What GAO Found

During our audit of the Commission’s fiscal years 2011 and 2010 financial statements, we identified the following internal control deficiencies that, collectively, constituted a significant deficiency in the Commission’s internal control over financial reporting as of September 30, 2011.

• Access controls over foreign employee payroll systems. The Commission’s controls were not fully effective in appropriately segregating duties of the systems administrators responsible for the foreign employee (non-U.S. citizen employees) payroll systems. In addition, controls were not effective in ensuring that critical system updates and patches to the Commission’s servers were made, leaving them vulnerable to unauthorized access. These issues increase the risk that unauthorized users could access and make changes in the foreign employee payroll systems without the Commission’s knowledge.

• Policies and procedures for processing foreign payroll. The Commission did not have written policies and procedures in place detailing key tasks, roles, and responsibilities related to processing foreign payroll transactions. This increased the risk of (1) errors or irregularities in foreign employee payroll records, (2) misstatements in the Commission’s financial statements, and (3) noncompliance with relevant laws, regulations, and Commission policies.

In addition, we found the following deficiency in the Commission’s internal control as of September 30, 2011.

• Physical inventory counts. The Commission’s policy for conducting biennial physical inventories of equipment was not followed, and procedures for conducting the physical inventories had not been developed. These conditions increased the risk that safeguarding of assets could be compromised and that errors or misstatements could exist in the Commission’s inventory and financial records as well as the financial statements and not be promptly detected and corrected.

At the end of our discussion of each issue, we present our recommendations for strengthening the Commission’s internal control. We are making seven new recommendations that, if effectively implemented, should address the internal control deficiencies we identified. These recommendations are intended to bring the Commission into conformance with its own policies, the Standards for Internal Control in the Federal Government, and guidance issued by the National Institute of Standards and Technology (NIST).

As a result of our fiscal years 2007 through 2010 audits of the Commission’s financial statements, we have provided the Commission with 170 recommendations to improve its internal control, accounting procedures, and information systems. Through February 21, 2012, the date of our completion of the fiscal year 2011 audit, the Commission had implemented 127 recommendations, or about 75 percent of the recommendations we have made from the 2007 through 2010 audits.

Why GAO Did This Study

In March 2012, we issued our report on the results of our audit of the financial statements of the American Battle Monuments Commission (the Commission) as of, and for the fiscal years ending September 30, 2011 and 2010, and on the effectiveness of its internal control over financial reporting as of September 30, 2011. We also reported our conclusions on the Commission’s compliance with provisions of selected laws and regulations.

Our report concluded that although certain internal controls could be improved, the Commission maintained, in all material respects, effective internal control over financial reporting as of September 30, 2011. However, we did report a significant deficiency in the Commission’s internal control over its payroll processes for its non-U.S. citizen employees (foreign employees). The purpose of this report is to present additional information on the control issues that we identified during our audit of the Commission’s fiscal year 2011 financial statements that constituted the significant deficiency and to provide our recommended actions to address those issues. Also, we identified an additional internal control issue that while not considered to be either a material weakness or a significant deficiency, nonetheless warrants management’s attention.

What GAO Recommends

This report provides our recommendations to address this internal control issue as well. In addition, we are providing an update on the status of recommendations we made to address internal control issues identified during our prior years’ financial statement audits of the Commission and related financial management reports.

For more information, contact Steven Sebastian at (202) 512-3406 or sebastians@gao.gov or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Status Legend:

Review Pending-GAO has not yet assessed implementation status.

Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.

Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.

Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

• Review Pending
• Open
• Closed - implemented
• Closed - not implemented

Recommendations for Executive Action

Recommendation: The Commission should direct the appropriate officials to establish and implement written procedures for conducting all physical inventory counts of equipment. These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results.

Agency Affected: American Battle Monuments Commission

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commission should direct the appropriate officials to establish written policies and procedures outlining the key tasks, roles, and responsibilities of both the Human Resources Directorate and the Finance Directorate, including a formal mechanism for communicating all decisions and actions related to processing payroll for foreign employees.

Agency Affected: American Battle Monuments Commission

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commission should direct the appropriate officials to update the Commission’s Computer Security Plan to reflect the current state of the Commission’s information technology environment.

Agency Affected: American Battle Monuments Commission

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing procedures requiring timely installation of all patches and critical updates as outlined in the Commission’s Computer Security Plan.

Agency Affected: American Battle Monuments Commission

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commission should direct the appropriate officials to perform a review of the Commission’s computer systems and servers to assess whether all patches and critical updates are current. For any systems and servers found without the most current patch or update, establish a process to ensure immediate installation.

Agency Affected: American Battle Monuments Commission

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commission should direct the appropriate officials to establish and implement written policies and procedures to identify and appropriately segregate the roles and responsibilities of staff involved in developing, testing, and implementing changes to and maintenance of the foreign employee payroll systems to reduce the risk of malevolent activity without collusion.

Agency Affected: American Battle Monuments Commission

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing Commission policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more.

Agency Affected: American Battle Monuments Commission

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.