 problem is rooted in the way dates are recorded and
computed in many computer systems.  For the past several decades,
systems have typically used two digits to represent the year, such as
"97" representing 1997.  With this two-digit format, the year 2000 is
indistinguishable from 1900, 2001 from 1901, and so forth.  As a
result, system or application programs that use dates to perform
calculations, comparisons, or sorting may generate incorrect results
when working with years after 1999. 
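The failure the footnote describes is easy to reproduce.  The following Python is an added example for this page, not code from the report or from the DOD actuarial application: it holds a few constructed participant records with two-digit years, computes years of service and a sort order directly on those fields, and then repeats both through a fixed pivot window that recovers the century.  The records, the field layout and the pivot year are assumptions; the pivot must be chosen from the real range of the data being converted.

```python
"""Two-digit year arithmetic and a windowing fix.

Added example, not from the GAO report. It shows how a record that stores
years as two digits (as the footnote describes) yields wrong service lengths
and wrong sort order once a date crosses 2000, and how a fixed pivot window
recovers the century without widening the stored field.
"""
from __future__ import annotations

# Constructed participant records: (member id, entry year, separation year),
# with years stored as two digits the way a legacy file would hold them.
RECORDS = [
    ("M001", "75", "95"),   # 1975 -> 1995
    ("M002", "80", "02"),   # 1980 -> 2002
    ("M003", "99", "01"),   # 1999 -> 2001
]


def service_years_naive(entry_yy: str, sep_yy: str) -> int:
    """Years of service computed directly on the two-digit fields."""
    return int(sep_yy) - int(entry_yy)


def expand_year(yy: str, pivot: int = 50) -> int:
    """Map a two-digit year to four digits with a fixed window.

    Values below `pivot` are read as 20xx, values at or above it as 19xx, so
    the window covers 1950-2049. The pivot is an assumed value: it must lie
    outside the span of years the data actually contains, or records on the
    wrong side of it are silently moved a century.
    """
    n = int(yy)
    if not 0 <= n <= 99:
        raise ValueError(f"not a two-digit year: {yy!r}")
    return 2000 + n if n < pivot else 1900 + n


def service_years_windowed(entry_yy: str, sep_yy: str, pivot: int = 50) -> int:
    """Years of service after expanding both fields through the window."""
    return expand_year(sep_yy, pivot) - expand_year(entry_yy, pivot)


def sort_by_separation(records, windowed: bool) -> list[str]:
    """Member ids ordered by separation year, naively or through the window."""
    key = (lambda r: expand_year(r[2])) if windowed else (lambda r: int(r[2]))
    return [r[0] for r in sorted(records, key=key)]


def compare() -> dict[str, tuple[int, int]]:
    """Per member: (naive service years, windowed service years)."""
    return {
        rid: (service_years_naive(e, s), service_years_windowed(e, s))
        for rid, e, s in RECORDS
    }


if __name__ == "__main__":
    for rid, (naive, fixed) in compare().items():
        print(f"{rid}: naive={naive:4d}  windowed={fixed:3d}")
    print("naive order:   ", sort_by_separation(RECORDS, windowed=False))
    print("windowed order:", sort_by_separation(RECORDS, windowed=True))
```

Two of the three constructed members come out with negative service in the naive calculation, and the naive sort places the most recent separations first; an actuarial model that feeds such values into benefit or liability formulas would not fail loudly, it would simply produce a wrong number, which is why the report asks for a formal Year 2000 assessment rather than assuming the application is unaffected.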


   RECOMMENDATIONS
------------------------------------------------------------ Letter :2

We concur with all of the recommendations made by KPMG to address the
actuarial process and EDP general controls weaknesses identified
during the review.  To improve the actuarial process, we recommend
that you ensure that the Office of the Actuary

  -- documents annual data preparation and processing steps in a
     formal, detailed manual;

  -- determines the availability of complete data on inactive
     reservists;

  -- tests a sample of current valuation results independently from
     prior year results; and

  -- evaluates the efficiency of using the current spreadsheet
     analyses and documents those analyses. 

To address the EDP general controls weaknesses, we recommend that you
ensure that the Defense Manpower Data Center

  -- modifies the security program's parameters to ensure
     participants' data and actuarial programs are protected and that
     security requirements comply with regulations;

  -- implements security features and parameters to ensure that
     unauthorized access to systems is reduced and that audit trails
     are activated and protected from unauthorized editing;

  -- develops (or modifies) and implements security policies and
     procedures to ensure that (1) all users are authorized and have
     only the necessary access to facilities and data, (2) such
     access is reviewed periodically and removed promptly when
     warranted, and (3) access violations are researched;

  -- develops and implements comprehensive change management
     procedures governing changes to both the Fund's application
     programs and related operating systems;

  -- designs, develops, tests, and implements a comprehensive
     disaster recovery plan; and

  -- formally assesses and documents the risk of the Year 2000 impact
     on the actuarial application and prepares contingency plans, if
     needed, to ensure operations are not disrupted. 

In addition, KPMG made other suggestions to address less significant
weaknesses and provided them to DOD personnel under separate cover. 
We concur with those suggestions as well. 


   AGENCY COMMENTS AND OUR
   EVALUATION
------------------------------------------------------------ Letter :3

In written comments on a draft of this report, DOD concurred with our
recommendations to improve its actuarial process and EDP general
controls.  DOD's response (see appendix II) cited numerous planned
corrective actions to address the individual components of those
recommendations.  DOD's corrective action plan addresses the
weaknesses cited in our report. 


---------------------------------------------------------- Letter :3.1

You are required by 31 U.S.C. 720 to submit a written statement on
actions taken on these recommendations to the Senate Committee on
Governmental Affairs and the House Committee on Government Reform and
Oversight within 60 days of the date of this report.  You must also
send a written statement to the House and Senate Committees on
Appropriations with the agency's first request for appropriations
made over 60 days after the date of this report. 

We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Senate Committee on Armed Services, the House
Committee on National Security, the Senate Committee on Governmental
Affairs, and the House Committee on Government Reform and Oversight
and the Director of the Office of Management and Budget.  We are also
sending copies to the Acting Under Secretary of Defense (Comptroller)

and the DOD Inspector General.  Copies will be made available to
others upon request.  Please contact Molly Boyle, Assistant Director,
Defense Audits, on (202) 512-9524 if you or your staff have any
questions. 

Sincerely yours,

Gene L. Dodaro
Assistant Comptroller General




Appendix I
REVIEW OF THE MILITARY RETIREMENT
TRUST FUND'S ACTUARIAL MODEL
============================================================== Letter 


(See figures in printed edition; KPMG's report is reproduced there as
page images.)



Appendix II
COMMENTS FROM THE DEPARTMENT OF
DEFENSE
============================================================== Letter 


(See figures in printed edition; DOD's written comments are reproduced
there as page images.)


*** End of document. ***