Internal financial control problems can afflict agencies large and small

The Federal Housing Finance Agency says it is strengthening internal financial control practices after a GAO audit found financial statement miscalculations.

The Federal Housing Finance Agency (FHFA) says it is working to strengthen its internal financial control practices. That is after a Government Accountability Office (GAO) audit found FHFA’s financial statements miscalculated the agencies obligations under the Federal Employee Compensation Act. And the way it happened might offer a cautionary tale for other small agencies. Anne Sit-Williams is a director for financial management and assurance at GAO. She talked about the findings with Federal News Network’s Jared Serbu on The Federal Drive with Tom Temin.

Interview Transcript: 

Tom Temin The Federal Housing Finance Agency says it’s working to strengthen its internal financial control practices. That’s after a Government Accountability Office audit found FHFA’s financial statements miscalculated the agency’s obligation under the Federal Employee Compensation Act. And the way it happened might offer a cautionary tale to other small agencies. Anne Sit-Williams is a director for financial management and assurance at GAO. She talked about the findings with Federal News Network’s Jared Serbu.

Jared Serbu Anne, thanks for doing this. And this is a little bit of a complicated story to try to tell on the radio, but I’m confident we can do it. Take us through, if you would, just at the outset here. What actually happened? Take us through the chain of how this misstatement was made, what this misstatement was, and how it was ultimately discovered.

Anne Sit-Williams GAO has been conducting this audit of FHFA’s financial statements and internal controls, every year since about 2008. Sometimes I lose people when I say those words: financial statements, internal controls. So, what are those? Ultimately, financial statements are reports that show how much money is coming into the agency and how that money is being spent. And the internal controls are really the processes that make sure that the information in those financial statements are authorized and properly recorded. So in this scenario with FHFA, it is a little complicated because there are several players involved. One being FHFA, they have consolidated financial statements that include their IG. That’s common to have the IG included. However, in this scenario, the IG makes up a pretty substantial portion of the consolidated financial statements, about 14%, which is bigger than probably other agencies. And they also use what’s called a service provider. So, Treasury is involved in preparing some of the information and also pulling together the financial statements for FHFA. So, in this case, there was an error in the calculation for what’s called the FICA, or worker’s compensation liability. And it was a simple miscalculation that wasn’t caught in the review from the IG, making sure that those amounts were correct. And then at the financial statement level, FHFA, when they reviewed the financial statements, didn’t catch that error, either. There wasn’t caught until EAO was doing their testing and reperforming that calculation notice there, and in discussions with FHFA, did determine that it was a calculation error.

Jared Serbu And so this amounted to a $1.3 million misstatement that you ultimately characterize as a significant deficiency in auditor terms. First of all, you want to just take us through what are the elements of a significant deficiency? What does that mean to a layperson, and, sort of an unfair two part question — first, define significant deficiency, and then tell us, you know, what is the deficiency? Is it this $1.3 million in and of itself, or is it more that, oh, this is a red flag, that there may not be controls in place to prevent this kind of thing?

Anne Sit-Williams That is a good question, because a lot of people do get caught up in ‘well, what is the control deficiency?’ And there are different levels of control deficiency. When we’re testing internal controls, it could be the first level is control deficiency. The second level is a significant deficiency, meaning that it’s something that we want to alert management to. It is a bigger deal than obviously a control deficiency, but not to the level of what we would say is a material weakness, which means that it’s pretty reasonable. If it was a material weakness, that means it’s reasonable that there’s a material misstatement in the financials. We weren’t at that level yet. We were in this middle bucket, meaning, ‘hey, management, you need to pay attention to this and take it seriously.’ And they really have. The second part to your question is, was it just about the dollar amount? And it might seem that the dollar amount, 1.3 million is not a huge amount, but we do have to remember, A, that we have to scale it to the agency that we’re looking at. So for example, if Bill Gates had a $1 million misstatement in his bank account, it probably not matter to him as much as it does to me. $1 million would be a big deal in my bank account. So this 1.3 million might not seem like a big deal. If it was a bigger agency, it probably wouldn’t be. But FHFA’s a smaller agency. They are the agency that oversees the regulators for the home loan banks, and Freddie and Fannie. So they need to make sure that their records and controls are functioning properly as well.

Jared Serbu And as part of the same audit, you also identified some IT access control issues that you kind of characterize separately, apart from the significant deficiency that we were just talking about. One, why did you bin those separately, I think is an important question? And then, kind of describe the issues that you found on the IT front.

Anne Sit-Williams Sure. Those IT access issues, we always think about what line items do those impact. And when we’re doing the audit and trying to group these together. And these were at that lower level that I was talking about, control deficiencies. One was related to their payroll system, and the other one was related to just taking away access once people were separated from the agency. So, obviously, payroll system, we’re very conscientious of that. And just making sure that because payroll is FHFA’s big expense, we always pay particular attention to those. In this scenario, there was missing documentation to really make sure that, were these people authorized to have access to the system? And we weren’t able to get documentation for that. Ultimately, we were able to have discussions with the agency and make sure that people had appropriate access. Some of them had what’s called elevated access, meaning that they had people describe it as the, you know, keys to the kingdom, and they have access that’s probably — if you think about separation of duty — like, you don’t want your cashier to also be the person who’s making the bank deposit at the end of the day. So in this case, these people had elevated access, and they rightfully did, because they were supposed to be monitoring some of the operations that were happening. But we just need to make sure that FHFA has a process to make sure that the people who have elevated access are also being monitored. And with the other one, was also kind of that lower level controlled efficiency, is for separated employees when they leave, just making sure they take access away for all of their systems that they had access to when they were employed, which, in the old days, making sure keys and badges were taken away was easier because that was a physical thing. But now, in the remote environment, making sure that that access is taken away is important.

Jared Serbu My sense is these issues are fairly common across federal agencies. Is that true? Do you have a good sense for whether this is kind of pervasive? I’m talking specifically about the IT access control issues, removing access for separated employees and controlling the levels of access.

Anne Sit-Williams It’s definitely an area we always tend to look at because they are the riskier areas, just in thinking about the agencies I’ve audited. A few of them have definitely had these type of issues. I think a lot of people do have employees separating, and they also grant elevated access and access without the appropriate documentation. So, I would agree that it’s not uncommon to see this.

Jared Serbu And the last thing I wanted to ask you, I think, Anne, is, are there any cautionary tales for other agencies who might have similar setups with shared services providers that handle their financial statements? I mean, this is a little bit of an unusual situation in that you have this chain of the OIG to the main agency, to a shared service provider. Any takeaways for other agencies that might use a similar setup?

Anne Sit-Williams Yeah, I think that in several cases there are agencies that use contractors or shared services, and they think that, well, because we’ve hired them, they have good internal controls, so we can rely on that. And you can, to an extent. But ultimately, at the end of the day, the agency is the one who’s responsible for all of this. They’re the ones who are signing the representation letters at the end of the day, saying that the internal controls and financial statements are fairly presented and operating, so they can’t fall asleep at the wheel and just rely on those external parties. And the same thing with even just thinking about what is the point of the review, not just signing a piece of paper at the end of the day. It’s really digging in and seeing did what was supposed to happen, happen? And I think that’s where we have a lot of errors and control deficiencies when we identify them.

Jared Serbu And you mentioned this briefly, but I just want to make sure we hit it, that it sounds like FHFA is really taking everything that you’ve given them on board, and they’re working to address everything that you recommended.

Anne Sit-Williams Yes. The director of FHFA and the Inspector General have taken these recommendations that we’ve made very seriously. They’re already, when we met with them a few months ago, have already started implementing some of the remediation efforts to correct the internal control findings. And we start the audit very soon for 2024. So, we’ll be able to follow up on those.

Tom Temin Anne Sit-Williams, director for financial management and assurance at the Government Accountability Office, speaking with Federal News Network’s Jared Serbu. We’ll post this interview along with a link to her report at federalnewsnetwork.com/federaldrive. Subscribe to the Federal Drive wherever you get your podcasts.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories