DHS' Office of Inspector General Reports on CBP's IT Controls

Most Significant IT Control Weakness Relates to Access to Program & Data

During FY 2008, the auditors (KPMG LLP) continued to identify IT general control weaknesses at CBP. The most significant weaknesses, from a financial statement audit perspective, related to controls over access to programs and data.

Collectively, the IT control weaknesses limited CBP's ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability.

In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation and the auditors consider them to collectively represent a significant deficiency¹ for CBP.

CBP Continues to Have Material Weakness in System for Processing Drawbacks

In addition, the auditors found that while progress has been made from previous fiscal years, CBP continues to have material weakness² in its system for processing drawbacks.

(In FYs 2003-2007, the auditors found that weaknesses over the processing of drawback claims exist within CBP's system. For example, when a CBP entry specialist attempts to liquidate an import entry, the system displays a warning message, indicating that a drawback claim has been filed against the import entry. The purpose of the warning is to ensure that both a refund and drawback are not paid on the same goods. However, entry specialists can override the warning message without supervisory review and process a refund without investigating pending drawback claims.)

In FY 2008, the auditors noted that CBP's Office of International Trade had developed a report which displays all control overrides performed at a particular port. However, due to the pervasiveness of this application control weakness, the mitigating control only partially alleviates the weakness. Therefore, this issue remains a material weakness.

CBP Generally Agreed with Findings, OIG Satisfied with CBP's Remedies

The auditors state that generally, CBP management agreed with all of their findings and recommendations and CBP has developed a remediation plan to address these findings and recommendations. In addition, CBP's OIG states it agrees with the steps that CBP's management is taking to satisfy these recommendations.

¹The report presents the IT management letter for the FY 2008 CBP balance statement audit as of September 30, 2008, contains observations and recommendations related to IT internal controls that were not required to be reported in the financial statement audit report of November 2008, etc.

²A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects CBP's ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally-accepted accounting principles such that there is more than a remote likelihood that a misstatement of CBP's financial statements that is more than inconsequential will not be prevented or detected by CBP's internal control over financial reporting.

³A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by CBP's internal controls.

DHS OIG report entitled, "Information Technology Management Letter for the FY 2008 Customs and Border Protection Financial Statement Audit" (redacted version) (OIG-09-59, dated April 2009) available at http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_09-59_Apr09.pdf