2006 Annual Report Highlights

Independent Auditor’s Report

To the Inspector General of the
Pension Benefit Guaranty Corporation

We have audited the accompanying statements of financial condition of the Single-Employer and Multiemployer Program Funds administered by the Pension Benefit Guaranty Corporation (PBGC) as of September 30, 2006 and 2005, and the related statements of operations and changes in net position and cash flows for the years then ended. These financial statements are the responsibility of PBGC’s management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 06-03, Audit Requirements for Federal Financial Statements. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of the Single-Employer and Multiemployer Program Funds administered by PBGC as of September 30, 2006 and 2005, and the results of their operations and their cash flows for the years then ended in conformity with accounting principles generally accepted in the United States of America.

By law, PBGC’s Single-Employer and Multiemployer Program Funds must be self-sustaining. As of September 30, 2006, PBGC reported in its financial statements net deficit positions (liabilities in excess of assets) in the Single-Employer and Multiemployer Program Funds of $18,142 million and $739 million, respectively. As discussed in Note 7 to the financial statements, losses as of September 30, 2006 for the Single-Employer and Multiemployer Programs that are reasonably possible as a result of unfunded vested benefits are estimated to be $73,000 million and $83 million, respectively. The PBGC’s net deficit, and long-term viability, could be further impacted by losses from plans classified as reasonably possible (or from other plans not yet identified as potential losses) as a result of deteriorating economic conditions, the insolvency of a large plan sponsor or other factors. PBGC has been able to meet their short-term benefit obligations. However, as discussed in Note 1 to the financial statements, management believes that neither program at present has the resources to fully satisfy PBGC’s long-term obligations to plan participants.

In accordance with Government Auditing Standards, we have also issued our reports dated November 9, 2006 on our consideration of PBGC’s internal control over financial reporting and on our tests of its compliance with certain provisions of laws and regulations and other matters. Those reports are an integral part of an audit performed in accordance with Government Auditing Standards and should be considered in assessing the results of our audit.

The financial statement highlights, management’s discussion and analysis, actuarial valuation, annual performance report, and financial summary contain a wide range of data, some of which are not directly related to the financial statements. We do not express an opinion on this information. However, we compared this information for consistency with the financial statements and discussed the methods of measurement and presentation with PBGC officials. Based on this limited work, we found no material inconsistencies with the financial statements.

Calverton, Maryland

November 9, 2006

Independent Auditor’s Report on Internal Control

To the Inspector General of the
Pension Benefit Guaranty Corporation

We have examined management’s assertion included in the accompanying Annual Management Report, that the Pension Benefit Guaranty Corporation (PBGC) maintained effective internal control over financial reporting (including safeguarding assets) and compliance with laws and regulations as of September 30, 2006, based on the criteria contained in the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) (31 U.S.C. 3512). PBGC’s management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants; Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 06-03, Audit Requirements for Federal Financial Statements, and, accordingly, included obtaining an understanding of the internal control over financial reporting (including safeguarding assets) and compliance with laws and regulations, testing and evaluating the design and operating effectiveness of the internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

We did not evaluate all internal controls relevant to operating objectives as broadly defined by FMFIA, such as those controls relevant to preparing statistical reports and ensuring efficient operations. We limited our internal control testing to controls over financial reporting and compliance. Because of inherent limitations in any internal control, misstatements due to error, fraud, losses, or noncompliance may occur and not be detected. Also, projections of any evaluation of the internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, management’s assertion that PBGC maintained effective internal control over financial reporting (including safeguarding assets) and compliance with laws and regulations as of September 30, 2006 is fairly stated, in all material respects, based on criteria contained in FMFIA.

However, we noted certain matters involving the internal control over financial reporting (including safeguarding assets) and compliance with laws and regulations and its operation that we consider to be reportable conditions. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting (including safeguarding assets) and compliance with laws and regulations that, in our judgment, could adversely affect PBGC’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Reportable conditions we noted are as follows:

PBGC needs to integrate its financial management systems (Repeat Condition).
PBGC needs to complete its efforts to fully implement and enforce an effective information security program (Repeat Condition).
PBGC needs to improve controls related to single-employer premiums (Repeat Condition).
PBGC needs to strengthen its preparedness for unanticipated incidences and disruptions (Repeat Condition).

A material weakness is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. We believe that none of the reportable conditions described in this report are material weaknesses.

REPORTABLE CONDITIONS

1. PBGC Needs to Integrate Its Financial Management Systems (Repeat Condition)

A lack of integration of PBGC’s significant financial management systems was identified in prior year audits. These systems include: Financial Reporting System (FRS), Performance Accounting (PA) System, Trust Accounting System (TAS), Participant Records Information System Management (PRISM), Premium Accounting System (PAS), Integrated Present Value of Future Benefits (IPVFB), and Pension and Lump Sum System (PLUS).

OMB Circular A-127, Financial Management System, requires that financial management systems should be designed to provide for effective and efficient interrelationships between systems. This Circular states the following:

“The term "single, integrated financial management system" means a unified set of financial systems and the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls and data necessary to carry out financial management functions, manage financial operations of the agency and report on the agency's financial status to central agencies, Congress and the public. Unified means that the systems are planned for and managed together, operated in an integrated fashion, and linked together electronically in an efficient and effective manner to provide agency-wide financial system support necessary to carry out the agency's mission and support the agency's financial management needs.”

OMB’s Office of Federal Financial Management’s (OFFM – formerly the Joint Financial Management Improvement Program – JFMIP) Core Financial System Requirements document, lists the following integrated financial management system attributes:

Standard data classifications (definition and formats) established and used for recording financial events.
Common processes used for processing similar kinds of transactions.
Internal controls over data entry, transaction processing, and reporting applied consistently.
A system design that eliminates unnecessary duplication of transaction entry.

PBGC has manual controls related to its significant financial management systems and is making progress to further improve data integrity controls and promote further integration of systems, as evidenced by the following:

The system interface controls, used to reconcile data transmitted to and from the three general ledger applications, TAS, PA, and FRS, appear to be operating effectively.
The manual interface controls, used to reconcile data between IPVFB and FRS, appear to be operating effectively.

Additionally, management stated that:

PBGC performed testing of its commercially based general ledger system, Consolidated Financial System (CFS), which integrates the three previously separate ledger systems (TAS, PA and FRS), and incorporates full budget execution and administrative payment processes. This Oracle Enterprise Resources Planning software system allows organizations to be compliant with OFFM’s Core Financial System Requirements. PBGC will make CFS its system of record, effective October 1, 2006.
PBGC also integrated the design of its premium system upgrade, Premium Payment System (PPS), into the design of CFS. During FY 2006 a contract was awarded for the design and implementation of that critical element as a sub-ledger with an anticipated completion date of October 2007.

Despite the above, we believe more needs to be done to integrate PBGC's existing significant financial management systems. We identified the following factors relevant to the integration of systems:

Lack of standard data classifications and common data elements:

PBGC management has indicated that a logical database model is being developed. Therefore, no centralized data catalog defining data elements or data access method was available for current databases.
The current decentralized database structure may lead to erroneous financial and participant data. For example, the same data elements are required to be reformatted or are used for different purposes across PBGC's various applications.
The current decentralized database structure may lead to untimely financial or participant data. Participant data must be reformatted and distributed to multiple PBGC systems; therefore, users may be relying on outdated information to make business decisions.

Duplication of transaction entry:

PBGC uses three general ledger systems, TAS, PA, and FRS, to track and record trust, revolving, and consolidated transactions, respectively, rather than one system to track and record all three. Therefore, manual processes and adjustments are required to synchronize the data from TAS and PA to FRS; however, it is anticipated by management that CFS will address these issues for FY 2007.
Probable and multiemployer plan data initially entered into IPVFB must be manually re-entered into a spreadsheet and then manually entered into FRS as adjusting journal entries.
Plan data initially entered into the Case Administration System (CAS) application must be re-entered into the TAS application's portfolio header.
Plan contingency listings are determined using data extracted from PAS. However, plans with multiple filings must be manually aggregated before the plans can be classified.
Plan sponsor data initially entered into PAS to process receivables must also be entered into PA to process refunds. Management stated that this has been addressed in the design of the new CFS/PPS system.

Poor data integrity:

The data in PAS requires significant manual review and adjustment before it can be used for the purpose of reporting the premium income and receivables in PBGC's financial statements.

In the short term, PBGC’s ability to accurately and efficiently accumulate and summarize information required for internal and external financial reporting may be impacted. For this reason, this issue remains a reportable condition for fiscal year (FY) 2006.

Recommendation:

We are encouraged by the improvement made and direction taken by PBGC in the areas noted above. However, we recommend that PBGC continue its efforts in this area by doing the following:

Integrate its financial management systems, in accordance with OMB Circular A-127. (OIG Control Number FOD-268)

2. PBGC Needs to Complete its Efforts to Fully Implement and Enforce an Effective Information Security Program (Repeat Condition)

Improvement is needed in PBGC’s enterprise-wide security management program as indicated in prior year audits. During our FY 2006 review of PBGC's existing security program, we noted that PBGC made the following progress:

PBGC has developed and granted interim approval for its Enterprise Information Security Policy in June 2006, pending (a) review of other existing directives for possible conflict and overlaps, and (b) circulation for comments by PBGC offices. The purpose of PBGC’s information security policy document is to identify and disseminate the principles and framework that guide the secure usage of information at PBGC.

Our review of PBGC's existing security program revealed continuing weaknesses in controls that expose PBGC's significant financial management systems and data to unauthorized access and/or modification. Weaknesses included the following:

Weaknesses in PBGC’s certification and accreditation (C&A) program impact the reporting of accurate and complete information required for PBGC to make credible, risk-based decisions related to production system operations. These weaknesses compromise PBGC’s ability to accept and manage the risk to PBGC’s operations, agency assets, and personnel. Without an effective C&A program, there will be no reasonable assurance that PBGC’s information systems are able to meet both their functional requirements and provide adequate security to protect PBGC’s operations, assets, and personnel. For example, PBGC had not completed effective security plans, risk assessments, and testing as part of its C&A program. The National Institute of Standards and Technology (NIST) Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides the framework under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347, for how PBGC’s C&A program is to be implemented.
PBGC’s current information security policy and plan do not comply with standards and guidance issued by NIST in furtherance of its statutory responsibilities under FISMA. NIST has developed standards and guidelines, including minimum requirements for providing adequate information security for all agency operations and assets.

The 2006 reorganization of the Office of Information Technology (OIT) has severely impacted the Information System Security Officer’s (ISSO) ability to ensure appropriate operational security for PBGC’s information system security program. The change in organizational structure further demotes the ISSO function in establishing security policies and procedures and reduces clarity on the ISSO’s responsibility and accountability. The ISSO function at PBGC has not been placed organizationally in a position to effectively carry out PBGC’s responsibilities under FISMA.

OIT’s process for reviewing, approving and disseminating policies and procedures needs improvement. Certain policies presented as approved referenced outdated or non-existent policies and procedures. In some cases, PBGC policies and procedures were not implemented and enforced because responsible officials were not aware of their existence.
PBGC has not consistently deployed security configurations across its significant financial management applications and general support systems.
PBGC has not formalized effective processes for granting, removing, and recertifying user access to significant financial management applications and general support systems.
Application owners or administrators do not perform periodic auditing and monitoring of user access and sensitive transactions for significant financial management systems
OIT management’s, application owners’, and application administrators’ duties are not clearly defined regarding user and security administration for significant financial management systems.
PBGC has granted developers inappropriate access to the production environment.
OIT has not developed a process that would allow the ISSO to manage and monitor the effectiveness of the entity-wide security program.

Until PBGC implements a complete and effective enterprise-wide information security program that complies with FISMA and NIST standards and guidance, its ability to mitigate and appropriately manage the risk of unauthorized access to, and/or modification or disclosure of sensitive PBGC financial information will be impaired.

Recommendations:

We recommend that PBGC management perform the following:

Assign specific resources to 1) update the general security plan and associated security policies to reflect the current operating environment, and 2) complete the implementation of a fully functional and integrated enterprise-wide information security program, with priority given to implementation and monitoring of technical security standards. (OIG Control Number CTO-5)
Develop enforcement mechanisms to ensure that all departments comply with the enterprise-wide information security program, as well as consistently enforce policies and procedures for logical access to information resources that are based on the concepts of "least possible privilege". (OIG Control Number CTO-6)
Implement an organization structure that promotes independence and reporting with regard to PBGC’s information security program. (OIG Control Number CIO-1)
Implement a certification and accreditation program that is in full compliance with NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. (OIG Control Number OIT-86)
Strengthen the OIT process for reviewing, approving and disseminating policies and procedures to ensure documents are 1) accurate, consistent, and properly approved, and 2) properly disseminated to the officials and responsible parties for their implementation and enforcement. (OIG Control Number OIT-87)

3. PBGC Needs to Improve Controls Related to Single-Employer Premiums (Repeat Condition)

Management has acknowledged the weaknesses associated with the single-employer premiums and has taken steps to improve the internal controls for premiums including the FY 2006 award of a contract for the design and implementation of a new premium accounting system with an anticipated completion date of October 2007. However, we noted continued internal control weaknesses in our 2006 audit.

The control weaknesses we identified relate to the following internal control objectives:

Safeguarding of Assets - Ensuring PBGC collects all premiums due under statute. OMB Circular A-123, Management’s Responsibility for Internal Control, requires that: “The agency head must establish controls that reasonably ensure that: i) obligations and costs are in compliance with applicable law; (ii) funds, property, and other assets are safeguarded against waste, loss, unauthorized use or misappropriation.”
Financial Reporting - Ensuring PBGC reports complete and reliable premium revenue and receivables in the financial statements. OMB Circular A-123 states that: “The agency head must establish controls that reasonably ensure that: … iii) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.”

Data quality weaknesses:

During PAS conversion from the legacy Premium Processing System, PBGC experienced difficulty in migrating data. In addition, errors due to incorrect data entry, adjustments, and system-generated balances while not identified as an ongoing issue during the FY 2006 audit were noted as issues in the FY 2004 audit and prior years. These difficulties are the underlying cause of several of the control weaknesses noted during our testing.

PBGC’s ability to identify plans that have a premium filing requirement and to collect premiums owed is limited because the Audit and Enforcement module within PAS to compare Form 1 (premium filing form) filings to pension plan Form 5500 filings with the Department of Labor is not currently functional and will not be until the new premium system is implemented. A match of this data was performed outside of PAS during FY 2006; however, the results of this process have not yet been analyzed. Completing this analysis would enable PBGC to potentially identify plans which had not filed or paid their associated premiums.

Impact of data quality weaknesses:

Because of the data quality issues noted, PBGC is unable to efficiently utilize two of its primary tools, Past Due Filing Notices (PDFN) and Statements of Account (SOA), to ensure the accuracy and completeness of premium data. The PDFN is a PAS-generated notice mailed to plans that have not submitted premium filings. The SOA is also a PAS-generated notice used to ensure that underpaid or overpaid premiums from a plan sponsor are effectively rectified. We noted during the audit that PDFNs and SOAs are not mailed timely in accordance with PBGC policy because significant resources must be expended prior to mailing each notice to validate the information. Because these notices are not mailed in a timely manner, the potential exists that premiums will not be collected or that errors in amounts reflected in PAS will not be detected.

Other control matters:

Finally, we noted that all of the pertinent policies and procedures related to the premium accounting cycle have not been documented, communicated, or implemented throughout PBGC.

Recommendations:

While we acknowledge that PBGC is currently working toward the implementation of a new premium system with an implementation date currently scheduled for October 2007, we continue to recommend that PBGC:

Implement controls to reconcile Form 1 information received by PBGC to Form 5500 information received by the Department of Labor as a means of identifying plans that have not filed or paid their associated premiums. (OIG Control Number FOD-334)
Compile a comprehensive polices and procedures manual for processing and accounting for premium revenue. (OIG Control Number FOD-335)

4. PBGC Needs to Strengthen Its Preparedness for Unanticipated Incidences and Disruptions (Repeat Condition)

PBGC has developed a Continuity of Operations Plan (COOP) that identifies and exercises its ability to respond to a limited number and type of incidents that impact

operations. However the COOP is just one component of a full spectrum of service continuity controls that would allow PBGC to reduce the impact on its operations due to unexpected events. For example, just as losing the capability to process and protect information maintained on PBGC’s computer systems can significantly impact PBGC’s ability to accomplish its mission, maintain productivity, and ensure financial integrity, so would safely evacuating staff from a building due to a fire or similar emergency and relocating operations or dealing with a pandemic flu outbreak have a comparable impact.

Strong service continuity controls should identify and address adequate procedures to minimize the risk of unplanned interruptions and be included in a plan to recover critical operations should such interruptions occur. This plan should consider the impact on and recovery of all facilities, personnel, and information systems as they relate to PBGC’s mission and business objectives. These procedures and plan should be tested periodically to ensure they will work as intended, and if not, timely corrections can be made before the next test.

During our FY 2006 review of PBGC's ability to develop and implement a contingency plan, we noted that PBGC made the following progress:

PBGC has drafted its contingency planning policy statement which is in the process of being approved, disseminated and implemented. The contingency planning policy statement will be effective in FY 2007. The policy addresses a comprehensive set of objectives for the establishment of the organizational framework and responsibilities for comprehensive contingency planning at PBGC, of which COOP is one component.
PBGC is in the process of conducting a business impact analysis (BIA) that will address a comprehensive set of contingency planning scenarios to further direct its development and implementation of a more robust contingency planning process.

We identified the following service continuity control deficiencies in PBGC’s completion of key elements required in establishing a comprehensive contingency plan:

PBGC’s current BIA addressed items necessary to develop its COOP. The BIA did not address all significant recovery issues related to contingency planning.
PBGC’s COOP policy statement was too narrow to meet the needs of PBGC. This was the only contingency related policy statement in effect during FY 2006. It only establishes one objective (e.g. to continue to perform certain critical functions of PBGC in the event that an emergency renders or threatens to render the PBGC sites unusable). PBGC did not have an approved contingency planning policy statement in FY 2006 that addresses a comprehensive set of objectives for the establishment of the organizational framework and responsibilities for comprehensive contingency planning of which COOP is one component.
PBGC’s recovery strategies do not address prioritized recovery scenarios based on disruption impacts and allowable outage times for the failure and/or degradation of critical system components at headquarters. The current strategy does not include a combination of methods that complement one another to provide recovery capability over the full spectrum of incidents.
Although PBGC conducts at least two (2) tests of its COOP annually, PBGC has not demonstrated its ability to successfully recover its major business processes. For example, PBGC could not recover and process several major applications during its August 2006 COOP test. The COOP test did not meet intended objectives and did not achieve the level of recovery envisaged in the COOP test plan. PBGC’s participation in the federal “Forward Challenge” exercise also did not demonstrate PBGC’s ability to successfully operate from an alternative site.

Recommendations:

First, establish and implement a contingency planning policy statement that addresses a comprehensive set of objectives for the establishment of the organizational framework and responsibilities for comprehensive contingency planning. (OIG Control Number FASD-130)
Second, conduct a BIA that addresses a full set of contingencies, including system outages and degradation issues at headquarters. (OIG Control Number FASD-131)
Finally, develop, document, implement, and test recovery strategies as part of PBGC’s COOP to achieve the comprehensive set of objectives in PBGC’s contingency planning policy statement and address the disruption impacts and allowable outage times identified in PBGC’s comprehensive BIA. (OIG Control Number FASD-132)

n addition to the reportable conditions described above, we noted certain matters involving internal control and its operation that we reported to the management of PBGC in a separate letter dated November 9, 2006.

This report is intended solely for the information and use of PBGC’s Office of Inspector General, Board of Directors, management of PBGC, Government Accountability Office, Office of Management and Budget, the United States Congress, and the President and is not intended to be and should not be used by anyone other than these specified parties.

Calverton, Maryland

November 9, 2006

Independent Auditor’s Report on Compliance and Other Matters

To the Inspector General of the
Pension Benefit Guaranty Corporation

We have audited the financial statements of the Single-Employer and Multiemployer Program Funds administered by the Pension Benefit Guaranty Corporation (PBGC) as of and for the year ended September 30, 2006, and have issued our report thereon dated November 9, 2006. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 06-03, Audit Requirements for Federal Financial Statements.

The management of PBGC is responsible for complying with laws and regulations applicable to PBGC. As part of obtaining reasonable assurance about whether PBGC’s financial statements are free of material misstatement, we performed tests of its compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts. We limited our tests of compliance to these provisions and we did not test compliance with all laws and regulations applicable to PBGC. However, providing an opinion on compliance with those provisions was not an objective of our audit and, accordingly, we do not express such an opinion.

The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations discussed in the preceding paragraph or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 06-03.

Calverton, Maryland

November 9, 2006

Back to Annual Report Index | Back to WWW.PBGC.GOV | PDF version of PBGC's 2006 Annual Report