Preface
The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.
This report presents the information technology (IT) management letter for the FY 2010 U.S. Citizenship and Immigration Services (USCIS) component of the DHS financial statement audit as of September 30, 2010. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors' Report dated November 12, 2010 and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the USCIS component in support of the DHS FY 2010 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 18, 2011, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or conclusion on compliance with laws and regulations.
The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.
Frank Deffer
Assistant Inspector General
Information Technology Audits
KPMG LLP
2001 M Street, NW Washington, DC 20036-3389
March 18, 2011
Inspector General
U.S. Department of Homeland Security
Chief Information Officer and Chief Financial Officer
U.S. Citizenship and Immigration Services
Ladies and Gentlemen:
We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department), as of September 30, 2010 and the related statement of custodial activity for the year then ended (hereinafter referred to as “financial statements”). We were also engaged to examine the Department’s internal control over financial reporting of the balance sheet as of September 30, 2010 and the statement of custodial activity for the year then ended. We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources as of September 30, 2010 (hereinafter referred to as “other fiscal year (FY) 2010 financial statements”), or to examine internal control over financial reporting over the other FY 2010 financial statements.
Because of matters discussed in our Independent Auditors’ Report, dated November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements or on the effectiveness of DHS’ internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended. Additional deficiencies in internal control over financial reporting, potentially including additional material weaknesses and significant deficiencies, may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the financial statements or on the effectiveness of DHS’ internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended; and had we been engaged to audit the other FY 2010 financial statements, and to examine internal control over financial reporting over the other FY 2010 financial statements.
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.
The United States Citizenship and Immigration Services (USCIS) is a component of DHS. During our audit engagement, we noted certain matters in the areas of information technology (IT) configuration management, access controls, segregation of duties, and security management with respect to USCIS’ financial systems information technology (IT) general controls, which we believe contribute to an IT material weakness at the DHS level. These matters are described in the IT General Control Findings and Recommendations section of this letter.
Information Technology Management Letter for the USCIS Component of the FY 2010 DHS Financial Statement Audit
KPMG LLP is a Delaware limited liability partnership,
the U.S. member firm of KPMG International Cooperative
(“KPMG International”), a Swiss entity.
The material weakness described above is presented in our Independent Auditors’ Report, dated November 12, 2010. This letter represents the separate limited distribution letter mentioned in that report.
The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR).
Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of USCIS gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies. We have not considered internal control since the date of our Independent Auditors’ Report.
The Table of Contents on the next page identifies each section of the letter. We have provided a description of key USCIS financial systems and IT infrastructure within the scope of our engagement to audit the FY 2010 DHS financial statements in Appendix A; a listing of the FY 2010 IT Notices of Findings and Recommendations (NFR) at USCIS in Appendix B; and the status of the prior year NFRs and a comparison to current year NFRs at USCIS in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the USCIS Chief Financial Officer.
USCIS’ written response to our comments and recommendations has not been subjected to auditing procedures and, accordingly, we express no opinion on it.
This communication is intended solely for the information and use of DHS and USCIS management, DHS Office of Inspector General, Office of Management and Budget (OMB), U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.
Very truly yours,
KPMG