Fiscal Year 2005 Performance and Accountability Report Published November 15, 2005
Back to Table of Contents
Department of Veterans Affairs Office of Inspector General
REPORT OF THE AUDIT OF THE DEPARTMENT OF VETERANS AFFAIRS CONSOLIDATED FINANCIAL STATEMENTS FOR FISCAL YEARS 2005 AND 2004
Report No. 05-01096-21
VA Office of Inspector General Washington DC 20420
November 15, 2005
Memorandum to the Secretary
Report of Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2005 and 2004
Attached is the Report of Audit of the Department of Veterans Affairs (VA) Consolidated Financial Statements (CFS) for Fiscal Years (FY) 2004 and 2003, as required by the Chief Financial Officers Act of 1990. The Office of Inspector General contracted with the independent public accounting firm, Deloitte & Touche LLP, to perform the audit of VA's FY 2005 CFS.
The independent auditors' report by Deloitte & Touche LLP provides an unqualified opinion on VA's FYs 2005 and 2004 CFS. The report on internal control identifies three reportable conditions, of which all are material weaknesses. The three material weaknesses are (i) information technology security controls, (ii) integrated financial management system, and (iii) operational oversight. During FY 2005, VA management took corrective action to eliminate the judgments and claims reportable condition reported in the FY 2004 audit report.
The report on compliance with laws and regulations continues to show that VA is not in substantial compliance with the financial management system requirements of the Federal Financial Management Improvement Act of 1996. The internal control issues concerning an integrated financial system and information technology security controls indicate noncompliance with the requirements of Office of Management and Budget (OMB) Circular A-127, "Financial Management Systems," which incorporates by reference OMB Circulars A-123, "Management Accountability and Control," and A-130, "Management of Federal Information Resources."
The auditors' unqualified opinion was achieved through the extensive efforts of program and financial management staff, as well as the auditors, to overcome material weaknesses in internal control to produce auditable information. The risk of materially misstating financial information remains high using the existing nonintegrated financial management systems.
The independent auditors will follow up on these internal control findings and evaluate the adequacy of corrective actions taken during the audit of the VA's FY 2006 CFS.
Michael L. Staley
Assistant Inspector General for Auditing
INDEPENDENT AUDITORS' REPORT
Secretary
Department of Veterans Affairs
We have audited the accompanying consolidated balance sheets of the Department of Veterans Affairs (VA) as of September 30, 2005 and 2004, and the related consolidated statements of net cost, changes in net position, financing and the combined statements of budgetary resources for the years then ended which collectively comprise VA's basic financial statements. These financial statements are the responsibility of VA's management. Our responsibility is to express an opinion on these financial statements based on our audits.
We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and the requirements of Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended. Those standards and the OMB Bulletin require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of VA's internal control over financial reporting. Accordingly, we express no such opinion. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.
In our opinion, the financial statements referred to above present fairly, in all material respects, the respective financial position of VA as of September 30, 2005 and 2004, and the respective net costs, changes in net position, financing and budgetary resources thereof for the years then ended in conformity with accounting principles generally accepted in the United States of America.
In accordance with Government Auditing Standards, we have also issued our report dated November 14, 2005, on our consideration of VA's internal control over financial reporting and on our tests of its compliance with certain provisions of laws, regulations, contracts and other matters. The purpose of that report is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing, and not to provide an opinion on the internal control over financial reporting or on compliance. That report is an integral part of an audit performed in accordance with Government Auditing Standards and should be considered in assessing the results of our audit.
Deloitte & Touche LLP
November 14, 2005
INDEPENDENT AUDITORS' REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND COMPLIANCE AND OTHER MATTERS BASED UPON THE AUDIT PERFORMED IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS
Secretary
Department of Veterans Affairs
We have audited the basic financial statements of the Department of Veterans Affairs (VA), as of and for the year ended September 30, 2005, and have issued our report thereon dated November 11, 2005. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the requirements of the Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended.
INTERNAL CONTROL OVER FINANCIAL REPORTING
In planning and performing our audit, we considered VA's internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide an opinion on the internal control over financial reporting. However, we noted certain matters involving the internal control over financial reporting and its operation that we consider to be reportable conditions. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect VA's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
A material weakness is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Our consideration of the internal control over financial reporting would not necessarily disclose all matters in the internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses.
We identified the following matters involving the internal control over financial reporting and its operation that we consider to be reportable conditions. Reportable conditions that we identified in our prior year report dated November 4, 2004 are identified as repeat conditions.
Three reportable conditions are described in the following paragraphs and include significant departures from certain requirements of OMB Circular A-127, "Financial Management Systems," which incorporates by reference Circulars A-123, "Management Accountability and Control," and A-130, "Management of Federal Information Resources," among other requirements. We believe that the three reportable conditions identified as "Information Technology (IT) Security Controls," "Integrated Financial Management System" and "Operational Oversight" are also material weaknesses. Certain conditions existed in Fiscal Year (FY) 2005 that resulted in the "Operational Oversight" reportable condition being elevated to a material weakness in the current year.
Information Technology (IT) Security Controls - Material Weakness (Repeat Condition)
VA continued to make IT security controls improvements through the implementation of improved controls over VA financial management systems. Data centers and financial management system program offices have taken corrective actions to remediate elements of IT control weaknesses reported in our prior year report. However, VA's program and financial data continue to be at risk due to serious weaknesses related to: 1) inadequate implementation and enforcement of access controls over access to financial management systems and data; 2) improper segregation of key duties and responsibilities of employees in operating and maintaining key systems; 3) underdeveloped IT service continuity planning; and 4) inconsistent development and implementation of system change controls. These weaknesses placed sensitive information, including financial data and veterans' medical and benefit information, at risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection. Our testing of key controls over the general computer systems at the VA's primary computer centers and selected medical facilities, selected financial management systems, as well as external and internal network vulnerability assessment of the VA's network infrastructure, identified the following control weaknesses:
Access Control
- Strong access authentication mechanisms and administration of user access have not been consistently implemented and enforced at the data centers, medical centers, and regional offices;
- Access privileges were not restricted based on needs due to non-restrictive system access profiles for users and programming staff. There were ineffective monitoring and review of user access profiles; and
- Intrusion detection mechanisms, and coordination and communication between Central Incident Response group and local security functions were not operating promptly and effectively to detect and resolve potential security violations from internal sources. There were also system configuration management and password issues identified in the current and previous year.
Segregation of Duties
- Legacy systems have not been configured to support proper implementation of system segregation of duties in financial management systems such as Veterans Health Information Systems and Technology Architecture accounts receivables and procurement modules and certain personnel and payroll functions.
- Prior years' segregation of duties issues for the Integrated Funds Distribution Control Point Activity, Accounting and Procurement (IFCAP) system and the Automated Engineering Management System/Medical Equipment Reporting System (AEMS/MERS) remained uncorrected in FY 2005.
Service Continuity
- A business continuity plan at the departmental level has not been fully developed to provide overall guidance, direction, and coordination for IT service continuity;
- The "Bull" operating system, supporting Veteran's Benefit Administration (VBA) applications such as compensation, pension and education programs, loan guarantee, and the property management systems' data, has not been tested for the service continuity purpose because the backup hardware does not have adequate memory and processing capacity; and
- Testing of the Continuity of Operations Plan for financial management systems at certain medical facilities and data centers has not been consistently scheduled and adequately performed.
Change Control
- Change control policy at the departmental level does not provide uniformed application development and change guidance for a wide-range of new and legacy applications to facilitate consistent implementation and effective monitoring of system change controls for mission critical systems.
VA's success in improving information security is dependent on VA's continued effort in comprehensively addressing these weaknesses at the departmental level, including continuing its high level of coordination and obtaining adequate resources to implement the plan.
Recommendations:
VA senior leadership should continue to pursue a more centralized approach, apply appropriate resources, and establish a clear chain of command and accountability structure to implement and enforce IT internal controls. In addition, VA needs to plan and implement corrective actions and remediate identified deficiencies within a reasonable timeframe. The VA Chief Information Officer (CIO) should perform proactive oversight of compliance with established IT internal control policies and procedures. VA should continue its entity-wide effort to accomplish the following key tasks:
Improve access control policies and procedures to provide actionable steps for configuring security settings on operating systems, improving administration of user access, and detection and resolution of potential access violations. Access privileges need to be assigned based on the user's level of responsibility and position.
Evaluate user functional access needs and system access privileges to support proper segregation of duties within financial applications. Assign, communicate, and coordinate responsibility for enforcing and monitoring such controls in a consistent fashion throughout VA.
Develop a service continuity plan at the departmental level that will facilitate effective communication and implementation of overall guidance and standards, and provide coordination of VA's service continuity effort. Schedule and adequately test IT disaster recovery plans to ensure continuity of operations in the event of a disruption of service.
Develop a change control framework and, within that framework, implement application specific change control procedures for mission critical systems.
Integrated Financial Management System - Material Weakness (Repeat Condition)
As defined in OMB Circular A-127, "a financial management system encompasses automated and manual processes, procedures, controls, data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions." Such financial management systems shall be designed to provide for an effective and efficient interrelationship between software, hardware, personnel, procedures, controls, and data contained within the systems.
With respect to system requirements in the area of financial reporting, OMB Circular A-127 provides that an agency's financial management system should generate reliable, timely, and consistent information necessary for meeting management's responsibilities, including the preparation of financial statements. Within OMB Circular A-123, the management control processes necessary to ensure that "reliable and timely information is obtained, maintained, reported and used for decision making" are set forth, including prompt and appropriate recording and classification.
During our audit of VA's consolidated financial statements, we noted continuing difficulties related to the preparation, processing, and analysis of financial information to support the efficient and effective preparation of VA's consolidated financial statements. While significant efforts are made at the component and consolidated levels to assemble, compile, and review the necessary financial information for annual financial reporting requirements, in many cases, components of certain feeder systems and financial applications are not fully integrated with the core Financial Management System. As a result, significant manual work-arounds and out-of-date systems impede the process. For example, we noted that:
Reconciliations of property records in the loan guaranty programs continue to identify significant differences from non interfaced systems;
Within the compensation, pension and education programs, there are a number of programs that do not directly interface with the general ledger or they interface at various intervals. As a result, numerous adjusting entries resulting from timing differences are necessary to reconcile balances with the general ledger to ensure the amounts are properly stated; and
In the life insurance programs, the lack of system interface with the VA's general ledger creates the need for a significant amount of adjusting entries. We observed that some journal entries were not posted to the general ledger nor were reconciling items identified and posted timely.
Recommendation:
The VA CIO and Chief Financial Officer (CFO) should develop and implement a fully integrated financial management system. The VA CFO should implement and enforce supplemental manual processes to meet appropriate control objectives until a fully integrated financial management system is implemented.
Operational Oversight - Material Weakness (Repeat Condition)
With more than 150 medical centers nationwide, management oversight at the medical centers is essential to ensure compliance with VA's established policies and procedures. To assess the effectiveness of internal controls at the medical center level, we conducted tests at selected medical centers to
- determine whether staffs were aware of key internal controls,
- review evidence to determine whether internal controls were functioning as intended and
- assess the effectiveness of the internal controls.
During the current year testing, exceptions identified in previous years continued to exist. In addition, in one medical center, financial data was manipulated in a manner that circumvented financial monitoring controls and internal financial performance metrics producing improved financial indicators for that medical center.
We continued to find a number of previously reported instances where key internal controls and reconciliation processes were not performed consistently or completely. The Veterans Health Administration (VHA), Office of the CFO, has implemented a monthly reconciliation monitoring process.
VHA also conducted training designed specifically for medical center accountants and developed performance measures for the Veterans Integrated Service Networks (VISN) scorecard to monitor medical centers' progress in complying with VA policies and procedures. Although there has been improvement, our testing at the medical centers showed continued noncompliance with certain established policies and procedures. Among the control exceptions found at the medical centers were:
Certain medical accounts receivable and/or other account receivable balances had not been reconciled in a timely manner. Furthermore, supervisory reviews of medical accounts receivable reconciliations were not completed in accordance with procedures;
Completed construction or upgrade projects were not capitalized in a timely manner;
Non-expendable equipment inventories were not completed or were not completed in accordance with certain VA policies and procedures;
Accounts receivable collections were not properly completed or were not completed in a timely manner;
Inadequate reviews of undelivered orders and/or accrued service payable transactions increased in FY 2005;
Estimated environmental clean-up costs were not reported in a timely manner;
Deferred maintenance costs were not recorded or were incorrectly recorded in the general ledger; and
Accounts records were modified without approval.
Recommendations:
The VHA CFO should enhance monitoring controls over medical center financial and performance metrics reporting and investigate unusual activity or financial variances on a monthly basis. The VHA CFO should also continue training programs in areas where noncompliance continues to exist, and use the VISN scorecards to measure compliance with VA policies and procedures to improve internal controls over financial reporting.
The VHA CFO should consider financial training for medical center directors and other supervisory personnel highlighting the importance of accurate financial reporting and promoting timely and thorough follow up on aged accounts balances. The VHA CFO should also review and enhance controls related to approving writeoff transactions.
Management at the medical centers should take action necessary to comply with VA policies and procedures.
Follow-up on Previous Report
In our Independent Auditors' Report On Internal Control Over Financial Reporting And On Compliance Based Upon the Audit Performed in Accordance with Government Auditing Standards dated November 4, 2004, we reported four reportable conditions (with two material weaknesses) in the areas of (1) Information Technology (IT) Security Controls, (2) Integrated Financial Management System, (3) Operational Oversight and (4) Judgment and Claims. In FY 2005, the material weaknesses repeated are items (1) and (2). Item (3) has been elevated to a material weakness. Item (4) is no longer a reportable condition.
With respect to the internal control related to performance measures reported in Management's Discussion and Analysis, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02, as amended. Our procedures were not designed to provide assurance on internal control over reported performance measures and, accordingly, we do not provide an opinion on such controls.
In addition, we considered VA's internal control over Supplementary Information by obtaining an understanding of VA's internal control, determined whether these internal controls had been placed in operation, assessed control risk, and performed tests of controls as required by OMB Bulletin No. 01-02, as amended. Our procedures were not designed to provide assurance on these internal controls. Accordingly, we do not provide an opinion on such controls.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether VA's financial statements are free of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts and certain other laws and regulations specified in OMB Bulletin No. 01-02, as amended, including the requirements referred to in the Federal Financial Management Improvement Act (FFMIA) of 1996. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed instances of noncompliance or other matters that are required to be reported under Government Auditing Standards, and are described below.
Under FFMIA, we are required to report whether the agency's financial management systems substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the U. S. Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance using the implementation guidance and evaluative criteria issued by OMB in Circular A-127.
The material weaknesses in internal control over financial reporting discussed above and identified as "Information Technology (IT) Security Controls" and "Integrated Financial Management System" and "Operational Oversight" indicate that VA is not in compliance with the requirements of OMB Circulars A-123, A-127, and A-130. As discussed above, we found material weaknesses in
- the effectiveness of the information technology controls; and
- the design and operation of internal controls over financial reporting, particularly with effectiveness of the control monitoring and reconciliation processes in support of the preparation of the VA's consolidated financial statements and
- circumvention of controls.
We believe these material weaknesses, in the aggregate, result in departures from certain of the requirements of OMB Circulars A-123, A-127 and A-130, and are, therefore, instances of substantial noncompliance with the Federal financial management systems requirements under FFMIA.
In addition, we noted other matters involving the internal control and compliance over financial reporting that we have reported to the VA, in a separate letter dated November 14, 2005.
Distribution
This report is intended solely for the information and use of the VA Office of Inspector General, the management of the VA, the Office of Management and Budget, the U.S. Government Accountability Office, Office of the President and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.
Deloitte & Touche LLP
November 14, 2005
Memorandum
Department of Veterans Affairs
Date: Nov 15 2005
From: General Counsel (02) and Former Chief Management Officer (004)
Subj: Report of the Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2005 and 2004
To: Assistant Inspector General for Auditing (52)
The Office of Management is pleased to receive an unqualified opinion in the Report of Audit of the Department of Veterans Affairs Consolidated Financial Statements for Fiscal Years 2005 and 2004. We are especially proud in meeting the FY 2005 timeframe requirements established by the Office of Management and Budget. Please extend to your staff and the staff of Deloitte & Touche, LLP, my appreciation for their detailed planning, hard work and cooperation during this year's audit.
We will share the results of the audit, as well as the findings on internal controls over financial reporting and regulatory compliance, with senior officials in VHA, VBA, and NCA and with other VA staff and program managers. We will continue to provide you with updates on our progress to correct the two material weaknesses, Integrated Financial Management System and Information Technology Security Controls, as well as develop and implement a plan to correct the material weakness, Operational Oversight, first reported this year.
Thank you again for your efforts in bringing us to another successful conclusion of the audit cycle.
Tim S. McClain
|