Like other executive branch agencies, USAID must prepare annual statements summarizing its financial activities and status at year-end to show the public how well it has managed its funds. To produce its statements, USAID relies on Phoenix, the financial management system it uses to automate day-to-day accounting entries. In that system, electronic models are used to record, or post, transactions to the general ledger, which summarizes all transactions occurring Agency-wide. Posting models determine which general ledger accounts are affected by each accounting transaction. Since transactions can be worth billions of dollars, and annual totals processed by Phoenix exceed $15 billion, USAID must take care to post the transactions correctly to ensure accurate financial statements.
Prior OIG audits of financial statements for fiscal years 2015 and 2014 revealed differences between USAID's general and subsidiary ledgers. Therefore, we conducted this audit to determine whether USAID's Office of the Chief Financial Officer implemented key internal controls over general ledger posting models in Phoenix to mitigate the risk of unauthorized and undocumented changes.
We found that because its staff did not perform a formal risk assessment, the office did not implement some key internal controls. For example, USAID headquarters did not have clearly documented procedures for managing the general ledger posting models, nor did it have adequate security controls for tasks related to changing the models: segregating duties, maintaining audit logs, approving changes, and monitoring their implementation. As a result, USAID was at risk of having errors in the models and in its financial statements. USAID management agreed with the two recommendations we made to help the Agency implement the missing internal controls.
USAID Lacked Key Internal Controls Over Its Models for Posting Financial Transactions
Recommendation 1: We recommend that USAID's chief financial officer perform a written risk assessment of its general ledger posting model process, as required by Office of Management and Budget Circular A-123. The risk assessment should include cost-benefit considerations and a plan to implement compensating or appropriate internal controls to prevent and detect errors. The risk assessment should address:
Segregation of duties.
Data owner approval of changes to the general ledger posting models.
Records of all steps in procedures.
Use of activity or transaction logs for monitoring.
The risk assessment should also document the acceptance of all risks that will not be mitigated.
Recommendation 2: We recommend that USAID's chief financial officer update and implement USAID's general ledger posting model procedures, after taking final corrective action on recommendation 1, to include explicit roles and responsibilities and a step-by-step process for updating the posting models.