Veterans Affairs banner with U.S. FlagVeterans Affairs banner with U.S. Flag

Office of Budget

Fiscal Year 2006 Performance and Accountability Report
Published November 15, 2006

Back to Table of Contents

Independent Auditors' Report

Department of Veterans Affairs
Office of Inspector General

REPORT OF THE AUDIT OF THE DEPARTMENT OF VETERANS AFFAIRS CONSOLIDATED FINANCIAL STATEMENTS FOR FISCAL YEARS 2006 AND 2005

Report No. 06-01279-24
November 14, 2006
VA Office of Inspector General Washington, DC 20420

Department of Veterans Affairs
Office of Inspector General
Washington DC 20420

Memorandum to the Secretary

Report of Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2006 and 2005

  1. Attached is the Report of Audit of the Department of Veterans Affairs (VA) Consolidated Financial Statements (CFS) for Fiscal Years (FY) 2006 and 2005, as required by the Chief Financial Officers Act of 1990. The Office of Inspector General contracted with the independent public accounting firm, Deloitte & Touche LLP, to perform the audit of VA's FY 2006 CFS.

  2. The independent auditors' report by Deloitte & Touche LLP provides an unqualified opinion on VA's FYs 2006 and 2005 CFS. The report on internal control identifies three reportable conditions, of which all are material weaknesses. The three material weaknesses are repeat conditions from the prior year audit and identified as (i) information technology security controls, (ii) integrated financial management system, and (iii) operational oversight.

  3. The report on compliance with laws and regulations continues to show that VA is not in substantial compliance with the financial management system requirements of the Federal Financial Management Improvement Act (FFMIA) of 1996. The material weaknesses in internal control over financial reporting indicate that VA's financial management systems did not substantially comply with the Federal financial management systems requirements as required by FFMIA section 803(a).

  4. Deloitte & Touche LLP is responsible for the attached auditor's report dated November 14, 2006, and the conclusions expressed in the report. We do not express opinions on VA's financial statements or internal control or on whether VA's financial management systems substantially complied with FFMIA; or conclusions on compliance with laws and regulations.

  5. The auditors' unqualified opinion was achieved through the extensive efforts of program and financial management staff, as well as the auditors, to overcome material weaknesses in internal control to produce auditable information. The risk of materially misstating financial information remains high because of these material weaknesses.

  6. The independent auditors will follow up on these internal control findings and evaluate the adequacy of corrective actions taken during the audit of the VA's FY 2007 CFS.

KENNETH R. SARDEGNA
Acting Assistant Inspector General for Auditing

Attachment

Deloitte & Touche LLP
555 12th Street N.W.
Suite 500
Washington, DC 20004-1207
USA
Tel: +1 202 879 5600
Fax: +1 202 879 5309
www.deloitte.com

INDEPENDENT AUDITORS' REPORT

To the Secretary of Department of Veterans Affairs

We have audited the accompanying consolidated balance sheets of the Department of Veterans Affairs ("VA") as of September 30, 2006 and 2005, and the related consolidated statements of net cost, changes in net position, financing, and the combined statements of budgetary resources for the years then ended which collectively comprise VA's basic financial statements. These financial statements are the responsibility of VA's management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and the requirements of Office of Management and Budget ("OMB") Bulletin No. 06-03, Audit Requirements for Federal Financial Statements. Those standards and the OMB Bulletin require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of VA's internal control over financial reporting. Accordingly, we express no such opinion. An audit also includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

VA changed its accounting for earmarked funds pursuant to Statement of Federal Financial Accounting Standards No. 27, Identifying and Reporting Earmarked Funds, discussed in Note 17. VA also changed its method of accounting for medical reimbursable services as discussed in Note 23.

In our opinion, the financial statements referred to above present fairly, in all material respects, the respective financial position of VA as of September 30, 2006 and 2005, and the respective net costs, changes in net position, financing, and budgetary resources thereof for the years then ended in conformity with accounting principles generally accepted in the United States of America.

In accordance with Government Auditing Standards, we have also issued our report dated November 14, 2006, on our consideration of VA's internal control over financial reporting and on our tests of its compliance with certain provisions of laws, regulations, contracts, and other matters. The purpose of that report is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing, and not to provide an opinion on the internal control over financial reporting or on compliance. That report is an integral part of an audit performed in accordance with Government Auditing Standards and should be considered in assessing the results of our audit.

Deloitte & Touche LLP
November 14, 2006

Member of Deloitte & Touche Tohmatsu

Deloitte & Touche LLP
555 12th Street N.W.
Suite 500
Washington, DC 20004-1207
USA
Tel: +1 202 879 5600
Fax: +1 202 879 5309
www.deloitte.com

INDEPENDENT AUDITORS' REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND COMPLIANCE AND OTHER MATTERS BASED UPON THE AUDIT PERFORMED IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS

To the Secretary of Department of Veterans Affairs:

We have audited the basic financial statements of the Department of Veterans Affairs ("VA"), as of and for the year ended September 30, 2006, and have issued our report thereon dated November 14, 2006. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the requirements of the Office of Management and Budget ("OMB") Bulletin No. 06-03, Audit Requirements for Federal Financial Statements.

Internal Control Over Financial Reporting

In planning and performing our audit, we obtained an understanding of the design effectiveness of internal controls over financial reporting, determined whether they have been placed in operation, assessed control risk, and performed tests of the VA's internal controls over financial reporting. We considered VA's internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide an opinion on the internal control over financial reporting. However, we noted certain matters involving the internal control over financial reporting and its operation that we consider to be reportable conditions. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect VA's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

A material weakness is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Our consideration of the internal control over financial reporting would not necessarily disclose all matters in the internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses.

We identified the following matters involving the internal control over financial reporting and its operation that we consider to be reportable conditions. Reportable conditions that we identified in our prior year report dated November 14, 2005, are identified as repeat conditions.

Three reportable conditions are described in the following paragraphs and include significant departures from certain requirements of OMB Circular A-127, Financial Management Systems; Circular A-123, Management's Responsibility for Internal Control; and Circular A-130, Management of Federal Information Resources. We believe that the three reportable conditions identified as "Information Technology ("IT") Security Controls," "Integrated Financial Management System," and "Operational Oversight" are also material weaknesses.

Also in Fiscal Year ("FY") 2006, the VA engaged an independent public accounting firm to assist in an internal control assessment pursuant to OMB Circular A-123 Appendix A, Management's Responsibility for Internal Control. In its report, FY 2006 Recommendations for Internal Control Improvements Financial Reporting and Funds Management Key Business Processes, dated September 6, 2006, the accounting firm identified two internal control reportable conditions, "Transactions rejected by FMS" and "Intergovernmental Transactions."

Information Technology (IT) Security Controls - Material Weakness (Repeat Condition)

We observed that management of data centers and several program offices have taken actions to remediate elements of IT control weaknesses reported in our prior year reports. However, VA's program and financial data continue to be at risk due to serious weaknesses related to lack of effective implementation and enforcement of agency-wide security programs in a coordinated manner. These weaknesses placed sensitive information, including financial information and veterans' medical and benefit information, at risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, theft, or destruction, possibly occurring without detection. Our assessment of the general and application controls of VA's key financial systems identified control weaknesses. Examples of these weaknesses include:

Agency-wide Security Program

  • Adequate agency-wide security control policies and procedures have not been updated and enforced to provide effective guidance and organizational standards.
  • The risk assessments for critical financial management systems do not consistently meet standards published by the National Institute of Standards and Technology.

Access Control

  • Strong access authentication mechanisms and administration of user access have not been consistently implemented and enforced.
  • Information systems were not patched in a consistent and timely manner.
  • Access privileges were not restricted by proper system access profiles for users and programming staff and monitored based on need.
  • Intrusion detection mechanisms, and coordination and communication between Central Incident Response group and local security functions were not operating consistently to detect and resolve potential security violations from internal sources.

Segregation of Duties

  • Legacy financial management systems and procedures have not been structured to support and enforce proper segregation of duties, leading to weaknesses in management oversight and the ability for IT staff and users to bypass internal controls.
  • Prior years' weaknesses in segregation of duties controls for the Veterans Health Information Systems and Technology Architecture ("VistA") Integrated Funds Distribution Control Point Activity, Accounting and Procurement ("IFCAP") system and the Automated Engineering Management system/Medical Equipment Reporting system ("AEMS/MERS") remained uncorrected.

Service Continuity

  • A business continuity plan at the departmental level has not been fully implemented to provide overall guidance, direction, and coordination for entity-wide IT service continuity.
  • Testing of the Continuity of Operations Plan for financial management systems at certain facilities and data centers has not been consistently scheduled and adequately performed.

Change Control

  • Change control policy at the departmental level does not provide uniform application development and change management guidance.

VA's success in improving information security and controls is dependent on VA's continued effort to comprehensively address these weaknesses at the departmental level, including continuing high level coordination and adequate resources.

Recommendations:

VA senior leadership should continue to pursue a more centralized approach, apply appropriate resources, and establish a clear chain of command and accountability structure to implement and enforce internal controls. The information owners should perform proactive oversight of compliance with established internal control policies and procedures. VA should continue its effort to prioritize its resources in accomplishing its management agenda. Key tasks include, but are not limited to, the following:

  1. Update and strengthen security programs to guide agency-wide information security and controls operations in accordance with standards established by the National Institute of Standards and Technology. Establish and communicate chain of command and accountability to enforce and monitor compliance with security and controls policies and procedures.
  2. Provide actionable steps for ensuring that user access needs are justified, and system security settings and updates are current and properly implemented for all interconnected networks, systems, and applications. Perform proper oversight of system activities to detect and resolve user access issues.
  3. Configure systems to support proper system segregation of duties, and provide adequate human resources and management oversight to complement system controls.
  4. Complete and implement a service continuity plan that will provide effective guidance, communication, and coordination of security continuity planning and testing activities throughout the agency.
  5. Implement a change control framework that guides the development and implementation of system-specific change management procedures for mission critical systems.

Integrated Financial Management System - Material Weakness (Repeat Condition)

As defined in OMB Circular A-127, Financial Management Systems, "a financial management system encompasses automated and manual processes, procedures, controls, data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions." A financial management system may include multiple applications and controls that are integrated through a common database or are electronically interfaced, as necessary, to meet defined data and processing requirements.

With respect to system requirements in the area of financial reporting, OMB Circular A-127 provides that an agency's financial management system should generate reliable, timely, and consistent information necessary for meeting management's responsibilities, including the preparation of financial statements. Within OMB Circular A-123, the management control processes necessary to ensure that "reliable and timely information is obtained, maintained, reported and used for decision making" are set forth, including prompt and appropriate recording and classification.

VA management took the initiative to implement a Hyperion-based MinX reporting system to automate the preparation of the consolidated financial statement. Despite the initial roll-out effort, we noted continuing difficulties with the legacy systems related to the preparation, processing, and analysis of financial information to support the efficient and effective preparation of VA's consolidated financial statements. While significant efforts are made at the component and consolidated levels to assemble, compile, and review the necessary financial information for annual financial reporting requirements, in many cases, components of certain feeder systems and financial manual procedures are not fully integrated. As a result, significant manual workarounds and out-of-date systems impede the process. For example, we noted that:

  • Reconciliations of property records in the loan guaranty programs continue to identify significant differences from non-interfaced systems.
  • Within the compensation, pension and education programs, there are a number of programs that do not directly interface with the general ledger or they interface at various intervals. As a result, numerous adjusting entries resulting from timing differences are necessary to reconcile balances with the general ledger to ensure that amounts are properly stated.
  • In the life insurance programs, the lack of system interface with the VA's general ledger creates the need for a significant amount of adjusting entries. We observed that some journal entries were not posted to the general ledger nor were reconciling items identified and posted timely.

Recommendation:

  1. Management, including Chief Information Officer ("CIO") and Chief Financial Officer ("CFO"), should develop and implement a fully integrated financial management system. The VA CFO should implement and enforce supplemental manual processes to meet appropriate control objectives until a fully integrated financial management system is implemented.

Operational Oversight - Material Weakness (Repeat Condition)

Despite significant efforts by the managements' of the separate components and the Departments' financial reporting group, the VA's internal control structure over accounting and financial reporting continues to suffer from a number of weaknesses that can be broadly characterized as inadequate operational oversight.

VA continues to have difficulty assuring key internal controls and reconciliation processes are performed consistently and completely, and at times, fails to assure appropriate management review of the detail and support for the financial statements. Moreover, these weaknesses combined with the lack of an integrated financial management system, noted above, complicate VA's ability to prepare and report financial statements timely after fiscal year end thus impairing its ability to make the November 15th reporting deadline set by the OMB. Furthermore, many required adjustments arise from the audit process rather than being discovered by management in the normal course of their control oversight.

Illustrations of these issues include:

  • Extended amounts of time are required to obtain certain requested details of transactions for audit testing.
  • Support for certain note disclosures was difficult to obtain.
  • Unreconciled differences continued to exist at year end for tort claims.
  • Certain projects were placed in service and not capitalized in a timely manner. In addition, the estimated useful life of certain projects was not in accordance with VA policy guidance.
  • During the testing, we noted the majority of the selected sites had not updated their documentation of the estimate of environmental liability. In some cases, the revised assessments resulted in accounting adjustments.
  • Accounts receivable issues continue to be identified with exceptions noted in the following areas:
    • Exceptions related to lack of supervisory review of monthly accounts receivable reconciliations or evidence of review.
    • No evidence that certain non-MCCF (Medical Care Collections Fund) receivables reconciliations were being performed nor completed in a timely manner. Medical centers stated they did not have the staff to perform all the reconciliations.
    • Certain medical centers were not updating their non-MCCF allowance for bad debt expense. As a result, the allowance account was not properly stated and in at least two cases, the allowance account had a net debit balance.
    • Uncollectible non-MCCF and MCCF receivables remained recorded without further follow-up or resolution.
    • Delinquent receivables are not consistently followed up for collection.
  • Some undelivered orders transactions selected for testing had insufficient or no supporting procurement documentation. In other cases, exceptions were found related to follow-up of undelivered orders.
  • Certain policy and procedures particularly related to reconciliations should be clarified. Some policies are broadly written and subject to interpretation by the medical centers. Procedures should be enhanced and indicate the frequency in which reconciliations should be performed. In addition, the policies and procedures should clarify when evidence of a supervisory review is required and how that evidence is documented.
  • Financial statements were provided late and required a number of iterations before completion of the audit. A significant numbers of adjustments needed to be proposed by the auditor.

Recommendations:

  1. Consider financial training for program directors and other supervisory personnel highlighting the importance of accurate financial reporting and promoting timely and thorough follow up on aged accounts balances. The CFO should also review and enhance controls related to approving write-off transactions.
  2. Consider further centralization of the accounting and financial reporting responsibilities, which are now decentralized at the program and medical center levels, to improve internal control.
  3. Update policies and procedures to financial management.
  4. Management should enhance data quality analysis, adjustments and review procedures related to financial reporting for the purpose of improving the quality of financial reporting and minimize year end adjustments.

Follow-up on Previous Report

In our Independent Auditors' Report On Internal Control Over Financial Reporting And On Compliance Based Upon the Audit Performed in Accordance with Government Auditing Standards dated November 14, 2005, we reported three reportable conditions that were also material weaknesses, in the areas of (1) Information Technology, (IT) Security Controls, (2) Integrated Financial Management System, and (3) Operational Oversight. These conditions continue to be reported as material weaknesses.

With respect to the internal controls related to performance measures reported in Management's Discussion and Analysis, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions and determined whether they have been placed in operation, as required by OMB Bulletin No. 06-03. Our procedures were not designed to provide assurance on internal control over reported performance measures and accordingly, we do not provide an opinion on such controls.

In addition, we considered VA's internal control over Supplementary Information by obtaining an understanding of VA's internal control, determined whether these internal controls had been placed in operation, assessed control risk, and performed tests of controls as required by OMB Bulletin No. 06-03. Our procedures were not designed to provide assurance on these internal controls and accordingly, we do not provide an opinion on such controls.

Compliance and Other Matters

As part of obtaining reasonable assurance about whether VA's financial statements are free of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, and contracts, noncompliance with which could have a direct and material effect on the determination of financial statement amounts and certain other laws and regulations specified in OMB Bulletin No. 06-03, including the requirements referred to in the Federal Financial Management Improvement Act ("FFMIA") of 1996. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed instances of noncompliance or other matters that are required to be reported under Government Auditing Standards, and are described below.

Under FFMIA, we are required to report whether the agency's financial management systems substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the U.S. Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance using the implementation guidance and evaluative criteria issued by OMB in Circular A-127.

The material weaknesses in internal control over financial reporting discussed above and identified as "Information Technology (IT) Security Controls" "Integrated Financial Management System," and "Operational Oversight" indicate that VA's financial management systems did not substantially comply with the Federal financial management systems requirements as required by FFMIA section 803(a).

In addition, we noted other matters involving the internal control and compliance over financial reporting that we have reported to VA, in a separate letter dated November 14, 2006.

Distribution

This report is intended solely for the information and use of the VA Office of Inspector General, the management of VA, the Office of Management and Budget, the U.S. Government Accountability Office, Office of the President, and the U.S. Congress and is not intended to be, and should not be, used by anyone other than these specified parties.

Deloitte & Touche LLP
November 14, 2006

Department of Veterans Affairs

Date: Nov 15 2006

From: Assistant Secretary for Management (004)

Subj: Report of the Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2006 and 2005

To: Assistant Inspector General for Auditing (52)

  1. We have reviewed the Report of the Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2006 and 2005, and are pleased with the receipt of an unqualified opinion. We are proud that we were able to meet the FY 2006 reporting timeline established by the Office of Management and Budget. Please extend to your staff and the staff of Deloitte & Touche, LLP our appreciation for their detailed planning, hard work, and cooperation during this year's audit.

  2. We will share the results of the audit with VA's senior officials in VHA, VBA, and NCA and with other staff and program managers. We will continue to provide you with updates on our progress to correct the three material weaknesses, Lack of an Integrated Financial Management System, Information Technology Security Controls, and Operational Oversight.

  3. Thank you again for your efforts in bringing us to another successful conclusion of the audit cycle.

Robert J. Henke


Back to Top | Next | Previous | Office of Budget Home | Budget Submission Summary Volume | Office of Management Home | Office of Finance | Office of Acquisition and Logistics | Office of Asset and Enterprise Management | Office of Business Oversight | Office of Financial and Logistics Integrated Technology Enterprise