[Independent Auditors' Report on the U.S. Fish and Wildlife Service's Financial Statements for Fiscal Years 2002 and 2001]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 2003-I-0039

Title: Independent Auditors' Report on the U.S. Fish and Wildlife
       Service's Financial Statements for Fiscal Years 2002 and
       2001 


Date:  March 26, 2003

**********DISCLAIMER********** 
This file contains an ASCII representation of an OIG report. No attempt has been made to display graphic images or illustrations. Some tables may be included, but may not resemble those in the printed version. A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202) 219-3841. 
******************************


March 26, 2003

Memorandum

To:	Director, U.S. Fish and Wildlife Service

From:	Roger La Rouche
	Assistant Inspector General for Audits

Subject:	Independent Auditors' Report on the U.S. Fish and Wildlife Service's Financial Statements for Fiscal Years 2002 and 2001
	(No. 2003-I-0039)
	
	We contracted with KPMG LLP (KPMG), an independent certified public accounting firm, to audit the U.S. Fish and Wildlife Service's (Service) financial statements as of September 30, 2002 and for the year then ended.  The contract required that KPMG conduct its audit in accordance with the Comptroller General of the United States of America's Government Auditing Standards, the Office of Management and Budget's Bulletin 01-02 Audit Requirements for Federal Financial Statements, and the General Accounting Office/President's Council on Integrity and Efficiency's Financial Audit Manual.

	In its audit report dated January 10, 2003 (Attachment 1), KPMG issued a qualified opinion on the Service's financial statements for fiscal years 2002 and 2001.  KPMG's opinion was qualified because the Service was unable to provide adequate documentation to support the general property, plant and equipment balances stated as $935 million as of September 30, 2002, and $881 million as of September 30, 2001.  Previously KPMG, in its report dated January 21, 2002, issued an unqualified opinion on the Service's 2001 financial statements.  Because of the problems identified above, KPMG's opinion on the 2001 financial statements is different from that previously expressed.  KPMG identified eight reportable conditions related to the following internal controls and financial operations:  (1) processes, controls, and financial reporting relating to buildings, structures, and construction work in process, (2) financial reporting process, (3) reconciling transactions within the Service as well as with other Department of the Interior components, (4) controls, processes, and financial reporting relating to year-end accruals, (5) controls, processes, and financial reporting relating to capital equipment, (6) security and general controls over financial management systems, (7) grant controls and processes over reporting requirements, and (8) IDEAS-Procurement Desktop controls.  KPMG considers the first four reportable conditions to be material weaknesses.  With regard to compliance with laws and regulations, KPMG found the Service noncompliant with portions of the Federal Financial Management Improvement Act (FFMIA).  Specifically, KPMG reported that the Service's financial management systems were not in substantial compliance with Federal financial management systems requirements and Federal accounting standards.  

	In connection with the contract, we monitored the progress of the audit at key points, reviewed KPMG's report and selected related working papers, and inquired of its representatives.  Our review, as differentiated from an audit in accordance with the Government Audit Standards, was not intended to enable us to express, and we do not express, an opinion on the Service's financial statements, conclusions about the effectiveness of internal controls, conclusions on whether the Service's financial management systems substantially complied with the three requirements of FFMIA, or conclusions on compliance with laws and regulations.  KPMG is responsible for the auditors' report and for the conclusions expressed in the report.  Our review disclosed no instances where KPMG did not comply in all material respects with the Government Auditing Standards.

In the March 7, 2003, response from the Deputy Director  (Attachment 2), the Service concurred with all ten findings.  Based on the response all recommendations are considered resolved but not implemented.  The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.
	
	Section 5(a) of the Inspector General Act (5 U.S.C. App. 3) requires the Office of Inspector General to list this report in its semiannual report to the Congress.




Attachments (2)


Independent Auditors' Report
The Director of the United States Fish and Wildlife Service and 
the Inspector General of the Department of the Interior:
We have audited the accompanying consolidated balance sheets of the United States Fish and Wildlife Service (the Service) as of September 30, 2002 and 2001, the related consolidated statements of net cost for the years then ended, and the related consolidated statement of changes in net position, combined statement of budgetary resources, and consolidated statement of financing for the year ended September 30, 2002 (herein after referred to as the financial statements). The objective of our audits was to express an opinion on the fair presentation of these financial statements. In connection with our audits, we also considered the Service's internal control over financial reporting and tested the Service's compliance with certain provisions of applicable laws and regulations that could have a direct and material effect on its financial statements.
Summary
As stated in our opinion on the financial statements, except for the effects on the 2002 and 2001 financial statements of such adjustments, if any, as might have been determined to be necessary had we been able to apply adequate procedures to general property, plant, and equipment, we concluded that the Service's financial statements as of and for the years ended September 30, 2002 and 2001, are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America. 
As discussed in note 16 to the financial statements, the Service restated its fiscal year 2001 consolidated balance sheet and statement of net cost, and its beginning of fiscal year 2002 unobligated budgetary balance. Also, as discussed in note 16 to the financial statements, the Service changed its method of accounting for allocation transfers as of October 1, 2001.
Our consideration of internal control over financial reporting resulted in the following conditions being identified as reportable conditions:
Reportable Conditions that are Considered to be Material Weaknesses
A. Processes, controls, and financial reporting relating to buildings, structures, and construction work in process
B. Financial reporting process
C. Reconciling transactions within the Service as well as with other Department of the Interior components
D. Controls, processes, and financial reporting relating to year-end accruals

Other Reportable Conditions
E. Controls, processes, and financial reporting relating to capital equipment
F. Security and general controls over financial management systems
G. Grant controls and processes over reporting requirements
H. IDEAS-Procurement Desktop controls 
The results of our tests of compliance with the laws and regulations, exclusive of the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed no instances of noncompliance that are required to be reported herein under Government Auditing Standards, issued by the Comptroller General of the United States, or Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.
The results of our tests of FFMIA disclosed instances where the Service's financial management systems did not substantially comply with federal financial management systems requirements and federal accounting standards.
The following sections discuss our opinion on the Service's financial statements, our consideration of the Service's internal control over financial reporting, our tests of the Service's compliance with certain provisions of applicable laws and regulations, and management's and our responsibilities.
Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of the Service as of September 30, 2002 and 2001, the related consolidated statements of net cost for the years then ended, and the related consolidated statement of changes in net position, combined statement of budgetary resources, and consolidated statement of financing for the year ended September 30, 2002.
During our audit of the 2002 financial statements, we determined that as of September 30, 2002 and 2001, the Service had not maintained customary records for its real property assets, which represent the majority of general property, plant, and equipment included in the Service's financial statements. As a result, it was not practicable to extend our auditing procedures sufficiently to satisfy ourselves as to the accuracy, completeness and existence of general property, plant, and equipment stated at $935,384,000 and $880,634,000 in the accompanying consolidated balance sheets as of September 30, 2002 and 2001, respectively. Such amounts enter into the determination of net position. We expressed an unqualified opinion on the Service's 2001 financial statements in our report dated January 21, 2002. Our opinion on the 2001 financial statements, as presented herein, is different from that expressed in our previous report.
In our opinion, except for the effects on the 2002 and 2001 financial statements of such adjustments, if any, as might have been determined to be necessary had we been able to apply adequate procedures to general property, plant, and equipment, as discussed in the preceding paragraph, the financial statements referred to above present fairly, in all material respects, the financial position of the Service as of September 30, 2002 and 2001, its net costs for the years then ended, and its changes in net position, budgetary resources, and reconciliation of net costs to budgetary obligations for the year ended September 30, 2002, in conformity with accounting principles generally accepted in the United States of America.
As discussed in note 16 to the financial statements, the Service restated its fiscal year 2001 consolidated balance sheet and statement of net cost, and its beginning of fiscal year 2002 unobligated budgetary balance. Also, as discussed in note 16 to the financial statements, the Service changed its method of accounting for allocation transfers as of October 1, 2001.
The information in the management's discussion and analysis, required supplementary information and required supplementary stewardship information sections is not a required part of the financial statements, but is supplementary information required by accounting principles generally accepted in the United States of America and OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it. The Service changed its method for calculating deferred maintenance in fiscal year 2002 to make its estimate consistent with calculations made within the Department of the Interior. This method resulted in an increase in the deferred maintenance estimate.
Internal Control Over Financial Reporting
Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect the Service's ability to record, process, summarize, and report financial data consistent with the assertions by management in the financial statements.
Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
In our fiscal year 2002 audit, we noted certain matters involving internal control over financial reporting and its operation that we consider to be reportable conditions. We believe that the following reportable conditions are material weaknesses. 
A.	Processes, Controls, and Financial Reporting Relating to Buildings, Structures, and Construction Work in Process
The Service needs to improve processes and controls over the recording of buildings, structures, and construction work in process as follows:
1. Capitalization of Assets - The Service does not consistently capitalize real property. Specifically, we determined that the Service capitalized stewardship land improvements that should have been expensed and the Service expensed real property associated with stewardship land that should have been capitalized. In addition, we determined that the Service does not have adequate procedures to determine, at the inception of a lease, if the lease should be accounted for as a capital or operating lease. 
2. Inventory Processes - The Service completes inventories as part of its annual data call to confirm the accuracy, existence, and completeness of certain real property. We noted that the physical inventory processes are not effective as they do not consistently identify acquisitions and disposals that need to be reflected in the financial statements. We also noted that the Service does not adjust the general ledger or Real Property Inventory (RPI) system based on the inventory results in a timely manner. 
3. Acquisitions and Disposals - The Service does not consistently record real property acquisitions and disposals in a timely manner. Specifically, we determined that the Service expends a significant amount of time and resources identifying and recording real property transactions after the end of the fiscal year. Furthermore, we noted that the Service does not consistently maintain source documents to support the acquisition and disposal of real property. 
4. Transfers and Donation - The Service does not have controls to ensure real property transferred and donated to the Service is properly recorded. 
5. Recording Depreciation - The Service has not established and implemented controls to ensure depreciation starts when assets are placed in service and to ensure useful lives of real property and improvements to real property are consistently applied for the purposes of recording depreciation. In addition, the Service does not calculate or record depreciation until the end of the year. 
6. Reconciliation RPI to the General Ledger - The Service is not able to accurately and efficiently reconcile RPI to the general ledger for real property. 
As a result of these material weaknesses, the Service expended a significant amount of time and resources analyzing, counting, reconciling, and adjusting real property. Also, the Service had not maintained customary records for its real property assets, which represent the majority of general property, plant, and equipment included in the Service's financial statements. Consequently, it was not practicable to extend our auditing procedures sufficiently to satisfy ourselves as to the accuracy, completeness, and existence of general property, plant, and equipment stated at $935,384,000 and $880,634,000 in the consolidated balance sheets as of September 30, 2002 and 2001, respectively. 
Recommendation
1. Capitalization of Assets 
a. We recommend that the Service develop a formal real property capitalization policy. This policy should indicate the types of disbursements that should be capitalized, expensed as acquisition and improvements to stewardship land, or expensed because they are incidental to the acquisition of stewardship land. 
b. We also recommend that the Service establish procedures to determine, at the inception of the lease, if the lease should be accounted for as a capital or operating lease. 
c. Further, we recommend that the Service communicate the real property policy and lease procedures by providing training to the individuals implementing the real property policy and lease procedures. 
2. Inventory Processes 
a. We recommend that the Service improve its inventory processes to verify the accuracy, existence, and completeness of real property. The Service should establish required inventory policies and train individuals on how to perform inventories. 
b. We also recommend that the Service record adjustments to RPI and the general ledger as a result of the inventory observations in a more timely manner. 
3. Acquisitions and Disposals 
a. We recommend that the Service implement internal controls to ensure that real property transactions are recorded in the subsidiary ledger and general ledger at the time the financial event occurs and at the proper amount. 
b. We also recommend that the Service maintain source documents related to property, plant, and equipment acquisitions and disposals.
4. Transfers and Donations - We recommend that the Service review accounting transactions to ensure that assets transferred and donated to the Service are properly recorded. This should include revising the procedures to properly record real property received from others.
5. Recording Depreciation - We recommend that the Service design, communicate, and implement internal controls to ensure that depreciation begins when assets are placed in service and that useful lives are consistently applied. The process should establish useful lives of newly constructed/purchased real property, useful lives of property received and previously owned by other entities, useful lives of improvements to property, and changes in useful lives of improved property. The process should also include improving the communication between the Division of Financial Management and the regions and field offices. 
6. Reconciliation of RPI to the General Ledgers - We recommend that the Service reconcile RPI to the general ledger on a quarterly basis, including resolving any reconciling items. 
Management Response
The Service agrees with this finding and recognizes that improvements are necessary to record and report its real property assets accurately and completely. As a consequence, the Service is working on corrective actions designed to implement KPMG's recommendations. 
1. Capitalization of Assets - The Service will establish policies for real and personal property assets. The Service will also participate in Departmental work groups designed to improve Department-wide policies and controls over property, plant, and equipment (PP&E).
2. Inventory Processes - The Service is committed to conducting a comprehensive review of the RPI, validating and updating information in the database during FY 2003. This review validates property information in the RPI from which financial data is derived, including verifying acquisition year, construction year, acquisition cost or value, and disposals. Additionally, the Service will standardize the RPI processes for the timely recording of acquisitions and disposals in the RPI and the Federal Financial System (FFS) general ledger as well as the maintenance of source documentation.
3. Acquisitions and Disposals - As part of the comprehensive review to the RPI, the Service will evaluate existing documentation related to real property acquisitions and disposals and secure necessary support information for key data fields of the RPI. The Service will also standardize processes for the timely recording of acquisitions and disposals in the RPI and FFS as well as the maintenance of source documentation.
4. Transfers and Donations - As part of the comprehensive RPI review, the Service will revise policies and standardize procedures governing entry of new data for transferred and donated property into the RPI and FFS general ledger as well as the maintenance of source documentation.
5. Recording Depreciation - The Service will develop policies and standardized processes for the timely recording of acquisitions, disposals, transfers, and donations in the RPI. The Service will also add key data fields to the RPI that will generate or calculate depreciation information so that it is available on a quarterly basis.
6. Reconciliation of RPI to the General Ledger - As part of the overall actions described above, the improvements to the Service's RPI policies and processes will result in more timely and frequent reconciliations to assist in preparing accurate and complete financial statements.
B.	Financial Reporting Process
In the prior year we reported a material weakness over internal controls for financial reporting. This year we noted the Service made progress in implementing our recommendations including:
* Performing regular account reconciliations and management reviews of various reconciliations. Specifically, we noted that the Service performed reconciliations of proprietary to budgetary accounts during fiscal year 2002; and,
* Working with the Solicitors' Office to properly determine, accrue, and disclose environmental clean-up liabilities. 
While these steps improved the processes to initiate and record financial transactions, the Service still needs to continue to improve its controls and processes associated with accounting and financial reporting. During our audit, we noted the following issues that result in financial reporting processes continuing to be material weaknesses:
* The Service's financial reporting process continues to be untimely, manually intensive, and prone to some error. This weakness is due in part to the turnover in the financial reporting section, which resulted in a lack of understanding of the financial reporting systems, OMB Bulletin 01-09, standard financial statement crosswalks, and the Service's accounting processes. 
* The statement of financing had unreconciled differences of $1 million.
* Based on our interviews and test work, it appears that program, field, and regional offices continue to primarily analyze transactions and reports on budgetary execution. Asset and liability management and review of proprietary account information is primarily performed by the Division of Finance, not program, field, and regional offices. 
* Service personnel coded numerous transactions to incorrect budget object classes (BOCs) which map to standard general ledger (SGL) accounts. The BOCs track disbursements according to type such as, but not limited to, compensation, benefits, travel, purchase of goods and services from governmental agencies, and equipment and structures. In many instances, the Service corrected the original incorrect postings through its review or reconciliation processes; however, this practice is manually intensive and time consuming. 
* During the year the Service did not use proper posting models for transfers. For example, the Service recorded approximately $600 million of transfers in; however, approximately $9 billion of activity went through the account during the year. The Service corrected the original incorrect postings through its review and reconciliation processes; however, this practice was manually intensive and time consuming. 
* The Service did not detect a debit balance of $25 million in accounts payable. This error was due to inaccurate reversals of prior-year accruals. Also, the Service did not record approximately $1 million of grant accruals. 
* The Service made entries directly to its equity accounts instead of reflecting corrections as current-year activity or prior-period adjustments. 
* The Service could not prepare the Fund Balance with Treasury Balance note in an accurate and timely manner.
* We passed 31 audit differences identified during the audit. While we believe these entries are not material to the financial statements taken as a whole of the Service, they do indicate further financial reporting issues. 
* The Service does not maintain an audit trail for performing and reviewing reconciliations between Hyperion and its feeder system, FFS. We noted that the Service's fourth quarter 2002 FFS upload resulted differences between FFS and Hyperion account balances which had to be resolved through the course of the audit.
* 	Some journal entries for Hyperion are written in Excel by any of the Service's Hyperion users (all Hyperion users can perform this function). Journal entries are required to be approved by management, however, at the Service, such approvals were sometimes verbal, and therefore, an audit trail does not exist. We also noted that journal entries are not consistently signed off or otherwise noted that they have been entered.
The continued deficiencies in the Service's financial reporting process result from inadequate or poorly designed controls and systems, lack of appropriate training, and inadequate management oversight of financial transactions.
Recommendation
The Service should reevaluate its financial reporting process to improve its efficiency and effectiveness. The manual efforts currently required to generate financial statements should be taken into consideration. The Service's evaluation should include, but not be limited to:
1. Reviewing Service policies and procedures to ensure that internal and external financial reporting is accurate, complete, and timely.
2. Providing for adequate succession planning to ensure trained, knowledgeable resources are available to prepare accurate and complete financial statements in a timely manner.
3. Assigning responsibility for posting models to ensure the Service uses the proper model and avoids major clean-up.
4. Training Division of Finance, program and regional, and National Business Center personnel on transaction coding, account analysis, and financial reporting. This training should also ensure that personnel are adequately trained on the Hyperion financial reporting application. The Service should enhance training of personnel responsible for coding and approving disbursements to ensure these transactions are coded to the proper BOC and SGLs at the initial transaction.
5. Developing periodic review processes by program managers and regional budget and finance officers of FFS financial and budgetary information.
6. Consistently apply processes surrounding manual journal entries, including sign-off of Service management indicating approval of each entry and sign-off of accountant making the entry.
7. Implement a process to reconcile FFS to Hyperion, which includes investigating and resolving differences in a timely manner.
Management Response
The Service agrees that there are improvements that need to be made to its financial reporting processes and has taken steps to address KPMG's recommendations.

1. Reviewing Internal Policies and Procedures - The Service's Division of Financial Management is currently developing internal procedures and checklists governing roles and responsibilities, including account reconciliations, investigation and resolution for variances and illogical balances, etc.
2. Provide Adequate Succession Planning - The Division of Financial Management is undergoing an intensive restaffing effort and has taken significant steps to ensure that its personnel are knowledgeable and adequately trained to perform key financial statement preparation functions. The Service is also participating in Departmental financial management recruiting programs to ensure a regular succession of staff. 
3. Assign Responsibility for Posting Models - The Service has made the specific assignment of updating and maintaining posting models to the Branch of Financial Statements within the Division of Financial Management. 
4. Training Division of Financial Management, Regional, Program, and NBC Personnel - The Service continues its training efforts, initiated in FY 2001, for key personnel regarding transaction coding, account analysis, and financial reporting. Further, Service management and technical experts gained significant hands-on experience and enhanced key skill sets during the FY 2002 financial reporting and audit cycle that will improve Service performance in FY 2003. The Service will develop a formal training plan for priority financial reporting and transaction areas.
5. Periodic Review Processes By Program Managers, Regional Budget, and Finance Officers - The Service plans to establish Regional Chief Financial Officers to promote the review of all financial management information. In addition, the Service will develop checklists for Regional program and budget and finance personnel that will define reviews for financial management information.
6. Apply Consistent Processes for Manual Journal Entries - The Service will implement a standard process for reviewing and approving manual journal entries involving review and sign-off by Division of Financial Management supervisors.
7. Audit Trail - Hyperion and FFS are fundamentally different systems, for both of which the Department serves as the system owner. Without an electronic interface, reconciliation between Hyperion and FFS is manual. The Service's audit trail consists of traceable corrective actions to the upload file and adjusting journal entries to bring the two systems into alignment. Until the Department provides an electronic interface to bureau end users, the Service must continue its existing reconciliation operations.
C.	Reconciling Transactions Within the Service as Well as With Other Department of the Interior Components 
As part of its reporting process, the Service is required to reconcile intrabureau activity and intradepartmental transactions between other Department of the Interior (Department) bureaus (referred to as trading partners). The Department and the Service have begun a process to reconcile the intra-Departmental transactions on a quarterly basis; however, as of third quarter, the Service's intrabureau activity was out of balance by $319 million and it had variances with other Department bureaus totaling $20 million. As of the end of the fourth quarter, the Service's intrabureau activity was out of balance by $486,000 and it had variances with other Department bureaus totaling $2.7 million. As part of the audit process, most of these differences were reconciled.
The Service's reconciliation process is a manual process and the Service currently does not have the necessary resources focused on this condition. Variances within the Service accounts and between trading partners are currently identified through a manual process, which includes entering transaction data into Hyperion. This information is accessible by all Department bureaus. Although the information is entered into Hyperion throughout the year, variances are not adequately reconciled and resolved in a timely manner. It also appears as though some of the differences relate to inconsistent posting models used by the Service. 
Variances within Service accounts and with trading partners indicate misstatements in financial reporting at both the bureau and Department levels. Further, the majority of the reconciliations continue to occur at year-end and encompass a significant amount of accounting staff time and resources. The lack of devotion of time and resources to these areas may ultimately impact the Service's ability to prepare reliable financial statements in a timely manner as timelines for financial reporting continue to be expedited.
Recommendation
We understand that the Department is developing an automated process to facilitate the reconciliation of intradepartmental transactions. Until the automated process is implemented, we recommend that the Service improve its manual process to identify and reconcile the intradepartmental transactions to address the material weaknesses. The reconciliation process should be completed quarterly and include procedures to resolve any differences identified in a timely manner.
Management Response
The Service concurs with the finding; however, the Service would like to point out that reconciling intradepartmental transactions is a problem common to all Department bureaus. The Service's efforts to reconcile transactions are often made more difficult because timely and accurate information is not available from other bureaus. Until the planned Department-wide automated system for eliminating intrabureau transactions is implemented, the elimination reconciliation process will remain a difficult and resource intensive task for all bureaus.
D.	Controls, Processes, and Financial Reporting Relating to Year-End Accruals
The Service did not properly accrue accounts payable at year-end. Based on our audit, the Service made an adjustment of approximately $14 million to properly reflect accounts payable. The Service also did not accrue liabilities for goods and services provided under reimbursable agreements and the related accounts receivable totaling approximately $2.6 million.
The Service's process to record accounts payable at year-end relies on field stations and other divisions to make accurate and complete accruals. Our test work and discussions with Service personnel revealed these groups did not completely understand and execute the year-end closing instructions related to accruals. 
Recommendation
To address this material weakness, the Service should evaluate and revise, as applicable, its process to accrue accounts payable at year-end. This evaluation should include, but not be limited to:
1. Ensuring regional offices explain the accrual process to field stations and monitor execution of year-end closing instructions relating to accruals.
2. Consideration of alternative methods to accrue accounts payable at year-end that do not rely on field stations to record individual invoices or projects.
Management Response
The Service is pursuing alternative methods for accruing accounts payable quarterly and at year-end that do not rely on field stations recording individual invoices. The Service is also directly participating in Department efforts to establish Department-wide policies and procedures governing accruals. The Service will also work with KPMG by seeking their review and concurrence of newly developed alternative methods.
We noted the following reportable conditions that are not considered material weaknesses:
E.	Controls, Processes, and Financial Reporting Relating to Capital Equipment
In the prior year, we reported a material weakness over internal control for capital equipment. This year, we noted the Service made progress in implementing the recommendations including:
* Implementing one personal property system for capital equipment, the Personal Property Management System (PPMS).
The Service also made plans to implement changes for fiscal year 2003 to:
* Apply consistent depreciation polices based on appropriate useful lives and acquisition dates. 
* Record the cost of capital equipment transferred to the Service from other federal agencies at net book value.
* Revise inconsistent salvage values. 
While these steps improved the processes to initiate and record fixed assets, the Service needs to continue to improve its controls and processes associated with the accounting for and reporting of capital equipment. During our audit, we noted the following:
* Neither PPMS or the FFS is completely accurate at year-end due to various reconciliation and timing issues. These differences are not considered material to the financial statements of the Service taken as whole; however, certain adjustments were made to correct the financial statements. 
* Capitalized equipment deletions and additions are entered throughout the year and are reconciled within the month they are entered into the PPMS on the Capitalized Equipment Report. Capitalized equipment is recorded in the SGL monthly as it is entered into FFS; however, both systems are reconciled at year-end.
* The Service recorded corrections to capital equipment through current-year activity without an evaluation as to the impact to prior-year recorded amounts. For example, certain regions changed the acquisition cost of capital equipment. Such changes were treated as current period changes in the financial statements and not evaluated for prior-period impact. Deletions were also not evaluated for prior-period impact. 
* Certain regions did not enter capital equipment items into the PPMS in a timely manner. End of year PPMS amounts are used to record capital equipment in the FFS. The delay in entering capital equipment information into PPMS may result in assets being entered into PPMS in fiscal year 2003 that were received by the Service in fiscal year 2002. Since the Service records capital equipment based on information in PPMS, this may result in assets not being reflected in the financial statements in the proper fiscal year.
* One region recorded the acquisition date in PPMS as the date the assets were entered into the system instead of the date the asset was received.
Recommendation
We recommend the Service continue its efforts to evaluate and revise, as applicable, its processes for acquiring, tracking, and reporting capital equipment. Specifically, the Service should:
1. Work towards quarterly reporting of capital equipment. Specifically, the Division of Financial Management should post acquisitions and dispositions as well as depreciation to FFS on a periodic basis throughout the year.
2. Ensure implementation of planned fiscal year 2003 changes to transfer values, salvage values, and depreciation policies. 
3. Ensure corrections to capital equipment are evaluated as prior-period adjustments as applicable.
4. Ensure timely entry of capital equipment items into PPMS.
5. Improve the reconciliation performed by the Division of Financial Management of PPMS to FFS to ensure all reconciling items are identified and adequately supported.
Management Response
The Service is committed to using a continually updated personal property system that contributes timely information to the quarterly financial statement preparation process. We appreciate KPMG acknowledging Service improvements and advancements in achieving this goal. The Service will continue to perfect quarterly reconciliation processes, including identifying all necessary information that must be kept in the Service's PPMS and exploring automated means of reconciliation between PPMS and FFS. Also, the Service will develop guidelines to assist regional property managers to record identified information into PPMS properly and timely and to use IDEAS to track new equipment purchases for proper entry into PPMS and FFS.
F.	Security and General Controls over Financial Management Systems
The Service has made recent improvements in the security and controls over its information systems; however, controls still need to be improved in the areas described below, as required by OMB Circular A-130, Management of Federal Information Resources. These conditions could affect the Service's ability to prevent and detect unauthorized changes to financial information, control electronic access to sensitive information, ensure that data and system integrity is achieved, and protect its information resources.
During our audit, we noted the Service improved its security related personnel policies and procedures as well as computer security training. The Service also improved its policies and procedures governing National Communications Center functions. Finally, the Service improved certain aspects of its network security though configuration management. However, we did note the following areas in which controls still need to be improved. 
1. Entity-Wide Security Program and Planning: An entity-wide security program, including security policies and a related implementation plan, is the foundation of an entity's security control structure and a reflection of senior management's commitment to addressing security risks. As outlined in OMB Circular A-130, an effective security program includes a risk assessment process, a certification process, and an effective incident response and monitoring capability. The Service does not have a comprehensive entity-wide security program that identifies established security plans, security program management and related personnel, as well as ongoing management of security policies and procedures. Specifically, the Service has not:
* Implemented an effective entity-wide security program that includes a centralized security structure, a comprehensive incident handling program, addresses system software ownership, a standard for the Statement of Responsibility process, a process for prompt user access removal from all Service systems, and performance of background checks and completion of nondisclosure statements; and,
* Established a current, comprehensive security plan that addresses user account administration. 
2. Access Controls: Access controls should provide reasonable assurance that computer resources (data files, application programs, and computer-related facilities and equipment) are protected against unauthorized modification, disclosure, loss, or impairment. The objectives of limiting access are to ensure that: (1) users have only the access needed to perform their duties; (2) access to very sensitive resources, such as security software programs, is limited to very few individuals; and (3) employees are restricted from performing incompatible functions or functions beyond their responsibilities. The Service did not have adequate controls to limit or detect access to certain information systems in order to protect against unauthorized modification, loss, and disclosure of data. We noted:
* Lack of implemented control measures to ensure that access to data is properly controlled;
* Weaknesses with the configuration of the Service's intranet security architecture;
* Improperly configured web servers permitted unauthorized access to the internal network;
* Unauthorized access to the internal network provided full control over a server; and
* Weaknesses in internal access control and password management. 
3. Software Development and Change Controls: Establishing controls over the modification of application software programs helps to ensure that only authorized programs and authorized modifications are implemented. Without proper controls, there is a risk that security features could be inadvertently or deliberately omitted or "turned-off," or that processing irregularities could be introduced. The Service has not established a current, comprehensive system life cycle that describes a standard methodology, a detailed software and application software change management process, and software testing procedures. 
4. Segregation of Duties: Segregation of duties is important to ensure the division of roles and responsibilities and steps in critical functions are designed in information systems so that no one individual can undermine the process. We noted weaknesses in the Service's segregation of duties surrounding:
* Regional security managers performing primary and secondary security functions; and,
* Technology support staff performing change management responsibilities and network monitoring.
5. Service Continuity: Losing the capability to process, retrieve, and protect information maintained electronically could significantly impact the Service's ability to accomplish its mission. Thus, procedures should be in place to protect information resources, minimize the risk of unplanned interruptions, and recover critical operations should interruptions occur. To mitigate the risk of service interruptions, the Service needs to implement comprehensive, tested Continuity of Operations Plans to protect resources, minimize the risk of unplanned interruptions, and to recover critical operations. 
6. Hyperion Application: We noted that there is not an appropriate segregation of duties for general user access within the Service's Hyperion-Enterprise application database. Currently, all users within the Service's application database have the same level of access, granting them the abilities to: 1) upload and process quarterly financial data, 2) create, change and delete all manual journal entries, and 3) create, change and delete all user/system generated reports. Also, all Hyperion users have the ability to view the Hyperion activity log which logs all login, data load, journal posting, edit check, and consolidation procedure. However, Service management does not periodically review this log for unusual activity.
Recommendation
We recommend that the Service develop and implement a formal action plan to improve the security and general and application controls over its financial management systems. This plan should address each of the areas discussed above, as well as other areas that might impact the information technology control environment to ensure adequate security and protection of the Service's financial management systems. 
Management Response
We agree with the general finding that the Service needs to improve security and general controls over its information/financial management systems.
KPMG acknowledges that the Service has made improvements in the security and controls over its information systems, security-related personnel policies, computer security training, as well as security policies and procedures at the National Communications Center. The Service will continue to move in the direction of complete compliance with OMB Circular A-130, Management of Federal Information Systems, as quickly as possible. Toward this goal, the Service has published updated official policy manuals that describe: the overall Service Information Technology Architecture (SITA); planning and managing information technology (IT) capital investments; policies and procedures for IT governance; management control reviews for automated information systems; data standards and data management practices; and policies, procedures, and responsibilities for the Service entity-wide IT security program.
Having established official policy, procedures, and guidance for effective security and general controls over information systems, we have the following comments for the categories cited in this report:

1. Entity-wide Security Plan - The Service established an entity-wide security program and security planning guidelines through the publication of Information Technology Manual titled "Automated Information System Security" in September 2002. The Service formed a new Branch of Security Management with responsibility for oversight of the Service's IT security program. To ensure full Service program and regional compliance with the Service's IT security program as established in official policy, the Service will develop and issue technical bulletins containing standards and guidance.
2. Access Controls - Weaknesses identified in Service web server and internal network configuration have been addressed. The Service believes other weaknesses identified by KPMG on the internal network are not a significant security threat, but we are pursuing alternative configuration methods and procedures. The Service will also inform all system owners and managers of major applications (MA) and general support systems (GSS) that they are required to complete and effect security plans per Service policy.
3. Software Development and Change Control - The Service has issued policy governing Automated Information Systems Capital Planning and Management which clarifies responsibilities for system owners and managers including configuration management and change control. The Service will publish additional technical bulletins for system owners and managers that provide a more detailed System Development Life Cycle (SDLC) methodology.
4. Segregation of Duties - The Service partially disagrees with the audit findings concerning segregation of duties. The Service believes the program offices cited in the findings have provided for adequate separation of duties in their security plans and procedures based on the limited staff available. The system owners accept any residual risk. Further, such residual risk is unlikely to affect the integrity of financial management systems. The Service has issued official policy governing Automated Information System Security. The Service is planning to provide system owners and managers with appropriate guidance for self-review concerning segregation of duties.
5. Service Continuity - The Service will issue a technical bulletin to provide guidance and procedures for the proper preparation of continuity of operations plans and/or business resumption plans.
6. Hyperion Application - While the Department of the Interior is responsible for core security of Hyperion and the server environment, KPMG's findings address the Service's use of the Hyperion application, with particular emphasis on control of access to Hyperion by Service employees, on whether the Service has provided an adequate audit trail with this application, and on whether the Service has adequate segregation of duties during its use:
a.	Access control of the Hyperion application - The Service maintains a list of input activity; and employee access granted by Department officials generally is reviewed and approved by Service management. Also, an activity log is reviewed to monitor employee access and access purpose and activity is approved by Service management. Thus, the Service believes that the Service has adequate controls over Service employee access; however, there have been a few instances where the Department has provided employee access to Service records and did so by circumventing the Service's approving official. We are working with the Department on ensuring that such circumvention does not occur again. 
b.	Segregation of duties - Preparing journal entries in software compatible with the Hyperion application was part of the Service's effort to automate the journal voucher process. With thousands of lines of property, accruals, and corrections, the Service designed controls concomitant with available resources. Since the Service has completed it staffing plan and hired appropriate staff as discussed under B. above, the Service has assigned responsibilities among several knowledgeable staff in a manner where we believe we have adequate separation of duties. Also, with the addition of staff, operational processes now require journal vouchers to be initialed by the preparer and signed by the approving official.
G.	Grant Controls and Processes Over Reporting Requirements
The Federal Aid in Sport Fish and Wildlife Restoration Act was created to fund restoration efforts for the benefit of fish, wildlife, and the American people. The Service's Division of Federal Aid makes funds available from these appropriations to eligible state agencies in the form of grants. Receipt of these grants require certain financial and performance reporting at interim periods for the grant and at its close. 
During our test work, we noted that the Service did not receive SF-269 Financial Status Reports in a timely manner. Our test work revealed 103 overdue reports as of September 30, 2002. A majority of these were due as of year-end; however, 26 reports were due prior to this time. We also noted 6 instances in our sample of 45 items in which the States did not request filing extensions and filed the SF 269s past the 90-day timeframe.
We also noted the Service did not receive performance reports within the 90 days of the close of the grant. Our test work revealed approximately 170 overdue performance reports at September 30, 2002; 22 of these reports were due prior to the Federal Aid Information Management System (FAIMS) conversion on January 1, 1999. These performance reports are used in part to monitor grant performance and also generate capital investment disclosure information for the Service's investment in nonfederal physical property.
While the Division of Federal Aid has made efforts to request reports from states after they become delinquent, it has not performed sufficient monitoring to ensure states submit required Performance Reports and SF-269 Financial Status Reports in a timely manner. 
SF-269 Financial Status Reports are used to properly record grant expense in the FAIMS and receipt of these reports also triggers deobligation of funds at the close of grants. Failure to receive reports in a timely manner could result in a misstatement of the Service's financial statements. Performance reports are the primary source for required disclosure of investments in nonfederal physical property. As a result of not obtaining such reports in a timely manner, the Service's required supplementary information may be incomplete.
Recommendation
The Division of Federal Aid should ensure that Performance Reports and SF-269 reports are obtained and entered into FAIMS in a timely manner. The Service should consider implementing remedies available in Code of Federal Regulations Section 43 in order to increase state compliance with reporting provisions.
Management Response
The Service agrees with this finding and is completing action plans designed to accommodate KPMG's recommendations. Further, the Service will explore all available options to encourage States to comply timely with financial and performance reporting requirements in a manner that improves the information available for the Service's financial statements.
H.	IDEAS-Procurement Desktop Controls
The IDEAS-Procurement Desktop (IDEAS-PD) is used by the Service to process obligations. The reconciliation process surrounding the IDEAS-PD and access controls over the system needs improvement. We noted that:
* The Citrix-based interface between IDEAS-PD and FFS does not consistently complete interface transactions. An individual user attempting an interface transaction is notified when the interface transaction has rejected; however, the Service has not established a formal process to reconcile obligations in IDEAS-PD to FFS;
* Numerous users have access to databases outside their region; 
* Generic accounts are used; and,
* IDEAS-PD does not have an approved risk assessment, security plan, or contingency plan in place.
We also noted that IDEAS-PD has not been formally authorized by the Service's Division of Contracting and Facilities Management for use in the Service. This authorization normally occurs via an accreditation from system owners. The application is used in markedly different ways across the Service. For example, some regions use the electronic Purchase Request (PR) feature whereas other regions pick up the procurement transaction from the approved and certified paper PR. 
The cause of some of the issues noted above is that the Service replicated all databases in each region when IDEAS-PD moved from the centralized National Business Center (NBC) application hosting to the regional client-server architecture. This move, along with the resulting attempts to clean and administer the mirrored databases locally, resulted in users with access to other regions' databases and the use of generic accounts.
We noted that field stations and other cost centers are responsible for ensuring obligations are properly posted to FFS; however, there is no consolidated reconciliation process of IDEAS-PD and FFS. Currently, reporting from FFS has not been established to facilitate this reconciliation process. Once such a report is in place, and the Service indicated that reconciliations for FY 2001 and 2002 will be performed. If the interface between IDEAS-PD and FFS is inconsistent, the Service's obligations may be misstated. These misstatements may be exacerbated by the regions using the application differently. 
Recommendation
We recommend that the Service, at a minimum, take the following steps to improve controls over IDEAS-PD:
1. Continue to isolate the problems with the Citrix-based interface from IDEAS-PD to FFS.
2. Complete the reconciliation process of initial obligations.
3. Ensure access is appropriate to regional databases and the specific job responsibilities of the regional users.
4. Eliminate the use of generic user IDs.
5. Proceed with the formal OMB Circular A-130 Major Application compliance process.
Management Response
The Service will work to improve its operational guidelines and procedures and to monitor their execution with the goal of automating reconciliation with FFS and PPMS. Also, the Service will continue its efforts to refine security features of IDEAS-PD consistent with Service and Departmental security plans.
A summary of the status of prior-year reportable conditions is included as exhibit I.
We also noted other matters involving internal control over financial reporting and its operation that we have reported to the management of the Service in a separate letter dated January 10, 2003. 
Compliance With Laws and Regulations 
The results of our tests of compliance with certain provisions of laws and regulations described in the responsibilities section of this report, exclusive of FFMIA, disclosed no instances of noncompliance that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 01-02.
The results of our tests of FFMIA disclosed instances, described below, where the Service's financial management systems did not substantially comply with the federal financial management systems requirements and federal accounting standards. 
I.	Federal Financial Management Systems Requirements - As discussed in the section of our report entitled Internal Control over Financial Reporting, the Service needs to improve its information technology security and general control environment. As a result, the Service does not substantially comply with the information technology security and general control requirements of OMB Circular A-130, Management of Federal Information Resources.
J.	Federal Accounting Standards - The Service is required to prepare its financial statements in accordance with federal accounting standards. As discussed in the section of this report entitled Internal Control over Financial Reporting, we identified material weaknesses related to buildings, structures, and construction work in process, financial reporting, reconciliation of intrabureau activity and intradepartmental transactions and accounts payable. The foregoing material weaknesses in internal control are also an indicator of noncompliance with FFMIA provisions relating to federal accounting standards. 
Recommendation
1. We recommend that the Service take the necessary actions to improve information technology security and general controls over its financial management systems in accordance with requirements set forth in OMB Circular A-130 in fiscal year 2003.
2. We recommend that the Service strengthen its procedures and internal control to ensure that buildings, structures, and construction work in process is fairly stated, its financial reporting process is improved, its intrabureau activity and intradepartmental transactions are reconciled, and accounts payable are recorded in accordance with federal accounting standards.
The results of our tests of FFMIA disclosed no instances in which the Service's financial management systems did not substantially comply with the United States Government Standard General Ledger at the transaction level.
Management Response
The Service has made substantial improvements in IT security policy and controls to comply with OMB Circular A-130, Management of Federal Information Resources, but acknowledges that it needs to make further progress. In our response to the recommendations in section F., the Service explains how it intends to achieve full compliance, with the goal to address all previous findings of noncompliance, as well as to pro-actively bring all offices, programs and systems in the Service into complete A-130 compliance in FY 2003.
The Service believes that the corrective actions outlined under sections A., B., and D. will implement KPMG's recommendations and will address the finding of noncompliance with federal accounting standards.
Responsibilities
Management's Responsibilities
The Government Management Reform Act (GMRA) of 1994 requires each federal agency to report annually to Congress on its financial status and any other information needed to fairly present its financial position and results of operations. To assist the Department of the Interior in meeting the GMRA reporting requirements, the Service prepares annual financial statements. 
Management is responsible for the financial statements, which includes:
* Preparing the financial statements in conformity with accounting principles generally accepted in the United States of America;
* Establishing and maintaining internal controls over financial reporting, and preparation of the management's discussion and analysis (including the performance measures), required supplementary information, and required supplementary stewardship information; and
* Complying with laws and regulations, including FFMIA.
In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies. Because of inherent limitations in internal control, misstatements, due to error or fraud, may nevertheless occur and not be detected. 
Auditors' Responsibilities
Our responsibility is to express an opinion on the financial statements of the Service based on our audits. Except as disclosed in the second paragraph of our opinion on the financial statements, we conducted our audits in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Governmental Auditing Standards issued by the Comptroller General of the United States and OMB Bulletin No. 01-02. Those standards and OMB Bulletin No. 01-02 require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement.
An audit includes:
* Examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements;
* Assessing the accounting principles used and significant estimates made by management; and
* Evaluating the overall financial statement presentation. 
We believe that our audits provide a reasonable basis for our opinion.
In planning and performing our fiscal year 2002 audit, we considered the Service's internal control over financial reporting by obtaining an understanding of the Service's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 01-02 and Governmental Auditing Standards. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to provide assurance on internal control over financial reporting. Consequently, we do not provide an opinion thereon.
As required by OMB Bulletin No. 01-02, we considered the Service's internal control over required supplementary stewardship information by obtaining an understanding of the Service's internal control, determining whether these internal controls had been placed in operation, assessing control risk, and performing tests of controls. Our procedures were not designed to provide assurance on internal control over required supplementary stewardship information and, accordingly, we do not provide an opinion thereon.
As further required by OMB Bulletin No. 01-02, with respect to internal control related to performance measures determined by management to be key and reported in the management's discussion and analysis, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions. Our procedures were not designed to provide assurance on internal control over performance measures and, accordingly, we do not provide an opinion thereon.
As part of obtaining reasonable assurance about whether the Service's fiscal year 2002 financial statements are free of material misstatement, we performed tests of the Service's compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 01-02, including certain provisions referred to in FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws and regulations applicable to the Service. Providing an opinion on compliance with laws and regulations was not an objective of our audit and, accordingly, we do not express such an opinion.
Under OMB Bulletin No. 01-02 and FFMIA, we are required to report whether the Service's financial management systems substantially comply with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA Section 803(a) requirements. 
Distribution
This report is intended for the information and use of the United States Fish and Wildlife Service management, Department of the Interior, Department of the Interior's Office of the Inspector General, OMB, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties. 

January 10, 2003 

UNITED STATES FISH AND WILDLIFE SERVICE
Summary of the Status of Prior-Year Reportable Conditions
September 30, 2002
Reference

Condition Area

Status





2001-A

Financial Reporting

This condition has not been corrected and is repeated in FY 2002.
2001-B

Capital Equipment

This condition has not been corrected and is repeated in FY 2002.
2001-C

Buildings, Structures, and Construction Work in Process

This condition has not been corrected and is repeated in FY 2002.
2001-D

Security and General Controls Over Financial Management Systems

This condition has not been corrected and is repeated in FY 2002.
2001-E

Aquatic Resource Trust Fund and 
Sport Fish Restoration Account

This condition has been corrected.
2001-F

FFMIA - Financial Management Systems Requirements

This instance of noncompliance has not been corrected and is repeated in FY 2002.
2001-G

FFMIA - Federal Accounting Standards

This instance of noncompliance has not been corrected and is repeated in FY 2002.





2


1



C-IN-FWS-0093-2002