Management Report: Improvements Are Needed to Strengthen the American Battle Monuments Commission's Internal Controls and Accounting Procedures

GAO-12-830R: Published: Jul 26, 2012. Publicly Released: Jul 26, 2012.

Contact:

Cheryl E. Clark
(202) 512-3000
sebastians@gao.gov

 

Nabajyoti Barkakati
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

During our audit of the Commission’s fiscal years 2011 and 2010 financial statements, we identified the following internal control deficiencies that, collectively, constituted a significant deficiency in the Commission’s internal control over financial reporting as of September 30, 2011.

  • Access controls over foreign employee payroll systems. The Commission’s controls were not fully effective in appropriately segregating duties of the systems administrators responsible for the foreign employee (non-U.S. citizen employees) payroll systems. In addition, controls were not effective in ensuring that critical system updates and patches to the Commission’s servers were made, leaving them vulnerable to unauthorized access. These issues increase the risk that unauthorized users could access and make changes in the foreign employee payroll systems without the Commission’s knowledge.
  • Policies and procedures for processing foreign payroll. The Commission did not have written policies and procedures in place detailing key tasks, roles, and responsibilities related to processing foreign payroll transactions. This increased the risk of (1) errors or irregularities in foreign employee payroll records, (2) misstatements in the Commission’s financial statements, and (3) noncompliance with relevant laws, regulations, and Commission policies.

In addition, we found the following deficiency in the Commission’s internal control as of September 30, 2011.

  • Physical inventory counts. The Commission’s policy for conducting biennial physical inventories of equipment was not followed, and procedures for conducting the physical inventories had not been developed. These conditions increased the risk that safeguarding of assets could be compromised and that errors or misstatements could exist in the Commission’s inventory and financial records as well as the financial statements and not be promptly detected and corrected.

At the end of our discussion of each issue, we present our recommendations for strengthening the Commission’s internal control. We are making seven new recommendations that, if effectively implemented, should address the internal control deficiencies we identified. These recommendations are intended to bring the Commission into conformance with its own policies, the Standards for Internal Control in the Federal Government, and guidance issued by the National Institute of Standards and Technology (NIST).

As a result of our fiscal years 2007 through 2010 audits of the Commission’s financial statements, we have provided the Commission with 170 recommendations to improve its internal control, accounting procedures, and information systems. Through February 21, 2012, the date of our completion of the fiscal year 2011 audit, the Commission had implemented 127 recommendations, or about 75 percent of the recommendations we have made from the 2007 through 2010 audits.

Why GAO Did This Study

In March 2012, we issued our report on the results of our audit of the financial statements of the American Battle Monuments Commission (the Commission) as of, and for the fiscal years ending September 30, 2011 and 2010, and on the effectiveness of its internal control over financial reporting as of September 30, 2011. We also reported our conclusions on the Commission’s compliance with provisions of selected laws and regulations.

Our report concluded that although certain internal controls could be improved, the Commission maintained, in all material respects, effective internal control over financial reporting as of September 30, 2011. However, we did report a significant deficiency in the Commission’s internal control over its payroll processes for its non-U.S. citizen employees (foreign employees). The purpose of this report is to present additional information on the control issues that we identified during our audit of the Commission’s fiscal year 2011 financial statements that constituted the significant deficiency and to provide our recommended actions to address those issues. Also, we identified an additional internal control issue that while not considered to be either a material weakness or a significant deficiency, nonetheless warrants management’s attention.

What GAO Recommends

This report provides our recommendations to address this internal control issue as well. In addition, we are providing an update on the status of recommendations we made to address internal control issues identified during our prior years’ financial statement audits of the Commission and related financial management reports.

For more information, contact Steven Sebastian at (202) 512-3406 or sebastians@gao.gov or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing procedures requiring timely installation of all patches and critical updates as outlined in the Commission's Computer Security Plan.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: At the time of our review, the ABMC did not have any mechanisms to monitor the implementation of patches and critical updates as outlined in the Computer Security Plan. Furthermore, GAO found that patches and critical updates were not installed in a timely manner on Microsoft SQL Server and BlackBerry Enterprise Servers.

    Recommendation: The Commission should direct the appropriate officials to perform a review of the Commission's computer systems and servers to assess whether all patches and critical updates are current. For any systems and servers found without the most current patch or update, establish a process to ensure immediate installation.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: During our testing, ABMC had not installed patches on several information systems, including the Microsoft SQL Servers which support inventory. Further, it was discovered that their BlackBerry Enterprise Servers were not up to date.

    Recommendation: The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing Commission policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: During our audit of the American Battle Monuments Commission's (the Commission) fiscal year 2011 financial statements, we found that the Commission had not performed an independent physical inventory of equipment owned by the Commission at the various cemeteries across the world. We found that although the Commission had a policy to perform biennial physical inventory counts of all equipment over $500, this policy was not adhered to during fiscal year 2011. As a result of this finding, we recommended that the Secretary of the Commission direct the appropriate officials to establish a mechanism to monitor implementation of existing Commission policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more. During our fiscal year 2012 audit, we found that although the Commission had performed a comparison of the equipment on hand to the data recorded in SharePoint (a document management web application for sharing documents internally), an independent physical inventory was not performed. We determined that the Commission had not established a mechanism for performing an inventory of assets.

    Recommendation: The Commission should direct the appropriate officials to establish and implement written procedures for conducting all physical inventory counts of equipment. These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: During our audit of the American Battle Monuments Commission's (the Commission) fiscal year 2011 financial statements, we found that the Commission had not performed an independent physical inventory of equipment owned by the Commission at the various cemeteries across the world. We found that although the Commission had a policy to perform biennial physical inventory counts of all equipment over $500, this policy was not adhered to during fiscal year 2011. Further, the policy does not explain how to plan, execute, and analyze the results of an inventory count. As a result of this finding, we recommended that the Secretary of the Commission instruct the appropriate officials to establish and implement written procedures for conducting all physical inventory counts of equipment. These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results. During our fiscal year 2012 audit, we noted that the Commission does not have policies and procedures for performing an inventory of physical assets.

    Recommendation: The Commission should direct the appropriate officials to establish written policies and procedures outlining the key tasks, roles, and responsibilities of both the Human Resources Directorate and the Finance Directorate, including a formal mechanism for communicating all decisions and actions related to processing payroll for foreign employees.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: During our audit of the American Battle Monuments Commission's (the Commission) fiscal year 2011 financial statements, we found that the Commission did not have effective controls to minimize the risk of errors in processing payroll actions for its foreign employees. Specifically, we found that the Commission did not have policies and procedures clearly delineating the responsibilities of both the Human Resources and Finance Directorates with respect to ensuring accurate and complete payroll information for foreign employees. As a result of this finding, we recommended the Commission direct the appropriate officials to establish written policies and procedures outlining the key tasks, roles, and responsibilities of both the Human Resources Directorate and the Finance Directorate, including a formal mechanism for communicating all decisions and actions related to processing payroll for foreign employees. During fiscal year 2012, the Commission contracted with a consultant to (1) assess information relating to the Commission's foreign payroll operations, (2) analyze outsourcing options, and (3) compare vendors for final selection and contract negotiations. However, the Commission informed us that as of September 30, 2012, it had not taken action to address the specific deficiencies we identified during our fiscal year 2011 audit concerning its foreign payroll systems. Consequently, the weaknesses we identified contributing to this significant deficiency remained as of September 30, 2012, continuing to increase the risk of undetected errors or irregularities in the processing of the Commission's foreign payroll and, ultimately, in the Commission's financial statements.

    Recommendation: The Commission should direct the appropriate officials to update the Commission’s Computer Security Plan to reflect the current state of the Commission’s information technology environment.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing procedures requiring timely installation of all patches and critical updates as outlined in the Commission’s Computer Security Plan.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Commission should direct the appropriate officials to perform a review of the Commission’s computer systems and servers to assess whether all patches and critical updates are current. For any systems and servers found without the most current patch or update, establish a process to ensure immediate installation.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Commission should direct the appropriate officials to establish and implement written policies and procedures to identify and appropriately segregate the roles and responsibilities of staff involved in developing, testing, and implementing changes to and maintenance of the foreign employee payroll systems to reduce the risk of malevolent activity without collusion.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: At the time of review, ABMC had begun, but had not completed, implementing policies and procedures to identify and appropriately segregate the roles and responsibilities to maintain the foreign employee payroll systems. Further, they are in the process of outsourcing foreign payroll.

    Recommendation: The Commission should direct the appropriate officials to update the Commission's Computer Security Plan to reflect the current state of the Commission's information technology environment.

    Agency Affected: American Battle Monuments Commission

    Status: Open

    Comments: At the time of our review, the ABMC Computer Security Plan had not been updated. The latest version was from 2009 and does not reflect the current state of the Commission's information technology environment.
