
Open Recommendations

Additional Department-level leadership is required to address the following areas of the control environment at certain components to fill needs for technical and resource personnel support to remediate severe control deficiencies or prevent deterioration of the internal control system.
Additional Department-level leadership is required to address the following areas of the control environment at certain components to assess training needs for personnel and align skills with roles and responsibilities; and ensure individuals in key roles with internal control responsibilities possess the appropriate competencies to perform their duties and are held accountable for their internal control responsibilities.
Additional Department-level leadership is required to address the following areas of the control environment at certain components to ensure significant accounting policies and standard operating procedures are formally documented, complete, updated, and revised timely.
Additional Department-level leadership is required to address the following areas of the control environment at certain components to define roles and responsibilities of program and field personnel that provide key financial information, and ensure those personnel understand and comply with policies.
Additional Department-level leadership is required to address the following areas of the control environment at certain components to establish a structure with central ownership and oversight for internal controls where responsibilities have been delegated to discrete units.
Additional Department-level leadership is required to address the following areas of the control environment at certain components to define succession and contingency plans for key roles involved in internal control over financial reporting to mitigate risks due to employee turnover.
Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including planned changes that could impact the internal control system, such as financial system transitions and implementation of new tools.
Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including processes reliant on information from service organizations, and effectiveness of controls operating at those service organizations.
Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including processes and controls in which management relies on system generated or manually prepared reports to respond to risk of incomplete or inaccurate information within those reports.
Risk assessments should be enhanced at both the headquarters level by Departmental management, and individual Components annually, and updated during the year as needed including financial accounts and transactions that are susceptible to error due to IT systems functionality issues and inability to rely on application controls supported by IT general controls that are deficient. Refer to Comment I-A, Information Technology Controls and Financial System Functionality.
We recommend that DHS develop continuous monitoring and testing of IT general controls to identify weaknesses, assess the resulting risks created by any identified IT deficiencies, and respond to those risks through implementing compensating controls.
Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure coordination between headquarters and Components with resource constraints to respond to financial accounting and reporting risks and control deficiencies.
Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure the structure, process, and communication between key stakeholders is sufficient to ensure there is a complete understanding of the end-to-end flow of transactions for key business processes that impact financial reporting.
Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure individuals within the financial reporting, accounting and budget departments identify and use quality information for financial reporting.
Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure roles and responsibilities of program and field personnel that provide key financial information are communicated, and that those personnel understand and comply with policies.
Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure individuals with key internal control responsibilities have a sufficient understanding of the implication of IT vulnerabilities and limitations, and manual compensating internal controls are designed and implemented to mitigate risk.
Communications within Components, between headquarters and Components, and between financial and IT management, should be improved to ensure monitoring across larger Components with decentralized operations to ensure responsibilities have been properly assigned and clearly communicated, and that internal control over financial reporting and compliance with direct and material laws and regulations have been properly designed and implemented and are operating effectively across the organization.
We recommend that DHS design continuous monitoring controls to ensure personnel with internal control oversight responsibilities adequately examine transactions with a higher risk of error.
We recommend that DHS seek opportunities to implement more reliable controls earlier in the process to prevent errors at the transaction source.
We recommend that DHS enhance internal testing of both financial and IT controls to identify and remediate deficiencies as they may arise in order to sustain auditable financial statements in the future.
We recommend that Coast Guard enhance controls over the management review of the CIP rollforward to ensure validity of activity within defined thresholds and accurate recording in the general ledger.
We recommend that DHS appropriately align knowledgeable resources to evaluate the roles of service organizations, assess controls at those service organizations, and identify and assess complementary controls within the Components relying on those service organizations.
We recommend that Coast Guard further develop the design of controls over the review of CIP activity cost decisions to ensure a sufficient number of reviews is completed.
We recommend that Coast Guard refine the design of controls over the physical count of real property assets to ensure the completeness and existence of all real property assets.
We recommend that Coast Guard reinforce controls over the timely recording of asset addition and retirement activity.