Office of Budget

Fiscal Year 2004 Performance and Accountability Report
Published November 15, 2004

Independent Auditors' Report

Department of Veterans Affairs Office of Inspector General

REPORT OF THE AUDIT OF THE DEPARTMENT OF VETERANS AFFAIRS CONSOLIDATED FINANCIAL STATEMENTS FOR FISCAL YEARS 2004 AND 2003

Report No. 04-00986-14

VA Office of Inspector General Washington DC 20420

November 15, 2004

Memorandum to the Secretary

Report of Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2004 and 2003

  1. Attached is the Report of Audit of the Department of Veterans Affairs (VA) Consolidated Financial Statements (CFS) for Fiscal Years (FY) 2004 and 2003, as required by the Chief Financial Officers Act of 1990. The Office of Inspector General contracted with the independent public accounting firm, Deloitte & Touche LLP, to perform the audit of VA's FY 2004 CFS.

  2. The independent auditors' report by Deloitte & Touche LLP provides an unqualified opinion on VA's FYs 2004 and 2003 CFS. The report on internal control identifies four reportable conditions, of which two are material weaknesses. The two material weaknesses are (i) information technology security controls and (ii) integrated financial management system. The two reportable conditions are (i) operational oversight and (ii) judgments and claims. During FY 2004, VA management took corrective action to eliminate the medical malpractice and claims data reportable condition reported in the FY 2003 audit report.

  3. The report on compliance with laws and regulations continues to show that VA is not in substantial compliance with the financial management system requirements of the Federal Financial Management Improvement Act of 1996. The internal control issues concerning an integrated financial system and information technology security controls indicate noncompliance with the requirements of Office of Management and Budget (OMB) Circular A-127, "Financial Management Systems," which incorporates by reference OMB Circulars A-123, "Management Accountability and Control," and A-130, "Management of Federal Information Resources."

  4. The auditors' unqualified opinion was achieved through the extensive efforts of program and financial management staff, as well as the auditors, to overcome material weaknesses in internal control to produce auditable information after the fiscal year-end. Although these efforts resulted in materially correct annual financial statements, reliable information was not readily available during the year. The risk of materially misstating financial information remains high using the existing financial management systems.

  5. The independent auditors will follow up on these internal control findings and evaluate the adequacy of corrective actions taken during the audit of the VA's FY 2005 CFS.

Michael L. Staley
Assistant Inspector General for Auditing


INDEPENDENT AUDITORS' REPORT

Secretary
Department of Veterans Affairs

We have audited the accompanying consolidated balance sheets of the Department of Veterans Affairs (VA) as of September 30, 2004 and 2003, and the related consolidated statements of net cost, changes in net position, financing and the combined statements of budgetary resources for the years then ended which collectively comprise VA's basic financial statements. These financial statements are the responsibility of VA's management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and the requirements of Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended. Those standards and the OMB Bulletin require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects, the respective financial position of VA as of September 30, 2004 and 2003, and the respective net costs, changes in net position, financing and budgetary resources thereof for the years then ended in conformity with accounting principles generally accepted in the United States of America.

In accordance with Government Auditing Standards, we have also issued our report dated November 4, 2004, on our consideration of VA's internal control over financial reporting and on our tests of its compliance with certain provisions of laws, regulations, contracts and grant agreements and other matters. The purpose of that report is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing, and not to provide an opinion on the internal control over financial reporting or on compliance. That report is an integral part of an audit performed in accordance with Government Auditing Standards and should be considered in assessing the results of our audit.

Deloitte & Touche LLP

November 4, 2004


INDEPENDENT AUDITORS' REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND COMPLIANCE AND OTHER MATTERS BASED UPON THE AUDIT PERFORMED IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS

Secretary
Department of Veterans Affairs

We have audited the basic financial statements of the Department of Veterans Affairs (VA), as of and for the year ended September 30, 2004, and have issued our report thereon dated November 4, 2004. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the requirements of the Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended.

INTERNAL CONTROL OVER FINANCIAL REPORTING

In planning and performing our audit, we considered VA's internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide an opinion on the internal control over financial reporting. However, we noted certain matters involving the internal control over financial reporting and its operation that we consider to be reportable conditions. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect VA's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

A material weakness is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Our consideration of the internal control over financial reporting would not necessarily disclose all matters in the internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses.

We identified the following matters involving the internal control over financial reporting and its operation that we consider to be reportable conditions. Reportable conditions that we identified in our prior year report dated November 11, 2003 are identified as repeat conditions.

Four reportable conditions are described in the following paragraphs and include significant departures from certain requirements of OMB Circular A-127, "Financial Management Systems," which incorporates by reference Circulars A-123, "Management Accountability and Control," and A-130, "Management of Federal Information Resources," among other requirements. We believe that the two reportable conditions identified as "Information Technology (IT) Security Controls" and "Integrated Financial Management System" are also material weaknesses.

INFORMATION TECHNOLOGY

Information Technology (IT) Security Controls - Material Weakness (Repeat Condition)

VA continued to make organizational changes in the IT area during fiscal year (FY) 2004 that facilitated IT security controls improvements through centralization of certain information technology controls initiatives. Many application program offices have also taken corrective actions to remediate material weaknesses reported in our prior year report. However, VA's program and financial data continue to be at risk due to serious weaknesses related to: 1) inadequate implementation and enforcement of controls and oversight over access to information systems; 2) improper segregation of key duties and responsibilities of employees; and 3) underdeveloped contingency planning. These weaknesses placed sensitive information, including financial data and sensitive veteran medical and benefit information, at risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection.

Our testing of key controls over the general computer systems at the VA's primary data centers and 14 medical facilities, the Veterans Health Information Systems and Technology Architecture (VISTA) application, and our external and internal network vulnerability assessment of the VA's network infrastructure, identified the following control weaknesses:

Access Control
  • For general computer systems including network and operating systems, the control weaknesses included inconsistent implementation of internal wide area network access authentication mechanisms and administration of user access, inappropriate access privileges due to nonrestrictive system access profiles for internal operations and programming staff, and inconsistent monitoring and review of user access.
  • The internal vulnerability assessment disclosed vulnerabilities related to weak operating systems configurations and passwords on administrative level accounts, a lack of robust intrusion detection alerts, and coordination and communication between security functions.
Segregation of Duties
  • In the Integrated Funds Distribution, Control Point Activity, Accounting and Procurement (IFCAP) and Automated Engineering Management System/Medical Equipment Reporting System (AEMS/MERS) applications, we identified improper design of system controls to support segregation of duties and responsibilities of employees who had super user rights.
Service Continuity
  • A business continuity plan at the VA level has not been fully developed to provide overall guidance, direction and coordination for IT service continuity. The "Bull" operating system, supporting VBA's applications such as compensation, pension and education programs and data, has not been tested for the service continuity purpose because the backup hardware does not have adequate memory and processing capacity. Certain legacy loan guaranty system components, such as the Property Management System and Guaranteed and Insured Loan System, are not likely to be recovered within the specified timeframe due to inadequate technical documentation on these applications. In addition, testing of the Continuity of Operations Plan at certain medical facilities has not been consistently scheduled and performed.

VA's success in improving information security is dependent on VA's continued effort in comprehensively addressing these weaknesses at an enterprise level, including continuing its high level of coordination and obtaining adequate resources to implement the plan.

Recommendations:

The VA Chief Information Officer (CIO) should:

  1. Apply appropriate resources and establish a clear chain of command and accountability structure in implementing and enforcing information technology internal controls in order to implement planned corrective actions and remediate identified deficiencies within a reasonable timeframe. Perform proactive oversight of compliance with established IT internal control policies and procedures.

  2. Improve access control policies and procedures to provide actionable steps for configuring security settings on operating systems, improving administration of user access, and intrusion detection alerting.

  3. Evaluate user functional access needs and privileges to ensure proper segregation of duties within financial applications such as the IFCAP and AEMS/MERS. Assign, communicate, and coordinate responsibility for enforcing and monitoring such controls in a consistent fashion throughout VA.

  4. Develop a business continuity plan at the VA level that will facilitate effective communication and implementation of overall guidance and standards, and provide coordination of VA's business continuity effort. Schedule and test IT disaster recovery plans to ensure continuity of operations in the event of a disruption of service.

OPERATIONS

Integrated Financial Management System - Material Weakness (Repeat Condition)

As defined in OMB Circular A-127, "a financial management system encompasses automated and manual processes, procedures, controls, data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions." Such financial management systems shall be designed to provide for an effective and efficient interrelationship between software, hardware, personnel, procedures, controls, and data contained within the systems.

With respect to system requirements in the area of financial reporting, OMB Circular A-127 provides that an agency's financial management system should generate reliable, timely, and consistent information necessary for meeting management's responsibilities, including the preparation of financial statements. Within OMB Circular A-123, the management control processes necessary to ensure that "reliable and timely information is obtained, maintained, reported and used for decision making" are set forth, including prompt and appropriate recording and classification.

During our audit of VA's consolidated financial statements, we noted continuing difficulties related to the preparation, processing, and analysis of financial information to support the efficient and effective preparation of VA's consolidated financial statements. While significant efforts are made at the component and consolidated levels to assemble, compile, and review the necessary financial information for annual financial reporting requirements, in many cases, components of certain feeder systems and financial applications are not fully integrated with the core Financial Management System. As a result, significant manual work-arounds and out-of-date systems impede the process. For example, we noted that:

  • Reconciliations of property records in the loan guaranty programs continue to identify significant differences from non interfaced systems;

  • Within the compensation, pension and education programs, there are a number of programs that do not directly interface with the general ledger or they interface at various intervals. As a result, numerous adjusting entries resulting from timing differences are necessary to reconcile balances with the general ledger to ensure the amounts are properly stated; and

  • In the life insurance programs, the lack of system interface with the VA's general ledger creates the need for a significant amount of adjusting entries. We observed that some journal entries were not posted to the general ledger nor were reconciling items identified and posted timely.

Recommendation:
  1. The VA CIO and Chief Financial Officer (CFO) should develop and implement a fully integrated financial management system. The VA CFO should implement and enforce supplemental manual processes to meet appropriate control objectives until a fully integrated financial management system is implemented.

Operational Oversight (Repeat Condition)

With more than 150 medical centers nationwide, management oversight at the medical centers is essential to ensure compliance with Departmental established policies and procedures. To assess the effectiveness of internal controls at the medical center level, we conducted tests at 14 medical centers within 11 Veterans Integrated Service Networks (VISNs) to

  1. determine whether staffs were aware of key internal controls,
  2. review evidence to determine whether internal controls were functioning as intended and
  3. assess the effectiveness of the internal controls.

During our testing, we continued to find a number of previously reported instances where key internal controls and reconciliation processes were not performed consistently or completely. The Veterans Health Administration (VHA), Office of the CFO, has implemented a monthly reconciliation monitoring process. VHA also conducted training designed specifically for medical center accountants and developed performance measures for the VISN's scorecard to monitor medical center progress in complying with certain Departmental policies and procedures. Although there has been improvement, our testing at the medical centers showed continued noncompliance with certain established policies and procedures. Among the control exceptions found at the medical centers were:

  • Supervisory reviews of medical accounts receivable reconciliations were not completed in accordance with certain VA procedures;

  • Completed construction or upgrade projects were not capitalized in a timely manner;

  • Non-expendable equipment inventories were not completed or were not completed in accordance with certain VA policies and procedures;

  • Accounts receivable collections were not properly completed or were not completed in a timely manner;

  • Monitoring of accrued services payable transactions was not effectively performed;

  • Estimated environmental clean-up costs were not reported in a timely manner; and

  • Deferred maintenance costs were not recorded or were incorrectly recorded in the general ledger.

Recommendations:
  1. The VHA CFO should continue monitoring monthly reconciliations at the medical centers, develop training programs in areas where noncompliance continues to exist, and use the VISN scorecards to measure compliance with VA policies and procedures to improve internal controls over financial reporting; and

  2. Management at the medical centers should take action necessary to comply with VA policies and procedures.

Judgments and Claims

VA's Office of General Counsel (OGC) GCLAWS claims tracking system records medical malpractice claims and is used as an input to the model which estimates the value of future settlements pursuant to Statement of Federal Financial Accounting Standard Number 5, Accounting for Liabilities of the Federal Government. VA management was unable to explain differences between the amount of settled tort claims recorded in the GCLAWS system and the amount of paid claims recorded in the Judgment Fund maintained by the Department of the Treasury. The Judgment Fund is an appropriated government-wide fund from which settlement payments can be made for both tort and other claims and settlements against the VA based on the authorization of the OGC or the Department of Justice. As a result, the VA could not determine that it provided the appropriate information to the estimation model or that charges to the Judgment Fund were appropriate.

Recommendation:
  1. The CFO should establish a process to regularly reconcile and investigate differences between the paid claim amounts recorded in GCLAWS and amounts paid from the Judgment Fund.

Follow-up on Previous Report

In our Independent Auditors' Report On Internal Control Over Financial Reporting And On Compliance Based Upon the Audit Performed in Accordance with Government Auditing Standards dated November 11, 2003, we reported four reportable conditions (with two material weaknesses) in the areas of (1) Information Technology (IT) Security Controls, (2) Integrated Financial Management System, (3) Operational Oversight and (4) Medical Malpractice Claims Data. In FY 2004, the material weaknesses repeated are items (1) and (2), and the repeat reportable condition is item (3). Item (4) has been corrected.

With respect to the internal control related to performance measures reported in Management's Discussion and Analysis, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02, as amended. Our procedures were not designed to provide assurance on internal control over reported performance measures and, accordingly, we do not provide an opinion on such controls.

In addition, we considered VA's internal control over Supplementary Information by obtaining an understanding of VA's internal control, determined whether these internal controls had been placed in operation, assessed control risk, and performed tests of controls as required by OMB Bulletin No. 01-02 as amended. Our procedures were not designed to provide assurance on these internal controls. Accordingly, we do not provide an opinion on such controls.

COMPLIANCE AND OTHER MATTERS

As part of obtaining reasonable assurance about whether VA's financial statements are free of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts and certain other laws and regulations specified in OMB Bulletin No. 01-02, as amended, including the requirements referred to in the Federal Financial Management Improvement Act (FFMIA) of 1996. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed instances of noncompliance or other matters that are required to be reported under Government Auditing Standards, and are described below.

Under FFMIA, we are required to report whether the agency's financial management systems substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the U.S. Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance using the implementation guidance and evaluative criteria issued by OMB in Circular A-127.

The material weaknesses in internal control over financial reporting discussed above and identified as "Information Technology (IT) Security Controls" and "Integrated Financial Management System" indicate that VA is not in full compliance with the requirements of OMB Circulars A-123, A-127, and A-130. As discussed above, we found material weaknesses in

  1. the effectiveness of the information technology controls; and
  2. the design and operation of internal controls over financial reporting, particularly with effectiveness of the control monitoring and reconciliation processes in support of the preparation of the Department's consolidated financial statements.

We believe these material weaknesses, in the aggregate, result in departures from certain of the requirements of OMB Circulars A-123, A-127 and A-130, and are, therefore, instances of substantial noncompliance with the Federal financial management systems requirements under FFMIA.

In addition, we noted other matters involving the internal control and compliance over financial reporting that we have reported to the VA, in a separate letter dated November 4, 2004.

DISTRIBUTION

This report is intended solely for the information and use of the VA Office of Inspector General, the management of the VA, the Office of Management and Budget, the U.S. Government Accountability Office, Office of the President and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

Deloitte & Touche LLP

November 4, 2004


Memorandum

Department of Veterans Affairs

Date: Nov 10 2004

From: Acting Assistant Secretary for Management (004)

Subj: Report of Audit of VA's Consolidated Financial Statements for FY 2004 and 2003

To: Assistant Inspector General for Auditing (52)

  1. The Office of Management is pleased to receive an unqualified opinion in the Report of Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2004 and 2003. We are especially proud in meeting the FY 2004 timeframe requirements established by the Office of Management and Budget. Please extend to your staff and the staff of Deloitte & Touche, LLP, my appreciation for their detailed planning, hard work and cooperation during this year's audit.

  2. We will share the results of the audit, as well as the findings on internal controls over financial reporting and regulatory compliance, with senior officials in the Administrations and with other VA staff and program managers. We will continue to provide you with updates on our progress in implementing management plans to correct the two material weaknesses, Integrated Financial Management System and Information Technology Security Controls.

  3. Thank you again for your efforts in bringing us to another successful conclusion of the audit cycle.

William A. Moorman