[Independent Auditors' Report on the U.S. Fish and Wildlife Service's Financial Statements for Fiscal Years 2001 and 2000]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 2002-I-0025

Title: Independent Auditors' Report on the U.S. Fish and Wildlife
       Service's Financial Statements for Fiscal Years 2001 and
       2000

  
Date:  March 25, 2002

**********DISCLAIMER********** 
This file contains an ASCII representation of an OIG report. No attempt has been made to display graphic images or illustrations. Some tables may be included, but may not resemble those in the printed version. A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202) 219-3841. 
******************************

Dated:  March 25, 2002

Memorandum

To:  Director, U.S Fish and Wildlife Service

From:  Roger La Rouche /Signed/
Assistant Inspector General for Audits

Subject:  Independent Auditors' Report on the U.S. Fish and Wildlife Service's Financial Statements for Fiscal Years 2001 and 2000 (No. 2002-I-0025)

We contracted with KPMG, LLP, an independent certified public accounting firm, to audit the U.S. Fish and Wildlife Service's (FWS) financial statements for fiscal year 2001. The contract required that KPMG conduct its audit in accordance with the Government Auditing Standards issued by the Comptroller General of the United States of America; Office of Management and Budget Bulletin 01-02, Audit Requirements for Federal Financial Statements; and the General Accounting Office/President's Council on Integrity and Efficiency Financial Audit Manual. The Office of Inspector General (OIG) is responsible for the opinion on the consolidated balance sheet and related notes for fiscal year 2000.

In connection with the contract, we monitored the progress of the audit at key points and reviewed KPMG's report and related working papers and inquired of their representatives.  Our review, as differentiated from an audit in accordance with Government Auditing Standards, was not intended to enable us to express, and we do not express, opinions on the FWS's financial statements or on conclusions about the effectiveness of internal controls or on conclusions about compliance with laws and regulations.  KPMG is responsible for the auditors' report on the fiscal year 2001 financial statements (Attachment 1) and for the conclusions expressed in the report.  However, our review disclosed no instances where KPMG did not comply in all material respects with Government Auditing Standards. 

In its audit report dated January 21, 2002 KPMG stated that in its opinion the FWS's financial statements for fiscal year 2001 present fairly, in all material respects, the financial position of FWS as of September 30, 2001, and its net cost, changes in net position, budgetary resources, and reconciliation of net cost to budgetary obligations for the year then ended, in conformity with accounting principles generally accepted in the United States of America. In our audit report dated January 21, 2002 (Attachment 2) we stated that in our opinion the FWS's balance sheet presents fairly, in all material respects, the financial position of the FWS as of September 30, 2000 in conformity with accounting principles generally accepted in the United States of America.

KPMG found four material weaknesses and one reportable condition related to internal controls over financial reporting.  With regard to compliance with laws and regulations, KPMG found FWS to be noncompliant with a portion of the Federal Financial Management Improvement Act.  Specifically, KPMG reported that the FWS's financial management systems did not substantially comply with EDP security and general control environment requirements, and that identified material weaknesses affected the FWS's ability to prepare its financial statements and related disclosures in accordance with Federal accounting standards.

In the February 21, 2002 response, and in subsequent discussions, the Director, FWS, concurred with Recommendations A, B, C, E, F, and G.  The FWS agreed with the general finding for Recommendation D but disagreed that sufficient risk exists to endanger financial management statements or operations.  Based on the response and subsequent discussions, all seven recommendations are considered resolved but not implemented.  The seven recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.

Section 5(a) of the Inspector General Act (5 U.S.C. App. 3) requires the OIG to list this report in its semiannual report to the Congress.  The Independent Auditors' Report is intended for the information of the management of FWS, the Office of Management and Budget, and the United States Congress.  The report, however, is a matter of public record, and its distribution is not limited.

Attachments (2)

ATTACHMENT 1 

Independent Auditors' Report

The Director of the United States Fish and Wildlife Service and the Inspector General of the Department of the Interior:

We have audited the accompanying consolidated balance sheet of the United States Fish and Wildlife Service (Service) as of September 30, 2001, and the related consolidated statements of net cost, changes in net position, and financing and the combined statement of budgetary resources for the year then ended (hereinafter referred to as financial statements). The objective of our audit was to express an opinion on the fair presentation of these financial statements. In connection with our audit, we also considered the Service's internal control over financial reporting and tested the Service's compliance with certain provisions of applicable laws and regulations that could have a direct and material effect on its financial statements.

Summary

As stated in our opinion on the financial statements, we concluded that the Service's financial statements as of and for the year ended September 30, 2001 are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America.
Our consideration of internal control over financial reporting resulted in the following matters being identified as reportable conditions:

A.  Financial reporting process

B.  Controls, processes, and financial reporting relating to capital equipment

C.  Controls, processes, and financial reporting relating to buildings, structures, and construction work in process

D.  Security and general controls over financial management systems

E.  Financial reporting of the Sport Fish Restoration account

We consider reportable conditions A through D, discussed above, to be material weaknesses.

The results of our tests of compliance with certain provisions of laws and regulations, exclusive of the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed no instances of noncompliance with laws and regulations that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements. However, our tests of compliance with FFMIA section 803(a) requirements disclosed instances where the Service's financial management systems did not substantially comply with the following:

F.  Federal financial management systems requirements

G.  Federal accounting standards

The following sections discuss our opinion on the Service's financial statements, our consideration of the Service's internal control over financial reporting, our tests of the Service's compliance with certain provisions of applicable laws and regulations, and management's and our responsibilities.

Opinion on the Financial Statements

We have audited the accompanying consolidated balance sheet of the Service as of September 30, 2001, and the related consolidated statements of net cost, changes in net position, and financing and the combined statement of budgetary resources for the year then ended.

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of the Service as of September 30, 2001, and its net cost, changes in net position, budgetary resources, and reconciliation of net cost to budgetary obligations for the year then ended in conformity with accounting principles generally accepted in the United States of America.

The information included in the Supplementary Stewardship Information, Supplementary Information on Service Performance, and financial highlights of Service Financial Performance sections are not a required part of the financial statements, but is supplementary information required by the Federal Accounting Standards Advisory Board or Office of Management and Budget Bulletin 97-01, Form and Content of Agency's Financial Statements, as amended. We have applied certain limited procedures which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information, and accordingly, we express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the financial statements taken as a whole. The information in the Combining Statement of Budgetary Resources is presented for purposes of additional analysis and is not a required part of the financial statements. Such information has been subjected to the auditing procedures applied in the audit of the financial statements and, in our opinion, is fairly stated, in all material respects, in relation to the financial statements taken as a whole.

Internal Control Over Financial Reporting

Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect the Service's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements, in amounts that would be material in relation to the financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Because of inherent limitations in internal control, misstatements due to error or fraud may nevertheless occur and not be detected.

We noted certain matters, discussed below, involving the internal control over financial reporting and its operation that we consider to be reportable conditions. We believe that the following reportable conditions are material weaknesses:

A.  Financial Reporting Process

The Service is a large, complex organization that has numerous programs and offices that participate in financial transaction processing and thereby affect financial reporting. Both programs and field offices are responsible for generating transaction data to the National Business Center and Service Finance Center. The Finance Center is responsible for compiling periodic financial reporting to the Department of Treasury as well as the year-end financial statements.

Each year the Service prepares financial statements that disclose the Service's financial position and results of operations. Office of Management and Budget (OMB) Bulletin 97-01, Form and Content of Agency's Financial Statements, as amended, provides guidance on the Service's financial statements format and content. Financial reporting is necessary for timely and accurate information for business decision making.

Financial Reporting and Analysis. The Service's current financial reporting is untimely, manually intensive, and prone to error. Also, many of the Service's current analyses focus on post-transaction review, designed to detect errors, rather than thorough front-end reviews designed to prevent errors and misstatements. Based on our interviews and test work, it appears that program, field, and regional offices primarily analyze transactions and reports on budgetary execution. Asset and liability management and review of proprietary account information is primarily the responsibility of the Division of Finance. We also noted that the Service did not detect errors in its 2000 Annual Report prior to printing. These errors included certain material items, which were corrected through an "Errata Sheet" that the Service issued in October 2001.

Account Reconciliations. The Service did not perform regular account reconciliations and management reviews of various reconciliations at the Finance Center during the year. Specifically, we noted that:

  -  The Service did not perform reconciliations of propriety to budgetary accounts as well as suspense accounts at year end.

  -  The Service did not reconcile subsidiary financial records to the general ledger in a timely manner. For example, the Service reconciles property, plant, and equipment at year end only as discussed in our material weakness comments relating to capital equipment and buildings, structures, and construction work in process.

  -  The original draft of the Service's 2001 Statement of Financing did not fully reconcile to the Statement of Net Cost. This situation required an adjustment of approximately $15 million to properly reflect expended appropriations for capitalized assets. The Service also had other unreconciled differences.

  -  The Service was unable to fully reconcile its balances with other bureaus within the Department. This intradepartmental elimination process was also not performed in a timely manner.

Accrual Accounting. The Service did not properly accrue accounts payable. Based on our audit work the Service made an adjustment of approximately $18 million to properly reflect accounts payable. The Service also did not accrue liabilities for goods and services provided under reimbursable agreements and the related accounts receivable totaling approximately $4 million. Also, the Service did not accrue the correct amount of its environmental cleanup liabilities. The Service determined that its accrued cleanup cost included 100% of the total cleanup costs of the site. Based on this information, the Service adjusted its estimated environmental liability by approximately $90 million to reflect only those cleanup costs that are probable to be paid by the Service.

Transaction Processing. The Service records certain material transactions only at year end. For some other material transactions, the Service does not record them in a timely manner throughout the year. Both of these situations require various reconciliations and entries in order to present accurate and complete financial results.  We also noted that Service personnel coded numerous transactions to incorrect budget object classes (BOCs) which map to standard general ledger accounts. The BOCs track disbursements according to type such as, but not limited to, compensation, benefits, travel, purchase of goods and services from governmental agencies and equipment and structures. In many instances the Service corrected the original incorrect postings through its review or reconciliation processes; however, this practice is manually intensive and time consuming. Finally, the Service did not properly post certain transactions to Standard General Ledger (SGL) accounts during the year. For example, the Service made adjusting entries to expended appropriations for capitalized assets to properly close account balances at year end.

The deficiencies in the Service's financial reporting process result from:

  -  Inadequate or poorly designed controls and systems.
  -  Lack of appropriate training.
  -  Inadequate management oversight of financial transactions.

Accurate and timely financial information is critical to the Service's decision making process. As a result of the issues noted above, the financial reporting process is inefficient and, at times, erroneous. As a result, the Service's financial statements may be materially misstated and the Service may not detect the misstatements. Further, the Service may make erroneous decisions based on this financial information.

Recommendation

The Service should reevaluate its financial reporting process to improve its efficiency and effectiveness. The manual efforts currently required to generate financial statements should be taken into consideration. The Service's evaluation should include, but not be limited to:

  -  Reviewing Service policies and procedures to ensure that internal and external financial reporting is accurate, complete, and timely. This review should also evaluate current processes to utilize information technology systems and eliminate unnecessary effort.

  -  Reviewing the staffing and organizational structure of the financial reporting function to ensure accurate, complete, and timely financial reporting.

  -  Ensuring that account reconciliations are performed on a regular basis throughout the year with appropriate management review.

  -  Training Division of Finance, Program and Regional, and National Business Center personnel on transaction coding, account analysis, and financial reporting. This training should ensure that personnel are adequately trained on the Hyperion financial reporting application. The Service should also enhance training of personnel responsible for coding and approving disbursements to ensure these transactions are coded to the proper BOC and SGLs at the initial transaction.

  -  Ensuring program and regional personnel properly accrue accounts receivable and payables at year end. Ensuring the Service properly assesses its probability of payment for environmental cleanup costs in determining its liability.

  -  Developing periodic review processes by program managers of Federal Financial System information, not limited to budgetary results.

Management Response

The Service generally agrees that the efficiency and effectiveness of its financial reporting process can be improved. The Service has already initiated several new internal controls and review processes to ensure that financial reporting is accurate and complete. This year we are moving toward more frequent reconciliations of key information systems with the Federal Financial System (FFS) to prepare quarterly financial statements. Actions taken or planned to address KPMG's recommendation's are:

  -  Review finance policies and procedures - We are currently evaluating key business and reporting processes, revising key financial management policies and guidance, and identifying areas requiring additional training and technical assistance to improve performance. Target Date: September 2002.

  -  Review staffing and organizational structure - There has been a dramatic increase in the scope and complexity of the Service's accounting and reporting requirements in recent years. Positions have been added to the Service's Finance Center. All existing vacancies are advertised and will be filled during FY 2002. Target Date: September 2002.

  -  Ensuring account reconciliations are performed regularly - As discussed above, the Service will incorporate clarifying guidance into FWS Manual releases, policies and directives to require more frequent reconciliations throughout the year. Target Date: September 2002.

  -  Training Service personnel in financial reporting - Training of personnel responsible for transaction processing, account analysis, and financial reporting function is a high priority for the Service. The National Conversation Training Center offers courses addressing financial management issues, which are regularly attended. The Service provides formal and informal training at all levels of the organization. Given these ongoing efforts to train Service personnel on accounting and reporting processes, there is little opportunity to enhance training efforts as recommended; however, we plan to reach a greater number of Service personnel outside the finance community. We are heightening recognition of training needs by updating financial management policies to clarify processes required and the roles and responsibilities of personnel involved with financial management functions. Target Date: September 2002.

  -  Ensuring Service personnel properly accrue accounts receivable and payables - Over the past several years, the Service has been adding detailed instructions to its year end guidance and will continue this year with further clarifications and improvements to address proper procedures for accrual transactions, including more complete considerations when estimating the Service's share of future environmental cleanup liabilities prior to making an accrual entry. Target Date: July 2002.

  -  Developing periodic review processes by program managers - A process for reviewing key financial management business practices performed at field stations is being developed this year. The process will identify those field stations and/or Regions where more focused guidance or training is needed to ensure the accuracy, timeliness and reliability of proprietary, as well as budgetary, financial information. Target Date: August 2002.

B.   Controls, Processes, and Financial Reporting Relating to Capital Equipment

The Service needs to improve its controls and processes associated with the accounting for and reporting of capital equipment. During our audit, we noted the following:

  -  Each region uses a different property system to account for capital equipment. The Finance Center uses an Excel spreadsheet to support the capital equipment balances in the accounting records and financial statements. The Finance Center updates the spreadsheet twice a year for additions and once a year for disposals, based on information that the regions submit.

  -  Several reconciliations are performed between the Excel spreadsheet and the accounting records. The Service reconciles property systems to the Federal Financial System (FFS) support by amount only and does not compare property numbers or other information. This situation could lead to inaccurate entries made to FFS.

  -  The Service records corrections to capital equipment through current year activity without an evaluation as to the impact to prior year recorded amounts.

  -  The Service did not properly reflect the acquisition cost of capital equipment transferred to the Service from other federal agencies. The Service recorded transferred equipment at the original acquisition value instead of fair value or net book value.

  -  Each region (specifically Office of Contracting and General Services) prepares a monthly property reconciliation form, which is submitted to the Finance Center to update FFS. The form contains a section for reconciliation to the general ledger. FFS does not maintain detailed property information by region on a monthly basis. The general ledger balances on the form are rolled forward each month from the prior reconciliation. As a result, the current reconciliation form is not accurate.

  -  Each region performs an annual physical inventory of capital equipment as of October 1. The Service requires field offices to submit the inventory results to the regional office by mid-December. Although the inventory is taken as of year end, the Finance Center does not make any adjustments to the year end financial statements based on the results.

  -  The Service recorded depreciation expense for some equipment acquired prior to March 31st,. This is inconsistent with Service policy. Also, the Service calculates depreciation only at year end.

The Service does not have adequate controls over financial reporting of capital equipment. As a result, the Service's process for financial reporting is manually intensive, accumulating information from numerous sources and systems. As a result of the number of systems used and the amount of manually intensive work involved, the Service's processes are inefficient. Also, capital equipment may be misstated in the financial statements based on the Service's timing and accuracy of financial reporting, depreciation policies, and timing of annual inventories.

Recommendation

We understand that the Service is currently assessing its capital equipment processes. We recommend the Service continue these efforts to evaluate its processes for acquiring, tracking, and reporting capital equipment. Specifically, the Service should:

  -  Evaluate current processes to utilize information technology systems and eliminate unnecessary effort.

  -  Consider using one property system for the Regional Offices and the Finance Center for capital equipment.

  -  Work towards quarterly reporting of capital equipment. Specifically, the Service should post acquisitions and dispositions for all capital equipment, as well as depreciation to FFS on a periodic basis throughout the year. Ensure depreciation policies are consistently applied.

  -  Ensure any corrections to prior year capital equipment are properly evaluated as potential prior period adjustments.

  -  Record capital equipment transferred balances from other agencies at net book value not original acquisition cost.

  -  Modify regional property reconciliations to streamline the process and provide the Finance Center necessary information.

  -  Reevaluate the timing of annual physical inventories considering financial reporting requirements.

Management Response

The Service recognizes that the processes governing the reporting of accurate information regarding capitalized equipment could be improved. Last year, the Service established a Capitalized Equipment Workgroup (CEW) to address specific audit findings regarding the Service's FY 2000 financial statements. The work of the CEW continues this year. Below are detailed actions taken or planned to implement KPMG's recommendations:

  -  Use one property system for capitalized equipment - The Service has identified a candidate for a Service-wide system and is currently developing an implementation plan. Target Date: June 2002. 

  -  Work toward quarterly reporting, with appropriate application of depreciation policies - Depreciation relating to capital equipment will be updated in FFS to coincide with quarterly reports and policy and procedures for recording capital equipment in FFS will be reviewed and revised as necessary to ensure that capital equipment is reported accurately in FFS. This process will also be applied to reporting on buildings, structures, and construction work-in-progress, as outlined in C, below. Target Date: July 2002. 

  -  Evaluate corrections to prior year capital equipment - The Service will review and revise, as necessary, processes for correcting prior year capital equipment transactions so that the impact of corrections on prior year recorded amounts are recognized and appropriate prior year adjustments are made. Target Date: September 2002. 

  -  Record capital equipment at net book value - Service policies and procedures governing the recording to transferred capital equipment will be evaluated and revised, as necessary, to ensure that transfers are recorded at net book value. Target Date: June 2002. 

  -  Modify and streamline Regional property reconciliations - The Service is reviewing its property management processes and systems to facilitate monthly and quarterly reconciliations with FFS. Also, the Service will review processes to evaluate whether proper information is being exchanged timely. Target Date: August 2002. 

  -  Evaluate the timing of annual inventories - The Service will re-evaluate the timing of annual physical inventories to assess the impacts of current schedules and whether a change is necessary to ensure timely submission of information for financial statement reporting of personal property inventory. Target Date: July 2002. 

C.   Controls, Processes, and Financial Reporting Relating to Buildings, Structures, and Construction Work in Process

  -  The Service needs to improve its controls and processes associated with the accounting for and reporting of buildings, structures and construction work in process (CWIP). During our audit, we noted the following:

  -  The Service only records certain adjustments to the official Property, Plant, and Equipment (PP&E) accounting records semi-annually for buildings and structures, and construction work in process. The Service records depreciation only at year end. Further, the Service only records adjustments to the official accounting records for land at year end.

  -  The Service's Regional Offices and the Finance Center use the Real Property Inventory (RPI) system, a separate system from FFS, to track buildings and structures. Service personnel perform an intensive, manual reconciliation twice a year to accumulate accurate and complete financial data for construction work in process, buildings, and structures. The Finance Center uses an Excel spreadsheet to support the buildings and structures balance in the financial statements. The Finance Center updates the spreadsheet twice a year with additions and disposals.

  -  The Service did not complete its CWIP review in a timely manner in fiscal year 2001.  As a result, there was a delay in the Service's financial reporting process. We also noted errors in the Service's evaluation of asset capitalization and expense.

  -  The Service reused property numbers in RPI for new acquisitions that replaced existing facilities. This caused errors in depreciation expense.

  -  The Service changed the useful lives and acquisition dates of certain buildings and structures. Some changes were made in error and others were made to correct errors in the RPI system. The Service did not evaluate the effect of these changes on prior period recorded amounts. However, for at least the third straight year, the Service did make other prior period adjustments to buildings and structures in fiscal year 2001.

  -  The Service assigns a useful life of 30 years to all buildings and structures regardless of location, function, or type of construction.

  -  The Service depreciates building improvements over 30 years as opposed to the remaining useful life of the related structure.

The Service does not have an adequate financial reporting system for buildings, structures, and CWIP. As a result, the Service's process for financial reporting is manually intensive, accumulating information from numerous sources and systems. As a result of the number of systems used and the amount of manually intensive work involved, the Service's processes in this area are inefficient. Also, these assets may be misstated in the financial statements based on the Service's timing of financial reporting, useful lives of assets, and depreciation policies.

Recommendation

The Service should:

  -  Evaluate current buildings, structures, and CWIP processes to streamline efforts, ensure timely information is available for financial reporting and eliminate misstatements.

  -  Work towards quarterly reporting of buildings, structures, and CWIP. Specifically, the Service should post acquisitions and dispositions for all buildings, structures, and CWIP, as well as depreciation, to FFS on a periodic basis throughout the year.

  -  Train Regional Offices on the use of RPI, specifically focusing on the reuse of property numbers and changes to acquisition dates.

  -  Evaluate the useful lives of buildings and structures to ensure appropriateness given the expected use of the assets.

  -  Change the useful life of building improvements to the remaining useful life of the related structure.

  -  Ensure leasehold improvements are evaluated for capitalization.

Management Response

This recommendation crosses several operational areas of responsibility within the Service at all levels of the organization. Completing these recommendations will require a coordinated effort of the entire Directorate, with focused leadership from the Service's Refuge and Fish Hatchery Programs. Actions taken or planned to address KPMG's recommendations are:

  -  Evaluate processes to streamline efforts and ensure that real property information is timely and accurate - Improved maintenance of property is high priority of the Service and the Department and considerable improvements have been made to enhance the reliability of property information. The Service plans to amend the Real Property Inventory (RPI) database to generate a report that identifies the mechanisms through which assets were either acquired or disposed and the additions to the RPI resulting from the conduct of condition assessments. Target Date: September 2002.

The Service will review and streamline CWIP processes to increase efficiencies through automated processes: Target Date: July 2002.

  -  Work toward quarterly reporting - The Service needs to establish processes and procedures to accomplish quarterly reporting of information pertinent to the management of buildings, structures, and CWIP. Our commitment will build from revisions made to the RPI database, changes made to existing reconciliation processes, and guidance from the Department on appropriate reporting of quarterly amounts and balances related to buildings, structures, and CWIP. This process will be coordinated with reporting on capitalized equipment, as outlined in B above. Target Date: July 2002. 

  -  Train personnel on the use of the RPI - The Service recognizes that the reuse of old property numbers and unsubstantiated changes to acquisition dates need to be avoided. We will lock database fields, refine user instructions, and complete additional training. Target Date: September 2002.

  -  Evaluate useful lives of buildings and structures, including remaining useful of building improvements - We will refine the criteria for calculating the useful life of buildings, including the remaining useful life of building improvements. The Service will use the revised criteria to allocate improvement funds, report accomplishments, and determine proper accounting treatments. Target Date: September 2002.

  -  Evaluate leasehold improvements for capitalization - The Service will evaluate existing policy and provide clarifying guidance to implement this suggestion. Target Date: July 2002. 

D.   Security and General Controls Over Financial Management Systems

Despite the fact that the Service has made recent improvements in the security and controls over its information systems, controls need to be improved in the areas described below, as required by OMB Circular A-130, Management of Federal Information Resources. These conditions could affect the Service's ability to prevent and detect unauthorized changes to financial information, control electronic access to sensitive information, and protect its information resources.

Entity-wide Security Program and Planning: An entity-wide security program, including security policies and a related implementation plan, is the foundation of an entity's security control structure and a reflection of senior management's commitment to addressing security risks. As outlined in OMB Circular A-130, an effective security program includes a risk assessment process, a certification process, and an effective incident response and monitoring capability. The Service does not have a comprehensive entity-wide security plan, which identifies established security plans, security program management and related personnel, as well as ongoing management of security policies and procedures. Specifically, the Service has not:

  -  Performed comprehensive entity-wide risk assessments of its general support systems and major applications systems and reviewed these assessments for accuracy and completeness.

  -  Finalized and implemented comprehensive security policies to include the establishment of a security management structure and clearly assigned security responsibilities.

  -  Established consistent security-related personnel policies and procedures.

  -  Established and enforced entity-wide computer security training.

Access Controls: Access controls should provide reasonable assurance that computer resources (data files, application programs, and computer-related facilities and equipment) are protected against unauthorized modification, disclosure, loss, or impairment. The objectives of limiting access are to ensure that: (1) users have only the access needed to perform their duties; (2) access to very sensitive resources, such as security software programs, is limited to very few individuals; and (3) employees are restricted from performing incompatible functions or functions beyond their responsibilities. The Service did not have adequate controls to limit or detect access to certain information systems in order to protect against unauthorized modification, loss and disclosure of data. We noted:

  -  Lack of adherence to the Service's policy for maintaining individual user accounts.

  -  Weak access controls and password management for the network and remote field stations.

  -  Weaknesses with network security through configuration management.

  -  Need for a Service-wide policy for routine revalidation of users to general support systems and specific applications.

  -  Weak internal access authentication.

  -  Need for entity-wide password administration standards.

  -  Need for continued implementation of firewalls and configuration of standard rules.

Software Development and Change Controls: Establishing controls over the modification of application software programs help to ensure that only authorized programs and authorized modifications are implemented. Without proper controls, there is a risk that security features could be inadvertently or deliberately omitted or "turned-off," or that processing irregularities could be introduced.  The Service has not fully developed procedures for controlling changes over application software that would prevent unauthorized programs or modifications to an existing program from being implemented. In addition, duties are not properly segregated as application programmers responsible for making changes over application software also approve these changes and move them to production.

System Software Controls: Controls over the modification of system software change controls should provide reasonable assurance that operating system controls are not compromised. Without proper system software controls, unauthorized individuals using the system software could circumvent controls to read, modify, or delete critical or sensitive information or programs. The Service has not fully established system software controls that limit and monitor access to the programs and sensitive files that control the computer hardware and secure applications supported by the system. The Service has not fully developed procedures to ensure that tests of system software changes are performed and documented, system software changes are reviewed, approval is documented before implementation, and duties are properly segregated.

Segregation of Duties: Segregation of duties is important to ensure the division of roles and responsibilities and steps in critical functions are designed in information systems so that no one individual can undermine the process. We noted weaknesses in the Service's segregation of duties for its information systems, specifically relating to:

  -  Policies and procedures governing the identification, assignment, and monitoring of National 

  -  Communications Center (NCC) information functions.

  -  Policies addressing incompatible duties access.

  -  Job functions between security and systems administration and application programming functions.

Service Continuity: Losing the capability to process, retrieve, and protect information maintained electronically could significantly impact the Service's ability to accomplish its mission. Thus, procedures should be in place to protect information resources, minimize the risk of unplanned interruptions, and recover critical operations should interruptions occur. To mitigate the risk of service interruptions, the Service needs to improve its Service-wide Continuity of Operations Plans so that critical systems are prioritized, responsibilities are clearly assigned, alternate processing is clearly identified, restoration of critical functions is addressed, and the plans have been tested.

National Business Center: The Department of the Interior National Business Center (NBC) administers several of the Service's financial management systems, including: the Federal Personnel and Payroll System (FPPS), Federal Financial System (FFS), Hyperion, and the Interior Department Electronic Acquisitions System (IDEAS). Although NBC has recently improved the security and controls over these information systems, NBC needs to continue improvements in the areas of: entity-wide security planning, configuration of operating systems, system software controls, software development and change controls, and service continuity. Weaknesses in these control areas could affect the Service's ability to prevent and detect unauthorized changes to its financial information and increases the Service's need for less efficient manual controls to monitor and reconcile financial information.

Recommendation

We recommend that the Service develop and implement a formal action plan to improve the security and general controls over the financial management systems. This plan should address each of the areas discussed above, as well as other areas that might impact the EDP control environment to ensure adequate security and protection of the Service's financial management systems. We also recommend that the Service annually obtain appropriate assurance (similar to a SAS 70 Type II report) from the NBC that adequate security and controls are in place over the financial management systems the NBC administers.

Management Response

While the Service agrees with the general finding that controls need to be improved in the areas indicated by KPMG, we disagree that there is sufficient risk to endanger financial management statements or operations. Plans to improve controls are underway and will occur in two phases. In the first phase, policies and guidelines relating to IT security are being revised to address the cited areas of weakness. Target Date: July 2002. 

During the second phase, programs and Regions cited during the audit will be monitored to ensure corrective actions are being taken to bring their operations into compliance with new policies. 

Target Date: September 2002. 

Although the Service is not in a position to address the finding regarding the National Business Center (NBC), the Service agrees to secure from NBC appropriate assurances regarding the adequacy of their security and controls in place over the systems they administer. Target Date: July 2002. 

We noted the following reportable condition that is not considered to be a material weakness:

E.   Financial Reporting of the Sport Fish Restoration Account

Title 26 USC Section 9504 establishes the Aquatic Resources Trust Fund (ARTF) and authorizes the transfer of certain taxes received by the Department of Treasury. Appropriations are made from the ARTF to two accounts: the Service's Sport Fish Restoration Account (SFRA) and the Boat Safety Account (BSA) of the United States Coast Guard (Coast Guard). 

We noted that the Service recorded budget authority for the SFRA based on appropriation transfers from Treasury on the SF-1151. According to public law, the SFRA, reported in the Service's budget, was appropriated approximately $417 million in fiscal year 2001 and was to make appropriation transfers to the Corps of Engineers and Coast Guard of approximately $117 million. In fiscal year 2001 only $81.1 million was drawn down by the Corps of Engineers and Coast Guard. Although the flow of funds via Treasury's SF-1151 indicated the Service itself drew down approximately $295 million, the Service should have recorded the full appropriation of $417 million in its financial records and corresponding appropriation transfers of $81.1 million.

In accordance with Statement of Federal Financial Accounting Standard No. 7, Accounting for Revenue and Other Financing Sources, and Statement of Federal Financial Accounting Concepts Number 2, Entity and Display, beginning in fiscal year 2001, the ARTF is recorded in the financial statements of the Service. While the Service obtains a majority of the financial information from the Treasury's Bureau of Public Debt to record the ARTF, it should also record the SFRA budget authority and cash draws in order to accurately and completely reflect amounts due to other program agencies.

We noted the three different Divisions within the Service (the Division of Budget, Division of Federal Aid, and Division of Finance) record the SFRA budget authority and two Divisions record cash draws. These three Divisions' amounts for the difference between budget authority and cash drawn did not agree. Also, the Service could not initially provide supporting documentation for the $400 million SFRA receivable in its financial records which represented monies undrawn from the SFRA by the Service. The Service did reconcile this receivable to its underlying accounting records.

The Service recorded the ARTF in its financial statements for the first time in fiscal year 2001 and did not have adequate communication between the Division of Budget, Division of Federal Aid and Division of Finance regarding account balances of SFRA. In order to fairly present its financial statements, the Service should ensure that the appropriate information is available to record the ARTF and that the SFRA appropriation is properly recorded.

Recommendation

The Service should implement policies and procedures to ensure transactions relating to the ARTF and SFRA are accurately and completely reported in the Federal Financial System and its financial statements. These policies and procedures should include:

  -  Completing the Memorandum of Understanding between the Service and applicable agencies relating to SFRA. The Memorandum should ensure that information is available to properly record the ARTF in the financial statements of the Service in a timely manner.

  -  Ensuring adequate communication is made between the Service's Division of Budget, Division of Federal Aid, and Division of Finance regarding to the completeness and accuracy of the SFRA account balances, including remaining budget authority of the Service, Corps of Engineers, and Coast Guard.

  -  Recording, in accordance with the federal budget, the SFRA appropriation and related appropriation transfers to the Corps of Engineers and Coast Guard.

Management Response

This year was the first year for reporting the ARTF. The Memorandum of Understanding (MOU) being drafted will seek to clarify the roles and responsibilities of the Service, the U.S. Coast Guard, and the Corps of Engineers. Approval of the MOU is the responsibility of the Office of Management and Budget and the Department of the Treasury. The MOU will identify the specific responsibilities of the Bureau of Public Debt in the Department of the Treasury to make monthly and periodic reports available to the Service and other program agencies regarding financial activity of the ARTF. Full implementation of this recommendation will require the coordinated participation of all agencies responsible for managing and expending ARTF funds. Target Date: September 2002. 

A summary of the status of prior year reportable conditions is included as Exhibit I. We also noted other matters involving the internal control over financial reporting and its operation that we have reported to the management of the Service in a separate letter dated January 21, 2002.

Compliance With Laws and Regulations

The results of our tests of compliance with the laws and regulations described in the responsibilities section of this report, exclusive of FFMIA, disclosed no instances of noncompliance that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.
The results of our tests of FFMIA disclosed instances, described below, where the Service's financial management systems did not substantially comply with Federal financial management systems requirements and Federal accounting standards.

F.   Financial Management Systems Requirements

As discussed in the section of our report entitled, Internal Control over Financial Reporting, the Service needs to improve its EDP security and general control environment. As a result, the Service does not substantially comply with the EDP security and general control requirements of OMB Circular A-130, Management of Federal Information Resources.

Recommendation

We recommend that the Service take the necessary actions to improve security and general controls over its financial management systems in accordance with requirements set forth in OMB Circular A-130 in fiscal year 2002.

Management Response

The Service has made substantial efforts with limited resources to comply with OMB Circular A-130 and acknowledges that it needs to make improvements. The Service believes that the actions outlined in our response to finding D, in the Internal Control over Financial Reporting section will correct the issues that led to this finding.

G.   Federal Accounting Standards

The Service is required to prepare its financial statements in accordance with Federal accounting standards. As discussed in the section of this report entitled, Internal Control over Financial Reporting, we identified material weaknesses that affected the Service's ability to prepare its financial statements and related disclosures in accordance with Federal accounting standards. The foregoing material weaknesses in internal control are also an indicator of noncompliance with FFMIA provisions relating to Federal accounting standards.

Recommendation

We recommend that the Service strengthen its procedures and internal control to ensure that its financial statements and related disclosures are prepared in accordance with Federal accounting standards.

Management Response

The Service acknowledges that its processes for preparing its financial statements and related disclosures can be improved. The Service believes that the actions outlined in our responses to the findings in the Internal Control over Financial Reporting section will correct the issues that led to this finding.

The results of our tests disclosed no instances in which the Service did not substantially comply with the United States Government Standard General Ledger at the transaction level.

Responsibilities

Management's Responsibility

The Government Management Reform Act of 1994 (GMRA) requires federal agency's to report annually to Congress on its financial status and any other information needed to fairly present its financial position and results of operations. To meet the GMRA reporting requirements, the Service prepares annual financial statements.

Management is responsible for:

  -  Preparing the financial statements in conformity with accounting principles generally accepted in the United States of America;

  -  Establishing and maintaining internal controls over financial reporting, required supplementary stewardship information, and performance measures; and

  -  Complying with laws and regulations, including FFMIA.

In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies.

Auditors' Responsibility

Our responsibility is to express an opinion on the fiscal year 2001 financial statements of the Service based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02. Those standards and OMB Bulletin No. 01-02 require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement.

An audit includes:

  -  Examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements;

  -  Assessing the accounting principles used and significant estimates made by management; and

  -  Evaluating the overall financial statement presentation.

We believe that our audit provides a reasonable basis for our opinion.

In planning and performing our fiscal year 2001 audit, we considered the Service's internal control over financial reporting by obtaining an understanding of the Service's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 01-02 and Government Auditing Standards. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to provide assurance on internal controls over financial reporting. Consequently, we do not provide an opinion on internal control over financial reporting.

As required by OMB Bulletin No. 01-02, we considered the Service's internal control over Required Supplementary Stewardship Information by obtaining an understanding of the Service's internal control, determining whether these internal controls had been placed in operation, assessing control risk, and performing tests of controls. Our procedures were not designed to provide assurance on internal control over Required Supplementary Stewardship Information and, accordingly, we do not provide an opinion on such controls.

As further required by OMB Bulletin No. 01-02, with respect to internal control related to performance measures determined by management to be key and reported in the Supplementary Information on Service Performance and financial highlights of Service Financial Performance, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions. Our procedures were not designed to provide assurance on internal control over performance measures and, accordingly, we do not provide an opinion on such controls.

As part of obtaining reasonable assurance about whether the Service's fiscal year 2001 financial statements are free of material misstatement, we performed tests of the Service's compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 01-02, including certain provisions referred to in FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws and regulations applicable to the Service. Providing an opinion on compliance with laws and regulations was not an objective of our audit, and, accordingly, we do not express such an opinion.

Under FFMIA, we are required to report whether the Service's financial management systems substantially comply with: (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA section 803(a) requirements.

Distribution

This report is intended for the information and use of United States Fish and Wildlife Service management, Department of the Interior, Department of the Interior's Office of the Inspector General, OMB, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

/signed KPMG LLP/

January 21, 2002

Exhibit I

UNITED STATES FISH AND WILDLIFE SERVICE
Summary of the Status of Prior Year Reportable Conditions
September 30, 2001

The table that was included in the report has been converted to text only, see the pdf version of the report for the table format.  The statust of the prior year reportable conditions are shown as reference number, condition and status in the text which follows:

2000 - A.   Undelivered Orders should be reviewed in a timely and comprehensive manner.
This condition has been corrected. 

2000 - B.   Construction-in-Progress reconciliation procedures need improvement in order to detect and correct errors in a timely manner.
This condition has not been corrected and is repeated in FY 2001.

2000 - C.   Reporting processes for grantees needs improvement to ensure grantees provide documentation to support costs incurred for Federal Aid Grants.
This condition has been corrected.

2000 - D.   Capital equipment reconciliation processes need to be more effective.
This condition has not been corrected and is repeated in FY 2001.

2000 - E.   Procedures for recording capital equipment need to be improved.
This condition has not been corrected and is repeated in FY 2001.

2000 - F.   General controls over automated systems need improvement.
This condition has not been corrected and is repeated in FY 2001.

2000 - G.   Stewardship investments funded through grants for nonfederal physical property should be reported.
This condition has been corrected.

ATTACHMENT 2

Independent Auditors' Report

To:      Acting Director, U.S. Fish and Wildlife Service

Subject:     U.S. Fish and Wildlife Service's Financial Statements for Fiscal Year 2000

We have audited the U.S. Fish and Wildlife Service's (FWS) consolidated balance sheet and related notes as of September 30, 2000. The objective of our audit was to express an opinion on the fair presentation of the consolidated balance sheet. This financial statement is the responsibility of the FWS, and our responsibility is to express an opinion, based on our audit, on this financial statement.

We conducted our audit in accordance with the auditing standards generally accepted in the United States of America; the standards for financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and with Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.  These standards and OMB Bulletin No. 01-02 require that we plan and perform our audit to obtain reasonable assurance as to whether the accompanying consolidated balance sheet and related notes are free of material misstatement.  An audit includes examining, on a test basis, evidence supporting the amounts and disclosures contained in the consolidated balance sheet and the accompanying notes.  An audit also includes assessing the accounting principles used and the significant estimates made by management, as well as evaluating the overall consolidated balance sheet presentation.  We believe that our audit of the consolidated balance sheet provides a reasonable basis for our opinion.

In our opinion, the consolidated balance sheet referred to above presents fairly, in all material respects, the financial position of the FWS as of September 30, 2000 in conformity with accounting principles generally accepted in the United States of America.

As discussed in Notes 16 to the financial statements, the FWS restated its previously reported consolidated statement of financial position (balance sheet) amounts for corrections related to depreciation of buildings and structures and grantee expenses, and for a change in its reporting policies to include the Aquatic Resources Trust Fund in its statements (see also Note 15).

In our report dated February 14, 2001, we expressed an opinion that FWS' statement of net cost for the year ended September 30, 2000 presented fairly, in all material respects, it's net cost of operations in conformity with accounting principles generally accepted in the United States of America.  As described in Note 1M, FWS has restated its statement of net cost for the year ended September 30, 2000 to conform with the presentation of net cost for the year ended September 30, 2001.  We did not audit the restated statement of net cost for the year ended September 30, 2000, and accordingly, we do not express an opinion on this statement and related notes.

/Signed/

Roger La Rouche
Assistant Inspector General for Audits
February 14, 2001, except for Notes 15 and 16
as to which the date is January 11, 2002