Skip to contentUnited States Department of Transportation - Federal Highway Administration FHWA Home Feedback
Highway Trust Fund, FY 2006 Financial Report

EXHIBIT II
Independent Auditors' Report
Reportable Conditions in Internal Control

The reportable conditions identified below are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect the HTF's ability to record, process, summarize, and report financial data consistent with the assertions by management in the recording and reporting of the HTF's financial activity.

B. General Controls over Financial Management Systems

Background:

The HTF relies on extensive information technology systems to administer internal controls over the preparation of financial statements. Information technology (IT) systems are essential to ensure the integrity, confidentiality, and reliability of critical data while reducing the risk of errors, fraud and other illegal acts.

Conditions:

During the course of the audit, we noted that the HTF has made progress in improving various aspects of IT internal control weaknesses reported in Fiscal Year 2005 related to information security management. However, we noted significant issues still exist that include access control and segregation of duties previously reported, as well as additional issues noted in user account administration, physical and environmental security, certification and accreditation, and system configuration vulnerabilities in general support systems supporting HTF applications.

We have provided the following summary of systems reviewed in connection with the Fiscal Year 2006 audit of the HTF consolidated financial statements, along with a general discussion of weaknesses noted. Because of the sensitivity of the matters described below, a separate report titled Limited Distribution Management Report has been issued to management describing in detail, the specific deficiencies identified and recommendations to correct these deficiencies.

In addition, we tested the general and application controls over the following key FTA systems:

Key IT internal control deficiencies were noted in the above systems relating to segregation of duties, logical and physical access controls, information security management for security awareness training and certifying/accrediting information systems, and system configuration weaknesses of general support systems impacting the HTF applications.

Cause:

Safeguards have not been established to prevent or detect unauthorized access related to (1) inappropriate access to production and development platforms, (2) user account administration, and (3) known security vulnerabilities related to supporting infrastructure.

Effect:

These deficiencies could adversely affect the HTF's ability to record, process, summarize, and report financial data consistent with the assertions of management in the HTF consolidated financial statements. In addition, we also noted that these weaknesses impact the HTF's ability to comply with the Federal Financial Management Improvement Act (FFMIA) regarding computer security act requirements and weaknesses cited in internal controls. Lastly, we noted from an application system standpoint, lack of system process and application control documentation for TEAM and ECHO applications.

Criteria:

OMB Circular No. A-130, Security of Federal Automated Information Resources, Appendix III, states "agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications". The OMB Circular No. A-130 emphasizes the importance of technical and operations controls as part of management controls to prevent and detect inappropriate or unauthorized activities.

National Institute of Standards and Technology's (NIST's) Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook states "security monitoring is an ongoing activity that looks for vulnerabilities and security problems". The special publication also states "a periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours". Furthermore it states "from time to time, it is necessary to review user account management on a system. Within the area of user access issues, such reviews may examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth".

Recommendation:

We recommend that FHWA and FTA continue to work with DOT management to improve the information technology environment applicable to the HTF applications by implementing the specific recommendations provided in the aforementioned separate Limited Distribution Management Report.

C. Undelivered Orders

Background:

An obligation is a legal reservation of funds to pay for goods or services ordered. It reflects a binding agreement for a specific purpose that is documented in writing. Undelivered orders (UDOs) reflect obligations for goods or services that have not been delivered or received. UDO balances that remain inactive for a long period of time indicate that the goods or services may no longer be required or that the liquidation of the UDO may not have been properly recorded. Inactive UDOs should be reviewed periodically in order to promptly de-obligate funds so that these funds are available for other uses.

Fiscal Management Information System (FMIS) is the front-end application that records the initial grant agreements/obligations and is reconciled to Delphi quarterly.

Conditions:

We noted instances of UDO balances in the general ledger that were not properly supported. Specifically, we noted numerous instances related to FHWA, FTA, and FRA where UDOs are maintained in the general ledger when funds were no longer available as needed. In addition, we noted payments made to grantees that were posted twice in Delphi. We also noted instances of invalid UDO balances due to posting errors in Delphi. Exceptions related to these issues amounting to approximately $24.8 million were corrected in Fiscal Year 2006. The uncorrected exceptions related to these issues amounted to $64.6 million as of September 30, 2006.

FHWA performed quarterly reconciliations of FMIS to Delphi during Fiscal Year 2006. We noted a net difference between FMIS and Delphi of $82 million. These differences were not analyzed at the project or detail level for the period ended September 30, 2006.

Cause:

Effective policies and procedures are not in place to ensure the accuracy of the UDO balance recorded in the Fiscal Year 2006 HTF consolidated financial statements.

Effect:

The unpaid obligation balance in the HTF consolidated financial statements may be misstated. In addition, funds may be reserved unnecessarily and unavailable for other uses.

Criteria:

United States Code (USC) Title 31 Section 1501 Documentary Evidence Requirement for Government Obligations states that "an amount shall be recorded as an obligation of the United States Government only when supported by documentary evidence of a binding agreement between an agency and another person (including an agency) that is in writing, in a way and form, and for a purpose authorized by law an executed before the end of the period of availability for obligation of the appropriation or fund used for specific goods to be delivered, real property to be bought or leased, or work or service to be provided."

Recommendation:

We recommend that the OAs establish effective policies and procedures to review the accuracy of its reported obligations and specifically review those potentially inactive UDO balances (i.e. inactive for 12 months or more) and take prompt action to de-obligate excess funds so these funds can be available for other uses. In addition, for the quarterly reconciliations performed by FHWA, we recommend that FHWA:

D. Fund Balance with Treasury (FBWT) Reconciliations

Background:

Per the U.S. Department of the Treasury's (Treasury) Financial Manual (TFM) Part 2, Chapter 5100, "Agencies must reconcile the SGL 1010 account balances for each fund symbol with Treasury's records (Financial Management System (FMS) 6653 / 6654) each month. Treasury issues monthly FMS 6653, 6654 and 6655 reports that assist agencies in the reconciliation of FBWT. Treasury also issues a monthly FMS 6652 Report (Statement of Differences Report) to identify differences between the OA and Treasury's deposit and disbursement data for each OA. The Treasury Reporting and Reconciliations Team (Recon Team) in Oklahoma City (OKC) performs a monthly comparison of FBWT balances between Delphi records and FMS 6653 / 6654. The Recon Team also prepares a monthly FMS 6652 comparison. The differences that result from these comparisons are provided to the OAs to review and resolve timely. If the OAs are unable to match a receipt or disbursement of cash transaction to a specific document number in Delphi, then the OAs offset the transaction with a corresponding debit or credit to SGL account 2400, Liabilities for Deposit Funds, Clearing Accounts, and Undeposited Collections which functions as a "suspense" account until the proper posting of the transaction can be resolved.

At month-end, a Statement of Transactions (SF-224) is automatically generated in Delphi by the Recon Team. The SF-224 is the central accounting document used by the OAs to report monthly cash activity to Treasury. Treasury relies on the SF-224 reports to identify differences between Federal agency's records and Treasury control totals. The Recon Team prepares a SF-224 vs. the general ledger (GL) comparison prior to the submission of the SF-224 to Treasury. Preliminary SF-224s are sent to the OAs via email. According to DOT policies and procedures, preliminary SF-224s are forwarded to the OAs by the Recon Team for review by the OAs prior to submission to Treasury. Official signed SF-224s and all supporting documentation is required to be maintained by a responsible OA official. In addition, signed reconciliation certification statements are also required to be signed and maintained for audit.

Conditions:

We noted instances related to all OAs where the FMS 6652, FMS 6653/6654/6655 and the SF-224 vs. GL differences were not properly supported. Furthermore, there is no evidence of management review by any OA of the SF-224s before they are submitted to Treasury. Differences identified by the Recon Team and submitted to the OAs are not properly followed up on in order to ensure the correction has been made. In addition, we noted instances where suspense accounts were not cleared timely.

In addition we noted numerous instances where existing DOT policies and procedures were not being followed. Specifically, we noted that the Recon Team is not forwarding preliminary SF- 224s to the OAs if the variance is less than 10 percent. Based on inquiries with the OAs, it was evident that the OAs were unaware of this improper procedure. Secondly, despite a signature line reflected on the face of the SF-224, we noted that the SF-224s for all OAs did not have evidence of approval prior to submission to Treasury nor were the SF-224s maintained, with all supporting documentation, as required. Lastly, we noted that the OAs are not maintaining signed reconciliation certification statements as required by DOT policies and procedures.

We also noted that FHWA performs detailed reconciliations for all months with the exception of September. These reconciliations include the identification and resolution of significant variances between Delphi and Treasury. Due to time constraints for the month of September related to year-end reporting, differences are identified, but are not properly resolved. Journal entries are made to adjust FBWT to balances reported by Treasury at September 30, 2006. Specifically, FHWA recorded journal entries to adjust Undelivered Orders-Obligations, Unpaid, Delivered Orders- Obligations, Paid, Fund Balance With Treasury, and Operating Expenses. The absolute value of the entries recorded to Undelivered Orders-Obligations Unpaid, Delivered Orders- Obligations, Paid was approximately $113.8 million. The absolute value of the entries recorded to Fund With Treasury, and Operating Expenses was approximately $79.5 million. The net effect of these entries was to decrease Undelivered Orders-Obligations Unpaid by approximately $34.8 million with a corresponding increase in Delivered Orders- Obligations, Paid and a decrease of approximately $536 thousand in Fund Balance With Treasury and a corresponding increase in Operating Expenses. These adjustments are reversed in the subsequent month.

Lastly, we noted that certain suspense accounts were not properly closed at September 30, 2006. Specifically, NHTSA and FMCSA had suspense account balances remaining of $10.4 million and $1million, respectively.

Cause:

Policies and procedures are not in place to ensure that:

Effect:

Financial statements amounts may be misstated and or not properly supported. Failure to implement effective processes and procedures could increase the risks of fraud, violations of appropriation laws and mismanagement of funds.

Criteria:

The Treasury Financial Manual, Part 2 Chapter 5100 Supplement, states that all agencies must complete and fully document a reconciliation of FBWT monthly. The reconciliation should be signed-off by an authorized agency official as evidence that the reconciliation was properly completed and reviewed. Federal agencies must research and resolve differences reported on the monthly Statement of Differences (Financial Management System (FMS) 6652). FMS notifies agencies of their deposit and disbursement differences on FMS 6652. Agencies also must resolve all differences between the balances reported on their general ledger FBWT accounts and balances reported on the Undisbursed Appropriation Account Ledger (FMS 6653), Undisbursed Appropriation Account Trial Balance (FMS 6654) and Receipt Account Ledger (FMS 6655). The Supplement states "An agency may not arbitrarily adjust its FBWT account. Only after clearly establishing the causes of errors and properly documenting those errors, should an agency adjust its FBWT account balance. If an agency must make material adjustments, the agency must maintain supporting documentation. This will allow correct interpretation of the error and its corresponding adjustment."

The Department of Transportation, Financial Management Policies Manual, Section 3.4.3.d Disbursements, Section 3.04.3.e Collections, states that the Cash Operations Team provides each OA with a reconciliation of documents by ALC. The reconciliation shows the document number, amount recorded by Treasury, amount recorded in Delphi, difference amount, the month cleared, and the necessary action to clear each difference. The OAs are responsible for clearing all FMS 6652 differences on subsequent SF-224 reports. FMS 6652 differences must be corrected no later than 30 days after the initial Treasury confirmation month. In addition, all general ledger suspense accounts must be reconciled and closed at September 30.

The Department of Transportation, Financial Management Policies Manual, Section 3.4.3.d Disbursements, Section 3.4.3.g Clearing Accounts (Funds)

OAs must reclassify all clearing account transactions to the correct Treasury Account Symbol (TAS) on the next Statement of Transaction (Standard Form (SF)-224), Reports of Agencies for which the Treasury Disburses reporting cycle, but no later than two months after the accomplished date.

The manual also states all reconciliation spreadsheets, working papers, reports, information, explanations, and certifications resulting from the OAs procedures and processes must be maintained by ALC and must be made available to auditors upon request. The monthly reconciliation certifications are due to the Office of Financial Management no later than the 15th of the month following the end of the reporting period. OAs are responsible for obtaining the official FMS 224 report, certifying it and maintaining all backup documentation.

Recommendations:

We recommend that the OAs:

Previous | Contents | Next


FHWA Home | Feedback
FHWA