Financial Management: Review of the Military Retirement Trust Fund's Actuarial Model and Related Computer Controls

AIMD-97-128 Published: Sep 09, 1997. Publicly Released: Sep 09, 1997.

Highlights

Pursuant to a congressional request, GAO reviewed the Department of Defense (DOD) Military Retirement Trust Fund's actuarial model and related computer controls.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary documents annual data preparation and processing steps in a formal, detailed manual.
Status: Closed – Not Implemented
DOD reports that written descriptions of the various stages of data preparation and processing have been developed, and the Office of the Actuary has created a formal checklist to assist in monitoring completion of various stages of the valuation process. A contractor, PricewaterhouseCoopers, will provide formal, detailed documentation of the retirement valuation model as a contract deliverable, expected to be completed by December 2001. As of September 2003, implementation of this recommendation has been delayed. Consequently, considering the passage of time since GAO's recommendation, GAO is closing this recommendation as not implemented.

Agency Affected: Department of Defense
Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary determines the availability of complete data on inactive reservists.
Status: Closed – Implemented
According to the Office of the Actuary, data on "grey-area" reservists have been included in the most recent pension liability calculations.

Agency Affected: Department of Defense
Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary tests a sample of current valuation results independently from prior year results.
Status: Closed – Implemented
Based on GAO's review of the Office of the Actuary's documentation and based on discussions with the independent public accounting firm that performed the fiscal year 1998 financial audit, actions responsive to this recommendation were completed in December 1998. The Office of the Actuary's contractor created a duplicate version of the retirement valuation model with "test-life" capability. The contractor and the Office of the Actuary then developed spreadsheets that validated the Office of the Actuary's model in approximately 30 cases chosen to reflect the entire September 30, 1997, valuation population. This process ensures that valuation results can be validated independently from prior-year results.

Agency Affected: Department of Defense
Recommendation: To improve the actuarial process, the Secretary of Defense should ensure that the Office of the Actuary evaluates the efficiency of using the current spreadsheet analyses and documents those analyses.
Status: Closed – Implemented
Based on GAO's review of the Office of the Actuary's documentation and discussions with the independent public accounting firm that performed the fiscal year 1998 financial audit, the actions responsive to this recommendation were completed in December 1998. The valuation spreadsheet has been restructured to include (1) a separate sheet for input elements, (2) separate sheets for individual actuarial analyses, (3) explanatory notes to enhance its auditability, and (4) security safeguards to protect it against unwarranted changes.

Agency Affected: Department of Defense
Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center modifies the security program's parameters to ensure participants' data and actuarial programs are protected and that security requirements comply with regulations.
Status: Closed – Implemented
DMDC reported previously that it expected to complete an organizational security certification and accreditation (DITSCAP) by March 31, 2000. The fiscal year 1999 financial audit found that (1) five findings from the DITSCAP risk assessment were still open as of January 2000, (2) DMDC security policy (requirements) was still in draft, (3) DMDC had no configuration standards for three of its platforms, and (4) DMDC had no detailed operating procedures for two platforms. DMDC stated in its response to the audit report that these issues had been corrected. In August 2001, Deloitte & Touche conducted a follow-up, and determined that the five DITSCAP issues had been corrected, DMDC security policy had been issued and updated, and that configuration standards had been developed.

Agency Affected: Department of Defense
Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center implements security features and parameters to ensure that unauthorized access to systems is reduced and that audit trails are activated and protected from unauthorized editing.
Status: Closed – Not Implemented
DMDC representatives have consistently stated that they have properly addressed this recommendation and resolved the control issues. Subsequent audits, however, have revealed continuing issues in this area. DoDIG has indicated that it has no plans to review this recommendation in the future. The recommendation will therefore be closed.

Agency Affected: Department of Defense
Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center develops (or modifies) and implements security policies and procedures to ensure that: (1) all users are authorized and have only the necessary access to facilities and data; (2) such access is reviewed periodically and removed promptly when warranted; and (3) access violations are researched.
Status: Closed – Not Implemented
DMDC representatives have consistently stated that they have properly addressed this recommendation and resolved the control issues. Subsequent audits, however, have revealed continuing issues in this area. The recommendation will therefore be closed.

Agency Affected: Department of Defense
Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center develops and implements comprehensive change management procedures governing changes to both the Fund's application programs and related operating systems.
Status: Closed – Not Implemented
DMDC representatives have stated that they have properly addressed this recommendation and resolved the control issues. To date, change management procedures have reportedly been implemented by DMDC and the Office of the Actuary, but subsequent audits have indicated continuing issues. Subsequent audits have also noted continuing issues with system software change control procedures at the Naval Postgraduate School, as well as undocumented exits and undocumented network connections. The recommendation will therefore be closed.

Agency Affected: Department of Defense
Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center designs, develops, tests, and implements a comprehensive disaster recovery plan.
Status: Closed – Not Implemented
DMDC had reported previously that they had completed corrective action on this recommendation. Subsequent audits, however, have revealed continuing issues in this area. The recommendation will therefore be closed.

Agency Affected: Department of Defense
Recommendation: To address the EDP general controls weaknesses, the Secretary of Defense should ensure that the Defense Manpower Data Center formally assesses and documents the risk of the Year 2000 impact on the actuarial application and prepares contingency plans, if needed, to ensure operations are not disrupted.
Status: Closed – Not Implemented
DMDC reported in 1999 that its Y2K conversions were complete, and that its continuity-of-operations (DRP) plans would be complete by the end of 1999. Subsequent audits, however, have indicated continuing issues related to DRP. Y2K is no longer an issue, and DRP is noted above. This recommendation will therefore be closed.

Topics

Actuarial tables, Computer security, Computer security policies, Controlled access, Data collection, Defense audits, Electronic data processing, Financial management systems, Internal controls, Noncompliance, Retirement, Security policies, Trust funds, Veterans pensions, Information security regulations