[Independent Auditors' Report on the Minerals Management Service's Financial Statements for Fiscal Years 2002 and 2001]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 2003-I-0030

Title: Independent Auditors' Report on the Minerals Management
       Service's Financial Statements for Fiscal Years 2002 and
       2001


Date:  March 7, 2003

**********DISCLAIMER********** 
This file contains an ASCII representation of an OIG report. No attempt has been made to display graphic images or illustrations. Some tables may be included, but may not resemble those in the printed version. A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202) 219-3841. 
******************************

March 7, 2003

Memorandum

To:	Director, Minerals Management Service 

From:	Roger La Rouche
	Assistant Inspector General for Audits

Subject:	Independent Auditors' Report on the Minerals Management Service's Financial Statements for Fiscal Years 2002 and 2001 (No. 2003-I-0030)

	We contracted with KPMG LLP (KPMG), an independent certified public accounting firm, to audit the Minerals Management Service's (MMS) financial statements as of September 30, 2002 and for the year then ended.  The contract required that KPMG conduct its audit in accordance with the Comptroller General of the United States of America's Government Auditing Standards, the Office of Management and Budget's Bulletin 01-02 Audit Requirements for Federal Financial Statements, and the General Accounting Office/President's Council on Integrity and Efficiency's Financial Audit Manual.

	In its audit report dated December 2, 2003 (Attachment 1), KPMG issued an unqualified opinion on MMS's financial statements.  KPMG identified three reportable conditions, none of which were considered to be material weaknesses, related to internal controls and financial operations: (A) improve controls over information technology data security, (B) improve controls over investment reconciliation's, and (C) improve controls over the reporting of the Strategic Petroleum Reserve. With regard to compliance with laws and regulations, KPMG found MMS to be noncompliant with portions of the Federal Financial Management Improvement Act (FFMIA). Specifically, KPMG reported that MMS's financial management systems did not substantially comply with the federal financial management systems requirements or the United States Standard General Ledger at the transaction level.  

	In connection with the contract, we monitored the progress of the audit at key points, reviewed KPMG's report and selected related working papers, and inquired of its representatives.  Our review, as differentiated from an audit in accordance with the Government Audit Standards, was not intended to enable us to express, and we do not express, an opinion on the MMS's financial statements, conclusions about the effectiveness of internal controls, conclusions on whether MMS's financial management systems substantially complied with the three requirements of FFMIA, or conclusions on compliance with laws and regulations.  KPMG is responsible for the auditors' report and for the conclusions expressed in the report.  Our review has disclosed no instances where KPMG did not comply in all material respects with the Government Auditing Standards.

In the January 6, 2003, response from the Director, MMS (Attachment 2), MMS concurred with all the recommendations.  Based on the response recommendations A, B and C are considered resolved and implemented, and recommendations D and E are considered resolved but not implemented.  Recommendations D and E will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.
	
	Section 5(a) of the Inspector General Act (5 U.S.C. App. 3) requires the Office of Inspector General to list this report in its semiannual report to the Congress.



Attachments (2)

Independent Auditors' Report
Director of Minerals Management Service and Inspector General
U.S. Department of the Interior:
We have audited the accompanying consolidated balance sheets of the Minerals Management Service (MMS) as of September 30, 2002 and 2001, and the related statements of custodial activity for the years then ended, and the related consolidated statement of net cost, consolidated statement of changes in net position, combined statement of budgetary resources, and consolidated statement of financing for the year ended September 30, 2002. The objective of our audits was to express an opinion on the fair presentation of these financial statements. In connection with our audits, we also considered MMS's internal control over financial reporting and tested MMS's compliance with certain provisions of applicable laws and regulations that could have a direct and material effect on its financial statements.
Summary
As stated in our opinion on the financial statements, we concluded that the MMS's consolidated balance sheets, and the related statements of custodial activity as of and for the years ended September 30, 2002 and 2001, and the related consolidated statement of net cost, consolidated statement of changes in net position, combined statement of budgetary resources, and consolidated statement of financing for the year ended September 30, 2002 are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America. We did not audit the accompanying consolidated statement of net cost for the year ended September 30, 2001, and, accordingly, we do not express an opinion on it.
Our consideration of internal control over financial reporting resulted in the following conditions being identified as reportable conditions:
A. Improve Information Technology (IT) data security control weaknesses
B. Improve controls over investment reconciliations
C. Improve controls over the reporting of the Strategic Petroleum Reserve (SPR)
We do not consider the reportable conditions, above, to be material weaknesses.
The results of our tests of compliance with the laws and regulations, exclusive of the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed no instances of noncompliance that are required to be reported herein under Government Auditing Standards, issued by the Comptroller General of the United States, or Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.
The results of our tests of FFMIA disclosed instances where MMS's financial management systems did not substantially comply with the federal financial management system requirements and the U.S. Standard General Ledger at the transaction level.
The following sections discuss our opinion on MMS's financial statements, our consideration of MMS's internal control over financial reporting, our tests of MMS's compliance with certain provisions of applicable laws and regulations, and management's and our responsibilities.
Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of the MMS as of September 30, 2002 and 2001, and the related statements of custodial activity for the years then ended, and the consolidated statement of net costs, consolidated statement of changes in net position, combined statement of budgetary resources, and consolidated statement of financing for the year ended September 30, 2002. The accompanying consolidated statement of net cost for the year ended September 30, 2001 was not audited by us and, accordingly, we do not express an opinion on it.
In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of the MMS as of September 30, 2002 and 2001, and its custodial activities for the years then ended, and its net costs, changes in net position, budgetary resources, and reconciliation of net costs to budgetary obligations, for the year ended September 30, 2002, in conformity with accounting principles generally accepted in the United States of America.
The information in the Management's Discussion and Analysis and Required Supplementary Information sections is not a required part of the financial statements, but is supplementary information required by accounting principles generally accepted in the United States of America or OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.
Our audits were conducted for the purpose of forming an opinion on the consolidated financial statements taken as a whole. The consolidating balance sheet as of September 30, 2002 is presented for purposes of additional analysis of the consolidated balance sheet as of September 30, 2002 rather than to present the financial position of the MMS's components individually. The consolidating balance sheet as of September 30, 2002 has been subjected to the auditing procedures applied in the audit of the consolidated balance sheet as of September 30, 2002 and, in our opinion, is fairly stated in all material respects in relation to the consolidated balance sheet as of September 30, 2002 taken as a whole.
Internal Control Over Financial Reporting
Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect MMS's ability to record, process, summarize, and report financial data consistent with the assertions by management in the financial statements.
Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements, in amounts that would be material in relation to the financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. 
In our fiscal year 2002 audit, we noted the following matters involving internal control over financial reporting and its operation that we consider to be reportable conditions. However, we do not consider these reportable conditions to be material weaknesses. 
A. Improve Information Technology Data Security Control Weaknesses
While we have noted that MMS has made certain improvements during fiscal year 2002 in meeting the security policies and procedure requirements of OMB Circular A-130, Security of Federal Automated Information Resources, we continue to note that MMS did not have adequate information security policies and procedures to meet the requirements of OMB Circular A-130. OMB Circular A-130 provides requirements to ensure adequate security for information relating to general support systems and major application systems. MMS also did not have effective policies and procedures to control and protect information systems. Specifically, we noted weaknesses in the following areas:
1. Entity-wide Security Program:  MMS's security plan did not contain all of the information required by OMB Circular A-130, Appendix III. Specifically, MMS did not perform an adequate risk assessment of the Advanced Budget/Accounting Control and Information System (ABACIS).
2. System Software Controls:  MMS did not establish controls to monitor operating system activities and operating system security parameters have not been set for effective logging of user activity. In addition the security monitoring and reporting process in relation to the Minerals Revenue Management Financial System (MRMFS) does not include all information systems platforms and components. 
3. Service Continuity:  MMS had not conducted recent tests of its contingency plans to minimize the risk of unplanned interruptions and to minimize the risk of recovery of critical operations to protect data should interruptions occur. In relation to the MRMFS management has not performed a walk-through test of contingency plan scenarios, nor was there documentation of the contingency plan on site. Moreover, MRM has not participated in, or reviewed the results of, the test of the contingency plan performed by UsiNet.
4. Program Development Testing: MMS did not properly address failed general ledger test scripts during the migration process. While a complete list of test script failures was compiled at the time of conversion, there is currently no project management process in place to ensure that failures are being addressed in an accurate and timely manner. 
Recommendation
MMS should improve controls over information technology systems to ensure adequate security and protection of information resources. MMS should test contingency plans annually and analyze the results once testing has been conducted. MMS should also document and implement a project plan to ensure that each of the failed test scripts is effectively addressed and resolved.
Management's Response
Entity-wide Security Program:  This recommendation has been implemented. An independent risk assessment of the ABACIS was completed by RGII on August 20, 2002. The cover was provided to KPMG as evidence that an assessment had been conducted. MMS acknowledges that the assessment was not completed by the original target date of June 30, 2002.
System Software Controls:  This recommendation as it pertains to the ABACIS has been implemented. All access to the Hewlett Packard (HP), operating platform for the ABACIS, are logged on the console. Reports are available and MMS staff have begun monitoring these reports bi-weekly. Systems manager capabilities are limited to only two MMS employees (located in the A&B Information Resources Technology Division). Application development is limited to staff in Financial Management. MMS believes that this level of monitoring is sufficient to ensure the HP operating system is not degraded by unauthorized use.
With respect to the MRM Financial System, MMS recognizes the need to update its policies and procedures to reflect the new Minerals Revenue Management reengineered architecture. The ITC (Information Technology Center) recently formed an Architecture Group which includes responsibility for such documentation. The MRM Management is in the process of documenting and implementing policies and procedures including those for access requests, system software utilities, and SDLC methodologies. Target completion date is September 2003. However, an influencing factor in these ongoing revisions will be new guidance from the department and bureau level in all of these areas over the next six months.
Service Continuity:  Full compliance with this recommendation is in process. MMS has documented applicable contingency plans. As with all other DOI bureaus, MMS disabled its networks in response to the U.S. District Court order, dated December 6, 2001.  The Special Master's IT contractor (IBM) conducted extensive analysis and determined the MMS Gulf of Mexico Region provided the safest and most secure site to support reconnection of the bureau's Internet connections. MMS essentially tested its contingency plans by realigning the entire bureau's connections through the Gulf site. KPMG acknowledged this in the Notice of Findings and Recommendations issued for this item. 
Testing of the ABACIS contingency plans was not conducted because of firewall issues with the Office of Surface Mining and Reclamation (manager of the contingency site). Testing was completed November 30, 2002.
USi has developed a contingency plan, but MRM management does not have immediate access to the plan. What MMS does have is the USi contingency architecture and contingency test plan for testing November 8-11. MMS has received the results of this test. Lessons learned in the test focused on corrections to be made in future tests. 
Accenture and USi are contractually required to provide the contingency service so the test was a key process. In the absence of a demonstration that this service is not being provided, MMS does not see a need to have access to the USi contingency plan which covers internal processes and procedures for failover.
Program Development Testing:  This recommendation has been implemented. All failed initial test script results and workarounds and stringent internal controls were discussed with KPMG during the audit. MMS will document the impacts and risk assessment when a decision is made to not test or implement a particular software feature. Note, however, that MMS has a formal documented process used to request program modifications to the MRM Financial System (System Investigation Request [SIR]).  The request process must be documented, approved by the requesting supervisor and submitted to the contracting officer's technical representative for final approval. All SIRs are prioritized by MRM management and worked by the contractor as resources are available. The SIRs are tracked and monitored by MRM and the contractor to ensure completion of critical system modifications. Completion entails contractor system test, MRM review of system testing, MRM testing of the change(s), and MRM approval prior to production implementation. Additionally, MRM has acquired contractor resources to resolve general ledger problems for which a workaround was not identified.
B. Improve Controls Over Investment Reconciliations
We noted that quarterly reconciliations of investments held in the Environmental Improvement and Restoration Fund (EIRF) are not effectively performed to ensure that balances recorded in the general ledger agree to those reported by Treasury. In addition, certifications of investments balances to Treasury are not timely.
Recommendation
We recommend that management improve the reconciliation process to require periodic reconciliation of the amounts reported by Treasury to the general ledger. We also recommend that management implement policies that ensure Treasury certifications are performed within a reasonable time from the availability of information from Treasury.
Management's Response
This recommendation has been implemented. MMS procedures have been modified to require reconciliation of investment activity between the Treasury balances and the MRMFS general ledger. The General Ledger team supervisor reviews and confirms the reconciliation and certification process.  The delays in performing the Treasury certifications were due to the internet shutdown and workloads associated with the resultant backlogs.
C. Improve controls over the reporting of the Strategic Petroleum Reserve
We noted that calculations of Strategic Petroleum Reserve (SPR) amounts are not sufficiently reviewed to ensure an accurate calculation and recording of SPR amounts. During our test-work over the amount of recorded SPR collections, we noted that for the September calculation, incorrect Platts prices were used when valuing the SPR. Instead of using the September Platts prices, October prices were inadvertently used. The impact of using the incorrect Platts price was an overstatement of SPR Revenue and related Disposition of Revenue on the Statement of Custodial Activity by approximately $2.8 million. 
Recommendation
We recommend that management improve the management review of the SPR calculation process to ensure accurate recording of the SPR.
Management's Response
This recommendation has been implemented. MMS agrees with the spirit of the finding and recommendation, and has instituted an added quality assurance/quality control procedure to provide an independent review of all data and calculations used to arrive at the valuation of the wellhead crude oil volumes involved in the Strategic Petroleum Reserve (SPR) fill initiative. Additionally, MMS is tasking the Royalty-In-Kind (RIK) systems integrator contractor, Accenture LLP, with supporting the valuation of SPR wellhead crude oil volumes through the upcoming RIK oil management system implementation.
A summary of the status of prior year reportable conditions is included as Exhibit I. We also noted other matters involving internal control over financial reporting and its operation that we have reported to the management of MMS in a separate letter. 
Compliance with Laws and Regulations
The results of our tests of compliance with certain provisions of laws and regulations described in the Responsibilities section of this report, exclusive of FFMIA, disclosed no instances of noncompliance that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 01-02.
The results of our tests of FFMIA disclosed instances, described below, where MMS's financial management systems did not substantially comply with the federal financial management systems requirements and the U.S. Standard General Ledger at the transaction level.
D. Federal Financial Management System Requirements
As previously discussed in the Internal Control Over Financial Reporting section of this report, MMS did not have adequate information security policies and procedures to meet the federal financial management system requirements of FFMIA.
Recommendation
We recommend that management improve controls over information technology systems to ensure adequate security and protection of information resources and to meet the requirements of FFMIA.
Management's Response
MMS acknowledges deficiencies with respect to written security policies and procedures and has awarded a contract to SAIC to review and ensure MMS's full compliance with OMB Circular A-130 (also reference internal control response above). This effort will be completed by December 2003.
E. U.S. Standard General Ledger at the Transaction Level
The Minerals Revenue Management Financial System (MRMFS) is not in full compliance with FFMIA requirements in relation to the U.S. Standard General Ledger at the transaction level. During our test-work, we noted the following:
* Approximately 30 non-standard journal entries were required to be posted in order to produce a complete trial balance. 
* Accounting posting models, SGL accounts, and attributes are not consistent with Treasury standard models and the Department of the Interior (DOI) chart of accounts. For example, custodial revenue accounts 5740 and 5745 in the MRMFS system are not consistent with DOI guidance and must be converted to 5900 and 5990, respectively for reporting purposes. We also noted that posting requirements for general receipt accounts are not being used. These deficiencies, as well as other posting issues, required conversion of the data by SGL account for upload into the DOI reporting system.  
* Insufficient pre-established posting models exist to meet MRM's mission needs. We noted, for example, that there are not pre-established posting models to record investment activity, transfers of cash between federal and Indian business units, bonus money received on lease sales, and refunds. 
* System inability to properly post trading partner information that complicated and delayed the eliminations process between MMS and its trading partners.
Recommendation
We recommend that management develop and implement a corrective action plan to ensure that the MRMFS is developed to the extent necessary to meet the U.S. Standard General Ledger at the transaction level requirements of FFMIA.
Management's Response
MMS acknowledges that additional work is needed for full-compliance with this section of the FFMIA. System Investigation Requests (SIRs) have or will be documented to modify the accounting models to meet the U.S. Standard General Ledger transactional level requirements of FFMIA. Target completion date is June 30, 2003.
The results of our tests of FFMIA disclosed no instances in which the MMS financial management systems did not substantially comply with the federal accounting standards.
Responsibilities
Management's Responsibilities
The Government Management Reform Act of 1994 (GMRA) requires each federal agency to report annually to Congress on its financial status and any other information needed to fairly present its financial position and results of operations. To assist the Department of the Interior in meeting the GMRA reporting requirements, MMS prepares annual financial statements. 
Management is responsible for:
* Preparing the financial statements in conformity with accounting principles generally accepted in the United States of America;
* Establishing and maintaining internal controls over financial reporting, and preparation of the Management's Discussion and Analysis (including the performance measures);
* Complying with laws and regulations, including FFMIA.
In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies. Because of inherent limitations in internal control, misstatements, due to error or fraud may nevertheless occur and not be detected. 
Auditors' Responsibilities
Our responsibility is to express an opinion on the consolidated balance sheets of the MMS as of September 30, 2002 and 2001, and the related statements of custodial activity for the years then ended, and the related consolidated statement of net cost, consolidated statement of changes in net position, combined statement of budgetary resources, and consolidated statement of financing for the year ended September 30, 2002 based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards and OMB Bulletin No. 01-02. Those standards and OMB Bulletin No. 01-02 require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements referred to above are free of material misstatement.
An audit includes:
* Examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements;
* Assessing the accounting principles used and significant estimates made by management; and
* Evaluating the overall financial statement presentation. 
We believe that our audits provide a reasonable basis for our opinion.
In planning and performing our audits, we considered MMS's internal control over financial reporting by obtaining an understanding of the MMS's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 01-02 and Government Auditing Standards. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to provide assurance on internal control over financial reporting. Consequently, we do not provide an opinion thereon.
As required by OMB Bulletin No. 01-02, with respect to internal control related to performance measures determined by management to be key and reported in the Management's Discussion and Analysis, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions. Our procedures were not designed to provide assurance on internal control over performance measures and, accordingly, we do not provide an opinion thereon.
As part of obtaining reasonable assurance about whether MMS's financial statements are free of material misstatement, we performed tests of MMS's compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 01-02, including certain provisions referred to in FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws and regulations applicable to MMS. Providing an opinion on compliance with laws and regulations was not an objective of our audit and, accordingly, we do not express such an opinion.
Under OMB Bulletin No. 01-02 and FFMIA, we are required to report whether MMS's financial management systems substantially comply with (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA Section 803(a) requirements. 
Distribution
This report is intended for the information and use of Department of the Interior's management, Department of the Interior's Office of the Inspector General, OMB and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties. 

December 2, 2002

Exhibit I

Minerals Management Service
Summary of the Status of Prior Year Findings
September 30, 2002

Ref
Condition Area
Status
01-A
MMS did not have adequate information security policies and procedures to meet requirements of OMB Circular A130, Security of Federal Automated Information Resources.
While MMS has made some progress in addressing this issue, it has not fully corrected the condition related to Entity-wide Security Program, Access Controls, System Software Controls, Service Continuity. 
01-B
Improve Controls Over Year-end Accounts Payable and Accounts Receivable Accrual Process
Substantial progress has been made by MMS in addressing this issue and it is no longer considered a reportable condition.
01-C
Compliance with Laws and Regulations: Prompt Payment Act
Substantial progress has been made by MMS in addressing this issue and it is no longer considered a reportable condition. 
01-D
Compliance with Laws and Regulations:  FFMIA
Substantial progress has been made in addressing this issue and it is no longer considered a reportable condition in relation to the prior year finding. We did, however, identify non-compliance with system requirements and the U.S. SGL at the transaction level for the MRMFS system implemented in the current fiscal year. The finding in our current report is not related to the prior year non-compliance.