A required outside audit of the Department of Homeland Security (DHS) yielded a “clean” opinion of the agency’s financial statements for Fiscal Years 2018 and 2019, but also a finding of “material weaknesses” in the areas of financial controls, and IT controls and financial systems.
According to a report from the DHS Office of Inspector General (OIG), outside auditor KPMG made 28 recommendations to improve the agency’s internal controls, and DHS concurred with all of them.
“The Department continued its commitment to identifying areas for improvement, developing and monitoring corrective actions, and establishing and maintaining effective internal control over financial reporting this past fiscal year,” the OIG said in a Nov. 15 letter explaining the audit results. “Looking forward, the Department must continue remediation efforts and stay focused in order to sustain its clean opinion on its financial statements and obtain a clean opinion on its internal control over financial reporting,” the OIG said.
“We request that the Department provide us with a corrective action plan that demonstrates progress in addressing the report’s recommendations,” the OIG added.
Specific to the material weakness identified by KPMG in IT controls and financial systems, the OIG report says that DHS had “ineffective design, implementation, and operating effectiveness of ITGCs [IT general controls] over IT operating systems, databases, and IT applications supporting financial reporting processes” in the areas of configuration management, and access control and segregation of duties.
Under the heading of access control and segregation of duties, the report flags:
- User, service, privileged, and generic (including emergency, temporary, developer, and migrator) accounts not properly authorized, recertified, and revoked timely;
- The principles of least privilege and segregation of duties not applied;
- Password security not properly configured for data protection and inactivity;
- Audit logging activity requirements not defined;
- Audit logs not generated, reviewed, analyzed, and protected; and
- Development and production environment duties not segregated between conflicting roles.
Under configuration management, the report finds:
- Configuration management processes including documented policies and procedures; and systems not properly configured;
- System changes including change implementation, testing, and approval dates not documented; and
- Periodic reviews of the results of vulnerability scans not performed.
The report also flags ineffective ITGCs performed by service organizations that provide infrastructure support for various DHS IT systems, and ineffective controls and manual processes that are dependent on information derived from DHS financial reporting systems.
The impact of those problems, the OIG report says, includes risks that current and former employees as well as contractors may get unauthorized access to financial systems and sensitive data, that systems may be changed without proper authorization, and that DHS will have less confidence that its IT systems will operate as intended and that data is reliable, valid, and complete.