Transportation Security
Administration's
Management Letter for
DHS' Fiscal Year 2016
Financial Statements
Audit
June 13, 2017
OIG-17-69
DHS OIG HIGHLIGHTS
Transportation Security Administration’s
Management Letter for DHS’ Fiscal Year 2016
Financial Statements Audit
June 13, 2017
What We Found
Why We Did
KPMG LLP, under contract with the DHS
This Report
Office of Inspector General, audited the
Transportation Security Administration’s
financial statements and internal control over
financial reporting for FY 2016. The resulting
management letter contains 15 observations
The Chief Financial Officers
related to internal controls and other
Act of 1990 (Public Law 101-
operational matters for management’s
576) and the Department Of
consideration. KPMG LLP identified internal
Homeland Security Financial
control deficiencies and the need for
Accountability Act (Public Law
improvement in several processes including
108-330) require us to
personnel actions; property, plant, and
conduct an annual audit of
equipment; Time and Attendance Process and
the Department of Homeland
Financial Disclosure Forms; and the Accounts
Security’s (DHS) consolidated
Receivable Estimate. These deficiencies are not
financial statements and
considered significant and were not required to
internal control over financial
be reported in the Independent Auditors’
reporting.
Report on DHS’ FY 2016 Financial Statements
and Internal Control over Financial Reporting,
During the fiscal year (FY)
dated November 14, 2016, included in the
2016 audit of DHS’
DHS FY 2016 Agency Financial Report. These
consolidated financial
observations are intended to improve internal
statements and internal
control or result in other operating efficiencies.
control over financial
reporting, KPMG LLP noted
certain matters involving the
Transportation Security
Administration’s internal
control and other operational
matters, which are presented
in this report for
management’s consideration.
For Further Information:
Contact our Office of Public Affairs at
(202) 254-4100, or email us at
www.oig.dhs.gov OIG-17-69
OFFICE
OF
INSPECTOR GENERAL
Department
of
Homeland
Security
Washington,
DC
20528
/
www.oig.dhs
.gov
June
13,
2017
MEMORANDUM FOR:
Pat
Rose
Assistant
Administrator
and
Chief
Financial
Officer
Transportation
J;:2:
Adm
~;
ration
FROM:
John
V.
Kelly
-~
Deputy
Inspector
General
SUBJECT:
Transportation
Security
Administration's
Management
Letter
for
DHS'
Fiscal
Year
2016
Financial
Statements
Audit
Attached
for
your
action
is
our
final
report,
Transportation
Security
Administration's
Management
Letter
for
DHS'
Fiscal
Year
2016
Financial
Statements
Audit.
This
report
contains
15
observations
related
to
internal
control
deficiencies
that
were
not
required
to
be
reported
in
our
Independent
Auditors'
Report
on
DHS'
FY
2016
Financial
Statements
and
Internal Control
over
Financial Reporting,
dated
November
14,
2016,
which
was
included
in
the
Department
of
Homeland
Security's
(DHS)
fiscal
year
(FY)
2016
Agency
Financial Report.
We
do
not
require
management's
response
to
the
recommendations.
The
independent
public
accounting
firm
KPMG LLP
conducted
the
audit
of
DHS
'
FY
2016
financial
statements
and
is
responsible
for
the
attached
management
letter
and
the
conclusions
expressed
in
it.
Consistent
with
our
responsibility
under
the
Inspector
General
Act,
we
will
provide
copies
of
our
report
to
congressional
committees
with
oversight
and
appropriation
responsibility
over
the
Department
of
Homeland
Security.
We will
post
the
report
on
our
website
for
public
dissemination.
Please
call
me
with
any
questions,
or
your
staff
may
contact
Maureen
Duddy,
Deputy
Assistant
Inspector
General
for
Audits,
at
(617)
565-8723.
Attachment
KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006
December 8, 2016
Office of Inspector General
U.S. Department of Homeland Security, and
Chief Financial Officer
U.S. Department of Homeland Security, Transportation Security Administration
Washington, DC
Ladies and Gentlemen:
We planned and performed our audit of the consolidated financial statements (hereinafter referred to as the
“financial statements”) of the U.S. Department of Homeland Security (DHS or Department), as of and for the
year ended September 30, 2016, in accordance with auditing standards generally accepted in the United States
of America; the standards applicable to financial audits contained in Government Auditing Standards issued by
the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 15-02,
Audit Requirements for Federal Financial Statements. We considered the Department’s internal control over
financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the
circumstances for the purpose of expressing our opinion on the consolidated financial statements. In
conjunction with our audit of the consolidated financial statements, we also performed an audit of internal
control over financial reporting in accordance with attestation standards established by the American Institute of
Certified Public Accountants; the standards applicable to attestation engagements contained in Government
Auditing Standards issued by the Comptroller General of the United States; and the internal control
requirements included in OMB Bulletin No. 15-02.
During our audits we noted certain matters involving the Transportation Security Administration’s (TSA) internal
control and other operational matters that are presented for your consideration. These comments and
recommendations, all of which have been discussed with the appropriate members of management, are
intended to improve internal control or result in other operating efficiencies. These observations and
recommendations are summarized in Exhibit I of this letter and are not considered significant deficiencies or
material weaknesses in internal control over financial reporting. Significant deficiencies and material
weaknesses in internal control over financial reporting have been previously communicated to the DHS Office
of Inspector General (OIG) and management in our Independent Auditors’ Report, dated November 14, 2016,
included in the fiscal year 2016 DHS Agency Financial Report.
Deficiencies related to TSA information technology (IT) controls will be presented in a separate letter to the
DHS Office of Inspector General, TSA Chief Information Officer, and TSA Chief Financial Officer.
Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and on
the effectiveness of internal control over financial reporting, and therefore may not bring to light all weaknesses
in policies or procedures that may exist. We aim, however, to use our knowledge of TSA’s organization gained
during our work to make comments and suggestions that should be useful to you.
We would be pleased to discuss these comments and recommendations with you at any time.
KPMG LLP is a Delaware limited liability partnership and the U.S. member
firm of the KPMG network of independent member firms affiliated with
KPMG International Cooperative (“KPMG International”), a Swiss entity.
The purpose of this letter is solely to describe comments and recommendations intended to improve internal
control or result in other operating efficiencies. Accordingly, this letter is not suitable for any other purpose.
Very truly yours,
Transportation Security Administration
Table of Financial Management Comments
September 30, 2016
TABLE OF FINANCIAL MANAGEMENT COMMENTS (FMC)
Comment
Reference Subject Page
FMC 16-01Ineffective Design of Communication of Relevant Accounting
Literature and Ineffective Operating Effectiveness of Employee
Performance Assessment Reviews
FMC 16-02 Insufficient Quality Review of Personnel Actions
FMC 16-03 Ineffective Controls over Invoice Three-Way Match
FMC 16-04 Ineffective Design of Controls over the Review and Approval of
Direct and Material Laws and Regulations
FMC 16-05 Ineffective Controls over Depreciation of Transportation Security
Equipment
FMC 16-06 Ineffective Controls over Property, Plant and Equipment
Retirements
FMC 16-07 Ineffective Controls over the Review and Approval of the Payment
Update Database
FMC 16-08 Ineffective Controls over the Property Inventory Counts
FMC 16-09 Failure to Design and Implement Controls over National Finance
Center Payroll/ Benefits Calculations
FMC 16-10 Ineffective Controls over WebTA and the Time and Attendance
Process
FMC 16-11 Lack of Manual Compensating Controls over the Personnel Action
Process
FMC 16-12 Ineffective Controls over the Federal Employees’ Compensation
Act
FMC 16-13 Ineffective Controls over Financial Disclosure Forms
FMC 16-14 Ineffective Controls over Accounts Receivable Estimate Review
FMC 16-15 Ineffective Design of Controls over the Review and Approval of
Journal Entries
2
2
2
3
3
3
3
4
4
5
5
6
6
7
7
APPENDIX
Appendix Subject Page
A Crosswalk – Financial Management Comments to Active NFRs 8
1
Transportation Security Administration
Financial Management Comments and Recommendations
September 30, 2016
FMC 16-01 – Ineffective Design of Communication of Relevant Accounting Literature and Ineffective
Operating Effectiveness of Employee Performance Assessment Reviews (NFR No. TSA 16-01)
Controls over the communication and distribution of accounting literature updates were not designed
effectively to ensure all Branch Chiefs receive the Flash Notice update emails. Specifically, during our
testing of the design and implementation, we noted three Branch Chiefs were omitted from Flash
Notice 16-011 sent on December 18, 2015.
Controls over the review and approval of employee performance plan and appraisal forms were not
operating effectively. Specifically, during our testwork over 15 performance plans and appraisal
samples, we noted one instance in which the Financial Policy and Travel Branch Chief was designated
as both the Rating and Reviewing Official for a Travel Services Section employee.
Recommendation:
TSA should:
Establish policies and procedures to verify that all accounting policies and literature updates are
distributed to all appropriate individuals.
Review all performance plans at the start of the rating cycle to ensure that the correct rating and
reviewing officials are listed for each employee’s plan.
FMC 16-02 – Insufficient Quality Review of Personnel Actions (NFR No. TSA 16-02)
Controls over the review of completed personnel actions were not operating effectively. Specifically, we
noted that for two of five pay periods selected for testing, Lockheed Martin did not receive sample size
approval from TSA prior to performing the review.
Recommendation:
TSA should take measures to improve its monitoring of the service provider’s quality assurance
process in a consistent and documented method to confirm it is operating effectively.
FMC 16-03 – Ineffective Controls over Invoice Three-Way Match (NFR No. TSA 16-03)
Controls over the invoice three-way match were not operating effectively. Specifically, during our
testwork over 14 samples, we noted one instance in which the amount invoiced did not match the
amount due per the obligating document. As a result, TSA overpaid $16.22 for 12 months, summing to
an overpayment of $194.64.
Recommendation:
TSA should implement additional procedures to ensure that invoice amounts and other relevant data
are matched appropriately to supporting documentation prior to payment.
2
Transportation Security Administration
Financial Management Comments and Recommendations
September 30, 2016
FMC 16-04 – Ineffective Design of Controls over the Review and Approval of Direct and Material
Laws and Regulations (NFR No. TSA 16-04)
Controls over the review and approval of the direct and material laws and regulations listing were not
designed effectively. Specifically, we noted that the Audit Policy Branch made updates to the listing
subsequent to the Office of Chief Counsel review and approval. The Office of Chief Counsel did not
review and approve the subsequent changes prior to submission to the Department. Additionally, the
Audit Policy Branch did not include the Department’s edits to the listing in the TSA submission.
Recommendation:
TSA should design and implement procedures to ensure the completeness and accuracy of the direct
and material laws and regulations listing, prior to submission to the Department.
FMC 16-05 – Ineffective Controls over Depreciation of Transportation Security Equipment (NFR No.
TSA 16-05)
Controls over the depreciation of transportation security equipment assets were not operating
effectively. During our testing of 25 transportation security equipment retirement transactions, we noted
that depreciation expense was recorded in the month following the physical retirement of an asset.
Recommendation:
TSA should implement controls to ensure that depreciation expense and accumulated depreciation
calculated for asset retirements are accurate.
FMC 16-06 – Ineffective Controls over Property, Plant & Equipment Retirements (NFR No. TSA 16-06)
Controls over the review and approval of transportation security equipment asset retirements were not
operating effectively. Specifically, during our testing of 25 asset retirement transactions, we noted that
an asset was removed from the fixed asset module prior to the U.S. Coast Guard Finance Center
(FINCEN) property manager’s approval.
Recommendation:
TSA should enforce existing policies and procedures to ensure asset retirements are appropriately
approved prior to removal from service.
FMC 16-07 – Ineffective Controls over the Review and Approval of the Payment Update Database
(NFR No. TSA 16-07)
Controls over the completeness and accuracy of the Payment Update Database were not operating
effectively. During our testwork over the June 2016 Payment Update Database, we noted the individual
airline detail was not included in the database provided to the Financial Management Division Director
and the Revenue Director for review. The Financial Management Director and Director of Revenue
then approved the database with missing detail.
3
Transportation Security Administration
Financial Management Comments and Recommendations
September 30, 2016
Recommendation:
TSA should clarify the policies and procedures over the Payment Update Database to indicate
documentation and review requirements for all users of the database.
FMC 16-08 – Ineffective Controls over the Property Inventory Counts (NFR No. TSA 16-08)
During control testwork over 25 inventory counts, we identified the following:
One Inventory Certification in which the Accountable Property Officer’s digital signature date was
manually altered.
Four Inventory Certifications in which the Deputy Property Management Official’s digital signature
was dated prior to the inventory start date.
During our site visit testing, we identified the following:
One asset in which the serial number on the asset did not correspond to the serial number listed in
the Sunflower Asset Management System.
Three assets in which the serial number was not legible on the asset tag or the asset was not
tagged with a unique barcode.
One asset in which the asset tag was replaced subsequent to our sample request as the original
asset tag was not legible.
One asset in which the asset was not listed in the Sunflower Asset Management System.
Two assets in which the asset tag was not attached to the asset.
Recommendation:
TSA should:
Provide training to Accountable Property Officers and Deputy Property Management Officials to
address inventory management and the preparation of inventory certification forms.
Develop or update relevant policies and procedures to help provide clarification to Accountable
Property Officers and Deputy Property Management Officials on the inventory process.
FMC 16-09 – Failure to Design and Implement Controls over National Finance Center (NFC) Payroll
and Benefits Calculations (NFR No. TSA 16-09)
TSA does not have controls in place to assess the completeness and accuracy of the NFC’s manual
benefit calculations. Specifically, we noted in our testing of payroll and benefits expenses that the NFC
did not accurately calculate the Federal Employees Retirement System and Thrift Savings Plan
benefits for two employees’ lump sum settlement payments that each spanned multiple fiscal years.
The benefits were calculated using FY 2016 rates for the entire settlement when portions of the
settlements should have been calculated using prior year rates.
Recommendation:
TSA should implement a quality control process of the NFC manual payments for benefits expenses.
4
Transportation Security Administration
Financial Management Comments and Recommendations
September 30, 2016
FMC 16-10 – Ineffective Controls over WebTA and the Time and Attendance Process (NFR No. TSA
16-10)
Controls over the time and attendance process were not operating effectively to ensure that approvals
for timesheets, leave and overtime were accurately and properly recorded on a timely basis.
Specifically, during testing of 117 payroll transactions, we identified the following:
Two instances where an error was missed in the initial review and certifying process and was
reviewed and certified in a subsequent pay period. As such, we noted the supervisor did not
sufficiently review and approve the employee’s timesheet.
Seven instances where the supervisors did not approve the overtime request prior to the employee
working overtime hours.
Five instances where a supervisor did not approve the leave request prior to the employee taking
leave.
One instance where TSA was not able to provide a leave approval for leave taken on a timesheet
that was subsequently certified and paid.
One instance where the days requested for leave on the approved Office of Personnel
Management (OPM) Form 71 did not match the actual days taken per the employee’s certified
timecard.
Recommendation:
TSA should:
Continue to provide guidance, job aids and refresher training on governing policies for leave and
overtime approvals and procedures for the use of WebTA.
Continue to conduct, communicate, provide training, and emphasize awareness on maintaining
effective controls with the payroll user community.
FMC 16-11 – Lack of Manual Compensating Controls over the Personnel Action Process (NFR No.
TSA 16-11)
Controls over Requests for Personnel Actions were not properly designed and implemented to ensure
that the proper personnel submitted and reviewed all personnel action requests within HRAccess. TSA
relies solely on electronic submissions and signatures within the HRAccess application to evidence
approval of personnel actions prior to the effective date of the action. However, General Information
Technology Controls supporting this application were not effective. Due to the risk of inappropriate
access to the application, manual compensating controls were necessary to attain assurance that
appropriate personnel submitted and approved Requests for Personnel Actions.
Recommendation:
TSA should develop and implement manual compensating controls to restrict the review and approval
of personnel actions within the system to appropriate personnel.
5
Transportation Security Administration
Financial Management Comments and Recommendations
September 30, 2016
FMC 16-12 – Ineffective Controls Over the Federal Employees’ Compensation Act (FECA) (NFR No.
TSA 16-12)
During our testing of TSA’s review of the Department of Labor chargeback report, we identified the
following:
One instance where TSA was unable to provide supporting documentation (e.g., employee
timecard, Statement of Earnings and Leave, etc.) evidencing that the employee was a Federal Air
Marshal Service employee at the time of injury.
One instance where a claimant incorrectly filled out his/her date of birth on the signed and reviewed
Claim for Continuation of Pay/Compensation (CA-1) form, which is a required field per the
Department of Labor’s CA-1 instructions. The review process did not detect and correct the error.
Recommendation:
TSA should:
Continue to conduct training sessions with the Workers’ Compensation Coordinators to provide
focused training on FECA policies over validating the quarterly chargebacks.
Continue to enforce policies and procedures for compliance with the FECA, including completing
quality checks of all CA-1 forms prior to submission to Department of Labor, Office of Workers’
Compensation.
FMC 16-13 – Ineffective Controls over Financial Disclosure Forms (NFR No. TSA 16-13)
Controls over the submission and review of Office of Government Ethics (OGE) 278 and 450, public
and confidential financial disclosure forms, were not operating effectively. Specifically, we identified the
following:
During testing of OGE-278 filings, we noted one instance where the form was submitted and the
ethics official’s initial review was not completed timely, within 60 days of submission.
During our testing of OGE-450 filings, we noted one instance where a filer did not submit the report
by the submission deadline. The filer did not receive the notification to file or the subsequent late
notices sent out by the Office of Chief Counsel because the office did not have the correct email
address on file.
6
Transportation Security Administration
Financial Management Comments and Recommendations
September 30, 2016
Recommendation:
We recommend:
TSA implement policies and procedures to ensure that reviewers monitor the status of report
submissions and complete the initial reviews within the statutory timeframes.
The Office of Chief Counsel should continue to work with the Office of Human Capital so that
accurate and timely information, including e-mail and other contact information, is provided to the
Office of Chief Counsel.
FMC 16-14 – Ineffective Controls over Accounts Receivable Estimate Review (NFR No. TSA 16-14)
Controls over the review and approval of the accounts receivable estimate were not operating
effectively. Specifically, during our testing over the year end accounts receivable estimate, we identified
the following:
To calculate the average passenger fee adjustment factor to be used in the accounts receivable
estimate, TSA used an average of passenger fee adjustment factors from August 2014 through
August 2016, which was inconsistent with their policy.
TSA was unable to provide documentation for the methodology used to determine the individual
passenger fee adjustment factors to be used for airlines with a variance of $500K or greater.
TSA was unable to provide support for the August 2014 and September 2014 passenger fee
adjustment factors used in the September 2016 accounts receivable estimate calculation.
Recommendation:
TSA should update their documented policies and procedures to accurately calculate and report the
accounts receivable accrual.
FMC 16-15 – Ineffective Design of Controls over the Review and Approval of Journal Entries (NFR
No. TSA 16-15)
Controls over the review and approval of year end journal entries were not designed effectively.
Specifically, during our journal entry testwork, we noted one manual journal entry that was not reviewed
prior to posting. This journal entry related to year end suspense clearing entries, which do not require
review, approval or supporting documentation.
Recommendation:
TSA should implement or update processes to address the approval requirements of the year end
suspense clearing journal entry.
7
Appendix A
Transportation Security Administration
Crosswalk – Financial Management Comments to Active NFRs
September 30, 2016
Disposition
1
IAR FMC
NFR No. Description MW SD NC No.
16-01 Ineffective Design of Communication of Relevant Accounting
Literature and Ineffective Operating Effectiveness of
Employee Performance Assessment Reviews
16-01
16-02 Insufficient Quality Review of Personnel Actions 16-02
16-03 Ineffective Controls over Invoice Three-Way Match 16-03
16-04 Ineffective Design of Controls over the Review and Approval
of Direct and Material Laws and Regulations
16-04
16-05 Ineffective Controls over Depreciation of Transportation
Security Equipment
16-05
16-06 Ineffective Controls over Property, Plant & Equipment
Retirements
16-06
16-07 Ineffective Controls over the Review and Approval of the
Payment Update Database
16-07
16-08 Ineffective Controls over the Property Inventory Counts 16-08
16-09 Failure to Design and Implement Controls over National
Finance Center Payroll/Benefits Calculations
16-09
16-10 Ineffective Controls over WebTA and the Time and
Attendance Process
B 16-10
16-11 Lack of Manual Compensating Controls over the Personnel
Action Process
16-11
16-12 Ineffective Controls over the Federal Employees’
Compensation Act
16-12
16-13 Ineffective Controls over Financial Disclosure Forms 16-13
16-14 Ineffective Controls over Accounts Receivable Estimate
Review
16-14
16-15 Ineffective Design of Controls over the Review and Approval
of Journal Entries
16-15
16-16 Non-Compliance with the Federal Financial Management
Improvement Act of 1996
J
8
Appendix A
Transportation Security Administration
Crosswalk – Financial Management Comments to Active NFRs
September 30, 2016
1
Disposition Legend:
IAR Independent Auditors’ Report dated November 14, 2016
FMC Financial Management Comment
MW Contributed to a Material Weakness at the Department-level when combined with the results of all other
components
SD Contributed to a Significant Deficiency at the Department-level when combined with the results of all
other components
NC Contributed to Non-Compliance with laws, regulations, contracts, and grant agreements at the
Department-level when combined with the results of all other components
NFR Notice of Finding and Recommendation
Cross-reference to the applicable sections of the IAR:
A Information Technology Controls and Financial System Functionality
B Financial Reporting
C Property, Plant, and Equipment
D Entity-Level Controls
E Grants Management
F Custodial Revenue and Refunds and Drawback
G Federal Managers’ Financial Integrity Act of 1982
H Single Audit Act Amendments of 1996
I Antideficiency Act, as amended
J Federal Financial Management Improvement Act of 1996
9
OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Appendix B
Report Distribution
Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Financial Officer
Transportation Security Administration
Administrator
Audit Liaison
Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner
Congress
Congressional Oversight and Appropriations Committees
www.oig.dhs.gov OIG-17-69
ADDITIONAL INFORMATION AND COPIES
To view this and any of our other reports, please visit our website at: www.oig.dhs.gov.
For further information or questions, please contact Office of Inspector General Public Affairs
at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov. Follow us on Twitter at: @dhsoig.
OIG HOTLINE
To report fraud, waste, or abuse, visit our website at www.oig.dhs.gov and click on the red
"Hotline" tab. If you cannot access our website, call our hotline at (800) 323-8603, fax our
hotline at (202) 254-4297, or write to us at:
Department of Homeland Security
Office of Inspector General, Mail Stop 0305
Attention: Hotline
245 Murray Drive, SW
Washington, DC 20528-0305
