Internal Controls: Federal Disbursement Controls Can Be
Strengthened (13-AUG-01, GAO-01-910R).
In the U.S. government's consolidated financial statements for
fiscal year 2000, GAO tested certain internal controls over
federal disbursements processed by the Department of the
Treasury's Financial Management Service (FMS). With some
exceptions, FMS makes disbursements for all federal agencies
through its Regional Financial Centers and Debt Management
Operations Center. For fiscal year 2000, FMS reported processing
approximately 890 million disbursements totaling over $1.2
trillion. The centers disburse funds by check, electronic fund
transfer (EFT), or Fedwire. FMS reported that these disbursements
for fiscal year 2000 included approximately 265 million checks
amounting to over $265 billion, approximately 625 million EFTs
amounting to over $720 billion, and approximately 47,000 Fedwires
amounting to over $275 billion. The centers also process
Automated Standard Application for Payments (ASAP) system
enrollments. FMS reported the federal agencies authorized
payments of over $254 billion in fiscal year 2000 using the ASAP
system. This report reviews the results of GAO's (1) follow-up
work on previously recommended improvements and corrective
actions taken to address such recommendations and (2) fiscal year
2000 testing and related recommendations for improving controls
over safeguarding of assets and processing and documenting
delegation and designation of agency certifying officers. GAO
found that FMS' and the centers' corrective actions resolved
weaknesses reported for fiscal year 1999 relating to (1) controls
over checks awaiting destruction and returned checks, (2)
segregation of duties for the ASAP system, (3) documenting agency
certifying officer's signature verification, (4) authorized
signature for return of canceled Fedwire disbursements, and (5)
reconciling courtesy disbursements. Similar to fiscal year 1999,
FMS had internal control weaknesses in personnel screening,
inventory control, audit procedures, and reporting requirements.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-01-910R
ACCNO: A01601
TITLE: Internal Controls: Federal Disbursement Controls Can Be
Strengthened
DATE: 08/13/2001
SUBJECT: Financial management
Internal controls
Personnel management
Federal agency accounting systems
Check disbursement or control
Financial statement audits
Fedwire
FMS Automated Standard Application for
Payment
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Testimony. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-01-910R
GAO- 01- 910R Federal Disbursement Controls
United States General Accounting Office Washington, DC 20548
August 13, 2001 Mr. Richard Gregg Commissioner Financial Management Service
Department of the Treasury
Subject: Internal Controls: Federal Disbursement Controls Can Be
Strengthened Dear Mr. Gregg: We recently reported on the U. S. government?s
consolidated financial statements for fiscal year 2000. 1 In connection with
fulfilling our requirement to audit these statements, 2 we tested certain
internal controls over federal disbursements processed by the Department of
the Treasury?s Financial Management Service (FMS). With some exceptions (the
largest being the Department of Defense), FMS makes disbursements for all
federal agencies through its Austin, Chicago, Kansas City, Philadelphia, and
San Francisco Regional Financial Centers and the Birmingham Debt Management
Operations Center. 3 For fiscal year 2000, FMS reported processing
approximately 890 million disbursements totaling over $1.2 trillion.
The centers disburse funds by check, electronic fund transfer (EFT), or
Fedwire. 4 FMS reported that these disbursements for fiscal year 2000
included approximately 265 million checks amounting to over $265 billion,
approximately 625 million EFTs amounting to over $720 billion, and
approximately 47,000 Fedwires amounting to over $275 billion. The centers
also process Automated Standard Application for Payments (ASAP) system
enrollments. 5 FMS reported that federal agencies authorized payments of
over $254 billion in fiscal year 2000 using the ASAP system.
1 U. S. Government Financial Statements: FY 2000 Reporting Underscores the
Need to Accelerate Federal Financial Management Reform (GAO- 01- 570T, March
30, 2001). 2 31 U. S. C. 331( e) (1994).
3 FMS informed us subsequent to fiscal year 2000 that the Chicago Financial
Center ceased operations. 4 Fedwire is a telecommunications network that
electronically links FMS to the Federal Reserve Bank of New York and handles
low- volume, high- dollar- value, or same- day payment requests. 5 The ASAP
system, jointly implemented by FMS and the Federal Reserve Bank of Richmond,
is an electronic payment and information system. Under this system, once
enrolled, an organization can draw federal funds from bank accounts
preauthorized by federal agencies.
GAO- 01- 910R Federal Disbursement Controls Page 2 As part of their
disbursement process, the centers also perform claims and various
accounting functions. The claims function primarily relates to crediting
funds back to the requesting agencies in cases in which disbursements have
been canceled or returned.
The purpose of this letter is to communicate the results of our follow- up
work on previously recommended improvements and corrective actions taken to
address such recommendations. In addition, this letter communicates the
results of our fiscal year 2000 testing and related recommendations for
improving to controls over (1) safeguarding of assets and (2) processing and
documenting delegation and designation of agency certifying officers. 6
Although the internal control matters are not material in relation to the
federal government?s fiscal year 2000 consolidated financial statements,
they warrant your attention.
Results in Brief
Our fiscal year 2000 testing disclosed that FMS? and the centers? corrective
actions resolved weaknesses reported for fiscal year 1999 relating to (1)
controls over checks awaiting destruction and returned checks, (2)
segregation of duties for the ASAP system, (3) documenting agency certifying
officer?s signature verification, (4) the authorized signature for return of
canceled Fedwire disbursements, and (5) reconciling courtesy disbursements.
7 In addition, FMS had completed corrective actions during fiscal year 2001
to address weaknesses relating to employment screening practices that were
reported for fiscal year 1999. But these actions were not complete as of the
end of fiscal year 2000.
Our fiscal year 2000 testing of manual controls and procedures indicated the
following weaknesses related to the safeguarding of vulnerable negotiable
assets at the centers tested that increase the risk of fraud and
unauthorized disbursements.
! Similar to fiscal year 1999, FMS? employment screening practices for the
three centers tested did not adequately mitigate risk of employees accessing
negotiable assets and related records. Specifically, these centers permitted
new employees to access sensitive areas or related records before the
results of their fingerprint checks were received and reviewed. In addition,
FMS did not perform periodic background investigation updates on all
employees with access to negotiable assets and related records. During
fiscal year 2001, FMS released policies and procedures relating to
fingerprint/ background checks and periodic background updates. If
effectively implemented, these procedures should address this weakness.
6 Internal Controls: Disbursement Processing Controls Need Improvement (GAO/
AIMD- 00- 236R, August 7, 2000). In addition, on December 7, 1999, we issued
a Limited Official Use report to you detailing the results of our review of
controls relating to physical access and segregation of duties and
reconciliation of blank check stock.
7 A courtesy disbursement is a replacement benefit check issued by FMS at
the request of an agency when the intended recipient notifies the agency
that he/ she has not received a benefit check.
GAO- 01- 910R Federal Disbursement Controls Page 3
! Similar to fiscal year 1999, certain FMS staff at the three centers tested
had inappropriate access to blank check stock and one or more key check
disbursement processing areas, resulting from physical access and
segregation of duty vulnerabilities at the centers. Subsequent to our site
visits at the centers tested, in September 2000 FMS released its revised
Field Operations Manual (FOM) procedures relating to physical access and
segregation of duties. The FOM
contains FMS? operating procedures for use by the centers. If effectively
implemented, these procedures should address this weakness.
! Similar to fiscal year 1999, we found that there was no FOM requirement
to, and the three centers tested did not, physically reconcile all blank
check stock issued to, but not yet used by, the print operators with the
related control records daily. Subsequent to our site visits at the centers
tested in September 2000, FMS released its revised FOM procedures and in
fiscal year 2001 released supplemental procedures relating to reconciliation
of blank check stock. If effectively implemented, these procedures should
address this weakness.
! Similar to fiscal year 1999, we found that there was no FOM requirement
to, and the three centers tested did not, physically reconcile all blank
check stock issued to, but not yet used by, the print operators with the
related control records daily. Subsequent to our site visits at the centers
tested in September 2000, FMS released its revised FOM procedures and in
fiscal year 2001 released supplemental procedures relating to reconciliation
of blank check stock. If effectively implemented, these procedures should
address this weakness.
! The center responsible for processing ASAP return payments did not have a
control in place that required an independent review of the process of
returning credit to a particular organization?s authorized funds available
to draw. During fiscal year 2001, the center modified its internal
guidelines to address this issue. If effectively implemented, these
procedures should address this weakness.
Our fiscal year 2000 testing also indicated internal control weaknesses
relating to FMS? Administrative Service Branch?s (ASB) processing and
documenting of delegation and designation of agency certifying officers that
increase the risk of unauthorized disbursements. Specifically, our testing
disclosed the following.
! While there is a form to document the head of agency (HOA) self-
delegation verifications, ASB personnel did not routinely document the HOA
self- delegation verifications.
! ASB personnel did not routinely document system overrides of designations
of authority to designate certifying officers. In addition, ASB did not
routinely perform supervisory reviews of these overrides or ensure that
documentation to support the validity of such overrides was received from
the affected agencies.
FMS informed us that it had corrective actions in progress during fiscal
year 2001 to address these weaknesses. Specifically, FMS issued formal
written procedures in
GAO- 01- 910R Federal Disbursement Controls Page 4 June 2001 relating to HOA
self- delegation verifications and system overrides. If
effectively implemented, these procedures should address this weakness. This
year, we are recommending that FMS management monitor the implementation and
effectiveness of the procedures established during fiscal year 2001 to
strengthen controls over the reconciliation of blank check stock, processing
and documenting HOA self- delegation verifications, and documenting system
override designations. In addition, for those other matters on which FMS and
the center took corrective actions, we are recommending that FMS follow up
to ensure effective implementation of such control procedures.
Scope and Methodology
As part of fulfilling our requirement to audit the U. S. government?s fiscal
year 2000 financial statements, we performed tests of manual controls and
procedures over the delegation and designation of disbursing authority for
certifying officers; the processing of check, EFT, and Fedwire
disbursements; ASAP system enrollments; and examination/ observation of
selected claims and accounting for various disbursement transactions. In
addition, we reviewed certain hiring practices, physical access controls,
job responsibilities, and reconciliation of blank check stock at the centers
where we performed testing. 8 For fiscal year 1997, the first year we
reported on the U. S. government?s financial statements, we statistically
selected samples of transactions and tested the internal controls relating
to delegation and designation controls for certifying officers and check,
EFT, and Fedwire disbursements. We also performed nonstatistical internal
control tests for ASAP system enrollments and for claims activities and
accounting functions, as it was more efficient to test these through
nonstatistical methods. The internal control matters we found were not
material in relation to the U. S. government?s consolidated financial
statements. As a result, for subsequent fiscal years including fiscal year
2000, testing was primarily limited to follow- up on FMS actions to address
the matters identified in our prior reports and to reconfirm the existence
and functioning of the manual controls and procedures originally tested.
In fiscal year 2000, we initiated a rotational testing approach. Under this
approach, we planned to perform specific transaction and control tests at
three centers, every 2 years. Thus, for fiscal year 2000, for the three
centers we selected specific disbursement processing steps to evaluate the
corrective actions, if any, on recommendations made in our previous reports.
Given the nonstatistical manner of selecting items, the results of this work
are not projectable. For the centers for which specific transaction and
control tests were not performed, we primarily limited our work to inquiry
related to prior year recommendations.
To reconfirm the existence and functioning of manual controls and procedures
at the three selected centers, we also performed nonstatistical testing of
transactions on
8 This testing was limited to center staff members and check processing
areas ?key? to the disbursement process.
GAO- 01- 910R Federal Disbursement Controls Page 5 days during fiscal year
2000 that the centers processed large volumes/ dollars of
disbursements. We examined selected documentation, performed physical
observations, and held discussions with FMS and center officials and staff
relating to (1) the delegation and designation of certifying officers, (2)
check, EFT, and Fedwire disbursement transactions, (3) ASAP system
enrollments and return payment processing, (4) various processes related to
claims and accounting, (5) employment screening practices, (6) physical
access and segregation of duties, and (7) reconciliation of blank check
stock. We selected transactions processed from October 1, 1999, through July
31, 2000. The results of this testing are not projectable.
We reviewed FMS? FOM, which contains a framework for the operating
procedures to be used by the centers. We also considered the standards for
internal control in the federal government. 9 These standards state that
internal control is a major part of managing an organization and provide an
overall framework for establishing and maintaining such controls. The
standards include the plans, methods, and procedures for organizations to
use to meet missions, goals, and objectives. Internal control also serves as
the first line of defense in safeguarding assets and preventing and
detecting errors and fraud. We performed our audit work in accordance with
U. S. generally accepted government auditing standards from August 2000
through June 2001. The Commissioner of FMS provided written comments, which
are discussed in the
?Agency Comments? section of this letter and reprinted in enclosure I.
Controls Over Safeguarding of Assets Can Be Strengthened
We found internal control weaknesses that increase the risk of possible
fraud, theft, and misuse of vulnerable negotiable assets and could result in
unauthorized disbursements. These weaknesses related to (1) FMS? employment
screening practices for the centers, (2) physical access and segregation of
duties, (3) reconciliation of blank check stock, and (4) processing of ASAP
return payments.
The internal control standards state that appropriate hiring practices are
critical in an effective control environment. The standards also require the
following.
! An agency must establish physical control to secure and safeguard
vulnerable assets. In this regard, such assets should be periodically
counted and compared to control records.
! Access to resources (such as blank check stock) and records should be
limited to authorized individuals, and accountability for their custody and
use should be assigned and maintained. To achieve this, periodic comparison
of resources with the recorded accountability should be made to help reduce
the risk of errors, fraud, misuse, or unauthorized alteration.
9 Standards for Internal Control in the Federal Government (GAO/ AIMD- 00-
21.3.1, November 1999). These standards are issued by the Comptroller
General pursuant to 31 U. S. C. 3512 (c), (d), commonly referred to as the
Federal Managers? Financial Integrity Act.
GAO- 01- 910R Federal Disbursement Controls Page 6
! Key duties and responsibilities in authorizing, processing, recording, and
reviewing transactions and handling the related assets (such as blank check
stock) need to be divided or segregated among different people to reduce the
risk of error or fraud.
Employment Screening Practices As a result of our fiscal year 1999 work, we
recommended that FMS develop and implement uniform policies and procedures
requiring, at a minimum, initiation of fingerprint background checks prior
to the start date of new employees and prohibiting new employees from
accessing negotiable assets and related records until the results of the
fingerprint checks are received and reviewed. 10 In addition, we recommended
that FMS develop and implement policies and procedures for periodic
background investigation updates for employees who occupy positions with
access to vulnerable negotiable assets or related records. At the time of
our fiscal year 2000 testing, FMS informed us that it had an effort under
way to address these issues. However, these issues were not addressed by the
end of fiscal year 2000.
At the three centers we tested, for the employees occupying job positions
with access to negotiable assets and related records, our review disclosed
the following.
! Similar to the results of our fiscal year 1999 review, we found that FMS?
Security Branch, the entity primarily responsible for certain employment
screening practices, did not have uniform policies and procedures in place
for the centers to follow that (1) required fingerprint background checks
prior to the start dates of new employees and (2) prohibited new employees
from accessing negotiable assets and related records until the results of
their fingerprint checks were received and reviewed. During our fiscal year
2000 testing, unlike the prior year, the documentation reviewed for each of
the two new employees for the three centers indicated that fingerprint
background checks of new employees were initiated prior to the employees?
start dates. But none of these centers prohibited new employees from being
assigned access to negotiable assets and related records until the results
of fingerprint checks were received and reviewed.
! Similar to the results of our fiscal year 1999 review, we found that FMS?
Security Branch did not require or perform periodic background investigation
updates on all employees with access to negotiable assets and related
records.
Effective hiring practices, which can mitigate the risk associated with
personnel occupying job positions that an agency considers sensitive,
include completion of fingerprint checks on prospective employees prior to
their start dates, prohibiting their assignment to sensitive job positions
until the results of fingerprint checks are received and reviewed, and
conducting periodic background investigation updates.
10 Internal Controls: Disbursement Processing Controls Need Improvement
(GAO/ AIMD- 00- 236R, August 7, 2000).
GAO- 01- 910R Federal Disbursement Controls Page 7 Without effective hiring
practices, the potential risk of employee theft, fraud, and
misuse of negotiable assets is increased. During fiscal year 2001, FMS
issued policies and procedures relating to fingerprint background checks and
periodic background investigation updates. FMS? Security Branch, which
organizationally reports to the Assistant Commissioner for Management, is
responsible for issuing and implementing policies and procedures for FMS?
security program. FMS? Regional Operations (RO) is responsible for the
centers? policies and procedures documented in the FOM. As a result,
Management and RO issued policies and procedures relating to (1) initiation
of fingerprint checks prior to the start dates of new employees, (2)
background investigation updates, and (3) prohibiting new employees from
being assigned access to negotiable assets and related records until the
results of fingerprint checks are received and reviewed. If these procedures
are properly implemented and monitored, FMS will increase its ability to (1)
more quickly identify potential risks with employees and improve
safeguarding of negotiable assets and (2) better assess the risks associated
with potential changes to employees? financial and/ or personal
circumstances.
Physical Access and Segregation of Duty Controls As a result of our fiscal
year 1999 work, we recommended that FMS revise the FOM to include
comprehensive, specific requirements for physical access and segregation of
duty controls within the key check disbursement processing areas at the
centers. Approximately 2 weeks before the end of fiscal year 2000, FMS
issued FOM guidance relating to physical access and segregation of duty
controls. According to the FOM guidance, due to the financially sensitive
nature of the disbursing business, it is necessary to maintain a high level
of integrity and security throughout the process. Further, according to this
guidance, there are a number of tools and techniques that can and will be
used to maintain a high level of integrity and security. These tools and
techniques can be used individually or in combination to achieve such
integrity and security.
The guidance is also intended to be flexible due to differences in the
physical configurations and organizational structures of the centers.
Furthermore, it allows the centers to request written waivers if they cannot
implement any of the requirements outlined in the guidance. We found that
the guidance required, for example, physically restricting certain staff
members? access to one key check disbursement processing area. In instances
in which staff members have access to more than one key check disbursement
processing area, the guidance suggests using dual controls, 11 cameras, and
other compensating controls to mitigate the associated risks.
Furthermore, according to the guidance some staff members? job
responsibilities required access to more than one area. During fiscal year
2000, at the three centers tested, we found situations in which certain
staff members had access to more than
11 Dual control is a control technique requiring at least two individuals to
perform an operation.
GAO- 01- 910R Federal Disbursement Controls Page 8 one key check
disbursement processing area. For example, at two centers we found
that staff members called ?universal/ super operators? were assigned the
duties and responsibilities of check printing and check wrapping. 12 Such
duties and responsibilities created a segregation of duty vulnerability and
allowed the same staff members to have access to both the blank check stock
and the signed printed checks. Without adequate physical access and
segregation of duty controls or adequate compensating controls, the risk of
error or fraud increases. However, with proper implementation and
monitoring, including the use of compensating controls such as those
described in the guidance, FMS increases assurance that the risk of fraud
and unauthorized disbursements is reduced.
Reconciliation of Blank Check Stock As a result of our fiscal year 1999
work, we recommended that FMS revise the FOM to replace the requirement for
daily review of the check numbers used with a requirement for the check
custodians to physically reconcile all blank check stock issued to, but not
yet used by, the print operators with the related control records daily.
During our fiscal year 2000 audit, we found that there was no FOM guidance
requirement to, and the three centers tested did not, physically reconcile
all blank check stock issued to, but not yet used by, the print operators
with the related control records daily. Performing this daily reconciliation
will help assure that all blank check stock issued to, but not yet used by,
the print operators is accounted for. In the latter part of fiscal year
2000, FMS issued FOM guidance requiring that two independent staff members
at each center perform daily reviews of all unused checks issued to, but not
yet used by, the print operators. Additionally, FMS issued supplemental
procedures to the centers during fiscal year 2001. If properly implemented
and monitored, FMS increases assurance that unauthorized check disbursements
are detected promptly.
Controls Over Processing ASAP Return Payments During the course of our
fiscal year 2000 physical observation of return payment processing, we found
that the one center that processes ASAP return payments did not have a
mechanism in place requiring an independent review of the processing of
?Classification/ Reclassification? ASAP return payments. Under the ASAP
system, once enrolled, an organization can draw funds from bank accounts
preauthorized by federal agencies. Although ASAP enrollments are processed
by the three centers we tested, only one center processes ASAP return
payments. There are two types of return payments: ?Reversals?-- the return
of payments back to a financial institution- and ?Classifications/
Reclassifications?-- the return of credit back to a particular
organization?s authorized funds available to draw. ?Classifications/
Reclassifications? returns often occur because a duplicate draw was made in
error by the organization. Without an independent review of the processing
of ?Classification/ Reclassification? return payments, FMS lacks assurance
that such payments are processed properly
12 Wrapping duties entail operating the machines that sign the checks and
inserting the signed checks in envelopes for mailing.
GAO- 01- 910R Federal Disbursement Controls Page 9 and that credit was
properly returned to the organization that initiated the original
draw. During our fiscal year 2000 audit, we notified the center?s management
of this condition. During fiscal year 2001, the center modified its internal
operating guidelines for processing return payments and implemented
procedures for handling ASAP ?Classifications/ Reclassifications? return
payments. With proper implementation and monitoring, FMS increases assurance
that ASAP
?Classification/ Reclassification? payments are processed properly and that
credit is properly returned to the initiating organizations.
Internal Controls Over Processing and Documenting Delegation and Designation
of Agency Certifying Officers Can Be Strengthened
We found internal control weaknesses at FMS? ASB relating to documenting (1)
HOA self- delegation verifications and (2) system overrides of designations
of authority to designate certifying officers. In addition, ASB does not
perform a supervisory review of these overrides or ensure that documentation
to support the validity of such overrides is received from the affected
agencies. If ASB does not fully document its delegation and designation
verifications and ensure that system overrides are documented, subjected to
supervisory review, and supported by documentation, FMS lacks adequate
assurance that the disbursements it processes on behalf of various federal
agencies are properly authorized.
The internal control standards require, in part, the following.
! Transactions and other significant events should be authorized and
executed only by persons acting within the scope of their authority.
Authorizations should be clearly communicated to both managers and
employees.
! Qualified and continual supervision should be provided to ensure that
internal control objectives are achieved. In addition, transactions should
be promptly recorded to maintain their relevance and value to management in
controlling operations and making decisions.
! Internal control and all transactions and other significant events need to
be clearly documented, and the documentation should be readily available for
examination and should appear in management directives, administrative
policies, or operating manuals.
Documenting HOA Self- Delegation Verifications Our review at ASB of
authorization documentation of four certifying officers identified one
instance in which ASB failed to adequately document its HOA selfdelegation
verification. ASB informed us that in this instance, during its verification
process, it called the agency to verify the identity of the HOA. However,
ASB did not document the action taken on the form already in existence for
this purpose. Additionally, ASB informed us that it does not routinely
document the use of the
GAO- 01- 910R Federal Disbursement Controls Page 10 Federal Yellow Book 13
or contacts with agencies, which are used when alternate
procedures are needed to verify the HOA. As a result, FMS lacks adequate
assurance that the identity of the HOA was verified.
The authority to expend agency funds and to certify the disbursement of such
funds resides with the heads of federal agencies. The Treasury Financial
Manual (TFM), Volume I, Part 4, Chapter 1100, Section 1120, defines HOA to
mean the head of an executive agency- that is, department secretaries and
agency administrators and commissioners. It can also include bureau heads
and agency and/ or bureau chief financial officers. The HOA makes this
authority known to FMS through a process known as self- delegation. In
Volume I, Part 4, Chapter 1100, Section 1135, the TFM requires that the HOA
submit to FMS a self- delegation using Form FMS 2958, Delegation of
Authority, along with a self- designation letter bearing the agency?s
official seal. Upon receipt, FMS verifies the designation and returns a copy
of the Form FMS 2958 to the HOA. FMS uses these documents as a basis for
validating all subsequent delegations and designations from that agency head
to lower- level agency officials.
During our fiscal year 2000 audit, we notified ASB of our concern about its
not documenting HOA self- delegation verifications. During fiscal year 2001,
FMS issued formal written procedures requiring documentation of the HOA
delegation verification. With proper implementation and monitoring, FMS
increases assurance that the disbursements it processes on behalf of various
federal agencies are properly authorized.
Documenting System Override Designations Our review at ASB of authorization
documents of four certifying officers? disbursement authority found that ASB
allowed the designation of one individual even though the designator?s
delegation of authority had expired. To complete processing of the
certifying officer?s designation, an ASB administrator overrode the Digital
Signature and Storage Verification (DSSV) system and did not document this
override. Further, this override was not subjected to supervisory review,
and documentation to support its validity was not subsequently received from
the affected agency. Additionally, ASB informed us that it does not document
system overrides of designations of authority to designate certifying
officers. Further, ASB does not ensure that documentation to support the
validity of such overrides is received from the affected agencies. The DSSV
system is used to store and validate the digital signatures of various
agency officials. Because the designation of certifying officers is a
critical step in ensuring that only authorized individuals are granted the
ability to certify agency disbursements, system overrides should be
documented, subjected to qualified and continual supervision, and supported
by valid agency documentation. Without such controls, FMS lacks adequate
assurance that only authorized agency personnel can certify disbursements.
13 The Federal Yellow Book is a leadership directory of federal departments
and agencies that lists individuals such as the heads of agencies.
GAO- 01- 910R Federal Disbursement Controls Page 11 Volume I, Part 4,
Chapter 1100, Section 1140m of the TFM requires that designation
authority be given to individuals responsible for exercising this authority
for the HOA. Such delegations must be for specific authorities as noted on
FMS Form 2958/ 2958A. Delegations of designation authority are valid for a 2
years after the effective dates, unless revoked earlier. Delegations not
renewed by their expiration dates will become void as of those dates and no
further designations/ delegations will be accepted from the individuals.
Once a delegation expires, a new delegation must be submitted to reinstate
that individual. In Volume I, Part 4, Chapter 1100, Section 1145, the TFM
requires that the designating official must have a valid FMS Form 2958 on
file with FMS in order to designate certifying officers for the agency.
Certifying officers are individuals to whom authority to approve disbursal
of agency funds has been delegated, by a properly authorized designating
official.
During our fiscal year 2000 audit, we notified ASB of our concern about not
documenting system overrides. During fiscal year 2001, FMS issued formal
written procedures requiring supervisory approval of system overrides. In
addition, the procedures require that these actions be fully documented by
the DSSV operator and reviewed by the DSSV supervisor. With proper
implementation and monitoring, FMS increases assurance that only authorized
agency personnel can certify disbursements.
Conclusion
We found that certain corrective actions have been taken to address both
prior years? and the new internal control weaknesses we identified as part
of the fiscal year 2000 financial audit. In the areas of reconciliation of
blank check stock, documenting HOA self- delegation verifications, and
documenting system override designations, controls should be strengthened to
reduce the risk of unauthorized disbursements if the corrective actions
taken are effectively implemented.
Recommendations
To ensure effective implementation of actions taken to address the
disbursement internal control weaknesses we identified, we recommend that
the Commissioner of FMS direct the Assistant Commissioner for Regional
Operations to monitor efforts relating to
! the centers? adherence to FOM policies prohibiting new employees from
being assigned access to negotiable assets and related records until the
results of fingerprint checks are received and reviewed;
! the centers? adherence to FOM policies regarding physical access and
segregation of duties relating to key check disbursement processing areas;
! the centers? adherence to FOM revision requiring a daily review of blank
check stock issued to, but not yet used by, the print operators;
! the center?s processing of ASAP ?Classification/ Reclassification? return
payments;
GAO- 01- 910R Federal Disbursement Controls Page 12
! ASB?s adherence to written procedures requiring documentation of the HOA
selfdelegation verifications; and
! ASB?s adherence to written procedures requiring (1) supervisory approval
of system overrides of designations of authority to designate certifying
officers, (2) documentation of system overrides, and (3) performance of a
supervisory review of these actions.
To ensure effective implementation of actions taken to address the remaining
disbursement internal control weaknesses from our prior year audits, we
recommend that the Commissioner of FMS direct the Assistant Commissioner for
Management to monitor efforts relating to
! the Security Branch?s policies and procedures requiring initiation of
fingerprint background checks prior to the start dates of new employees and
! the Security Branch?s policies and procedures requiring periodic
background investigation updates for employees in positions that require
access to vulnerable negotiable assets or related records.
Agency Comments
In commenting on a draft of this report, FMS concurred with our assessment
that the risk of unauthorized disbursements will be reduced if its
corrective actions to address the internal control issues identified are
effectively implemented. In this regard, FMS stated that it had initiated a
comprehensive review program to ensure that all corrective actions are being
followed.
- - - - This letter contains recommendations to you. The head of a federal
agency is required by 31 U. S. C. 720 to submit a written statement on
actions taken on these recommendations. You should submit your statement to
the Senate Committee on Governmental Affairs and the House Committee on
Government Reform within 60 days of the date of the report. A written
statement also must be sent to the House and Senate Committees on
Appropriations with the agency?s first request for appropriations made more
than 60 days after the date of the letter.
This letter is intended for use by Treasury?s management and the Inspector
General. We are sending copies of this letter to the Chairman and Ranking
Minority Member of the Senate Committee on Governmental Affairs and the
House Committee on Government Reform, the Director of the Office of
Management and Budget, and the Fiscal Assistant Secretary and Inspector
General of the Department of the Treasury. Copies will also be made
available to others upon request.
GAO- 01- 910R Federal Disbursement Controls Page 13 If you have any
questions regarding this letter, please contact me at (202) 512- 3406.
Key contributors to this assignment are listed in enclosure II. Sincerely
yours,
Gary T. Engel Director Financial Management and Assurance
Enclosures
Enclosure I GAO- 01- 910R Federal Disbursement Controls Page 14
Comments From the Financial Management Service
Enclosure II GAO- 01- 910R Federal Disbursement Controls Page 15
GAO Staff Acknowledgments
Brian Huchro, Laurie King, Yola Lewis, and Jon Ling made key contributions
to this letter.
(198052)
*** End of document. ***