KPMG LLP (KPMG), under contract with the Department of Homeland Security (DHS) Office of Inspector General, conducted an integrated audit of DHS’ fiscal year (FY) 2017 consolidated financial statements and internal control over financial reporting. KPMG issued an unmodified (clean) opinion over the Department’s financial statements, reporting that they present fairly, in all material respects, DHS’ financial position as of September 30, 2017. However, KPMG identified six significant deficiencies in internal control, two of which are considered material weaknesses. Consequently, KPMG issued an adverse opinion on DHS’ internal control over financial reporting. KPMG also reported instances in which DHS did not comply with four laws and regulations. DHS concurred with all of the recommendations.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | No | $0 | $0 | ||
| We recommend that the DHS Office of the Chief Financial Officer (OCFO), in coordination with the Office of the Chief Information Officer (OCIO) and Component management, make the necessary improvements to the Department's supporting IT general controls. Specific, more detailed recommendations were provided in individual limited distribution NFRs to DHS and Component management. | |||||
| 10 | No | $0 | $0 | ||
| Additional Department-level leadership is required to address the following areas of the control environment at certain components to fill needs for technical and resource personnel support to remediate severe control deficiencies or prevent deterioration of the internal control system. | |||||
| 11 | No | $0 | $0 | ||
| Additional Department-level leadership is required to address the following areas of the control environment at certain components to assess training needs for personnel and aligning skills with roles and responsibilities; and ensuring individuals in key roles with internal control responsibilities possess the appropriate competencies to perform their duties and are held accountable for their internal control responsibilities. | |||||
| 12 | No | $0 | $0 | ||
| Additional Department-level leadership is required to address the following areas of the control environment at certain components to ensure significant accounting policies and standard operating procedures are formally documented, complete, updated, and revised timely. | |||||
| 13 | No | $0 | $0 | ||
| Additional Department-level leadership is required to address the following areas of the control environment at certain components to define roles and responsibilities of program and field personnel that provide key financial information, and ensuring those personnel understand and comply with policies. | |||||
| 14 | No | $0 | $0 | ||
| Additional Department-level leadership is required to address the following areas of the control environment at certain components to establish a structure with central ownership and oversight for internal controls where responsibilities have been delegated to discrete units. | |||||
| 15 | No | $0 | $0 | ||
| Additional Department-level leadership is required to address the following areas of the control environment at certain components to define succession and contingency plans for key roles involved in internal control over financial reporting to mitigate risks due to employee turnover. | |||||
| 16 | No | $0 | $0 | ||
| Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including planned changes that could impact the internal control system, such as financial system transitions and implementation of new tools. | |||||
| 17 | No | $0 | $0 | ||
| Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including processes reliant on information from service organizations, and effectiveness of controls operating at those service organizations. | |||||
| 18 | No | $0 | $0 | ||
| Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including processes and controls in which management relies on system generated or manually prepared reports to respond to risk of incomplete or inaccurate information within those reports. | |||||
| 19 | No | $0 | $0 | ||
| Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including financial accounts and transactions that are susceptible to error due to IT systems functionality issues and inability to rely on application controls supported by IT general controls that are deficient. Refer to Comment I-A, Information Technology Controls and Financial System Functionality. | |||||
| 2 | No | $0 | $0 | ||
| We recommend that DHS develop continuous monitoring and testing of IT general controls to identify weaknesses, assess the resulting risks created by any identified IT deficiencies, and respond to those risks through implementing compensating controls. | |||||
| 20 | No | $0 | $0 | ||
| Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure coordination between headquarters and Components with resource constraints to respond to financial accounting and reporting risks and control deficiencies. | |||||
| 21 | No | $0 | $0 | ||
| Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure the structure, process, and communication between key stakeholders is sufficient to ensure there is a complete understanding of the end-to-end flow of transactions for key business processes that impact financial reporting. | |||||
| 22 | No | $0 | $0 | ||
| Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure individuals within the financial reporting, accounting and budget departments identify and use quality information for financial reporting. | |||||
| 23 | No | $0 | $0 | ||
| Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure roles and responsibilities of program and field personnel that provide key financial information are communicated, and that those personnel understand and comply with policies. | |||||
| 24 | No | $0 | $0 | ||
| Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure individuals with key internal control responsibilities have a sufficient understanding of the implication of IT vulnerabilities and limitations,and manual compensating internal controls are designed and implemented to mitigate risk. | |||||
| 25 | No | $0 | $0 | ||
| Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure monitoring across larger Components with decentralized operations to ensure responsibilities have been properly assigned and clearly communicated, and that internal control over financial reporting and compliance with direct and material laws and regulations have been properly designed and implemented and are operating effectively across the organization. | |||||
| 26 | No | $0 | $0 | ||
| We recommend that DHS design continuous monitoring controls to ensure personnel with internal control oversight responsibilities adequately examine transactions with a higher risk of error. | |||||
| 27 | No | $0 | $0 | ||
| We recommend that DHS seek opportunities to implement more reliable controls earlier in the process to prevent errors at the transaction source. | |||||
| 28 | No | $0 | $0 | ||
| We recommend that DHS enhance internal testing of both financial and IT controls to identify and remediate deficiencies as they may arise in order to sustain auditable financial statements in the future. | |||||
| 29 | No | $0 | $0 | ||
| We recommend that Coast Guard enhance controls over the management review of the CIP rollforward to ensure validity of activity within defined thresholds and accurate recording in the general ledger. | |||||
| 3 | No | $0 | $0 | ||
| We recommend that DHS appropriately align knowledgeable resources to evaluate the roles of service organizations, assess controls at those service organizations, and identify and assess complimentary controls within the Components relying on those service organizations. | |||||
| 30 | No | $0 | $0 | ||
| We recommend that Coast Guard further develop the design of controls over the review of CIP activity cost decisions to ensure a sufficient number of review is completed. | |||||
| 31 | No | $0 | $0 | ||
| We recommend that Coast Guard refine the design of controls over the physical count of real property assets to ensure the completeness and existence of all real property assets. | |||||
| 32 | No | $0 | $0 | ||
| We recommend that Coast Guard reinforce controls over the timely recording of asset addition and retirement activity. | |||||
| 38 | No | $0 | $0 | ||
| Related to the Entry Process: We recommend that CBP update and redistribute guidance to necessary personnel regarding the appropriate CBP directives to ensure consistent performance of controls across all locations and provide training to all personnel on new policies to ensure consistent implementation at decentralized locations. | |||||
| 39 | No | $0 | $0 | ||
| Related to the Entry Process: We recommend that CBP develop policies and procedures to ensure that each STB is reviewed for sufficiency until automation occurs. | |||||
| 4 | No | $0 | $0 | ||
| We recommend that Coast Guard improve and reinforce existing policies, procedures, and related internal controls to ensure that: a) management adequately researches, supports, and reviews all journal entries and adjusting entries prior to recording in the general ledger; b) management records approved on top adjustment entries in the correct underlying general ledger systems in order to generate accurate beginning balances; c) personnel record transactions to the accurate trading partner upon initiation; reconcile all intragovernmental balances with trading partners; and resolve differences in a timely manner; and d) management enhances documentation of their actuarial liability estimate reviews and refines their review of the actuarial liabilities report, underlying data, and assumptions to include precise reconciliations and thresholds. | |||||
| 40 | No | $0 | $0 | ||
| Related to the Entry Process: We recommend that CBP fully implement the automated controls over continuous transaction bond processing. | |||||
| 41 | No | $0 | $0 | ||
| Related to the Entry Process: We recommend that CBP enhance policies and procedures over the review of FP&F and liability for deposit account balances to ensure balances are properly stated at year-end. | |||||
| 42 | No | $0 | $0 | ||
| Related to Refunds and Drawbacks: We recommend that CBP continue with the scheduled implementation of the new drawback system. | |||||
| 43 | No | $0 | $0 | ||
| Related to Refunds and Drawbacks: We recommend that CBP implement requirements of TFTEA, which will take effect beginning in February 2018. | |||||
| 5 | No | $0 | $0 | ||
| We recommend that USSS establish new, or improve existing, policies, procedures, and related internal controls over the valuation of its pension liability to ensure: a) personnel adequately understand the pension estimate; b) management maintains oversight of assumptions used in significant estimates and routinely evaluates continued appropriateness of those assumptions; c) management completes the annual pension checklist; and d) management reviews the underlying census data at least annually. | |||||
| 53 | No | $0 | $0 | ||
| We recommend that the Department conduct complete risk assessments to identify significant risk areas and continuously monitor and test the financial and IT controls within those areas. | |||||
| 54 | No | $0 | $0 | ||
| We recommend that FEMA implement the recommendations in Comment II-F, Grants Management. | |||||
| 55 | No | $0 | $0 | ||
| We recommend that the Department complete the internal reviews currently planned or being performed, and properly report the results in accordance with the ADA, where necessary. | |||||
| 56 | No | $0 | $0 | ||
| We recommend that DHS improve its financial management systems to ensure compliance with FFMIA, and implement the recommendations provided in Exhibits I and II. | |||||
| 6 | No | $0 | $0 | ||
| We recommend that USSS develop and implement policies and procedures over the review of manual journal entries. | |||||
| 7 | No | $0 | $0 | ||
| We recommend that USSS develop and implement policies and procedures for an accrual methodology. | |||||
| 8 | No | $0 | $0 | ||
| We recommend that USSS design and implement controls over the preparation and review of periodic financial information. | |||||
| 9 | No | $0 | $0 | ||
| We recommend that CBP provide additional training to individuals who prepare and review manual entries that emphasizes the impact of entries on the reporting of financial information. | |||||
