U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL

AUDIT OF DEPARTMENTAL INTEGRATED STANDARDIZED CORE ACCOUNTING SYSTEM (DISCAS) OPERATIONS AT SELECTED FIELD SITES

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet five to seven days after publication at the following alternative addresses:

Department of Energy Headquarters Gopher: gopher.hr.doe.gov
Department of Energy Headquarters Anonymous FTP: vm1.hqadmin.doe.gov
U.S. Department of Energy Human Resources and Administration Home Page: http://www.hr.doe.gov/ig

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.

This report can be obtained from the U.S. Department of Energy, Office of Scientific and Technical Information, P.O. Box 62, Oak Ridge, Tennessee 37831.

Report Number: AP-FS-97-02
ADP and Technical Support Division
Date of Issue: June 6, 1997
Washington, D.C. 20585

TABLE OF CONTENTS

SUMMARY
PART I - APPROACH AND OVERVIEW
    Introduction
    Scope and Methodology
    Background
    Observations
PART II - AUDIT RESULTS
    General Control Environment for DISCAS Operations
    Application Controls for DISCAS Operations

OFFICE OF AUDIT SERVICES
Audit Report Number: AP-FS-97-02

SUMMARY

The Government Management Reform Act of 1994 requires the Department to annually submit audited financial statements to the Office of Management and Budget beginning with the statements to be issued as of September 30, 1996. As part of a Department-wide financial statements audit, we reviewed operations and internal controls at selected field sites in order to assess the integrity and reliability of financial data processed through the Departmental Integrated Standardized Core Accounting System (DISCAS).

Our primary emphasis was placed on reviewing the general control environment in which DISCAS operates to ensure that application controls could not be rendered ineffective by circumvention or modification. We also performed limited tests of application controls and data integrity to assist us in assessing the validity and reliability of data processed through DISCAS.

This report addresses certain matters involving the design and operations of DISCAS that could affect the Department's ability to ensure that financial data is recorded, processed, and reported in a reliable manner. Specifically, at the three field sites audited, some weaknesses exist in the general and application controls for DISCAS that could affect the reliability of data processed through the system. However, nothing came to our attention that causes us to believe that the system would introduce significant distortions into the Department's financial statements.

Management concurred with our findings and recommendations. Management's comments are summarized in Part II of this report.
PART I - APPROACH AND OVERVIEW

INTRODUCTION

The Government Management Reform Act of 1994 requires the Department to annually submit audited financial statements to the Office of Management and Budget (OMB) beginning with the statements to be issued as of September 30, 1996. As part of a Department-wide financial statements audit, we reviewed operations and internal controls at selected field sites in order to assess the integrity and reliability of financial data processed through the Departmental Integrated Standardized Core Accounting System (DISCAS).

SCOPE AND METHODOLOGY

Our primary emphasis was placed on reviewing the general control environment in which DISCAS operates to ensure that application controls could not be rendered ineffective by circumvention or modification. We also performed limited tests of application controls and data integrity to assist us in assessing the validity and reliability of data processed through DISCAS.

Our audit was primarily conducted at the Oak Ridge Financial Management Division, Oak Ridge, Tennessee; the Albuquerque Financial Service Center, Albuquerque, New Mexico; the Capital Accounting Center, formerly the Office of Headquarters Accounting Operations (OHAO); and the Headquarters Computing Facility, Germantown, Maryland. Our audit work was initiated in May 1996, and an exit conference was held with officials of the Office of Chief Financial Officer (CFO) in March 1997.

We obtained and reviewed system documentation, prior system reviews, error (edit) reports and related reports and records. We interviewed persons responsible for system design, maintenance, and day-to-day operations, as well as system users. In addition, we used both on-line access and computer assisted audit techniques to assist in our understanding of the general and application control environment in which DISCAS operates, and observed the on-line processing of transactions to verify system control and edit functions.
We also compared system characteristics and operating procedures with applicable laws, regulations, and other requirements for Federal financial management systems.

Our audit was performed in accordance with generally accepted Government auditing standards for financial audits. This included tests of internal controls and compliance with laws and regulations to the extent necessary to meet the objectives of the audit. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may exist. Also, projection of any evaluation of the structure to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

BACKGROUND

DISCAS, as an integral part of the Departmental Primary Accounting System, was designed to provide DOE with a standardized automated system that performs accounting and financial reporting functions consistent with both internal and external accounting policies and procedures, such as those contained in the Department of Energy Accounting Handbook or issued by external organizations such as the OMB, the General Accounting Office (GAO), and the U.S. Treasury. It was designed to perform such functions as funds control, voucher processing, U.S. Treasury payment, accounts receivable, collections, cost accruals and reversals, travel, year-end closing, reimbursable work, and invoice logging and tracking. The system also provides monthly consolidation data to the Financial Information System (FIS) and/or Management Analysis Reporting System (MARS).

In addition to FIS/MARS, the following application systems also interface with DISCAS, either through batch processing or menu options:

o Budget and Reporting Classification System.
o Funds Distribution System (FDS).
o Labor Distribution System.
o Payroll/Personnel System.
o Procurement and Assistance Data System.
DISCAS is intended to operate as an on-line, fully interactive, Agency-level accounting system that uses standard hardware and software. The system contains eight modules, including budget and accounting. It operates on Hewlett-Packard (HP) 3000 Series computers, located at DOE Headquarters and field sites. DISCAS source programs, written in HP COBOL II, are provided to each site running the software. The Financial Systems Development Division (FSDD), located within the Office of Departmental Accounting and Financial Systems Development, CFO, is responsible for central management of the system.

As of the end of Fiscal Year 1996, the system was in operation at 4 DOE sites with HP computers, and was being utilized by 18 different DOE organizations. The system is currently operational at the DOE Albuquerque and Oak Ridge Operations Offices, the Federal Energy Regulatory Commission and the OHAO. The Idaho, Nevada, and Oakland Operations Offices are operational on the Albuquerque system. The Savannah River Operations Office, Richland Operations Office, Pittsburgh Energy Technology Center, Rocky Flats Field Office, Ohio Field Office, the Morgantown Energy Technology Center, and the Strategic Petroleum Reserve Project Office are operational on the Oak Ridge system; and Pittsburgh and Schenectady Naval Reactors, the Chicago Operations Office and the Departmental Accounting and Analysis Division, within the Office of Departmental Accounting and Financial Systems Development, utilize the OHAO system. DISCAS is not utilized at the Department's Power Marketing Administrations.

OBSERVATIONS

This report addresses certain matters involving the design and operations of DISCAS that could affect the Department's ability to ensure that financial data is recorded, processed, and reported in a reliable manner. Specifically, some weaknesses exist in the general and application controls for DISCAS that could affect the reliability of data processed through the system.
Instances were found where general controls relating to the separation of duties; software changes; access; and contingency and disaster recovery planning were not implemented in a manner to ensure that information resources were sufficiently safeguarded, and essential operations could be continued in case of an unexpected interruption. Also, instances were found where application controls relating to validator program operation and difference resolution; and non-posting or invalid transaction documentation were not implemented in a manner to ensure sufficient control over the input and processing of data.

Overall, we do not believe that any of the conditions at the field sites audited would introduce significant distortion into the Department's financial statements. Because our review was limited, however, it would not necessarily have disclosed all internal control deficiencies that may exist. Part II of this report provides additional details concerning the audit results.

PART II - AUDIT RESULTS

The following issues regarding the design and internal control structure for DISCAS were identified during the course of the audit and brought to management's attention.

1. General Control Environment for DISCAS Operations.

General controls apply to all computer processing carried out at a facility and are independent of specific applications. They relate to organization; system design, development and modification; and security. Weaknesses exist in the general controls for DISCAS that could affect the reliability of data processed through DISCAS. At the three sites established in the Department as consolidated service centers for DISCAS operations, we found instances where general controls were not implemented in a manner to ensure that information resources were sufficiently safeguarded, and essential operations could be continued in case of an unexpected interruption.
Specifically, our review disclosed the following:

o Certain organizational responsibilities and functions surrounding DISCAS, such as application system operation/security and payment and certification, were inadequately separated. For instance, site personnel with capabilities for establishing application access privileges also had capability to alter financial information. Also, a computer system manager at one site was also responsible for computer system security.

o Each site had access to DISCAS source code and could introduce changes into the system that were not approved and documented in accordance with formal change control procedures. From reports generated through the use of computer program comparison software, we found instances of missing, excessive and/or unapproved altered DISCAS core program source code in the production accounts for the sites.

o Continuity of operations for performing mission requirements would be uncertain in event of non-availability of the site computer systems due to a major service disruption or disaster. At one site, no contingency agreement existed for an alternate processing facility (i.e., hot site). At another site, prior testing for contingency and disaster recovery disclosed that the alternate processing site may not have sufficient resources to meet processing needs.

o Access to the computer and application systems was in excess and/or inconsistent with site user needs. Menu privileges were set up in the application system that allowed the same user to enter, validate and certify a payment transaction, and a large number of user accounts had never been logged into over a period of six months or more.

Agencies are required to establish, evaluate, and maintain secure control environments for their financial management systems.
For example, Appendix III to Title 2 "Accounting" of the GAO Policy and Procedures Manual for Guidance of Federal Agencies states that systems must include procedures and controls which protect hardware, software, data, and documentation from physical damage by accident, fire, and environmental hazards and from unauthorized access whether inadvertent or deliberate.

These weaknesses, in our opinion, existed because the CFO had not (1) provided sufficient uniform guidance on formal procedural requirements for security controls relating to DISCAS operations; (2) performed recent reviews to assess the integrity and security of DISCAS programs and system structure; and (3) provided for overall contingency and disaster recovery planning to ensure continuity of DISCAS operations.

Security of data and access to the data are relegated to the sites processing with the DISCAS application. However, the CFO established requirements for site maintenance of site security plans and provided general recommendations on computer security access controls. We found, in some instances, that formal procedures at the sites were outdated in certain aspects and/or did not address security controls relating to computer and application system operation, such as specific security software parameter settings for the computer system (e.g., automatic computer system log off of user after a period of inactivity), and application and computer system access control.

Also, within the organizational structure established for DISCAS, organizational elements within the CFO had responsibility for application system software programming, analysis and change controls, and the performance of reviews to assess application security and the integrity of core software issued to the sites. However, a review to assess application integrity and security of DISCAS programs and system structure had not been performed by the CFO at the consolidated service centers since 1994.
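The two access conditions reported above (one user able to enter, validate and certify a payment; accounts never logged into for six months or more) are the kind of thing a periodic access review can check mechanically. The following script is an added example, not DISCAS code or anything from the Department: the privilege names, the conflicting-privilege sets, the sample accounts and the 180-day dormancy threshold are all assumptions.

```python
"""Access review for application menu privileges (added example).

Constructed data, not DISCAS data: each record is a user account with the
menu privileges it holds and the date of its last successful login. The
checks mirror the two conditions in the finding: a user holding the whole
payment path, and accounts dormant for six months or more.
"""
from datetime import date

# Privilege combinations that should never sit with one user (assumed names).
CONFLICTING_PRIVILEGE_SETS = [
    {"PAY_ENTER", "PAY_VALIDATE", "PAY_CERTIFY"},   # enter + validate + certify
    {"ACCESS_ADMIN", "FIN_UPDATE"},                 # grants access and alters data
]
DORMANT_DAYS = 180  # six months, the period cited in the finding

# Constructed sample accounts (not real users).
ACCOUNTS = [
    {"user": "clerk01", "privs": {"PAY_ENTER"}, "last_login": date(1996, 9, 12)},
    {"user": "super02", "privs": {"PAY_ENTER", "PAY_VALIDATE", "PAY_CERTIFY"},
     "last_login": date(1996, 9, 20)},
    {"user": "sysmgr", "privs": {"ACCESS_ADMIN", "FIN_UPDATE"},
     "last_login": date(1996, 9, 25)},
    {"user": "temp07", "privs": {"PAY_ENTER"}, "last_login": date(1996, 1, 5)},
    {"user": "never1", "privs": {"PAY_VALIDATE"}, "last_login": None},
]


def separation_violations(accounts):
    """Return (user, sorted conflicting privileges) for every account that
    holds all privileges of some conflicting set."""
    found = []
    for acct in accounts:
        for conflict in CONFLICTING_PRIVILEGE_SETS:
            if conflict <= acct["privs"]:
                found.append((acct["user"], tuple(sorted(conflict))))
    return found


def dormant_accounts(accounts, as_of, threshold_days=DORMANT_DAYS):
    """Return users that never logged in or whose last login is at least
    threshold_days before as_of."""
    dormant = []
    for acct in accounts:
        last = acct["last_login"]
        if last is None or (as_of - last).days >= threshold_days:
            dormant.append(acct["user"])
    return dormant


if __name__ == "__main__":
    review_date = date(1996, 9, 30)  # fiscal year end used as the review date
    for user, privs in separation_violations(ACCOUNTS):
        print(f"separation of duties: {user} holds {', '.join(privs)}")
    for user in dormant_accounts(ACCOUNTS, review_date):
        print(f"dormant: {user} has not logged in for {DORMANT_DAYS}+ days")
```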
Improvements in the implementation of existing general controls will enable the CFO to better ensure that (1) financial data and programs are protected from unauthorized access, (2) application controls will not be rendered ineffective through circumvention or modification of the general controls, and (3) mission functions such as payment processing and financial information generation can be continued in event of a major service disruption or disaster. Our review, however, did not cause us to believe that these conditions at the sites distorted the results of information input or produced from the application system.

Recommendations

We recommend that the CFO:

1. Provide, through coordination with the consolidated service centers, uniform guidance on formal procedural requirements for security controls relating to DISCAS operations, to include items such as specific security software parameter settings, and application and computer system access control;

2. Coordinate with the consolidated service centers on formal contingency and disaster recovery planning to ensure that the computer and DISCAS application systems are available when needed to perform mission functions; and

3. Establish plans or procedures for conducting more frequent reviews to ensure the integrity and security of DISCAS programs and system structure.

Management Comments

Management concurred with our finding and recommendations.

Auditor Comments

Management's comment is responsive to our recommendations.

2. Application Controls for DISCAS Operations.

Application controls are those methods and procedures designed for each application to ensure the authority of data origination, the accuracy of data input, integrity of data processing, and verification and distribution of output. Weaknesses exist in the application controls for DISCAS that could affect the reliability of data processed.
At the three sites established in the Department as consolidated service centers for DISCAS operations, application controls related to DISCAS operations were not implemented in a manner to ensure sufficient control over the input and processing of data. Specifically, our review disclosed the following:

o The DISCAS software contains validator programs that can be used for (1) performing comparisons or reconciliation between certain data elements across datasets (i.e., collection of data records or entries) in the system, (2) detecting instances where DISCAS files have not been completely processed, and (3) ensuring that entered transactions have been completely processed. However, certain core dataset validator programs in DISCAS were not operating properly. Sites reported, for instance, that a program comparing the trial balance dataset and a dataset maintaining totals for reimbursable activities did not execute properly (i.e., it ran in a continuous loop). Also, a program for ensuring consistency between the general ledger dataset, a summary dataset and a summary dataset maintaining totals by budget and reporting code reported differences because of comparison of a dissimilar data element (i.e., account code).

o Differences generated from core dataset validator programs were not being resolved on a regular basis by site personnel. For instance, at one site, a report comparing funding transactions and summary totals of payments by budget and reporting code for fiscal year 1996 identified 345 differences, such as unequal amounts and missing entries between the datasets, that had not been resolved.

o Review and disposition of non-posting or invalid transactions is not documented by site personnel to ensure ultimate transaction recording within the application system.
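To make concrete what a dataset validator of the kind described above does, and the two difference types the finding names (unequal amounts and missing entries), here is an added example in Python. It is not a DISCAS program and not the Department's code: the detail and summary datasets, their field names and the budget and reporting (B&R) codes are constructed for illustration, and the comparison is keyed on the B&R code both datasets share rather than on a dissimilar element.

```python
"""Dataset reconciliation in the style of a validator program (added example).

Constructed data, not DISCAS datasets: DETAIL holds posted general ledger
entries, SUMMARY holds the total each budget and reporting (B&R) code is
supposed to carry. The check totals the detail by B&R code, compares it with
the summary, and lists every difference so it can be resolved.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed detail entries: (document number, B&R code, amount).
DETAIL = [
    ("V960101", "AB1001", Decimal("1250.00")),
    ("V960102", "AB1001", Decimal("300.00")),
    ("V960103", "CD2002", Decimal("75.50")),
    ("V960104", "EF3003", Decimal("9800.00")),
]

# Constructed summary dataset: B&R code -> total it claims to hold.
SUMMARY = {
    "AB1001": Decimal("1550.00"),   # agrees with the detail
    "CD2002": Decimal("57.50"),     # transposed digits: unequal amount
    "GH4004": Decimal("100.00"),    # no detail behind it: missing in detail
    # EF3003 is absent here: missing entry in the summary
}


def total_by_code(detail):
    """Sum detail amounts by B&R code, the key both datasets share."""
    totals = defaultdict(Decimal)
    for _doc, code, amount in detail:
        totals[code] += amount
    return dict(totals)


def reconcile(detail, summary):
    """Return sorted (code, kind, detail_total, summary_total) differences,
    where kind is 'unequal', 'missing_in_summary' or 'missing_in_detail'.
    Decimal is used so cents compare exactly."""
    detail_totals = total_by_code(detail)
    differences = []
    for code in sorted(set(detail_totals) | set(summary)):
        d = detail_totals.get(code)
        s = summary.get(code)
        if d is None:
            differences.append((code, "missing_in_detail", None, s))
        elif s is None:
            differences.append((code, "missing_in_summary", d, None))
        elif d != s:
            differences.append((code, "unequal", d, s))
    return differences


if __name__ == "__main__":
    diffs = reconcile(DETAIL, SUMMARY)
    for code, kind, d, s in diffs:
        print(f"{code}: {kind} detail={d} summary={s}")
    print(f"{len(diffs)} difference(s) to resolve")
```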
Agencies are required to establish controls to provide reasonable assurance that the recording, processing, and reporting of data is properly performed within the framework of financial management systems. For example, Appendix III to Title 2 "Accounting" of the GAO Policy and Procedures Manual for Guidance of Federal Agencies prescribes that agency systems must contain internal controls which operate to prevent, detect, and correct errors and irregularities which may occur anywhere in the chain of events from transaction authorization to issuance of reports. The controls can be generally thought of as covering the functions of transaction authorization and approval, data preparation and validation, input, communications, processing, storage, output, error resolution and reentry of data, and file or data base quality maintenance.

These weaknesses, in our opinion, existed because the CFO had not (1) provided sufficient uniform guidance on formal procedural requirements for application controls relating to certain DISCAS operations; and (2) corrected core DISCAS validator programs with problems. In addition, personnel at the sites advised that resolution of differences generated from core dataset validator programs overall had not been a priority. The CFO established requirements for site maintenance of formal procedures for DISCAS operations in general. However, formal procedures at the sites either did not exist or did not address control for application system operations, such as review and resolution of non-posting or invalid transactions; and validator program execution, review and resolution.

Without effective application controls for DISCAS, the CFO cannot ensure that all DOE organizations are consistently recording, processing, and reporting financial transactions and events throughout the Department.

Recommendations

We recommend that the CFO:

1. Provide, through coordination with the consolidated service centers, uniform guidance on formal procedural requirements for application controls relating to DISCAS operations, to include items such as non-posting or invalid transaction review and resolution, and validator program execution, review and resolution; and

2. Initiate action to correct reported problems in DISCAS core validator programs.

Management Comments

Management concurred with our finding and recommendations.

Auditor Comments

Management's comment is responsive to our recommendations.

IG Report No. AP-FS-97-02

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and therefore ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the audit or inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in this report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name
Date
Telephone
Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

Office of Inspector General (IG-1)
Department of Energy
Washington, DC 20585
Attn: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Wilma Slaughter on (202) 586-1924.