DHS OIG Update on CBP's IT Financial Control Deficiency
The Department of Homeland Security's Office of Inspector General has issued a follow-up letter on the recent "Independent Auditors' Report" issued by KPMG LLP on U.S. Customs and Border Protection's fiscal year 2010 internal controls for the financial reporting of its Information Technology activity. The letter details the "significant deficiency" that was found for CBP's IT and financial system controls in the following areas: access control, security management, segregation of duties, and financial system functionality, and lists recommendations for improvement.
(The "Independent Auditors' Report" had also found a "material weakness" in drawback, as well as other "significant deficiencies" in the entry process (in-bond, trade compliance management, bonded warehouse, and foreign trade zones), etc.)
OIG states that while CBP took corrective action in FY 2010 to address prior year IT control weaknesses, other general control weaknesses in IT continue to be found. The most significant weaknesses from a financial statement audit perspective related to controls over access to programs and data. Collectively, the IT control weaknesses limited CBP's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity and availability.
The OIG recommends that CBP focus on the Automated Commercial System (ACS) as well as the Automated Commercial Environment (ACE), and suggests the following (partial list):
- Continue to modernize business processes using ACE,
- Work with ACE stakeholders (the trade, CBP, etc.) to prioritize and develop the functionality that will allow CBP to fulfill its mission and meet the needs of its stakeholders,
- Formalize a detailed procedure for the review of ACS security profile change logs,
- Implement and monitor procedures to consistently document the access requests and approvals for any and all access creations and changes to ACS user profiles,
- Determine whether to use an ACE custom-developed solution or purchase off-the-shelf software for the full automation of audit log reviews, and
- Implement procedures to reinforce adherence to timely notification of separations by employees or contractors with access to ACE (no later than the day of separation).
(In the March 2011 "Independent Auditors' Report", KPMG audited the consolidated balance sheets of CBP; it also considered CBP's internal controls over financial reporting and tested CBP's compliance with certain provisions of applicable laws, regulations, and contract agreements that could have a direct and material effect on these consolidated financial statements.
See ITT's Online Archives or 04/14/11, 04/15/11, 04/18/11, 04/20/11, and 04/21/11 news, 11041401, 11041522, 11041823, 11041928, and 11042133, for Parts I-V of BP's series of summaries of the report.)
(OIG-11-90, June 2011)