Department of Justice FY 2005 Performance and Accountability Report
III-11
KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is
a member of KPMG International, a Swiss association.
KPMG LLP
2001 M Street, NW
Washington, DC 20036
Independent Auditors’ Report on Internal Control over Financial Reporting
United States Attorney General
U. S. Department of Justice
Inspector General
U. S. Department of Justice
We have audited the consolidated balance sheets of the U.S. Department of Justice (the Department) as of
September 30, 2005 and 2004, and the related consolidated statements of net cost, changes in net position, and
financing, and the combined statements of budgetary resources and custodial activity for the years then ended
(hereinafter collectively referred to as the “consolidated financial statements”), and have issued our report
thereon dated November 11, 2005. That report indicated that we did not audit the financial statements of the
following components of the Department: the U.S. Marshals Service; the Federal Bureau of Prisons; and the
Federal Prison Industries, Inc. Those financial statements were audited by other auditors whose reports
thereon have been furnished to us, and our report, insofar as it related to the amounts included for those
components, was based solely on the reports of the other auditors. Our report dated November 11, 2005 also
indicated an update to our report dated November 12, 2004, in which we did not express an opinion on the
Department’s 2004 consolidated financial statements because, due to limitations on the scope of their work,
other auditors disclaimed an opinion on the financial statements of the Office of Justice Programs (OJP).
Subsequent to November 12, 2004, OJP restated its 2004 financial statements and we were engaged to audit
the restated 2004 financial statements of OJP and, in connection therewith, expressed an unqualified opinion
on those restated financial statements in our report dated August 26, 2005. As a result, as described in note 20
to the 2005 consolidated financial statements, the Department has restated its 2004 consolidated financial
statements. Accordingly, our present opinion on the 2004 consolidated financial statements is different from
our previous report. We conducted our audits in accordance with auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in Government Auditing
Standards, issued by the Comptroller General of the United States; and Office of Management and Budget
(OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.
As noted above, we did not audit the financial statements of the U.S. Marshals Service; the Federal Bureau of
Prisons; and the Federal Prison Industries, Inc. Those financial statements were audited by other auditors
whose reports thereon, including the other auditorsIndependent Auditors’ Reports on Internal Control over
Financial Reporting, have been furnished to us. Accordingly, our report on the Department’s internal control
over financial reporting, insofar as it relates to these components, is based solely on the reports and findings of
the other auditors.
In planning and performing our 2005 audit, we considered the Department’s internal control over financial
reporting by obtaining an understanding of the Department’s internal control, determining whether internal
controls had been placed in operation, assessing control risk, and performing tests of controls in order to
determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial
statements. We limited our internal control testing to those controls necessary to achieve the objectives
described in Government Auditing Standards and OMB Bulletin No. 01-02. We did not test all internal
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 2
Department of Justice FY 2005 Performance and Accountability Report
III-12
controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act
of 1982. The objective of our audit was not to provide assurance on the Department’s internal control over
financial reporting. Consequently, we do not provide an opinion thereon.
Our consideration of internal control over financial reporting would not necessarily disclose all matters in the
internal control over financial reporting that might be reportable conditions. Under standards issued by the
American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention
relating to significant deficiencies in the design or operation of the internal control over financial reporting
that, in our judgment, could adversely affect the Department’s ability to record, process, summarize, and report
financial data consistent with the assertions by management in the consolidated financial statements. Material
weaknesses are reportable conditions in which the design or operation of one or more of the internal control
components does not reduce to a relatively low level the risk that misstatements, in amounts that would be
material in relation to the consolidated financial statements being audited, may occur and not be detected
within a timely period by employees in the normal course of performing their assigned functions. Because of
inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected.
In our fiscal year 2005 audit, we noted, and the reports of the other auditors identified, certain matters,
described in Exhibits I and II, involving the internal control over financial reporting and its operation that we
and the other auditors consider to be reportable conditions. Exhibit I is an overview of the reportable
conditions (including material weaknesses) identified in the Department’s component auditors’ Independent
Auditors’ Reports on Internal Control over Financial Reporting, and includes an explanation of how we
treated these component-level reportable conditions at the Department level. Exhibit II provides the details of
the Department-wide reportable conditions that we believe to be material weaknesses. Exhibit III presents the
status of prior years’ Department-wide reportable conditions.
Additional Required Procedures
As required by OMB Bulletin No. 01-02, in our fiscal year 2005 audit, we considered internal control over
Required Supplementary Stewardship Information by obtaining an understanding of the Department’s internal
control, determining whether these internal controls had been placed in operation, assessing control risk, and
performing tests of controls. Our procedures were not designed to provide assurance on internal control over
the Required Supplementary Stewardship Information and, accordingly, we do not provide an opinion thereon.
As further required by OMB Bulletin No. 01-02, in our fiscal year 2005 audit, with respect to internal control
related to performance measures determined by management to be key and reported in the Management’s
Discussion and Analysis and Performance sections of the Department’s Fiscal Year 2005 Performance and
Accountability Report, we and the other auditors obtained an understanding of the design of significant internal
controls relating to the existence and completeness assertions. Our and the other auditors’ procedures were not
designed to provide assurance on internal control over reported performance measures, and, accordingly, we
do not provide an opinion thereon.
______________________________
We noted certain additional matters that we reported to the management of the Department in a separate letter
dated November 11, 2005.
This report is intended solely for the information and use of the management of the U.S. Department of
Justice, the U.S. Department of Justice Office of the Inspector General, the OMB, the Government
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 3
Department of Justice FY 2005 Performance and Accountability Report
III-13
Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone
other than these specified parties.
November 11, 2005
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 4
Department of Justice FY 2005 Performance and Accountability Report
III-14
Exhibit I
OVERVIEW OF REPORTABLE CONDITIONS (INCLUDING MATERIAL WEAKNESSES)
The following table summarizes the 18 reportable conditions identified by the Department’s component
auditors. The component auditors also considered 10 of these reportable conditions to be material weaknesses.
We analyzed these component-level material weaknesses and reportable conditions to determine their effect on
the Department’s internal control over financial reporting and concluded that they comprise two Department-
wide reportable conditions, both of which we also consider to be material weaknesses.
Department Reportable Conditions
Noted During Fiscal Year 2005
D
O
J
O
B
D
s
A
F
F
F
B
I
D
E
A
O
J
P
A
T
F
U
S
M
S
(1)
B
O
P
(1)
F
P
I
(1)
W
C
F
Fundamental changes are needed in the
components’ internal control to ensure financial
information can be provided timely to manage
the Department’s programs and to prepare its
financial statements within the reporting
deadlines of the OMB.
M
M
R
M
M
R
M
M
M
R
R
Improvements are needed in the Department’s
and components’ financial systems general and
application controls.
(2)
M
R
R
M
M
M
M
R
R
FY2005
10 0 0 2 0 3 2 3 0 0 0
Total Material Weaknesses
Reported by Components’ Auditors
FY2004
10 0 0 2 0 5 1 2 0 0 0
FY2005
8 1 1 1 0 1 0 1 1 0 2
Total Reportable Conditions
Reported by Components’ Auditors
FY2004
13 2 1 1 1 1 1 2 1 1 2
Offices, Boards and Divisions (OBDs); Assets Forfeiture Fund and Seized Asset Deposit Fund (AFF); Federal Bureau of
Investigation (FBI); Drug Enforcement Administration (DEA); Office of Justice Programs (OJP); Bureau of Alcohol,
Tobacco, Firearms and Explosives (ATF); United States Marshals Service
(1)
(USMS); Federal Bureau of Prisons
(1)
(BOP);
Federal Prison Industries, Inc.
(1)
(FPI); and Working Capital Fund (WCF).
Legend:
(1)
Department’s components whose financial statements were audited by other auditors.
(2)
Includes the Department's Operations Services Staff (OSS), a component of the Office of the Chief Information Officer
(OCIO), Justice Management Division (JMD), which has primary responsibility over the consolidated information
systems general controls environment. See related finding in Exhibit II.
M – Material weakness
R – Reportable condition
In Exhibit II we discuss in detail the two Department-wide material weaknesses noted above. Because of the
number of internal control deficiencies identified at the Department’s components, we recommend
Department-wide corrective actions.
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 5
Department of Justice FY 2005 Performance and Accountability Report
III-15
Exhibit II
MATERIAL WEAKNESSES
F
UNDAMENTAL CHANGES ARE NEEDED IN THE COMPONENTS INTERNAL CONTROLS TO ENSURE
FINANCIAL INFORMATION CAN BE PROVIDED TIMELY TO MANAGE THE DEPARTMENTS PROGRAMS
AND TO
PREPARE ITS FINANCIAL STATEMENTS WITHIN THE REPORTING DEADLINES OF THE OMB.
We and the other auditors continue to identify weaknesses in the Department’s and components’ financial
management systems and related internal controls and financial reporting processes that, if not addressed, will
continue to present a challenge to meeting the reporting requirements of the OMB.
Financial Management Systems and Internal Controls
Components’ financial management systems are not integrated or are not configured to support financial
management and reporting and the related internal controls are not sufficient, in some respects, to provide
reasonable assurance that: (1) transactions are recorded accurately and in a timely manner, and (2) adequate
documentation exists to support the recorded amounts. Specifically, we and the other auditors noted the
following deficiencies in the components’ financial management systems and related internal controls (the
effects of which were adjusted in the components’ financial statements, as appropriate):
The USMS’s Overall Internal Control Framework. Significant weaknesses were identified in the USMS’s
financial management system controls and monitoring, including gaps in cross-cutting elements of internal
control over financial reporting. Shortcomings involving the interrelated elements of the internal control
framework (the control environment, risk assessment, control activities, information and communications, and
monitoring) that adversely affect the effectiveness of the overall internal control framework were noted,
including:
Segregation of Duties. Certain administrative staff have incompatible duties, which could allow them to
carry out and conceal errors or irregularities in the course of performing their day-to-day activities, as
follows: (1) Office of Finance team leaders for operations and financial reporting have overlapping
responsibilities for processing and recording as well as reviewing and approving transactions. These
individuals also have excessive privileges in the USMS’s financial management system, the Standardized
Tracking, Accounting, and Reporting System (STARS), such that they not only have Administrator-level
privileges, but they can also override funds control and update vendor tables, and (2) a personnel
management specialist in the Human Resources Division has incompatible duties which allows the
specialist to enter employee data into the National Finance Center personnel database and also add,
remove, and modify employee time logs on the USMS’s timekeeping systems.
Internal Communications. The Office of Finance and the program offices it serves have not established
procedures for adequately communicating funds management and other financial issues. The following
instances were noted: (1) numerous misunderstandings between the Office of Finance and program offices
on the status of obligations, including who obligated the funds and when, (2) obligating documents issued
to outside vendors by a program office without being recorded in STARS, and (3) communications to the
General Services Administration (GSA) by a program office on revised use of Reimbursable Work
Authorization (RWA) funds without the Office of Finance being notified.
Funds Control and Management. Certain USMS personnel responsible for funds control and management
are not knowledgeable about appropriate uses for the funds they manage. The following instances were
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 6
Department of Justice FY 2005 Performance and Accountability Report
III-16
noted: (1) construction funds were used for unauthorized purposes, (2) RWA funds were redirected to
other projects without modifying the agreements, (3) there are no procedures for reviewing, approving, and
certifying Intra-Governmental Payment and Collection (IPAC) System billings, and (4) some district
offices and Headquarters locations are not consistently recording obligations properly.
Timeliness of Financial Reporting and the Reliability of Financial Systems and Statements. The USMS’s
core financial management system, STARS, lacks integrated subsidiary ledgers for certain material
account balances. In addition, STARS does not maintain detail for all transactions, such as upward and
downward adjustments of prior-year undelivered orders, nor is STARS United States Standard General
Ledger (SGL) compliant because it does not include an unfunded accrued Federal Employees’
Compensation Act
(FECA) liability account.
Quality Assurance over Draft and Final Financial Statements. The following deficiencies were noted in
the auditors’ reviews of the USMS’s financial statements and supporting subsidiary schedules:
(1) financial statements did not comply, in many respects, with applicable reporting requirements,
including OMB Circular No. A-136, Financial Reporting Requirements, and the Department’s Justice
Management Division’s financial statement preparation requirements, (2) quarterly financial statements
contained discrepancies and errors in disclosures and also did not disclose material aircraft operating
leases, (3) the June 30, 2005, legal representation letter management schedule contained several errors,
(4) GSA real property schedules supporting leasehold improvement and construction work-in-progress
balances contained several formula errors, (5) the June 30, 2005, financial statements were submitted to
JMD late, and (6) certain audit-related documents were provided to the auditors after the agreed-upon
submission dates.
Audit Trail and Documentation for Financial Statement Transactions. The Office of Finance does not
adequately document certain compiled information underlying the financial statements. The following
instances were noted: (1) crosswalks provided to support the Statement of Budgetary Resources and the
Statement of Financing were incomplete, and (2) revenue and expense amounts on the financial statement
crosswalk did not agree to the year-end trial balance.
Accounts Payable. Improvements are needed in ATF’s processes for recording accounts payable. ATF uses
a “receiver” process to indicate the receipt and acceptance of goods and services, the results of which are used
to record the payable directly to the general ledger. We noted significant adjustments to the accounts payable
balances, the primary cause of which was purchasing agents not identifying purchases where the goods and
services had been received and accepted. We also noted that ATF did not perform reviews of the supporting
documentation to verify receipt and acceptance of goods and services. In addition, we noted that supporting
documentation for processed receivers was not reviewed to ensure that receiver information entered was
accurate and complete. Finally, we noted that the review of the aged accounts payable listing to identify and
follow up on old outstanding balances only occurred at year-end, as opposed to on a quarterly basis. This
condition, which was identified as a material weakness in the ATF’s 2004 Independent Auditors’ Report on
Internal Control over Financial Reporting, continued to exist in 2005 although ATF took steps to address the
problem. Such steps included training programs for purchasing agents and implementation of additional
internal controls to detect and correct errors. The continuing weaknesses were due to: (1) the purchasing
agents failure to identify purchases for which the goods and services had been received and accepted, (2)
documentation for processed receivers not being reviewed to ensure that the receiver information entered was
accurate and complete, and (3) a failure to review the aged accounts payable listing to identify and follow up
on old outstanding balances quarterly and at year end.
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 7
Department of Justice FY 2005 Performance and Accountability Report
III-17
Grant Advance and Payable Estimation Process. During testing of the grant advance and payable amounts
reported in OJP’s financial statements, it was noted that improvements are needed to ensure that OJP
accurately estimates these amounts, as follows:
Lack of Formalized Policies and Procedures. While it was noted that OJP has taken steps to improve its
grant estimation process, the methodology had to be revised several times as a result of certain analyses
performed throughout the year and was not finalized until August 2005. In addition, because OJP has not
finalized its corrective action plan for revising the grant accrual methodology, the detailed policies and
procedures have not been formalized and implemented, specifically as they pertain to the actions and
documentation related to executing the various phases of the methodology.
Grant Monitoring Procedures. In reviewing OJP’s grant monitoring procedures, component auditors noted
that OJP did not follow up and resolve certain site visit and Single Audit Act findings within the required
time frames. Specifically, OJP did not prepare and submit to the grantee and the Office of the Inspector
General (OIG) a draft corrective action plan and correspondence memorandum within 15 days of the report
issuance in 21 of the 32 grants reviewed. In addition, final closure was not provided to the OIG within the
one-year timeframe for two of these grants. We also noted that follow-up letters were not issued to
grantees timely in 29 of the 30 site visit reports that we reviewed, nor was OJP’s site visit sample
statistically taken from a complete population of grants (“low-risk” grantees were not included in OJP’s
risk-based sampling technique).
Grant and Non-Grant Deobligations. In testing undelivered orders transactions, we noted a general lack of
timeliness and the need for significant improvement in OJP’s deobligation and close-out process related to
both grant and non-grant undelivered orders, as follows:
Grant Close-Out Process. In reviewing OJP’s grant close-out process, we noted that grant managers did
not consistently ensure that the undelivered orders balances on closed grants were deobligated in a timely
manner (within 180 days). In our analysis of expired grants with unliquidated balances, we noted certain
grants that were not deobligated within one year of the grant termination date.
Non-Grant Undelivered Orders. In our sample of 30 non-grant unliquidated obligations, we identified 4
undelivered orders that were incorrectly recorded. Two of the undelivered orders were invalid and two had
an incorrect balance.
Property and Equipment. The FBI uses a subsidiary ledger, the Property Management Application (PMA),
to account for both capital and non-capital equipment. Consequently, the process used to record and track
property is difficult to apply and prone to error, thus requiring manual intervening processes to detect and
prevent erroneous or unsupported transactions. It was noted that: (1) some equipment purchases were
recorded in PMA, but not recorded in the financial accounting system, (2) not all necessary costs were
included when recording assets in PMA, (3) weaknesses existed in some property subsidiary ledgers, for
example, software-in-progress and construction-in-progress, and (4) equipment purchases were not always
entered into PMA in a timely fashion.
The USMS’s internal controls related to the management and recording of real property need improvement.
The other auditors noted material deficiencies in the USMS’s control processes for acquiring, processing, and
monitoring capitalized real property improvements, as follows:
Deficiencies noted related to the USMS’s GSA construction projects included: (1) construction
appropriation budgetary resources were used for projects that should have been funded by the salaries and
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 8
Department of Justice FY 2005 Performance and Accountability Report
III-18
expenses appropriation, (2) RWA funds were redirected to other projects without modification to the
agreements, (3) there were no procedures in place for approving GSA billings, (4) there were no
procedures in place for following up with GSA on unbilled leasehold improvement amounts at the end of
construction, and (5) RWA-related costs charged to the Repair and Alteration Building and Non-
Capitalized Personal Property sub-object classes were capitalized, while RWA-related costs charged to
other sub-object classes were not.
Deficiencies noted related to all USMS real property included: (1) the USMS does not consistently
populate the STARS data fields and real property tracking schedules (used to reconcile financial
information in STARS) with accurate project numbers. Furthermore, STARS does not identify all related
obligations for which project funds are used; (2) the USMS does not reclassify construction work-in-
progress projects as leasehold improvements in STARS when they are placed in service, rather such
reclassification is made when all obligated amounts are paid (security system installation-related projects)
or the project manager estimates the work to be 100-percent complete (GSA-related projects). At such
time, a reclassification is made from construction work-in-progress to leasehold improvements and
depreciation commences; (3) amounts paid exceeding the value of work based on construction
percentages-of-completion are recorded as offsets to the accrued liability account, as opposed to asset
accounts; and (4) RWAs and Requisitions for Procurement of Supplies and Equipment forms for amounts
exceeding $100,000 were not properly authorized and approved.
Accrual Accounting Functions. Weaknesses were identified in the WCF’s quarterly and year-end
reimbursable agreement (RA) accrual processes related to revenue earned for goods and services provided but
not yet billed. In addition, deficiencies were noted in the RA documentation maintained by certain program
offices. These conditions are indicative of a lack of secondary management review of quarterly unbilled and
earned RA revenue calculations. Weaknesses were also observed in the process for accruing the cost of
unbilled rental expense at certain WCF locations.
Laws and Regulations Noncompliances. The other auditors reported that the USMS did not comply with the
Prompt Payment Act (PPA) and the Improper Payments Information Act (IPIA), and that the USMS’s Federal
Managers’ Financial Integrity Act (FMFIA) report was not consistent with the other auditors’ results, as
follows:
PPA Noncompliance – The USMS District Office personnel responsible for complying with the
requirements of the PPA did not always assess interest on late payments, nor did they notify the vendors
within seven days of receipt in instances where bills were in dispute.
IPIA Noncompliance – The USMS has not established a program to assess, identify, and track improper
payments, nor has it implemented a Recovery Audit Program.
FMFIA Noncompliance – The USMS incorrectly reported that the finding captioned “Timeliness of
Financial Reporting and the Reliability of Financial Systems and Statements” had been resolved. In
addition, that report did not identify each of the material weaknesses disclosed during the other auditors’
audit.
As indicated above, improvements are still needed in the components’ day-to-day adherence to the
standardized accounting policies and procedures, as set forth in the Department’s Financial Statement
Requirements and Preparation Guide, to ensure accuracy and consistency in the Department’s consolidated
financial statements. Moreover, certain components’ financial management systems and related internal
controls do not provide an adequate level of reasonable assurance that financial transactions are properly
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 9
Department of Justice FY 2005 Performance and Accountability Report
III-19
recorded, processed, summarized, and documented to permit the preparation of financial statements in
accordance with generally accepted accounting principles. This condition places added importance on the
financial analysis and analytical review aspects of the quality assurance procedures at the end of each quarter,
and, particularly, at the end of the fiscal year, to detect and correct misstatements in the financial statements.
The limited amount of time available to the components’ staffs at the end of each financial reporting period for
performing financial analyses and analytical reviews increases the risk that errors existing in the components’
financial statements will not be detected and corrected prior to final issuance. Absent improvements in their
financial management, accounting, and internal control practices, components will continue to be challenged
to prepare accurate financial statements in accordance with generally accepted accounting principles in a
timely manner.
Financial Reporting
Certain of the Department’s components do not adequately obtain, record, analyze, reconcile, and adjust
financial information throughout the year, increasing the risk that errors in the financial statements will not be
detected timely. There is also a shortage of trained financial management personnel available to perform
certain internal control functions related to the financial reporting process. We and the other auditors noted the
following financial reporting deficiencies (the effects of which were adjusted in the components’ financial
statements, as appropriate):
OJP’s Financial Reporting, Monitoring, Analysis, and Documentation Procedures. During testing of
OJP’s preparation of financial statements and certain account reconciliations, we noted that improvement is
needed to ensure that OJP can accurately and timely produce its financial statements and perform related
analyses. We noted deficiencies in the following areas:
Accuracy and Completeness of and Support for Financial Statement Information. We noted errors in
OJP’s financial statements related to the posting of adjusting journal entries, specifically the reversing
entries related to the 2003 and 2004 grant accruals were posted to the wrong account. In addition, OJP
incorrectly reversed a portion of its cost posting to general ledger adjusting journal entry. These errors
occurred because the entries were not reviewed to ensure their propriety and that they agreed with related
supporting documentation.
Financial System Queries. OJP does not have written policies and procedures in place for performing the
financial system and general ledger queries necessary to reconcile undelivered orders balances.
Correction of Reconciling Items in the General and Subsidiary Ledgers. OJP performed a reconciliation of
undelivered orders balances in the general ledger and subsidiary ledger, from the implementation date of
the financial management system to the present. An “on-top” adjustment was made in OJP’s 2004 restated
financial statements, as the general ledger had already been closed for the year. As of September 30, 2005,
OJP had yet to record the necessary correcting entries in the general ledger. In turn, OJP recorded another
“on-top” adjustment in its 2005 financial statements.
Support for Journal Voucher Transactions. Documentation maintained to substantiate certain 2004 journal
voucher transactions was inadequate. This condition remained uncorrected as of September 30, 2005.
Processing of Reimbursable Agreements. In testing the undelivered orders reconciliation, we noted that
OJP’s RA with two Department components were processed through journal entries made to the financial
management system. Typically, OJP processes RAs as document transaction records in its cost posting
module, with relevant accounting entries subsequently posted to the general ledger. However, the activity
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 10
Department of Justice FY 2005 Performance and Accountability Report
III-20
for the RAs noted above is posted on a quarterly basis by way of journal voucher without an RA-specific
document record identifier in the financial management system.
The FBI’s Financial Reporting Process. During the audit of the FBI, we noted that the following
weaknesses continue to exist in the financial reporting process and supporting financial management system:
Obligations. The FBI’s internal controls over the management of obligations do not provide for the timely
deobligation of funds that are no longer required for their original purpose. Although improvements were
noted throughout the year as the FBI performed a review of each contract file, our year-end testing
identified obligations that should have been deobligated and were not.
Accounts Payable Accrual Methodology. The FBI has not effectively implemented its accounts payable
accrual methodology, in that during the year: (1) there were no formal procedures or guidance for
estimating accounts payable, (2) insufficient training was provided to assist contracting officers in
estimating accounts payable amounts, and (3) various units and contracting officers applied the
methodology inconsistently. These conditions contributed to inaccurate accruals being made for the
quarters ended March 31, 2005 and June 30, 2005. We noted, however, that corrective action was later
taken, including training programs for contracting officers and documentation of the accrual methodology
for certain types of accounts payable. This corrective action enabled contracting officers to make valid
assumptions in applying the accrual methodology when estimating accounts payable as of September 30,
2005.
Advances to Others. The FBI’s internal controls over the recording and monitoring of advances to others
are not adequate to ensure that advances are recorded accurately or that amounts are liquidated when the
related services have been performed.
Policies and Procedures. The FBI’s formal policies and procedures (including desk manuals) are either
outdated or incomplete for many of the roles, responsibilities, processes, and functions performed within
the Finance Division. For example, improvements are needed in the formal documentation of the
preparation and review of the quarterly and annual financial statements, reconciliation and review of Fund
Balance with Treasury and the Federal Agencies’ Centralized Trial Balance System transactions, quarterly
process for estimating accruals for other than services contracts, and reconciliation and review of fixed
asset information.
Monitoring and Resolution of Internal Audit Findings. During the review of a variety of financial and
custodial controls in place at the FBI’s field offices, it was noted that field office management did not
always take effective action to research and resolve discrepancies that had been noted in internal audits or
in automated exception reports provided to field offices on a recurring basis. As a result, certain types of
transactions remained unresolved for an extended period of time.
Improvements are still needed in these components’ internal controls over the financial reporting process.
Inadequate, outdated, and, in some cases, non-integrated financial management systems do not provide for
certain automated financial transaction processing activities to support management’s need for timely and
accurate financial information. This inhibits management’s ability to assess financial reporting risk; design,
communicate, and implement appropriate control activities; and monitor the financial reporting process.
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 11
Department of Justice FY 2005 Performance and Accountability Report
III-21
Recommendations
We recommend that the Department:
1. Monitor the corrective actions taken by the USMS to improve the condition of its overall internal control
framework, in response to the specific recommendations made in the other auditors’ Independent
Auditors’ Reports on Internal Control over Financial Reporting issued in connection with the audit of the
USMS’s financial statements as of and for the year ended September 30, 2005. (New)
Management Response:
The Department of Justice (DOJ) management concurs with this recommendation. During FY 2006, the
corrective actions taken by the USMS will be constantly monitored by the Department’s Office of Chief
Financial Officer. A team will review the USMS internal control environment and planned procedures to
ensure sound financial management practices are established. Additional oversight will be performed as
the Department implements the revised OMB Circular A-123, Management’s Responsibility for Internal
Control.
2. Continue with the initiative to improve the Department-wide internal control program, with an emphasis
on timely monitoring of financial controls by management. Communicate the importance of financial
reporting monitoring controls in the next update to the Department’s Financial Statement Requirements
and Preparation Guide. Enlist the support of the Department’s senior management in ensuring that direct
responsibility for the implementation of and adherence to financial monitoring controls is clearly
communicated to and affixed with senior management at each component. (Repeat)
Management Response:
DOJ management concurs with this recommendation. During FY 2005, meetings were held with senior
executives to stress the importance of establishing an environment that supports sound internal controls.
In addition, training on the significance of internal controls was given to employees and executives from
several components during the fiscal year. The Justice Management Division has additional internal
control training planned during the next several quarters. Senior management has been made aware of
their responsibility under OMB Circular A-123, to establish and maintain an effective and efficient
internal control environment. The FY 2006 Financial Statement Requirements and Preparation Guide
will also include an emphasis on timely monitoring of financial reporting controls.
3. Assess the adequacy and completeness of the Department’s accounting and financial reporting policies and
procedures in the areas of: (a) accounts payable (and proper consideration of receipt and acceptance of
goods and services), (b) grant advances and the grant-related accounts payable estimation methodology,
(c) budgetary accounting for grant and non-grant obligations, (d) property management (e.g., real property,
construction work-in-progress, the charging of construction costs to the proper budgetary resource,
software-in-progress, leasehold improvements, and subsidiary property records), and (e) RA-related
accrual accounting. Based on the results of this assessment, determine the need to issue new guidance
and/or reiterate to components the existing policies for those areas in which the components’ auditors
identified internal control weaknesses related to the recording of transactions and the reporting of financial
results. (Update)
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 12
Department of Justice FY 2005 Performance and Accountability Report
III-22
Management Response:
DOJ management concurs with the recommendation. JMD will continue to reinforce existing, and
develop new, accounting policy and procedures requiring application of component revenue accrual
methodologies and calculations. Additionally, JMD will work with the various components to develop
training on the adequate accrual methodologies and grant-related accounts payable methodologies.
Working with the various finance and property management offices, JMD will stress the need to ensure
property is accounted for properly. In addition, strategies for accountable property will be revisited.
4. Continue efforts to implement a Department-wide integrated financial management system that is in
compliance with the United States Government Standard General Ledger, conforms with the financial
management systems requirements of the Joint Financial Management Improvement Program, and can
accommodate the requirements of applicable Federal accounting standards. Proceed with implementation
of a financial statement consolidation package to automate the compilation of the Department-wide
financial statements. (Repeat)
Management Response:
DOJ management concurs with this recommendation. The Attorney General identified a unified core
financial system as a major goal for the Department. While a Joint Financial Management Improvement
Program certified software package was selected before the end of the FY 2005, management will select
the integration and implementation contractor in FY 2006. JMD will work with the contractors to ensure
processes meet the requirements of applicable federal accounting standards.
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 13
Department of Justice FY 2005 Performance and Accountability Report
III-23
IMPROVEMENTS ARE NEEDED IN THE DEPARTMENTS COMPONENT FINANCIAL MANAGEMENT SYSTEMS
GENERAL AND APPLICATION CONTROLS.
In performing procedures on the components financial management information systems, we and other
component auditors considered the Government Accountability Office’s (GAO) Federal Information System
Controls Audit Manual; the Department’s Order No. 2640.2E, Information Technology Security; OMB
Circular No. A-130, Management of Federal Information Resources; and technical publications issued by the
National Institute of Standards and Technology (NIST). The FBI’s auditors reviewed the FBI’s information
system (IS) general controls environment and reported their detailed findings to the OIG in a separate limited
distribution report.
In support of the Department's fiscal year 2005 consolidated financial statement audit, we performed a review
of the DOJ consolidated IS general controls environment that provides general control support for several DOJ
components’ financial applications. The Department's OSS has primary responsibility over the consolidated
IS general controls environment and the following services: (1) Technology Assessment and Planning
Services, (2) Customer Services, (3) Infrastructure Services, and (4) Security and Business Continuity
Services. We conducted our general controls environment review for the fiscal year ending September 30,
2005 and reported our detailed findings to the OIG in a separate limited distribution report.
The following table depicts the more significant weaknesses identified by the auditors on the DOJ
consolidated IS general controls environment and the 10 Department reporting components for fiscal year
2005. Following the table, we present some of the specific conditions reported by the components’ auditors.
General & Application Control Weaknesses
O
B
D
s
(1)
A
F
F
(1)
F
B
I
D
E
A
O
J
P
A
T
F
U
S
M
S
B
O
P
(1)
F
P
I
W
C
F
(1)
Entity-wide Security X X
Access Controls X X X X X X X X
Application Software Development and Change
Controls/System Development Life Cycle
(SDLC)
X
X
X
X
Service Continuity X X
Segregation of Duties X X
System Software X X X X X
Application Controls X
(1)
The OSS IS controls environment weakness identified in the areas of security program, access controls, and system
software impacts the OBDs, AFF, BOP, and WCF IS controls environments.
OBDs – Weaknesses were identified in the Financial Management Information System’s (FMIS2)
implementation of OBDs’ management of logical access controls.
AFF – The FMIS2 weaknesses identified at OBDs also impact AFF’s financial management information
systems because AFF uses FMIS2 as its accounting system.
FBI – The weaknesses identified in the above table could compromise the agency’s ability to ensure security
over sensitive programmatic or financial data, the reliability of its financial reporting, and compliance with
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 14
Department of Justice FY 2005 Performance and Accountability Report
III-24
applicable laws and regulations. In addition, weaknesses were determined to continue to exist in the FBI’s
password, patch, and configuration management controls.
OJP – Weaknesses were identified in the overall entity-wide security program, access controls, system
software development and change control procedures for applications, system software, segregation of duties,
and service continuity. Many of these weaknesses had not been corrected from prior years.
ATF – Weaknesses continue to exist in access controls and system software. In addition weaknesses were
identified in ATF’s application change controls. Significant vulnerabilities not fully corrected from prior years
remained in the controls over financial network operating systems, access controls over various financial and
operational databases, and operating system level weaknesses on two servers that impact the processing of
financial data.
USMS – Weaknesses in the general network control environment continue to exist in the areas of segregation
of duties, access controls, and system software for the general support systems. In addition, for the service
continuity area contingency plans have not been fully developed for the Marshals Network, the Financial
Management System and the Standardized Tracking Accounting and Reporting System under guidelines
provided by the Department’s standards.
BOP – Improvements are needed in the overall entity-wide security program, access controls, and system
software development and change control procedures. A number of weaknesses in each of these areas existed
in prior years. In addition, the FMIS2 weaknesses identified at OBDs also apply to BOP because BOP uses
the FMIS2 accounting system maintained by OBDs.
WCF – The FMIS2 weaknesses identified at OBDs also impact WCF’s financial management information
systems because WCF uses FMIS2 as its accounting system.
The weaknesses identified by components’ auditors in the components’ general and application controls
increase the risk that programs and data processed on components’ information systems are not adequately
protected from unauthorized access or service disruption.
Recommendation
We recommend that the Department:
5. Require the components’ and the OSS’s Chief Information Officers (CIO) to submit corrective action
plans that address the weaknesses identified above. The action plans should focus on correcting
deficiencies in entity-wide security, access controls, application software development and change
controls/SDLC, service continuity, segregation of duties, system software, and other specific application
control weaknesses discussed in the component auditors’ reports on internal control and the general
controls environment limited-distribution report. The corrective action plans should include a timeline
that establishes when major events must be completed, and the Department’s CIO should monitor
components’ efforts to correct deficiencies and hold them accountable for meeting the action plan
timelines. (Update)
Management Response:
The Office of the Chief Information Officer (OCIO), working with the Chief Financial Officer and
component program managers as well as their respective CIOs, will continue to develop corrective action
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 15
Department of Justice FY 2005 Performance and Accountability Report
III-25
plans to address weaknesses identified and implement corrective actions to ensure program improvements
are made and institutionalized, including necessary improvements in OSS operations. In February 2005,
the CIO initiated a Financial Audit IT Oversight Program to ensure that weaknesses identified in prior year
audits are addressed and that enhancements in policies, processes, and workflow are implemented to
provide the best possible support for successful financial audits. The corrective actions articulated in that
program will continue to be pursued in order to address the reported control issues. Further, the CIO
program has begun to implement an IT Security Management Scorecard to report the status, progress,
schedule, management issues, risk areas, etc. related to the corrective action plans from prior year financial
audits.
The corrective action plans are a subset of the Department’s overall Plans of Actions and Milestones and
are available to the Office of the Inspector General and reported to OMB in the Department’s quarterly
Federal Information Security Management Act (FISMA) Reports.
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 16
Department of Justice FY 2005 Performance and Accountability Report
III-26
KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is
a member of KPMG International, a Swiss association.
Exhibit III
STATUS OF PRIOR YEARS’ RECOMMENDATIONS
As required by Government Auditing Standards and OMB Bulletin No. 01-02, Audit Requirements for Federal
Financial Statements, we have reviewed the status of the Department’s corrective actions with respect to prior
years’ findings and recommendations. The following table summarizes these issues and provides our
assessment of the progress the Department of Justice has made in correcting these reportable conditions. We
have also provided the Office of the Inspector General report number by which the recommendation is
monitored for audit follow-up.
Reported Condition Recommendation Status
Fundamental changes are
needed in the components’
internal controls to ensure
financial information can be
provided timely to manage
the Department’s programs
and to prepare its financial
statements within the
accelerated reporting
deadlines of the OMB.
FY 2004 Department of
Justice Annual Financial
Statement, Report No. 05-03
Material Weakness.
FY 2003 Department of
Justice Annual Financial
Statement, Report No. 04-13
Material Weakness.
FY 2004 Recommendation No. 2: Assess the adequacy and
completeness of the Department’s accounting and financial
reporting policies and procedures in the areas of:
(a) budgetary accounting (e.g., obligations/deobligations,
unfilled customer orders), (b) property management (e.g., real
property, construction work-in-progress, leasehold
improvements, subsidiary property records, loss on disposal of
assets), (c) accounts payable (e.g., accrual estimates, receipt
and acceptance, unbilled goods and services), (d) advances to
and from others, including under reimbursable agreements,
and (e) expense and revenue recognition. Based on the results
of this assessment, determine the need to issue new guidance
and/or reiterate to components the existing policies for those
areas in which the components’ auditors identified internal
control weaknesses related to the recording of transactions and
the reporting of financial results.
FY 2004 Recommendation No. 3: Continue efforts to
implement a Department-wide integrated financial
management system that is in compliance with the U.S.
Government Standard General Ledger, conforms with the
financial management system requirements of the Joint
Financial Management Improvement Program, and can
accommodate the requirements of applicable Federal
accounting standards. Proceed with implementation of a
financial statement consolidation package to automate the
compilation of the Department-wide financial statements.
FY 2003 Recommendation No. 1: Improve the Department-
wide internal control program and include timely monitoring
of financial controls by management. Communicate this to the
components in the Department’s Financial Statement
Requirement and Preparation Guide. Senior leadership of the
Department must support this effort and assign direct
responsibility for the implementation of the internal control
program to senior leaders at each component.
In Process
In Process
In Process
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 17
Department of Justice FY 2005 Performance and Accountability Report
III-27
Fundamental changes are
needed in the components’
internal controls to ensure
financial information can be
provided timely to manage
the Department’s programs
and to prepare its financial
statements within the
accelerated reporting
deadlines of the OMB.
(cont.)
FY 2003 Recommendation No. 3: Proceed with the rapid
implementation of the Department’s Unified Financial
Management System Project. The core financial system
should include, but not be limited to, applications that support:
(a) funds control (e.g., budget execution); (b) obligation
accounting and control; (c) cash management; (d) inventory
and property management; (e) the standard general ledger;
(f) financial statement preparation, consolidation and
reporting; and (g) customer/vendor recognition, including,
intragovernmental trading partners. To the extent possible, the
financial management system should be able to provide real-
time financial data and provide flexibility in meeting external
reporting requirements. As part of this effort, the Department
should continue its development of a consolidation tool that
will automate the current labor-intensive consolidation
process, including, performance and accountability reporting,
and the reconciliation of intragovernmental and intra-
departmental transactions. Finally, a standard schedule of
transaction codes should be developed and implemented in the
system that describes the accounting transactions and the
standard general ledger accounts to be used (both proprietary
and budgetary). During the development of the transaction
schedule, we strongly encourage the use of the Department of
the Treasury’s Treasury Financial Manual, Section III, which
provides a detailed list of budgetary and proprietary
transactions and the U.S. Government Standard General
Ledger accounts affected.
FY 2003 Recommendation No. 4: Ensure components have
allocated sufficient resources to support the financial
management and reporting process. Develop training for
components’ program and finance staff on the responsibilities
for internal control and financial management. Include a
detailed discussion on the Department’s consolidated
accounting and reporting requirements and emphasize that
components’ financial statements are segments of the
Department’s consolidated financial statements.
In Process
In Process
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 18
Department of Justice FY 2005 Performance and Accountability Report
III-28
Improvements are needed
in OJP’s grant accounting
and monitoring policies and
procedures.
FY 2004 Department of
Justice Annual Financial
Statement, Report No. 05-03
Material Weakness.
FY 2004 Recommendation No. 5: Direct OJP management
to implement policies and procedures related to the quality of
grantee data, including: (a) ensuring grantee data recorded in
IFMIS is complete, accurate, and valid (specifically with
respect to the input of grant awards, subsequent adjustments,
and ACH data and SF-269 information), (b) performing
periodic monitoring of information in IFMIS to verify that
information is current and accurate, (c) establish formal data
quality procedures to review all grants regularly to ensure that
grants are coded correctly in IFMIS, (d) establish formal
review procedures to ensure that appropriate grants are
included in the grant accrual calculation, and (e) implement
continuous training of Control Desk staff to prepare them to
recognize and code grants correctly, particularly with respect
to distinguishing block grants from discretionary grants.
FY 2004 Recommendation No. 6: Direct OJP management
to implement policies and procedures related to grant
monitoring, including: (a) improving the monitoring
procedures used to capture data that would quantify the effects
of errors in grantees’ SF-269 data or OJP’s own data,
(b) following up with grantees based on level of priority and in
accordance with the timeframes established in its policy for
site visit and Single Audit Act identified issues, and
(c) developing a monitoring program that includes assessing
the risk of potential improper payments under grant programs,
as well as non-grant payments.
FY 2004 Recommendation No. 7: Direct OJP management
to implement policies and procedures related to the grant
accrual and advance calculation methodology, including
(a) evaluating the assumptions utilized in the grant accrual and
advance calculation methodology at the program level, and
(b) analyzing the methodology for reasonableness at
appropriate intervals, with documentation maintained to
support the analyses.
Completed
Completed
Completed
Independent Auditors’ Report on Internal Control over Financial Reporting
Page 19
Department of Justice FY 2005 Performance and Accountability Report
III-29
Improvements are needed
in components’ general and
application controls over
financial management
systems and the general
controls at the
Department’s data
processing centers.
FY 2000 Department of
Justice Annual Financial
Statement, Report No. 01-07
Material Weakness.
FY 2000 Recommendation No. 2: Require the components
to submit corrective action plans to address the identified
weaknesses. The action plans should focus on correcting
deficiencies in continuity planning, risk assessments,
segregation of duties, access controls, and unauthorized
physical or logical access. The action plan must include a
timeline establishing when major events must be completed,
including testing new controls, reconciling data converted
from legacy systems, implementing new controls or modules,
and establishing a plan for monitoring controls post
implementation. The CFO should monitor components’
efforts to correct deficiencies and hold them accountable for
meeting the action plan timelines.
In Process
Department of Justice FY 2005 Performance and Accountability Report
III-30
This page intentionally left blank.