[Independent Auditors Report on Office of Surface Mining
Reclamation and Enforcement Financial Statements for Fiscal
Years 1999 and 1998]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 00-I-433

Title: Independent Auditors Report on Office of Surface Mining
       Reclamation and Enforcement Financial Statements for Fiscal
       Years 1999 and 1998

  
  Date: May 10, 2000

  *************DISCLAIMER********** 
  This file contains an ASCII representation of an OIG report. No attempt has      been made to 
  display graphic images or illustrations. Some tables may be included, but may not resemble 
  those in the printed version.

  A printed copy of this report may be obtained by referring to
  the PDF file or by calling the Office of Inspector General, Division of Acquisition and 
  Management Operations at  (202) 219-3841. 
  **********************************                                             

  C-IN-OSM-001-99 R
  
  MAY 10, 2000
  
  INDEPENDENT AUDITORS REPORT
  
  Memorandum
  
  To:  Director, Office of Surface Mining Reclamation and Enforcement
  
  Subject:  Independent Auditors Report on Office of Surface Mining Reclamation and
  Enforcement Financial Statements for Fiscal Years 1999 and 1998 (No. 00-I-433)
  
  SUMMARY
  
  In our audit of the Office of Surface Mining Reclamation and Enforcement's (OSM)
  financial statements  for fiscal year 1999, we found the following:
  
  -  The principal financial statements were fairly presented in all material respects.  OSM's
  principal financial statements consist of the Consolidated Statements of Financial Position
  as of September 30, 1999, and 1998, and the Consolidated Statements of Net Cost, Changes
  in Net Position, Budgetary Resources, and Financing for the fiscal years ended September
  30, 1999, and 1998.   
  
  -  Our tests of internal controls identified a reportable condition involving OSM's general
  controls over its automated information systems.  Specifically, OSM did not have an
  adequate security program; did not have controls over access to automated information
  systems resources, systems software, separation of duties, and software development and
  change management; and did not have assurance of continued operations in the event of a
  disaster or a system failure. 
  
  -  Our tests of compliance with laws and regulations identified a  noncompliance issue that
  is required to be reported concerning the Federal Financial Management Improvement Act
  of 1996.
  
  Our conclusions are detailed in the sections that follow.
  
  OPINION ON PRINCIPAL FINANCIAL STATEMENTS
  
  In accordance with the Chief Financial Officers Act of 1990, we audited OSM's principal
  financial statements for the fiscal years ended September 30, 1999, and 1998, as contained
  in OSM's accompanying 1999 Annual Report.  These financial statements are the
  responsibility of OSM, and our responsibility is to express an opinion, based on our audit,
  on these principal financial statements.
  
  Our audit was conducted in accordance with the "Government Auditing Standards," issued
  by the Comptroller General of the United States, and with Office of Management and Budget
  Bulletin 98-08, "Audit Requirements for Federal Financial Statements," as amended.  These
  audit standards require that we plan and perform the audit to obtain reasonable assurance as
  to whether the accompanying principal financial statements are free of material
  misstatement.  An audit includes examining, on a test basis, evidence supporting the amounts
  and disclosures in the principal financial statements and the accompanying notes.  An audit
  also includes assessing the accounting principles used and the significant estimates made by
  management.  We believe that our audit work provides a reasonable basis for our opinion.
  
  As disclosed  in footnotes 3 and 20 to the principal financial statements, OSM restated the
  financial statements for fiscal year 1998.  In OSM's 1998 Annual Report, the investments
  and the interest receivable on investments were reported separately in the Consolidated
  Statement of Financial Position.  In OSM's 1999 Annual Report, the investments and the
  interest receivable on investments were combined into one line entitled "Investments."  In
  addition, OSM changed the reporting of the fiscal year 1998 Abandoned Mine Lands 
  appropriation.  In the 1998 Annual Report, the $210 million Abandoned Mine Lands
  appropriation for fiscal year 1998 was reported as Appropriated Revenue in the Consolidated
  Statement of Changes in Net Position.  In the 1999 Annual Report, the Abandoned Mine
  Lands appropriations for fiscal years 1999 and 1998 were reported on the line entitled
  "Changes in Unexpended Appropriations"  in the Consolidated Statement of Changes in Net
  Position.  
  
  In our opinion, the principal financial statements (pages 48-52) present fairly, in all material
  respects, the financial position of OSM as of September 30, 1999, and 1998, and its
  consolidated net cost, changes in net position, budgetary resources and outlays, and financing
  for the fiscal years ended September 30, 1999, and 1998, in conformity with generally
  accepted accounting principles.  The supplemental statements of net cost and changes in net
  position for fiscal year 1999, which follow the notes to the consolidated financial statements
  (pages 53-67), were subjected to the auditing procedures applied in the audit of the
  consolidated  financial statements and, in our opinion, are fairly stated in all material respects
  in relation to the principal financial statements taken as a whole. 
  
  REPORT ON INTERNAL CONTROLS
  
  Our audit was conducted in accordance with the "Government Auditing Standards," issued
  by the Comptroller General of the United States, and with Office of Management and Budget
  Bulletin 98-08.  
  
  Management of OSM is responsible for establishing and maintaining an internal control
  structure which provides reasonable assurance that the following objectives are met:
  
  -  Transactions are properly recorded, processed, and summarized to permit the preparation
  of the principal financial statements and the required supplementary stewardship information
  in accordance with Federal accounting standards. 
  
  
  -  Assets are safeguarded against loss from unauthorized acquisition, use, or disposition.
  
  -  Transactions are executed in accordance with (1) laws governing the use of budget
  authority and with other laws and regulations that could have a direct and material effect on
  the principal financial statements and the supplemental statements of net cost and changes
  in net position and (2) any other laws, regulations, and Governmentwide  policies identified
  by the Office of Management and Budget.
  
  -  Transactions and other data that support reported performance measures are properly
  recorded, processed, and summarized to permit the preparation of performance information
  in accordance with criteria stated by management.
  
  Because of inherent limitations in any internal control structure, errors or fraud may occur
  and not be detected.  Also, projections of any evaluation of the internal controls over
  financial reporting to future periods are subject to the risk that the internal controls may
  become inadequate because of changes in conditions or that the degree of compliance with
  the policies or procedures may deteriorate. 
  
  In planning and performing our audit, we considered OSM's internal controls over financial
  reporting by obtaining an understanding of OSM's  internal controls, determined whether
  these internal controls had been placed in operation, assessed control risks, and performed
  tests of controls in order to determine our auditing procedures for the purpose of expressing
  an opinion on the principal financial statements and the supplemental statements of net cost
  and changes in net position and not to provide assurance on the internal controls over
  financial reporting.  Consequently, we do not express an opinion on internal controls. 
  
  Our consideration of the internal controls over financial reporting would not necessarily
  disclose all matters in the internal control structure over financial reporting that might be
  reportable conditions.  Under standards established by the American Institute of Certified
  Public Accountants and by Office of Management and Budget Bulletin 98-08, reportable
  conditions are matters coming to our attention relating to significant deficiencies in the
  design or operation of the internal controls that, in our judgment, could adversely affect
  OSM's ability to record, process, summarize, and report financial data consistent with the
  assertions made by management in the principal financial statements.  Material weaknesses
  are reportable conditions in which the design or operation of one or more of the internal
  control components does not reduce to a relatively low level the risk that misstatements in
  amounts that would be material in relation to the financial statements being audited may
  occur and not be detected within a timely period by employees in the normal course of
  performing their assigned functions.  However, we noted a certain matter  involving the
  internal control and operation that we consider to be a reportable condition as described by
  the American Institute of Certified Public Accountants and Office of Management and
  Budget Bulletin 98-08. However, the reportable condition is not considered to be a material
  weakness.  
  
  OSM Needs Improved General and Application Controls Over its Automated
  Information Systems
  
  The report "General and Application Controls Over Automated Information Systems, Office
  of Surface Mining Reclamation and Enforcement" (No. 00-I-138), issued by our office in
  December 1999, stated that the general controls over OSM's automated information systems
  were not effective.  Specifically, OSM did not have an adequate security program that
  included security plans which addressed risks to sensitive financial data and sensitive
  automated information systems.  Additionally, OSM did not have adequate controls over
  (1) access to automated information systems' resources, such as controlling the levels of
  access granted to system users, passwords, and password settings; (2) operating systems to
  ensure integrity over systems processing and data; (3) separation of duties between security
  administrators and security reviewers and the duties between application programmers and
  users; and (4) software changes to ensure that the changes were authorized, approved, and
  tested before being moved into production.  Further, OSM did not develop a continuity of
  operations plan for its telecommunications links, did not finalize plans for its facilities and
  data center, and did not have an incident response plan or team.  The lack of adequate
  controls increased the risk of unauthorized access and modifications to and the disclosure of
  OSM data, theft or destruction of OSM software and sensitive information, and loss of
  critical OSM systems and functions in the event of a disaster or a system failure.  OSM
  concurred with the findings and recommendations contained in the report and took
  immediate actions to resolve the deficiencies.  In its remediation plan, which was developed
  in response to the report, OSM indicated that all of the weaknesses would be corrected by
  September 30, 2000.  
  
  With respect to the internal controls related to the performance measures reported in OSM's
  overview (pages 17, 29, 37, and 47), we obtained an understanding of the design of
  significant internal controls related to the existence and completeness assertions, as required
  by Bulletin No. 98-08.  Our procedures were not designed to provide assurance on internal
  controls over reported performance measures, and accordingly, we do not provide an opinion
  on such controls.  
  
  REPORT ON COMPLIANCE WITH LAWS AND REGULATIONS
  
  Our audit was conducted in accordance with the "Government Auditing Standards," issued
  by the Comptroller General of the United States, and with Office of Management and Budget
  Bulletin 98-08.  
  
  The management of OSM is responsible for complying with laws and regulations applicable
  to that agency.  As part of obtaining reasonable assurance about whether OSM's principal 
  financial statements are free of material misstatement, we performed tests of OSM's
  compliance with certain provisions of laws and regulations, noncompliance with which could
  have a direct and material effect on the determination of  financial statement amounts and
  certain other laws and regulations specified in Bulletin 98-08, including the requirements
  referred to in the Federal Financial Management Improvement Act of 1996.  However,
  providing an opinion on compliance with certain provisions of laws and regulations was not
  an objective of our audit, and accordingly, we do not express such an opinion.  
  
  The results of our tests of compliance with laws and regulations discussed in the preceding
  paragraph exclusive of the Federal Financial Management Improvement Act disclosed no
  instances of noncompliance that are required to be reported under the "Government Auditing
  Standards" or Bulletin 98-08.
  
  Under the Federal Financial Management Improvement Act, we are required to report
  whether OSM's financial management systems were in substantial compliance with
  requirements for Federal financial management systems, Federal accounting standards, and
  the U.S. Government Standard General Ledger at the transaction level.  To meet these
  requirements, we performed tests of compliance using the implementation guidance for the
  Federal Financial Management Improvement Act included in Appendix D of Bulletin 98-08.
  
  We believe that the ineffective general controls over OSM's automated information systems 
  discussed in the Report on Internal Controls section of this report are significant  departures
  from  certain requirements of Office of Management and Budget Circulars A-127, "Financial
  Management Systems," and A-130, "Management of Federal Information Resources," and
  are therefore instances of substantial noncompliance with the Federal financial management
  systems requirements under the Federal Financial Management Improvement Act.
  
  Except as noted in the previous paragraph, the results of our tests of compliance disclosed
  no instances of noncompliance with other laws and regulations that are required to be
  reported under the "Government Auditing Standards" or Bulletin 98-08.  
  
  CONSISTENCY OF OTHER INFORMATION
  
  We reviewed the financial information presented in OSM's overview (pages 7-47) and
  supplementary information (pages 68-69) to determine whether the information was
  consistent with the principal financial statements.  Based on our review, we determined that
  the information in the overview was consistent with the principal financial statements.
  
  PRIOR AUDIT COVERAGE
  
  We reviewed  prior Office of Inspector General and General Accounting Office audit reports
  related to OSM's financial statements to determine whether these reports contained any
  unresolved or unimplemented recommendations that were significant to OSM's financial
  statements or internal controls.  We found that there were no reports which contained
  significant unresolved or unimplemented recommendations related to OSM's financial
  statements or internal controls.  
  
  OBJECTIVE, SCOPE, AND METHODOLOGY
  
  Management of OSM is responsible for the following:
  
      - Preparing the principal financial statements and the required supplemental
  information referred  to in the Consistency of Other Information section of this report in
  conformity with generally accepted accounting principles and for preparing the other
  information contained in the 1999 Annual Report.
  
  -  Establishing and maintaining an internal control structure over financial reporting.  In
  fulfilling  this responsibility, estimates and judgments are required to assess the expected
  benefits and related costs of internal control structure policies and procedures.  
  
  -  Complying with applicable laws and regulations.
  
  We are responsible for the following:  
  
  -  Expressing an opinion on OSM's principal financial statements.  
  
  -  Obtaining an understanding regarding the effectiveness  of the internal controls based upon
  the internal control objectives in Bulletin 98-08, which require that transactions be properly
  recorded, processed, and summarized to permit the preparation of the principal financial
  statements and the required supplemental information in accordance with Federal accounting
  standards; that assets be safeguarded against loss from unauthorized acquisition, use, or
  disposal; and that transactions and other data that support reported performance measures be
  properly recorded, processed, and summarized to permit the preparation of performance
  information in accordance with criteria stated by management. 
  
  -  Testing OSM's compliance with selected provisions of laws and regulations that could
  materially affect the principal financial statements or the required supplementary
  information.
  
  To fulfill these responsibilities, we took the following actions:  
  
  -  Examined, on a test basis, evidence supporting the amounts disclosed in the principal
  financial statements.
  
  -  Assessed the accounting principles used and the significant estimates made by
  management.  
  
  -  Evaluated the overall presentation of the financial statements.  
  
  -  Obtained an understanding of the internal control structure related to safeguarding assets;
  compliance with laws and regulations, including the execution of transactions in accordance
  with budget authority; financial reporting; and certain performance measure information
  reported in the Overview.  
  
  -   Tested relevant internal controls over the safeguarding of assets; compliance with laws
  and regulations, including the execution of transactions in accordance with budget authority;
  and financial reporting.  
  
  -  Tested compliance with selected provisions of laws and regulations.
  
  We did not evaluate all of the internal controls relevant to the operating objectives as broadly
  defined by the Federal Managers' Financial Integrity Act, such as those controls relevant to
  preparing statistical reports and ensuring efficient operations.  We limited our internal
  control testing to those controls necessary to achieve the objectives outlined in our report on 
  internal controls.
  
  We also identified other issues  that, in our judgment, were not required to be included in this
  audit report but that should be communicated to management.  We have included these
  issues in a management letter that will be issued separately.  
  
  In an April 3 , 2000, exit conference, OSM officials generally agreed with the findings
  contained in the report and made comments on the report.  Their comments were considered
  in the preparation of this report and were incorporated as appropriate.
  
  Since this report does not contain any recommendations, a response is not required.  
  
  Section 5(a) of the Inspector General Act (5 U.S.C. app. 3) requires the Office of Inspector
  General to list this  report in its semiannual report to the Congress.  In addition, the Office
  of Inspector General provides audit reports to the Congress.  
  
  This report is intended for the information of management of OSM and the Office of
  Management and Budget and the Congress.  However, this report is a matter of public
  record, and its distribution is not limited. 
  
  
  
  Roger La Rouche
  Acting Assistant Inspector General
  for Audits
  
  [CONTACT THE OFFICE OF SURFACE MINING RECLAMATION AND
ENFORCEMENT FOR
  INFORMATION ON  ITS FINANCIAL STATEMENTS FOR FISCAL YEAR 1999, WHICH
ARE NOT
  INCLUDED]