Financial Management:

Review of the Military Retirement Trust Fund's Actuarial Model and Related Computer Controls

AIMD-97-128: Published: Sep 9, 1997. Publicly Released: Sep 9, 1997.

Contact:

Joel C. Willemssen
(202) 512-6253
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the Department of Defense (DOD) Military Retirement Trust Fund's actuarial model and related computer controls.

GAO noted that: (1) based on GAO's review, GAO concurs with KPMG Peat Marwick LLP's conclusion that the methodology and actuarial assumptions used by the DOD Office of the Actuary to calculate the pension liability as of September 30, 1996, and the annual actuarial activity for the Fund were reasonable and reliable; (2) GAO also concurs with KPMG's identification of numerous control weaknesses related to: (a) the data gathering and preparation process; and (b) electronic data processing (EDP) activities; (3) due to the serious nature of the computer-related weaknesses identified, GAO agrees with KPMG's conclusion that there is a lack of overall security administration and management governing access to Fund data files; (4) in particular, DOD has not adequately implemented security policies and procedures, controlled the ability of computer programmers to make changes to systems, and controlled access to information on pension fund participants; (5) such uncontrolled access affects other sensitive personal and career-related information as well; (6) the computer that houses the Fund's data files also stores information on social security numbers, pay rates, child and spousal abuse allegations, and medical test results for both active duty and retired personnel; (7) although DOD regulations require that sensitive data be housed only on computers meeting specific security guidelines, the Fund processing sites reviewed by KPMG do not comply with those guidelines; (8) despite the weaknesses identified, KPMG believed that a material misstatement of the pension liability was unlikely to occur because of compensating controls that hinge largely on the experience and tenure of staff in the Office of the Actuary; and (9) GAO agrees that compensating controls currently exist in the Office of the Actuary but cautions DOD against long-term reliance on controls that depend largely on the retention of a few key employees.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary determines the availability of complete data on inactive reservists.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: According to the Office of the Actuary, data on "grey-area" reservists have been included in the most recent pension liability calculations.

    Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary tests a sample of current valuation results independently from prior year results.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: Based on GAO's review of the Office of the Actuary's documentation and based on discussions with the independent public accounting firm that performed the fiscal year 1998 financial audit, actions responsive to this recommendation were completed in December 1998. The Office of the Actuary's contractor created a duplicate version of the retirement valuation model with "test-life" capability. The contractor and the Office of the Actuary then developed spreadsheets that validated the Office of the Actuary's model in approximately 30 cases chosen to reflect the entire September 30, 1997, valuation population. This process ensures that valuation results can be validated independently from prior-year results.

    Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary evaluates the efficiency of using the current spreadsheet analyses and documents those analyses.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: Based on GAO's review of the Office of the Actuary's documentation and discussions with the independent public accounting firm that performed the fiscal year 1998 financial audit, the actions responsive to this recommendation were completed in December 1998. The valuation spreadsheet has been restructured to include (1) a separate sheet for input elements, (2) separate sheets for individual actuarial analyses, (3) explanatory notes to enhance its auditability, and (4) security safeguards to protect it against unwarranted changes.

    Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center modifies the security program's parameters to ensure participants' data and actuarial programs are protected and that security requirements comply with regulations.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: DMDC reported previously that it expected to complete an organizational security certification and accreditation (DITSCAP) by March 31, 2000. The fiscal year 1999 financial audit found that (1) five findings from the DITSCAP risk assessment were still open as of January 2000, (2) DMDC security policy (requirements) was still in draft, (3) DMDC had no configuration standards for three of its platforms, and (4) DMDC had no detailed operating procedures for two platforms. DMDC stated in its response to the audit report that these issues had been corrected. In August 2001, Deloitte & Touche conducted a follow-up, and determined that the five DITSCAP issues had been corrected, DMDC security policy had been issued and updated, and that configuration standards had been developed.

    Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center implements security features and parameters to ensure that unauthorized access to systems is reduced and that audit trails are activated and protected from unauthorized editing.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DMDC representatives have consistently stated that they have properly addressed this recommendation and resolved the control issues. Subsequent audits, however, have revealed continuing issues in this area. DoDIG has indicated that it has no plans to review this recommendation in the future. The recommendation will therefore be closed.

    Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center develops (or modifies) and implements security policies and procedures to ensure that: (1) all users are authorized and have only the necessary access to facilities and data; (2) such access is reviewed periodically and removed promptly when warranted; and (3) access violations are researched.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DMDC representatives have consistently stated that they have properly addressed this recommendation and resolved the control issues. Subsequent audits, however, have revealed continuing issues in this area. The recommendation will therefore be closed.

    Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center develops and implements comprehensive change management procedures governing changes to both the Fund's application programs and related operating systems.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DMDC representatives have stated that they have properly addressed this recommendation and resolved the control issues. To date, change management procedures have reportedly been implemented by DMDC and the Office of the Actuary, but subsequent audits have indicated continuing issues. Subsequent audits have also noted continuing issues with system software change control procedures at the Naval Postgraduate School, as well as undocumented exits and undocumented network connections. The recommendation will therefore be closed.

    Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center designs, develops, tests, and implements a comprehensive disaster recovery plan.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DMDC had reported previously that they had completed corrective action on this recommendation. Subsequent audits, however, have revealed continuing issues in this area. The recommendation will therefore be closed.

    Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary documents annual data preparation and processing steps in a formal, detailed manual.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD reports that written descriptions of the various stages of data preparation and processing have been developed, and the Office of the Actuary has created a formal checklist to assist in monitoring completion of various stages of the valuation process. A contractor, PricewaterhouseCoopers, will provide formal, detailed documentation of the retirement valuation model as a contract deliverable, expected to be completed by December 2001. As of September 2003, implementation of this recommendation has been delayed. Consequently, considering the passage of time since GAO's recommendation, GAO is closing this recommendation as not implemented.

    Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center formally assesses and documents the risk of the Year 2000 impact on the actuarial application and prepares contingency plans, if needed, to ensure operations are not disrupted.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DMDC reported in 1999 that its Y2K conversions were complete and that its continuity-of-operations (DRP) plans would be complete by the end of 1999. Subsequent audits, however, have indicated continuing issues related to DRP. Y2K is no longer an issue, and DRP is noted above. This recommendation will therefore be closed.
