[Management Issues Identified During the Audit of the U.S. Geological Surveyâs Fiscal Year 2003 Balance Sheet]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. E-IN-GSV-0035-2004

Title: Management Issues Identified During the Audit of the U.S.
       Geological Surveyï¿½s Fiscal Year 2003 Balance Sheet

  

Date:  January 7, 2004

****************************************DISCLAIMER******************
This file contains an ASCII representation of an OIG report. No attempt has been made to display graphic images or illustrations. Some tables may be included, but may not resemble those in the printed version. A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202) 219-3841.
**********************************************************************


Memorandum

To:	Director, U.S. Geological Survey

From:	Roger La Rouche 
	Assistant Inspector General for Audits

Subject:    Management Issues Identified During the Audit of the U.S. Geological Surveyï¿½s Fiscal Year 2003 Balance Sheet (No. E-IN-GSV-0035-2004)

	We contracted with KPMG LLP (KPMG), an independent certified public accounting firm, to audit the U.S. Geological Surveyï¿½s (USGS) balance sheet as of September 30, 2003.  In conjunction with its audit, KPMG noted certain matters involving internal control and other operational matters that should be brought to managementï¿½s attention. These matters, which are discussed in the attached letter, are in addition to those reported in KPMGï¿½s audit report on USGSï¿½s balance sheet (Report No. E-IN-GSV-0070-2003) and do not constitute reportable conditions as defined by the American Institute of Certified Public Accountants. 

	The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.  If you have any questions regarding KPMGï¿½s letter, please contact me at (202) 208-5512.

	The legislation, as amended, creating the Office of Inspector General, (5 U.S.C.A. App. 3) requires semiannual reporting to Congress on all audit reports issued, actions taken to implement audit recommendations, and recommendations that have not been implemented.  Therefore, this report will be included in our next semiannual report.

Attachment

cc:	Assistant Secretary for Water and Science
	Chief Financial Officer, U.S. Geological Survey
	Director, Office of Financial Management
	Deputy Chief for Financial Management, U.S. Geological Survey
	Audit Liaison Officer, Water and Science
	Audit Liaison Officer, U.S. Geological Survey
	Focus Leader for Management Control and Audit Followup,
	   Office of Financial Management
	



October 31, 2003


Director of the U.S. Geological Survey and Inspector General
U.S. Department of the Interior:


We have audited the consolidated balance sheet of the U.S. Geological Survey (USGS) as of September 30, 2003, and have issued our report thereon dated October 31, 2003.  In planning and performing our audit of the consolidated balance sheet of USGS, we considered internal control in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated balance sheet. An audit does not include examining the effectiveness of internal control and does not provide assurance on internal control.  We have not considered internal control since the date of our report. 

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration.  These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are summarized as follows:

A. Improve Emergency Procedures Training 
   Comment
In prior years, we noted that emergency procedures training of computer center employees is provided via the distribution of training videotapes.  Refresher tapes are distributed every two years to existing data center employees.  However there are no management control procedures in place to ensure that all data center employees completely view either the initial training videotapes or the refresher tapes.
During the current year testwork, we noted that USGS has adopted a policy to provide mandatory annual Occupant Emergency Plan (OEP) training to all employees.  The training includes computer center emergency procedures.  Any computer center personnel who fails to attend the mandatory training will be denied access, unless alternate training sessions are arranged.  As a result of our testing, however, we noted that out of 101 employees authorized to access the computer center, 95 employees did not attend the mandatory training held in October 2002, nor were they otherwise trained by the time we concluded our testwork.

Recommendation
We recommend that USGS management enforce the requirement that the computer center personnel receive periodic training on emergency procedures to ensure that they are aware of their responsibilities in preventing, mitigating, and responding to emergency situations.

B. Complete Contingency Plans 
   Comment
In prior years, we noted that USGS had a contingency plan, titled the Continuity of Operations Plan (COOP) for the National Center dated February 2000.   The plan had been distributed to the appropriate personnel and approved by key affected groups.  However the plan had not been tested, nor revised to reflect any recent changes in hardware, software, systems architecture, and personnel. 
During current yearï¿½s testwork, we noted that USGS had completed the COOP for 12 of the 13 mission essential facilities as required by a department-wide directive.  However, the COOP for the National Center was not completed or tested by the time of the conclusion of our audit.

Recommendations

We recommend that USGS management:

1. Complete the National Center COOP;
2. Develop specific testing procedures and include them in USGSï¿½ contingency plan.  Considerations should be given to developing a 12-18 month cycle, rotating through different disaster scenarios; and
3. Analyze all test results and adjust the contingency plan accordingly.  Test results should be documented and a report, such as a ï¿½lessons learnedï¿½ report, should be developed and provided to senior management.  The contingency plan and any related agreements and preparations can then be adjusted to correct any deficiencies identified during testing.

C. Improve New-Employee On-Boarding Process 

Comment

During the performance of audit procedures regarding on-boarding of new hires, we noted that USGS has not standardized procedures to:

* Perform background investigations that are consistent with the sensitivity of the position that is considered a non-National Security Position.
* Administer computer security awareness training before, or shortly after, the new hires gain access to USGS IT resources.

As a result, management was not able to provide the background investigation records or the training records for the new hires selected for testing.

Recommendations
1. We recommend that USGS establish standards and procedures to perform background checks of prospective employees and contractors.  USGS should specify the types of background checks required, the timing of their initiation and completion, and the related record keeping requirements.  The procedures should also address steps taken for both favorable and unfavorable screening results.
2. We further recommend that USGS incorporate computer security awareness training as part of the new-employee (or contractor) on-boarding process.  For example, USGS may include the security training materials in the new employee orientation information packet; security officers may conduct brief group or one-on-one training sessions.  USGS should maintain evidence of new employeeï¿½s (or contractorï¿½s) completion of the training program and acknowledgement of his/her computer security responsibilities.  Such evidence should accompany the request for access to USGS IT resources, or be obtained and kept on file shortly after the access is granted.

D. Improve Physical Access Controls 
Comment
During the performance of audit procedures regarding the physical access to the data center, we noted that access granted to 3 out of 10 personnel selected for testing was not supported with proper documentation.

Recommendations
We recommend that USGS management:

1. Continue the review process and ensure that all currently authorized personnel have legitimate business needs for such access;
2. Obtain and maintain proper authorization documentation that reflects the current level of access; and
3. Establish a program to review physical access list to sensitive areas at least quarterly.

E. Improve System Development Life Cycle Implementation 
   Comment
In prior years, we noted a condition that USGS did not have a formalized System Development Life Cycle (SDLC).  In March 2003, USGS adopted a SDLC.  However, upon reviewing the application changes made this year, we noted that the changes lack many supporting documents required by the SDLC.

Recommendations
We recommend that USGS management:

1. Develop a SDLC implementation plan, which includes milestones and deadlines; and
2. Ensure that all on-going application modifications have proper supporting documentation as required by the SDLC methodologies.

F. Improve Library Software Controls
Comment
During the performance of our audit procedures, we noted that USGS does not use an automated library software tool to control the application change process.

Recommendation
We recommend that USGS management acquire and install an automated library software or configuration management tool.
G. Improve System Software Change Controls 
   Comment
Modifications to the Solaris system software are not automatically tracked and logged.  It was noted that no software development is performed and that the only changes to the system software are periodic updates and patches.  However, unauthorized changes could occur under the current configuration and go undetected without an automatic logging process in place.  In addition, formal change control forms are not used and retained when system software updates and patches are applied.  The only evidence of modifications lies in a manual log that is kept by the three system administrators who perform the changes. 

   
Recommendations
   We recommend that USGS management:
   
1. Configure the Solaris system to automatically track and log all changes to the system software;
2. Develop procedures for authorized personnel to regularly review the change logs for unauthorized changes; and
3. Utilize formal change request forms to authorize and track all changes or modifications to the Solaris system software.  All change request forms should be kept on file by management.

H. Improve Production Library Access Controls
Comment
Access controls over production libraries needs strengthening.  During our review of the listing of users with the ALTER access to FFS production libraries, we noted that certain application programmers had such access.

Recommendations
1. We recommend that USGS management review current listing of users with ALTER access to the production libraries and

* Remove programmersï¿½ access or revise access profiles of programmers to read-only; and 
* Ensure that the remaining users with ALTER access have valid business needs for such access.
2. We also recommend that management review programming changes implemented during FY 2003 to determine whether any changes were unauthorized.  If unauthorized changes are found, take remedial actions.

I. Improve Controls Related to Personal Property Inventory Observations 
Comment

The Personal Property observation control procedures may not be effective in ensuring the completeness of recorded Personal Property.  The official inventory instructions as contained on the USGS web site do not indicate the specific procedures that should be performed to cover the completeness of Personal Property that are located at remote locations.  Through our inquiry, we found that the Accountable Property Officer (APO) confirms the existence of the off-site Personal Property through verbal conversation with the individual of record thought to be responsible for the Personal Property.  However, there is no procedure in which the individual responsible for the Personal Property confirms all Personal Property under his/her control to the APO.  As such, the APO may not be able to determine if he/she has addressed the completeness of the Personal Property located at remote locations.

Recommendation
We recommend that the USGS revise its policies and procedures to address Personal Property that is located at remote locations at the time of the observation.  This should include a method by which the APO receives written confirmation from the responsible individual of all Personal Property in his/her control.  Another viable alternative is to have the APO physically observe the high dollar value Personal Property on a rotational basis, or if unable to physically observe, request current pictures of the Personal Property from the responsible individual.

J. Improve Controls Related to Fund Balance with Treasury 
Comment

KPMG noted that there has not been timely resolution of all amounts reflected on the Statement of Differences (TFS 6652) and Treasuryï¿½s Undisbursed Appropriation Account Ledger report (TFS 6653).  As of May 31, 2003, the cumulative difference with Treasury is $522,097.  It is our understanding that most of the items that make up the difference are several months old.

KPMG was told that the unreconciled amounts represent transactions that are being researched to determine the cause of the difference.  In addition, some of the unreconciled amounts were due to foreign payments made by the State Department on USGSï¿½s behalf.  The State Department reported the payments in the wrong appropriation, causing a misstatement of appropriation amounts between funds.  However, 61 days after the month end, the differences have not been corrected.

Recommendation
We recommend USGS establish procedures to ensure reconciliations are performed more timely and that differences are identified and corrected within 30 days.



K. Improve Controls Related to the Debt Collection Improvement Act 

Comment

We tested USGSï¿½s compliance with the Debt Collection Improvement Act by selecting 32 accounts receivable items greater than 180 days old and determined that of the 32 items tested we noted:

*	7 items that were not referred to Treasury.  USGSï¿½s policy is to only refer those debts to Treasury that USGS determines are uncollectible and these items were not considered uncollectible.
*	22 items where the amount of interest and penalty assessed was not in compliance with the Debt Collection Act. The exceptions are due to the way the Project Cost Accounting System (PCAS) is configured to calculate interest and penalties.  If the debt becomes delinquent mid month, the system will round to the previous or subsequent month when computing the interest and penalty.  This resulted in an understatement of interest and penalties on the sample tested of approximately $21,500. 
*	6 items where we noted that USGS did not use the interest rates published in the Federal Register in the interest calculation.  The exceptions are due to the time lag between when Treasury notifies USGS of the new rates and when the new rates are entered  into the system.  

As a result of the above issues, USGS is not in compliance with the Debt Collection Improvement Act.  In addition, USGS is either under or overcharging interest and penalties, causing the Interest Receivable account to be misstated. However, the impact of the misstatement is not material to the consolidated financial statements, as Interest and Penalty Receivable, net is only $219,639 as of September 30, 2003.

   Recommendations
   
   We recommend that USGS: 
   
1. Review the remaining delinquent receivables and refer all applicable accounts receivable to Treasury within the required time frame and change its policies and procedures to ensure compliance with the Actï¿½s referral requirements in the future.
2. Configure PCAS to begin accruing interest and penalties on the date that the bill becomes delinquent.
3. Implement a policy in which USGS personnel check the Treasury website instead of waiting to receive notice via email or mail.



L. Improve Controls Related to the Working Capital Fund 
Comment

KPMG selected a representative sample of 25 disbursements related to the Working Capital Fund (WCF) Investment Component and noted the following:

* USGS does not complete all sections of the Investment Plan, which according to Section 335.6 of the USGS WCF Manual, requires the following: ï¿½All investments and expenditures from a WCF investment component must be documented in an approved, multi-year Investment Plan (IP)ï¿½.  KPMG noted that USGS completes the contributions section of the Investment Plan.  However, USGS does not complete the expenditures section of the Investment Plan. KPMG noted that the individual cost centers maintain a listing of approved expenditures; however, the expenditures are not included in the Investment Plans maintained at headquarters.
* The Investment Plan does not provide enough description to facilitate the monitoring of the use of the funds.  
* Lack of familiarity with all of the program requirements by USGS staff who are responsible for monitoring compliance and initiating Investment Plans.

Recommendations
1. We recommend that USGS develop an in-house training for participants in the USGS WCF, and ensure that all supervisory staff responsible for approving investment plans and related contributions and expenditures attend such training on an annual basis.  

2. We also recommend that USGS establish a centralized quality assurance team to perform independent reviews, on a test basis throughout the year, to ensure that WCF Investment Plans and expenditures are compliant with laws and regulations.  The central team should also require descriptions in the Investment Plans to be detailed so that expenditures can be easily traced to Purchase Orders and Invoices.

M. Improve Controls Related to Leases 
   Comment

During our testwork over the classification of USGS leases, KPMG selected a sample of 23 leases (13 non-GSA and 10 GSA leases) and noted the following:

* USGS does not accurately complete the Determination of Capital versus Operating Leases worksheet utilized by DOI for non-GSA leases.
* Supervisory review of the Determination of Capital versus Operating Leases worksheet is not performed by an employee who is knowledgeable of the applicable accounting standards.  Thus, errors in the completion of the worksheet are not detected and corrected before entry into the Federal Financial System.
* USGS does not complete a Determination of Capital versus Operating Leases worksheet for GSA leases.
* The Determination of Capital versus Operating Leases worksheet is not designed to properly report contingent liabilities, such as tenant improvements.  Upon management review of the sample of GSA leases, USGS noted that an unrecorded contingent liability exists for tenant improvements, which are improvements made to a rented facility that are financed by GSA and repaid, with interest, by USGS over the term of the lease.  The improvement costs must be repaid to GSA upon early termination of the agreement.  We noted that USGS does not have a policy in place to facilitate the reporting of this contingent liability.

Recommendations
1. We recommend that USGS formally and thoroughly train those responsible for lease accounting in terms of classification, financial statement implications, and present value computations.  We also recommend that USGS reassess and redesign the tools currently being utilized to assist with lease classifications to be more clear and concise and to address contingent liabilities.

2. We recommend that USGS implement a policy for supervisory review of leases by an employee within the Office of Financial Management who is knowledgeable with respect to the applicable accounting standards.  We also recommend that USGS re-evaluate all GSA lease agreements entered into to ensure proper classification and to ensure that no liability is unrecorded.

N. Improve Controls Related to Inventory 
Comment

During our review of the inventory policies and procedures, KPMG noted the following conditions:  

* In 1995 and 1996, USGS conducted a complete physical inventory of the warehouse.  Since that date, completeness, existence, and accuracy of inventory quantities has been controlled by cycle count procedures that include a statistical sampling plan.  KPMG noted that using the cycle counts as a replacement for a full physical count of inventory is insufficient due to the following factors: (1) The cycle counts only cover 4% of total inventory, and while the system is updated for the counts, documentation of the results for statistical evaluation is not always maintained; (2) the statistical sampling plan only considers quantities, therefore, USGS may not be able to focus on high dollar items using this methodology; (3) the errors in the statistical portion of the cycle count are not extrapolated to the entire population to determine possible misstatement and; (4) USGS does not maintain historical count information to ensure that different products are selected, ultimately ensuring that over time, 100% of inventory is subject to counting.
* USGS tracks the cost of each finished good by recording direct costs (raw materials and labor) and indirect costs (cost of running machinery, spoilage, waste, shipping, training/travel, supervision, and facilities costs).  Indirect costs are based on rates established by the National Association for Printing Leadership (NAPL).  The NAPL performed a study in 1998 in order to determine the standard cost.  However, standard costs have not been updated since 1998 and no adjustment for inflation has been made, thus causing an understatement of costs.  
* USGS manages inventory quantities using the Integrated Business Solution (IBiS) inventory system and costing using the Covalent system.  KPMG notes that USGS only updates the general ledger to reflect the data from these systems on an annual basis.
* USGS uses the Statistical Analysis System (SAS) to compile information from IBiS and Covalent.  There is no automatic interface, instead a manual file download is done.  USGS lacks adequate control over these systems to ensure that the systemï¿½s manual download is complete and that the manual file download includes all applicable inventory.  USGS does not perform a reconciliation of the manual file download, nor is there a management review of this process.  In fiscal year 2002, KPMG noted that there were inconsistencies between the systems and the General Ledger, in which inventory was recorded in the subsidiary systems but not in the General Ledger.

Recommendation
We recommend that the USGS implement a full physical count of inventory for the Denver Mapping Center.  Once a full physical count is performed, USGS should implement a statistical plan that gives adequate coverage and allows for extrapolation of errors in subsequent years.  In addition, USGS should make yearly adjustments to their standard rates to account for inflation.

Our audit procedures were designed primarily to enable us to form an opinion on USGSï¿½s consolidated balance sheet, and therefore, may not bring to light all weaknesses in policies or procedures that may exist.  We aim, however, to use our knowledge of USGS, gained during our work, to make comments and suggestions that we hope will be useful to you.

We appreciate the courteous and professional assistance that USGS personnel extended to us to complete our audit timely.  Should you have any questions concerning the matters presented herein, we would be pleased to discuss them with you at any time.

This report is intended for the information and use of the USGSï¿½s management, the U.S. Department of Interiorï¿½s management, the U.S. Department of the Interiorï¿½s Office of Inspector General, OMB, the General Accounting Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties. 

Very truly yours,