USAID Lacked Key Internal Controls Over Its Models for Posting Financial Transactions

Like other executive branch agencies, USAID must prepare annual statements summarizing its financial activities and status at yearend to show the public how well it has managed its funds. To produce its statements, USAID relies on the financial management system it uses to automate day-to-day accounting entries, Phoenix. In that system, electronic models are used to record or post transactions to the general ledger, which summarizes all transactions occurring Agency-wide. Posting models determine which general ledger accounts are affected by each accounting transaction. Since transactions can be worth billions of dollars, and annual totals processed by Phoenix exceed $15 billion, USAID must take care to post the transactions correctly to ensure accurate financial statements. Prior OIG audits of financial statement audits for fiscal years 2015 and 2014 revealed differences between USAID’s general and subsidiary ledgers. Therefore, we conducted this audit to determine whether USAID's Office of the Chief Financial Officer implemented key internal controls over general ledger posting models in Phoenix to mitigate the risk of unauthorized and undocumented changes. We found that because its staff did not perform a formal risk assessment, the office did not implement some key internal controls. For example, USAID headquarters did not have clearly documented procedures for managing the general ledger posting models, nor did it have adequate security controls for tasks related to changing the models—segregating duties, maintaining audit logs, approving changes, and monitoring their implementation. As a result, USAID was at risk of having errors in the models and in its financial statements. USAID management agreed with the two recommendations we made to help the Agency implement the missing internal controls.