This is the accessible text file for GAO report number GAO-12-830R entitled 'Management Report: Improvements Are Needed to Strengthen the American Battle Monuments Commission's Internal Controls and Accounting Procedures' which was released on July 26, 2012.

GAO-12-830R:

United States Government Accountability Office:
Washington, DC 20548:

July 26, 2012:

The Honorable Max Cleland, Secretary:
American Battle Monuments Commission:
Courthouse Plaza II, Suite 500:
2300 Clarendon Boulevard:
Arlington, Virginia 22201:

Subject: Management Report: Improvements Are Needed to Strengthen the American Battle Monuments Commission's Internal Controls and Accounting Procedures:

Dear Mr. Secretary:

In March 2012, we issued our report on the results of our audit of the financial statements of the American Battle Monuments Commission (the Commission) as of, and for the fiscal years ending September 30, 2011 and 2010, and on the effectiveness of its internal control over financial reporting as of September 30, 2011.[Footnote 1] We also reported our conclusions on the Commission's compliance with provisions of selected laws and regulations. Our report concluded that although certain internal controls could be improved, the Commission maintained, in all material respects, effective internal control over financial reporting as of September 30, 2011. However, we did report a significant deficiency[Footnote 2] in the Commission's internal control over its payroll processes for its non-U.S. citizen employees (foreign employees).[Footnote 3]

The purpose of this report is to present additional information on the control issues that we identified during our audit of the Commission's fiscal year 2011 financial statements that constituted the significant deficiency and to provide our recommended actions to address those issues. Also, we identified an additional internal control issue that while not considered to be either a material weakness or a significant deficiency, nonetheless warrants management's attention. This report provides our recommendations to address this internal control issue as well. In addition, we are providing an update on the status of recommendations we made to address internal control issues identified during our prior years' financial statement audits of the Commission and related financial management reports.

Results in Brief:

During our audit of the Commission's fiscal years 2011 and 2010 financial statements, we identified the following internal control deficiencies that, collectively, constituted a significant deficiency in the Commission's internal control over financial reporting as of September 30, 2011.
* Access controls over foreign employee payroll systems. The Commission's controls were not fully effective in appropriately segregating duties of the systems administrators responsible for the foreign employee (non-U.S. citizen employees) payroll systems. In addition, controls were not effective in ensuring that critical system updates and patches to the Commission's servers were made, leaving them vulnerable to unauthorized access.[Footnote 4] These issues increase the risk that unauthorized users could access and make changes in the foreign employee payroll systems without the Commission's knowledge.

* Policies and procedures for processing foreign payroll. The Commission did not have written policies and procedures in place detailing key tasks, roles, and responsibilities related to processing foreign payroll transactions. This increased the risk of (1) errors or irregularities in foreign employee payroll records, (2) misstatements in the Commission's financial statements, and (3) noncompliance with relevant laws, regulations, and Commission policies.

In addition, we found the following deficiency in the Commission's internal control as of September 30, 2011.

* Physical inventory counts. The Commission's policy for conducting biennial physical inventories of equipment was not followed, and procedures for conducting the physical inventories had not been developed. These conditions increased the risk that safeguarding of assets could be compromised and that errors or misstatements could exist in the Commission's inventory and financial records as well as the financial statements and not be promptly detected and corrected.

At the end of our discussion of each issue, we present our recommendations for strengthening the Commission's internal control. We are making seven new recommendations that, if effectively implemented, should address the internal control deficiencies we identified.
These recommendations are intended to bring the Commission into conformance with its own policies, the Standards for Internal Control in the Federal Government,[Footnote 5] and guidance issued by the National Institute of Standards and Technology (NIST).[Footnote 6]

As a result of our fiscal years 2007 through 2010 audits of the Commission's financial statements, we have provided the Commission with 170 recommendations to improve its internal control, accounting procedures, and information systems. Through February 21, 2012, the date of our completion of the fiscal year 2011 audit, the Commission had implemented 127 recommendations, or about 75 percent of the recommendations we have made from the 2007 through 2010 audits.

In commenting on a draft of this report, the Commission stated it agreed with the issues raised and would respond more fully at a later date. The Commission's response is reprinted in its entirety in enclosure II.

Scope and Methodology:

This report addresses internal control deficiencies we identified during our audit of the Commission's fiscal years 2011 and 2010 financial statements. As part of our audit, we tested the Commission's internal control over financial reporting.[Footnote 7] We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. In conducting the audit, we reviewed applicable Commission policies and procedures, assessed controls over the recording and processing of transactions, examined relevant documents and records, and interviewed management and staff. We also performed a targeted general controls and security review of the Commission's critical computer systems using applicable sections of GAO's Federal Information System Controls Audit Manual (FISCAM).[Footnote 8] We performed our audit of the Commission's fiscal years 2011 and 2010 financial statements in accordance with U.S. generally accepted government auditing standards.
We believe that our audit provided a reasonable basis for our conclusions in this report. Further details on our audit scope and methodology are presented in enclosure I.

Significant Deficiency:

Access Controls over Foreign Employee Payroll Systems:

During our fiscal year 2011 financial statement audit, we identified deficiencies in controls over the Commission's foreign employee payroll systems. These deficiencies increased the risk of unauthorized access to, and alteration of, payroll-related information that would not be detected by Commission management.

Specifically, we found that two system administrators had inappropriate system access, allowing them to not only make system changes but to alter data in systems for which they were responsible. These administrators were responsible for (1) developing, (2) testing, and (3) implementing the foreign payroll systems and any changes to them, which included the systems used to process their own payroll. This amounted to the administrators having the ability to read, change, and delete any data in the foreign payroll systems without oversight or verification by Commission management. This included the ability to alter their own wage and earnings and other data before the payroll files are sent to the U.S. Department of the Treasury (Treasury) for the disbursement of wages and to the Commission's financial management system for recording in the general ledger.[Footnote 9] Such access authority increases the risk that administrators could add or alter payroll data without authorization and that such changes would not be readily detectable by Commission management. The systems administrators were able to perform these inappropriate functions because the Commission had not developed, documented, and implemented policies and procedures for assigning and segregating roles and responsibilities for staff members involved in the administrative functions of the foreign payroll systems.
We also found that the Commission had not installed critical updates and patches on several of its servers as outlined in its Computer Security Plan. Patch management is a critical process to securing computing systems and data processed in those systems.[Footnote 10] Up-to-date patch installation helps mitigate flaws in software code that could be exploited to cause significant damage and enable malicious individuals to read, modify, or delete sensitive information or disrupt operations.[Footnote 11] By not installing critical system updates and patches, unauthorized users could gain full administrator-level access to the Commission's systems through a server that communicates with the Internet. This, in turn, could allow unauthorized users to gain administrator-level access to the foreign employee payroll systems.

Based on our discussions with Commission staff, we were informed that the critical updates were not installed primarily because of an oversight when the servers were converted to a virtualized environment during fiscal year 2010.[Footnote 12] This oversight also contributed to the Commission's Computer Security Plan not being updated to reflect the virtualized environment. By not updating the security plan to reflect the current information technology environment, the Commission's ability to adhere to established operational and security controls was impaired.

Internal control standards state that key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud.[Footnote 13] No one individual should control all key aspects of a transaction or event. Similarly, no single system administrator should have the ability to develop, test, and implement a financial information system without appropriate mitigating controls. In addition, NIST standards suggest that an organization separate duties of individuals, as necessary, to prevent malevolent activity without collusion.
Further, NIST provides that organizations should promptly install security-relevant software updates (such as patches). By not ensuring that operational and computer security controls are designed to limit access to authorized users, the Commission increases the risk of unauthorized access and manipulation of its information systems and related data and misstatements in the financial statements.

Recommendations for Executive Action:

We recommend that the Commission direct the appropriate officials to take the following actions:

* Establish and implement written policies and procedures to identify and appropriately segregate the roles and responsibilities of staff involved in developing, testing, and implementing changes to and maintenance of the foreign employee payroll systems to reduce the risk of malevolent activity without collusion.

* Perform a review of the Commission's computer systems and servers to assess whether all patches and critical updates are current. For any systems and servers found without the most current patch or update, establish a process to ensure immediate installation.

* Establish a mechanism to monitor implementation of existing procedures requiring timely installation of all patches and critical updates as outlined in the Commission's Computer Security Plan.

* Update the Commission's Computer Security Plan to reflect the current state of the Commission's information technology environment.

Policies and Procedures for Processing Foreign Payroll:

During our fiscal year 2011 financial statement audit, we found that the Commission did not have effective controls to minimize the risk of errors in processing payroll actions for its foreign employees. Specifically, we found that the Commission did not have policies and procedures clearly delineating the responsibilities of both the Human Resources and Finance Directorates with respect to ensuring accurate and complete payroll information for foreign employees.
The Human Resources Directorate is responsible for processing all foreign employee personnel actions, such as promotions, salary increases, and benefit changes. The Finance Directorate is responsible for verifying and approving foreign employee information in the payroll systems, including the certification of time charges and verification of salary and benefits information. We found that the Commission did not have procedures that set out required steps to be followed by the Human Resources Directorate to communicate employee actions that it approved and processed to the Finance Directorate. The lack of such sufficiently detailed procedures regarding the roles and responsibilities of each directorate increased the risk of undetected errors in the reporting of payroll information.

For example, during our testing of foreign payroll expenditures, we were unable to trace the amounts in the foreign payroll systems to the general ledger. When we asked the Commission's Finance Directorate for a reconciliation of the amounts, officials were unable to readily provide the supporting documentation and related explanations describing the differences. Although the support and explanations were subsequently provided, we found that during the course of the staff's day-to-day operations, written instructions or directives were not available outlining the key tasks, roles, and responsibilities of each directorate involved in processing foreign payroll. Moreover, during our testing of a statistical sample of payroll expenditures, we found two instances where payroll information was incorrect. These findings and errors were consistent with the results of similar testing in prior years' audits.[Footnote 14] The lack of written policies and procedures clearly outlining the tasks, roles, and responsibilities of the Human Resources and Finance Directorates for processing foreign payroll contributed to the errors we identified.
Internal control standards state that control activities must be clearly documented, periodically updated, and readily available for examination.[Footnote 15] Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. However, to be effective, the policies and procedures used to carry out the Human Resources and Finance Directorates' functions should be clearly documented to ensure that all transactions are completely and accurately recorded and that management's directives are carried out in an effective and efficient manner to accomplish control objectives. Without clear policies and procedures and a formal means to communicate payroll actions, earnings and leave changes and other amounts involved in processing foreign payroll could be unsupported, duplicated, or omitted, resulting in errors in the payroll records for foreign employees. This increases the risk of misstatements in the financial statements and noncompliance with relevant laws, regulations, and Commission policies.

Recommendation for Executive Action:

We recommend that the Commission direct the appropriate officials to establish written policies and procedures outlining the key tasks, roles, and responsibilities of both the Human Resources Directorate and the Finance Directorate, including a formal mechanism for communicating all decisions and actions related to processing payroll for foreign employees.

Other Control Deficiencies:

Physical Inventory Counts:

During our fiscal year 2011 financial audit, we identified deficiencies in the Commission's internal controls over reporting and safeguarding of property, plant, and equipment. Specifically, we found that although the Commission had a policy to perform biennial physical inventory counts of all equipment over $500, this policy was not adhered to during fiscal year 2011.
We were told that the policy had not been followed because of (1) an oversight or other tasks being given a higher priority and (2) written procedures for performing such physical inventory counts not being developed.

A physical inventory count helps ensure that assets, such as the heavy equipment (e.g., tractors and mowers) purchased to maintain cemetery grounds and facilities, are accurately recorded, exist at a given point in time, and are properly safeguarded. This verification also helps ensure that information in the inventory records and general ledger, and ultimately the financial statements, is accurate, complete, and reliable.

Internal control standards state that control activities, including policies and procedures, help ensure that management's directives are carried out in an effective and efficient manner to accomplish control objectives.[Footnote 16] They are also an integral part of planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. Further, the standards state that an agency must establish physical control to safeguard vulnerable assets and these assets should be periodically counted and compared to control records.

Because the Commission has not developed procedures for performing a physical inventory count of equipment, there is an increased risk that the inventory counts will not be (1) performed, (2) conducted properly, or (3) used as a control to detect theft of assets. This, in turn, increases the risk that misstatements in the financial statements may not be promptly detected and corrected and that assets are not effectively safeguarded from theft or loss.

Recommendations for Executive Action:

We recommend that the Commission direct the appropriate officials to take the following actions:

* Establish and implement written procedures for conducting all physical inventory counts of equipment.
These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results.

* Establish a mechanism to monitor implementation of existing Commission policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more.

Status of Prior Years' Recommendations:

As a result of our fiscal years 2007 through 2010 audits of the Commission's financial statements, we have provided the Commission with 91 recommendations to improve its internal control and accounting procedures. As summarized in table 1, as of February 21, 2012, the date of audit completion for the fiscal year 2011 audit, the Commission had implemented 66, or about 73 percent, of our recommendations related to our prior years' findings on internal control and accounting procedure issues.

Table 1: Status of Fiscal Years 2007 through 2010 Internal Control and Accounting Procedure Recommendations:

Fiscal year ended Sept. 30, 2007: Total number of recommendations: 5; Number of closed recommendations: 5; Number of open recommendations: 0.
Fiscal year ended Sept. 30, 2008: Total number of recommendations: 26; Number of closed recommendations: 23; Number of open recommendations: 3.
Fiscal year ended Sept. 30, 2009: Total number of recommendations: 45; Number of closed recommendations: 33; Number of open recommendations: 12.
Fiscal year ended Sept. 30, 2010: Total number of recommendations: 15; Number of closed recommendations: 5; Number of open recommendations: 10.
Total: Total number of recommendations: 91; Number of closed recommendations: 66; Number of open recommendations: 25.

Source: GAO analysis as of February 21, 2012.

[End of table]

The Commission stated that it has actions under way to address the remaining 25 recommendations related to internal control and accounting procedure issues.
Also, as a result of our fiscal years 2007 through 2010 audits of the Commission's financial statements, we have provided the Commission with 79 recommendations related to information systems control issues. As summarized in table 2, as of February 21, 2012, the date of audit completion for the fiscal year 2011 audit, the Commission had implemented 61, or about 77 percent, of our recommendations related to our prior years' findings on information systems.

Table 2: Status of Fiscal Years 2007 through 2010 Information Systems Recommendations:

Fiscal year ended Sept. 30, 2007: Total number of recommendations: 8; Number of closed recommendations: 8; Number of open recommendations: 0.
Fiscal year ended Sept. 30, 2008: Total number of recommendations: 18; Number of closed recommendations: 18; Number of open recommendations: 0.
Fiscal year ended Sept. 30, 2009: Total number of recommendations: 37; Number of closed recommendations: 24; Number of open recommendations: 13.
Fiscal year ended Sept. 30, 2010: Total number of recommendations: 16; Number of closed recommendations: 11; Number of open recommendations: 5.
Total: Total number of recommendations: 79; Number of closed recommendations: 61; Number of open recommendations: 18.

Source: GAO analysis as of February 21, 2012.

[End of table]

The Commission stated that it has actions under way to address the remaining 18 recommendations related to information systems issues.

In total, of the 170 recommendations we made to improve its internal control, accounting procedures, and information system controls, the Commission had implemented 127, or about 75 percent, of our recommendations from the fiscal years 2007 through 2010 financial audits. We will evaluate the status of the Commission's actions to address all of the prior year recommendations that remain open, as well as the new recommendations we are making in this report, in future audits of the Commission's financial statements.
Commission Comments and Our Evaluation:

In its written comments, reprinted in enclosure II, the Commission Secretary agreed with the issues raised in the report and stated that the Commission would provide a full response to each recommendation as part of its 31 U.S.C. § 720 letter to the Congress, which is due 60 days after the issuance of the report. As part of our fiscal year 2012 financial statement audit, we will follow up on all of these matters to determine the status of related corrective actions.

This report contains recommendations to the Commission. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and to the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the Commission's first request for appropriations made more than 60 days after the date of this report. Furthermore, to ensure that we have accurate, up-to-date information on the status of the Commission's actions on our recommendations, we request that you also provide us with a copy of the Commission's statement of actions taken on open recommendations. Please send your statement of actions to Steven Sebastian, Managing Director, at sebastians@gao.gov or John D. Sawyer, Assistant Director, at sawyerj@gao.gov.

This report is intended for use by the management of the Commission. We are sending copies of this report to interested congressional committees and the Acting Director of the Office of Management and Budget. In addition, the report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov].
We acknowledge and appreciate the cooperation and assistance provided by Commission management and staff during our audit of the Commission's fiscal years 2011 and 2010 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact Steven Sebastian at (202) 512-3406 or sebastians@gao.gov or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III.

Sincerely yours,

Signed by:

Steven J. Sebastian:
Managing Director:
Financial Management and Assurance:

Signed by:

Nabajyoti Barkakati:
Chief Technologist:
Applied Research and Methods:

Enclosures - 3:

[End of section]

Enclosure I: Scope and Methodology:

To fulfill our responsibilities as the auditor of the financial statement of the American Battle Monuments Commission (the Commission), our audit work included the following:

* Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. This included selecting statistical samples of payroll and nonpayroll expenditures.[Footnote 17]

* Assessed the accounting principles used and significant estimates made by Commission management.

* Evaluated the overall presentation of the financial statements.

* Obtained an understanding of the Commission and its operations, including its internal control over financial reporting.

* Considered the Commission's process for evaluating and reporting on internal control over financial reporting that the Commission is required to perform by 31 U.S.C. § 3512 (c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982.

* Assessed the risk that a material misstatement exists in the financial statements and the risk that a material weakness exists in internal control over financial reporting.
* Evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk.

* Tested relevant internal control over financial reporting.

* Tested compliance with selected provisions of the following laws and regulations: the Commission's enabling legislation codified in 36 U.S.C. Chapter 21; public laws applicable to the World War II Memorial Fund; Buffalo Soldiers Commemoration Act of 2005; Continuing Appropriations Resolution, 2010; Consolidated Appropriations Act, 2010; Continuing Appropriations Act, 2011; Full-Year Continuing Appropriations Act, 2011; Antideficiency Act; Pay and Allowance System for Civilian Employees; and Prompt Payment Act.

* Performed audit site work at Commission headquarters in Arlington, Virginia; its Paris Overseas Office in Garches, France; and its Brookwood and Cambridge American Cemeteries in London, England.

Our audit work was conducted from May 3, 2011, through February 21, 2012, pursuant to our authority to conduct an annual audit of the Commission's financial statements under 36 U.S.C. § 2103. We performed our audit of the Commission's fiscal years 2011 and 2010 financial statements in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our conclusions in this report.

[End of section]

Enclosure II: Comments from the American Battle Monuments Commission:

American Battle Monuments Commission:
Established by Congress 1923:
Courthouse Plaza II, Suite 500:
2300 Clarendon Boulevard:
Arlington, VA 22201-3367:

July 19, 2012:

Mr. Steven J. Sebastian:
Managing Director, Financial Management and Assurance:
United States Government Accountability Office:
Washington, DC 20548:

Dear Mr. Sebastian:

This responds to your July 5, 2012, memorandum regarding your proposed report: Improvements Are Needed to Strengthen the American Battle Monuments Commission's Internal Controls and Accounting Procedures (GAO-12-830R).
We agree with the issues raised in your report and are considering its recommendations, but we have no specific response at this time. However, we do not anticipate that we will disagree with any of the recommendations. The Commission will provide a full response to each recommendation as part of our 31 U.S.C. 720 letter to the Congress, which is due 60 days after the issuance of the report.

Sincerely,

Signed by:

Max Cleland:
Secretary:

[End of section]

Enclosure III: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov:
Nabajyoti Barkakati, (202) 512-4499 or barkakatin@gao.gov:

Staff Acknowledgments:

In addition to the contacts named above, John D. Sawyer and Edward Alexander, Assistant Directors; Mark Canter; Taya R. Tasse; and Tory Wudtke made key contributions to this report.

[End of section]

Footnotes:

[1] GAO, Financial Audit: American Battle Monuments Commission's Financial Statements for Fiscal Years 2011 and 2010, [hyperlink, http://www.gao.gov/products/GAO-12-404] (Washington, D.C.: Mar. 1, 2012).

[2] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

[3] During fiscal year 2011, the Commission used a total of 396 full-time equivalent positions. Of these, 73 positions were held by U.S. citizens, while the remaining 323 positions were held by non-U.S. citizens employed at the Commission's regional offices and at the cemeteries in the countries where the Commission operates.

[4] Patches are additional pieces of code that have been developed to address specific problems or flaws in existing software. Vulnerabilities are flaws that can be exploited, enabling unauthorized access to information technology systems or enabling users to have access to greater privileges than authorized. A server represents a computer running administrative software that controls access to all or part of the network and its resources, such as disk drives or printers. A computer acting as a server makes resources available to computers acting as workstations on the network.

[5] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982).

[6] The Federal Information Security Management Act (FISMA) requires each agency to develop, document, and implement an agencywide information security program for the information and information systems that support the operations and assets of the agency, using a risk-based approach to information security management. FISMA assigned to NIST the responsibility for developing standards and guidelines that include minimum information security requirements. See 15 U.S.C. § 278g-3.
[7] An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition and (2) transactions are executed in accordance with the laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements.

[8] GAO, Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009).

[9] Payroll for the Commission's federal employees (U.S. citizens) is managed by the General Services Administration, and these employees are paid using electronic funds transfers from Treasury. Payroll for the majority of its foreign employees is managed by the Commission in three separate payroll systems. These systems generate payroll files that are used to initiate wage disbursements from Treasury and record entries in the Commission's general ledger.

[10] GAO, Information Security: Continued Action Needed to Improve Software Patch Management, [hyperlink, http://www.gao.gov/products/GAO-04-706] (Washington, D.C.: June 2, 2004).

[11] GAO, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements, [hyperlink, http://www.gao.gov/products/GAO-12-137] (Washington, D.C.: Oct. 3, 2011).

[12] Virtualization is a process by which several operating systems can be run in parallel on a single central processing unit. This parallelism tends to reduce overhead costs and differs from multitasking, which involves running several programs on the same operating system.
[13] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[14] GAO, American Battle Monuments Commission: Improvements Needed in Internal Controls and Accounting Procedures - Fiscal Year 2010, [hyperlink, http://www.gao.gov/products/GAO-11-577R] (Washington, D.C.: July 28, 2011), and Management Report: Improvements Needed in American Battle Monuments Commission's Internal Controls and Accounting Procedures, [hyperlink, http://www.gao.gov/products/GAO-10-596R] (Washington, D.C.: July 23, 2010).

[15] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[16] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[17] These statistical samples were selected primarily to determine the validity of activities reported in the Commission's financial statements. We projected any errors in dollar amounts to the population of transactions from which they were selected. In testing some of these samples, certain attributes were identified that indicated deficiencies in the design or operation of internal control. These attributes, where applicable, were statistically projected to the appropriate populations.

[End of section]