
Management Report: Improvements Are Needed to Strengthen the American Battle Monuments Commission's Internal Controls and Accounting Procedures

GAO-12-830R Published: Jul 26, 2012. Publicly Released: Jul 26, 2012.

Highlights

What GAO Found

During our audit of the Commission’s fiscal years 2011 and 2010 financial statements, we identified the following internal control deficiencies that, collectively, constituted a significant deficiency in the Commission’s internal control over financial reporting as of September 30, 2011.

  • Access controls over foreign employee payroll systems. The Commission’s controls were not fully effective in appropriately segregating duties of the systems administrators responsible for the foreign employee (non-U.S. citizen employees) payroll systems. In addition, controls were not effective in ensuring that critical system updates and patches to the Commission’s servers were made, leaving them vulnerable to unauthorized access. These issues increase the risk that unauthorized users could access and make changes in the foreign employee payroll systems without the Commission’s knowledge.
  • Policies and procedures for processing foreign payroll. The Commission did not have written policies and procedures in place detailing key tasks, roles, and responsibilities related to processing foreign payroll transactions. This increased the risk of (1) errors or irregularities in foreign employee payroll records, (2) misstatements in the Commission’s financial statements, and (3) noncompliance with relevant laws, regulations, and Commission policies.

In addition, we found the following deficiency in the Commission’s internal control as of September 30, 2011.

  • Physical inventory counts. The Commission’s policy for conducting biennial physical inventories of equipment was not followed, and procedures for conducting the physical inventories had not been developed. These conditions increased the risk that safeguarding of assets could be compromised and that errors or misstatements could exist in the Commission’s inventory and financial records as well as the financial statements and not be promptly detected and corrected.

At the end of our discussion of each issue, we present our recommendations for strengthening the Commission’s internal control. We are making seven new recommendations that, if effectively implemented, should address the internal control deficiencies we identified. These recommendations are intended to bring the Commission into conformance with its own policies, the Standards for Internal Control in the Federal Government, and guidance issued by the National Institute of Standards and Technology (NIST).

As a result of our fiscal years 2007 through 2010 audits of the Commission’s financial statements, we have provided the Commission with 170 recommendations to improve its internal control, accounting procedures, and information systems. Through February 21, 2012, the date of our completion of the fiscal year 2011 audit, the Commission had implemented 127 recommendations, or about 75 percent of the recommendations we have made from the 2007 through 2010 audits.

Why GAO Did This Study

In March 2012, we issued our report on the results of our audit of the financial statements of the American Battle Monuments Commission (the Commission) as of, and for the fiscal years ending September 30, 2011 and 2010, and on the effectiveness of its internal control over financial reporting as of September 30, 2011. We also reported our conclusions on the Commission’s compliance with provisions of selected laws and regulations.

Our report concluded that although certain internal controls could be improved, the Commission maintained, in all material respects, effective internal control over financial reporting as of September 30, 2011. However, we did report a significant deficiency in the Commission’s internal control over its payroll processes for its non-U.S. citizen employees (foreign employees). The purpose of this report is to present additional information on the control issues that we identified during our audit of the Commission’s fiscal year 2011 financial statements that constituted the significant deficiency and to provide our recommended actions to address those issues. Also, we identified an additional internal control issue that while not considered to be either a material weakness or a significant deficiency, nonetheless warrants management’s attention.

Recommendations

This report provides our recommendations to address this internal control issue as well. In addition, we are providing an update on the status of recommendations we made to address internal control issues identified during our prior years’ financial statement audits of the Commission and related financial management reports.

Recommendations for Executive Action

Agency Affected Recommendation Status
American Battle Monuments Commission The Commission should direct the appropriate officials to establish and implement written policies and procedures to identify and appropriately segregate the roles and responsibilities of staff involved in developing, testing, and implementing changes to and maintenance of the foreign employee payroll systems to reduce the risk of malevolent activity without collusion.
Closed – Implemented
During our audit of the American Battle Monuments Commission's (the Commission) fiscal year 2011 financial statements, we found that the Commission system administrators had inappropriate system access, allowing them not only to make system changes but also to alter data in the foreign payroll systems that they were responsible for developing, testing, and implementing, which included the systems used to process their own payroll. To address this risk, we recommended the Commission establish and implement written policies and procedures to identify and appropriately segregate roles and responsibilities of staff involved in developing, testing, and implementing changes to and maintenance of the foreign employee payroll system. In fiscal year 2013, the Commission completed its outsourcing of its foreign payroll systems for FSN employees. The Commission's action to outsource FSN payroll reduces the risk that input validation errors could occur by crafting erroneous input into the timesheet and payroll application. Furthermore, by outsourcing, the Commission reduced the risk that any system administrator could make changes to the development, testing, and implementation of the payroll system. As a result, this recommendation is closed as implemented.
American Battle Monuments Commission The Commission should direct the appropriate officials to perform a review of the Commission's computer systems and servers to assess whether all patches and critical updates are current. For any systems and servers found without the most current patch or update, establish a process to ensure immediate installation.
Closed – Implemented
During our audit of the Commission's fiscal years 2011 and 2010 financial statements, we found that the Commission had not installed critical updates and patches on several of its servers as outlined in its Computer Security Plan. By not installing critical system updates and patches, unauthorized users could gain full administrator-level access to the Commission's systems through a server that communicates with the Internet. ABMC stated that the critical updates were not installed primarily because of an oversight when the servers were converted to a virtualized environment during fiscal year 2010. This oversight also contributed to the Commission's Computer Security Plan not being updated to reflect the virtualized environment. By not updating the security plan to reflect the current information technology environment, the Commission's ability to adhere to established operational and security controls was impaired. In response to our finding, during FY 2016, ABMC implemented and deployed WSUS/Shavlik and SCCM in order to automate enterprise-wide patch roll-outs. The Commission's actions to implement WSUS/Shavlik and SCCM to manage all Cisco ASA Devices and to utilize system policies to automate enterprise-wide patch roll-outs decrease the risk of unauthorized access to the Commission's IT environment.
American Battle Monuments Commission The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing procedures requiring timely installation of all patches and critical updates as outlined in the Commission's Computer Security Plan.
Closed – Implemented
During our fiscal year 2011 financial statement audit, we found that the Commission had not installed critical updates and patches on several of its servers as outlined in its Computer Security Plan. Patch management is a critical process to securing computing systems and data processed in those systems. Up-to-date patch installation helps mitigate flaws in software code that could be exploited to cause significant damage and enable malicious individuals to read, modify, or delete sensitive information or disrupt operations. By not installing critical system updates and patches, unauthorized users could gain full administrator-level access to the Commission's systems through a server that communicates with the Internet. This, in turn, could allow unauthorized users to gain administrator-level access to the foreign employee payroll systems. Based on our discussions with Commission staff, we were informed that the critical updates were not installed primarily because of an oversight when the servers were converted to a virtualized environment during fiscal year 2010. This oversight also contributed to the Commission's Computer Security Plan not being updated to reflect the virtualized environment. By not updating the security plan to reflect the current information technology environment, the Commission's ability to adhere to established operational and security controls was impaired. To address this risk, we recommended the Commission establish a mechanism to monitor implementation of existing procedures requiring timely installation of all patches and critical updates as outlined in the Commission's Computer Security Plan. In fiscal year 2015, we verified that the Commission has instituted the Windows Update Services. This application automates and enforces patch management to Windows servers and workstations. 
The Commission's action to update their workstations and implement Windows Update Services decreases the risk of unauthorized access to the Commission's IT environment by installing security patches in a timely fashion.
American Battle Monuments Commission The Commission should direct the appropriate officials to update the Commission's Computer Security Plan to reflect the current state of the Commission's information technology environment.
Closed – Implemented
During our fiscal year 2011 financial statement audit, we were informed that the critical updates were not installed primarily because of an oversight when the servers were converted to a virtualized environment during fiscal year 2010. This oversight also contributed to the Commission's Computer Security Plan not being updated to reflect the virtualized environment. By not updating the security plan to reflect the current information technology environment, the Commission's ability to adhere to established operational and security controls was impaired. To address this risk, we recommended the Commission update the Commission's Computer Security Plan to reflect the current state of the Commission's information technology environment. In fiscal year 2015, we verified that the Commission's Computer Security Plan was updated on 1/27/2015 to reflect the current state of the information technology environment. The Commission's action to update the Commission's Computer Security Plan decreases the risk of unauthorized access to the Commission's IT environment by having an accurate policy reflecting a current state of the IT environment.
American Battle Monuments Commission The Commission should direct the appropriate officials to establish written policies and procedures outlining the key tasks, roles, and responsibilities of both the Human Resources Directorate and the Finance Directorate, including a formal mechanism for communicating all decisions and actions related to processing payroll for foreign employees.
Closed – Implemented
During our audit of the American Battle Monuments Commission's (Commission) fiscal year 2011 financial statements, we found that the Commission did not have effective controls for minimizing the risk of errors in processing payroll actions for its foreign employees. Specifically, we found that the Commission did not have policies and procedures clearly delineating the responsibilities of the Human Resources and Finance Directorates with respect to ensuring accurate and complete payroll information for foreign employees. For example, during our testing of foreign payroll expenditures, we were unable to trace the amounts in the foreign payroll systems to the general ledger, and officials were unable to readily provide the supporting documentation and related explanations describing the differences. To enhance controls over processing foreign payroll, we recommended that the Commission direct the appropriate officials to establish written policies and procedures outlining the key tasks, roles, and responsibilities of the Human Resources Directorate and the Finance Directorate, including a formal mechanism for communicating all decisions and actions related to processing payroll for foreign employees. In response to our recommendation, in August 2015, the Commission established policies and procedures for processing foreign payroll outlining the steps to be performed by the Commission's foreign payroll service provider and the Finance Directorate to validate and approve payroll inputs and outputs, and therefore, minimize the risk of processing errors. For example, one objective delineated in the procedures is to ensure that payroll data match the general ledger, and this is required to be reviewed. The Commission's actions to establish policies and procedures for processing foreign payroll should help reduce the risk of misstatements in the financial statements and noncompliance with relevant laws, regulations, and Commission policies.
American Battle Monuments Commission The Commission should direct the appropriate officials to establish and implement written procedures for conducting all physical inventory counts of equipment. These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results.
Closed – Implemented
During our fiscal year 2011 financial audit, we identified deficiencies in the American Battle Monuments Commission's (ABMC) internal controls over reporting and safeguarding of property and equipment. Specifically, we found that although the ABMC had a policy to perform biennial physical inventory counts of all equipment valued over $500, this policy was not adhered to during fiscal year 2011. To enhance ABMC's controls over the physical inventory process, we recommended that the agency establish and implement written procedures for conducting all physical inventory counts of equipment. These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results. In response to our recommendation, in April 2023, the ABMC established a new policy that requires periodic inventories of equipment. This policy provides guidance on performing physical inventories and reporting the results. The ABMC's actions help ensure that information in its inventory records, and ultimately its financial statements, is accurate, complete, and reliable.
American Battle Monuments Commission The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing Commission policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more.
Open
During our audit of the American Battle Monuments Commission's (ABMC) fiscal year 2011 financial statements, we found that ABMC had not performed independent physical inventory of equipment it owned at the various cemeteries across the world. We found that although ABMC had a policy to perform biennial physical inventory counts of all equipment over $500, this policy was not adhered to during fiscal year 2011. As a result, we recommended that ABMC establish a mechanism to monitor the implementation of existing ABMC policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more. During our fiscal year 2012 audit, we found that although ABMC had performed a comparison of the equipment on hand to the data recorded in SharePoint (a document management web application used to share documents internally), an independent physical inventory was not performed. As a result, we determined that ABMC had not established a mechanism for performing an inventory of assets. In January 2024, ABMC informed us that acceptance testing of a new inventory system is currently underway. We will continue to follow up on this recommendation.

Topics

Internal controls, Audits, Financial statements, Payroll records, Payroll systems, Federal employees, Financial reporting, Information systems, Accounting procedures, Data errors