This is the accessible text file for GAO report number GAO-05-20 entitled 'Financial Management: Improved Financial Systems Are Key to FFMIA Compliance' which was released on October 01, 2004. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: October 2004: FINANCIAL MANAGEMENT: Improved Financial Systems Are Key to FFMIA Compliance: GAO-05-20: GAO Highlights: Highlights of GAO-05-20, a report to the Senate Committee on Governmental Affairs and the House Committee on Government Reform. Why GAO Did This Study: The ability to produce the data needed to efficiently and effectively manage the day-to-day operations of the federal government and provide accountability to taxpayers has been a long-standing challenge to most federal agencies. 
To help address this challenge, the Federal Financial Management Improvement Act of 1996 (FFMIA) requires the 23 Chief Financial Officers Act agencies to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the U.S. Government Standard General Ledger (SGL) at the transaction level. FFMIA also requires GAO to report annually on the implementation of the act. What GAO Found: Federal agencies continue to make progress in addressing their financial management weaknesses; however, for fiscal year 2003, auditors for 17 of the 23 CFO Act agencies still reported that agencies’ financial management systems failed to comply with FFMIA. The nature and severity of the reported problems indicate that generally agency management lacked the full range of reliable, useful, and timely information needed for accountability, performance reporting, and decision making. As shown in the figure below, six main types of problems related to agencies’ systems were consistently identified. Problems Reported by Auditors for Fiscal Years 2000 through 2003: [See PDF for image] Note: Based on independent auditors’ reports for fiscal years 2000 – 2003, prepared by agency inspectors general and contract auditors. [End of table] As prescribed in OMB’s reporting guidance, auditors for six agencies provided negative assurance on agency systems’ FFMIA compliance for fiscal year 2003. This means that nothing came to their attention to indicate that financial management systems did not meet FFMIA requirements. GAO continues to believe that this type of reporting is not sufficient under the act and that report users may have the false impression that auditors have reported agency systems to be compliant. 
To address problems such as nonintegrated systems, inadequate reconciliations, and lack of SGL compliance, agencies are implementing or upgrading financial management systems. Agencies anticipate the new systems will provide reliable, useful, and timely data to support managerial decision making. However, our work at DOD, HHS, and NASA has shown significant problems exist in implementing financial management systems and that agencies are not following the necessary disciplined processes for efficient and effective implementation of these systems. Disciplined processes have been shown to reduce the risks associated with software development and acquisition efforts to acceptable levels and are fundamental to successful system acquisition and implementation. Moreover, governmentwide initiatives to improve financial management systems can help enhance the government’s performance and services for citizens. What GAO Recommends: GAO reaffirms its prior recommendations that OMB revise its FFMIA audit guidance to: (1) include a statement of positive assurance when reporting an agency’s systems to be in substantial compliance with FFMIA, and (2) clarify the definition of “substantial compliance” to promote consistent reporting of FFMIA compliance. As in the past, OMB did not agree with our view on the need for auditors to provide positive assurance on FFMIA, but agreed to consider clarifying the definition of “substantial compliance” in future policy and guidance updates. www.gao.gov/cgi-bin/getrpt?GAO-05-20. For more information, contact Sally Thompson at (202) 512-2600 or thompsons@gao.gov. 
[End of section]

Contents:

Letter:
Results in Brief:
Background:
Scope and Methodology:
Continued Systems Weaknesses Impede Financial Management Accountability:
Agencies Struggle to Implement New Financial Systems:
Conclusions:
Agency Comments and Our Evaluation:

Appendixes:
Appendix I: Requirements and Standards Supporting Federal Financial Management:
Appendix II: Publications in the Federal Financial Management Systems Requirements Series:
Appendix III: Statements of Federal Financial Accounting Concepts, Statements of Federal Financial Accounting Standards, and Interpretations:
Appendix IV: AAPC Technical Releases:
Appendix V: Checklists for Reviewing Systems under the Federal Financial Management Improvement Act:
Appendix VI: Comments from the Office of Management and Budget:
Appendix VII: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Acknowledgments:

Table:
Table 1: PMO-Certified Core Financial Systems:

Figures:
Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through 2003:
Figure 2: Pyramid to Accountability and Useful Management Information:
Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000 through 2003:
Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through 2003:
Figure 5: Agency Systems Architecture:

Abbreviations:

AAPC: Accounting and Auditing Policy Committee
AID: Agency for International Development
ARS: Accrual Reporting System
BSM: Business Systems Modernization
CDC: Centers for Disease Control and Prevention
CFO: chief financial officer
CMS: Centers for Medicare and Medicaid Services
CoreFLS: Core Financial and Logistics System
COTS: commercial off-the-shelf
DHS: Department of Homeland Security
DLA: Defense Logistics Agency
DOD: Department of Defense
EPA: Environmental Protection Agency
FAM: GAO/PCIE Financial Audit Manual
FASAB: Federal Accounting Standards Advisory Board
FFMIA: Federal Financial Management Improvement Act
FFMSR: Federal Financial Management System Requirements
FIA: Federal Managers' Financial Integrity Act
FISMA: Federal Information Security Management Act
GSA: General Services Administration
HHS: Department of Health and Human Services
IEEE: Institute of Electrical and Electronic Engineers
IFMP: Integrated Financial Management Program
IRS: Internal Revenue Service
JFMIP: Joint Financial Management Improvement Program
LOB: Line of Business
LMP: Logistics Modernization Program
NASA: National Aeronautics and Space Administration
NBRSS: NIH Business and Research Support System
NIH: National Institutes of Health
NRC: Nuclear Regulatory Commission
NSF: National Science Foundation
OIG: Office of Inspector General
OMB: Office of Management and Budget
OPM: Office of Personnel Management
PART: Performance and Assessment Rating Tool
PCIE: President's Council on Integrity and Efficiency
PMA: President's Management Agenda
PMO: Program Management Office
SEI: Software Engineering Institute
SFFAC: Statements of Federal Financial Accounting Concepts
SFFAS: Statement of Federal Financial Accounting Standards
SGL: U.S. Government Standard General Ledger
SSA: Social Security Administration
UFMS: Unified Financial Management System
VA: Department of Veterans Affairs

Letter

October 1, 2004:

The Honorable Susan M. Collins:
Chairman:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Governmental Affairs:
United States Senate:

The Honorable Tom Davis:
Chairman:
The Honorable Henry A. Waxman:
Ranking Minority Member:
Committee on Government Reform:
House of Representatives:

Many federal agencies still lack the ability to produce the data needed to efficiently and effectively manage day-to-day operations and provide an acceptable level of accountability to taxpayers. 
To address this long-standing weakness of the federal government, the Chief Financial Officers (CFO) Act of 1990[Footnote 1] designates executive branch officials with responsibility for the modernization of financial management systems, so that the systematic measurement of performance; the development of cost information; and the integration of program, budget, and financial information for management reporting can be achieved. The Federal Financial Management Improvement Act of 1996[Footnote 2] (FFMIA) builds on the foundation laid by the CFO Act by reflecting the need for agencies to have systems that can generate reliable, useful, and timely information with which to make fully informed decisions and to ensure accountability on an ongoing basis. FFMIA requires the CFO Act agencies[Footnote 3] to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the U.S. Government Standard General Ledger (SGL) at the transaction level. The act also requires auditors to state in their audit reports whether the agencies' financial management systems substantially comply with the act's requirements. Furthermore, we are required to report annually on the implementation of the act. This report, our eighth, discusses (1) the auditors' assessments of agency systems' compliance with FFMIA for fiscal year 2003 and the financial management systems problems that continue to affect systems' FFMIA compliance and (2) the challenges agencies have faced when implementing financial systems to help move toward FFMIA compliance. We conducted our work from April through August 2004 in the Washington, D.C., area in accordance with U.S. generally accepted government auditing standards. 
Results in Brief: Although agencies continue to make some progress in addressing their financial management systems weaknesses, the fiscal year 2003 audit reports disclose that agencies' financial management systems continue to have serious deficiencies. As a result of these deficiencies, most agencies' financial management systems are still unable to routinely produce reliable, useful, and timely financial information. This weakness manifests itself by limiting the federal government's capacity to manage with timely and objective data, and thereby hampers its ability to effectively manage and oversee its major programs. Auditors for 17 of the 23 CFO Act agencies reported that their agencies' financial management systems did not comply substantially with one or more of the three FFMIA requirements. Auditors' assessments for three agencies changed from fiscal year 2002 to 2003. For fiscal year 2003, auditors for the Department of Commerce were able to provide negative assurance due to the implementation of a new integrated financial management system and improvements in general information technology controls. Auditors at the Nuclear Regulatory Commission (NRC) were also able to provide negative assurance due to a redesign of the agency's cost accounting system and enhancement of the internal controls and operating procedures documentation. Systems of both agencies had been reported as lacking substantial compliance with FFMIA for fiscal year 2002. Conversely, auditors for the General Services Administration (GSA), which implemented a new financial management system in fiscal year 2002, reported that GSA's systems lacked substantial compliance for fiscal year 2003 because they did not substantially comply with federal financial management systems requirements. 
Specifically, the auditors found that GSA lacked adequate policies and procedures for reconciliations and that the reconciliations performed were not completed in a timely manner, a downgrade from the fiscal year 2002 assessment. The Department of Homeland Security (DHS) is currently not subject to the CFO Act and, consequently, is not required to comply with FFMIA. Accordingly, DHS' auditors did not report on the department's compliance with FFMIA. However, the auditors did identify and report certain deficiencies that relate to the three FFMIA requirements. Based on its budget, DHS is the largest entity in the federal government that is neither subject to the CFO Act nor required to comply with FFMIA system requirements. Given the need for strong financial management, consideration is now being given by each house of Congress to adding DHS to the list of CFO Act agencies. Auditors for six agencies[Footnote 4] reported that the results of their tests disclosed no instances in which the agencies' systems did not substantially comply with FFMIA. The auditors did not provide positive assurance by definitively stating whether the agencies' financial management systems substantially complied with FFMIA. Instead, the auditors provided negative assurance of FFMIA compliance as permitted by the Office of Management and Budget's (OMB) audit guidance. To provide positive assurance as required by the act, more testing is necessary than that performed for the purposes of rendering an opinion on the financial statements. Based on our review of the fiscal year 2003 audit reports for the 17 agencies reported to have noncompliant systems, we identified six continuing, primary problems that affect FFMIA compliance. (See fig. 1.) 
While more severe at some agencies than others, the nature and seriousness of the reported problems indicate that generally most agencies' financial management systems are not yet able to routinely produce reliable, useful, and timely financial information.

Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through 2003:
[See PDF for image]
Note: Based on independent auditors' reports for fiscal years 2000-2003, prepared by agency inspectors general and contract auditors.
[End of figure]

Many agencies are in the process of updating or replacing their core financial systems as part of their financial management system improvement efforts. However, our work at the Department of Defense (DOD), the Department of Health and Human Services (HHS), and the National Aeronautics and Space Administration (NASA) and the work of the Department of Veterans Affairs (VA) Office of Inspector General (OIG) have shown that agencies face significant risk in implementing financial management systems and have not always followed the accepted best practices, commonly referred to as disciplined processes, needed for efficient and effective development and implementation of these systems. Disciplined processes have been shown to reduce the risks associated with software development and acquisition efforts to acceptable levels and are fundamental to successful system acquisition and implementation. A disciplined software development and acquisition process can maximize the likelihood of achieving the intended results within established costs and on schedule. The key to having a disciplined system acquisition and implementation effort is to have disciplined processes in multiple areas, including requirements management, testing, project planning and oversight, risk management, and quality assurance. 
Our review of agencies' implementation of new financial management systems found, and a review by the VA OIG[Footnote 5] also reported, that disciplined processes are not being followed. For example:

* In May 2004, we reported[Footnote 6] that for two major DOD financial management systems, the initial deployments did not operate as intended and, therefore, did not meet component-level needs. In large part, these operational problems were due to DOD not effectively implementing the disciplined processes that are necessary to manage the development and implementation of the systems in the areas of requirements management and testing. DOD program officials have acknowledged that the initial deployments of these systems experienced problems that could be attributed to requirements and testing.

* In September 2004, we reported[Footnote 7] that the lack of disciplined processes puts implementation of HHS' financial system at risk. HHS had not developed sufficient quantitative measures for determining the impact of process weaknesses, could not be assured that the system will provide all of the functionality needed, and had not developed the necessary framework for testing requirements. Further, its schedule left little time for correcting process weaknesses and identified defects. As a result, HHS has decided to delay the implementation of a significant amount of functionality associated with the initial full deployment from October 2004 until April 2005 in order to address the issues that had been identified with the project.

* As we have reported[Footnote 8] numerous times in 2003 and 2004, NASA faces considerable challenges in implementing a financial management system--the Integrated Financial Management Program (IFMP). NASA is on its third attempt in 12 years to modernize its financial management process and systems, and has spent about $180 million on its two prior failed efforts. NASA was not following key best practices for acquiring and implementing the system. For example, NASA lacked disciplined requirements management and testing processes. As a result, NASA increased its risk that IFMP would cost more and do less than planned. The core financial module, which was fully deployed in June 2003 as called for in the project schedule, still did not address many of the agency's most challenging external reporting issues, such as external reporting problems related to property accounting and budgetary accounting. Additionally, NASA deferred the configuration and testing of several essential capabilities of the financial module and is not FFMIA compliant.

* In July 2004, VA halted implementation of its new core financial system, which had cost about $249 million. The VA OIG reported that contracting and monitoring of the VA project were not adequate and the pilot deployment of the system encountered multiple problems.

As the federal government moves forward on new initiatives to enhance financial management and provide results-oriented information, it is crucial that disciplined processes are effectively used to reduce risks related to implementing governmentwide solutions. Moreover, ensuring that staff with the requisite skills are in place to implement and operate new financial management systems is critical to success. While we are not making any new recommendations in this report, we reaffirm our prior recommendations[Footnote 9] aimed at enhancing OMB's audit guidance related to FFMIA assessments. Specifically, we recommended that OMB (1) require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with FFMIA and (2) further clarify the definition of "substantial compliance" to encourage consistent reporting. 
In commenting on a draft of this report, OMB agreed with our assessment that agencies have a long way to go before federal managers receive the data needed to efficiently and effectively manage the day-to-day operations of the federal government. Moreover, OMB agreed with us that financial management success encompasses more than agencies receiving unqualified opinions on their financial statements. As in previous years, we and OMB have differing views on the level of audit assurance necessary for assessing substantial compliance with FFMIA. We will continue to work with OMB on this issue. Our detailed evaluation of OMB's comments can be found at the end of this letter. Background: FFMIA and other financial management reform legislation have emphasized the importance of improving financial management across the federal government. Beginning in 1990, the Congress has passed a series of management reform legislation to improve the general and financial management of the federal government. As shown in figure 2, the combination of reforms ushered in by the (1) CFO Act of 1990, (2) Government Performance and Results Act of 1993,[Footnote 10] (3) Government Management Reform Act of 1994,[Footnote 11] (4) FFMIA, (5) Clinger-Cohen Act of 1996,[Footnote 12] and (6) Accountability of Tax Dollars Act of 2002,[Footnote 13] if successfully implemented, provides a solid basis for improving accountability of government programs and operations as well as routinely producing valuable cost and operating performance information. Figure 2 shows the three levels of the pyramid that result in the end goal, accountability and useful management information. The bottom level of the pyramid is the legislative framework that underpins the improvement of the general and financial management of the federal government. The second level shows the drivers that build on the legislative requirements and influence agency actions to meet these requirements. 
The three drivers are the (1) President's Management Agenda (PMA), (2) congressional and other oversight, and (3) the Joint Financial Management Improvement Program (JFMIP). The third level of the pyramid represents the key success factors for accountability and meaningful management information--integrating core and feeder financial systems, producing reliable financial and performance data for reporting, and ensuring effective internal control. The result of these three levels, as shown at the top of the pyramid, is accountability and meaningful management information needed to assess and improve the government's effectiveness, financial condition, and operating performance. Figure 2: Pyramid to Accountability and Useful Management Information: [See PDF for image] [End of figure] Building on the foundation laid by the CFO Act, FFMIA reflects the need for agencies to have systems that can generate reliable, useful, and timely information with which to make fully informed decisions and to ensure accountability on an ongoing basis. FFMIA requires the departments and agencies covered by the CFO Act to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards,[Footnote 14] and (3) the SGL[Footnote 15] at the transaction level. FFMIA also requires auditors to state in their CFO Act financial statement audit reports whether the agencies' financial management systems substantially comply with FFMIA's systems requirements. President's Management Agenda Supported by FFMIA Initiatives: The PMA, announced in the summer of 2001, is a plan for improving the management and performance of the federal government. It targets the most apparent deficiencies, where the opportunity to improve performance is the greatest. 
The modernization of agency financial management systems, as reflected in FFMIA, is critical to the success of all five PMA initiatives.[Footnote 16] Although FFMIA implementation relates directly to the improved financial performance initiative, development and maintenance of FFMIA-compliant systems will also affect the implementation of the other initiatives. A key element of PMA's performance budgeting initiative is the Performance and Assessment Rating Tool (PART). The development of PART represents a step toward a more structured involvement of program and performance analysis in the budget. It is a systematic method of assessing the performance of program activities across the federal government, consisting of a set of general questions on (1) program purpose and design, (2) strategic planning, (3) program management, and (4) program results. It also includes a set of more specific questions, which vary according to the type of delivery mechanism or approach an individual program uses, and calls for timely, reliable data to perform those assessments. Congressional Oversight Helps Provide Accountability: The leadership demonstrated by the Congress has been an important catalyst to reforming financial management in the federal government. As previously discussed, the legislative framework provided by the CFO Act and FFMIA, among others, produces a solid foundation to stimulate change needed to achieve sound financial systems management. For example, in November 2002, the Congress enacted the Accountability of Tax Dollars Act to extend the financial statements audit requirements of the CFO Act to additional federal agencies. Further, the Congress is currently contemplating adding DHS to the list of CFO Act agencies and requiring DHS to obtain an audit opinion on its internal controls. There is value in sustained congressional interest in these issues, as demonstrated by hearings on federal financial management and reform held over the past several years. 
It will be key that the appropriations, budget, authorizing, and oversight committees hold agency top management accountable for resolving these problems and that they support improvement efforts. The continued attention by the Congress to these issues will be critical to sustaining momentum for financial management reform.

JFMIP Works to Improve Federal Financial Management:

JFMIP is a joint and cooperative undertaking of the U.S. Department of the Treasury, GAO, OMB, and the Office of Personnel Management (OPM), working in cooperation to improve financial management practices in the federal government.[Footnote 17] Leadership is provided by the four principals of JFMIP--the Comptroller General of the United States, the Secretary of the Treasury, and the Directors of OMB and OPM. Since August 2001, the JFMIP principals have met regularly to discuss financial management issues, such as the acceleration of financial statement reporting. The Program Management Office (PMO), managed by the Executive Director of the JFMIP using funds provided by the CFO Council agencies, is responsible for the testing and certification of commercial off-the-shelf (COTS) core financial systems for use by federal agencies and coordinating the development and publication of functional requirements for financial management systems.[Footnote 18] OMB Circular No. A-127, Financial Management Systems, requires agencies to purchase only COTS packages sold by vendors whose core financial systems software has been certified by PMO. As shown in table 1, in 2003 and 2004, PMO certified that six core financial software packages met the core financial systems requirements.

Table 1: PMO-Certified Core Financial Systems:

Vendor name: SAP Public Services, Inc. (SAP); Product: mySAP ERP with Enterprise Add-on for Public Sector and Extension Set; Version: v4.7; Effective Date: 6/10/2003.
Vendor name: American Management Systems, Inc. (AMS); Product: Momentum Financials; Version: v5.0; Effective Date: 6/12/2003.
Vendor name: Digital Systems Group, Inc; Product: Integrated Financial Management Information Systems (IFMIS); Version: v6.0; Effective Date: 6/25/2003.
Vendor name: Oracle Corporation; Product: Oracle E-Business Suite 11i; Version: v11i.9; Effective Date: 9/10/2003.
Vendor name: PeopleSoft, Inc; Product: PeopleSoft Financial Management Solutions (FMS); Version: v8.8; Effective Date: 2/10/2004.
Vendor name: Savantage Solutions, Inc; Product: Altimate; Version: v3.0; Effective Date: 3/16/2004.

Source: PMO.

[End of table]

PMO assesses COTS packages for conformity with the minimum level or "floor" of system requirements. Therefore agencies should be aware that simply implementing a core financial system that has been certified by PMO does not ensure that these agencies will have financial systems that are compliant with FFMIA or provide reliable, useful, and timely data for day-to-day management. Factors that affect the FFMIA compliance and the effectiveness of an implemented COTS core financial system include how the software package has been configured to work in the agency's environment, whether any customization is made to the software, the success of converting data from legacy systems to new systems, and the quality of transaction data in the feeder systems.

Guidance for FFMIA Issued by OMB:

OMB sets governmentwide financial management policies and requirements and has issued two sources of guidance related to FFMIA. First, OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, dated October 16, 2000, prescribes specific language auditors should use when reporting on an agency system's substantial compliance with FFMIA. Specifically, this guidance calls for auditors to provide negative assurance when reporting on an agency system's FFMIA compliance. 
Second, in OMB Memorandum, Revised Implementation Guidance for the Federal Financial Management Improvement Act (Jan. 4, 2001), OMB provides guidance for agencies and auditors to use in assessing substantial compliance. The guidance describes the factors that should be considered in determining whether an agency's systems substantially comply with FFMIA's requirements. Further, the guidance provides examples of the types of indicators that should be used as a basis in assessing whether an agency's systems are in substantial compliance with each of the three FFMIA requirements. Finally, the guidance discusses the corrective action plans, to be developed by agency heads, for bringing their systems into compliance with FFMIA. Financial Audit Manual Section on FFMIA Developed by PCIE and GAO: We worked with representatives from the President's Council on Integrity and Efficiency (PCIE) to revise the joint GAO/PCIE Financial Audit Manual[Footnote 19] (FAM) to include sections[Footnote 20] that provide specific procedures auditors should perform when assessing FFMIA compliance. These sections include detailed audit steps for testing agency systems' substantial compliance with FFMIA. The FAM guidance on FFMIA assessments recognizes that while financial statement audits offer some assurance regarding FFMIA compliance, auditors should design and implement additional testing to satisfy FFMIA criteria. For example, in performing financial statement audits, auditors generally focus on the ability of the financial management systems to process and summarize financial information that flows into annual agency financial statements. In contrast, FFMIA requires auditors to assess whether an agency's financial management systems comply with system requirements. 
To do this, auditors need to consider whether agency systems provide reliable, useful, and timely information for managing day-to-day operations so that agency managers would have the necessary information to measure performance on an ongoing basis rather than just at year-end.

Scope and Methodology:

We reviewed the fiscal year 2003 financial statement audit reports for the 23 CFO Act agencies to identify the auditors' assessments of agency financial systems' compliance and the problems that affect FFMIA compliance. We also reviewed the fiscal year 2003 financial statement audit report for DHS to identify any FFMIA-related issues. Our prior experience with these auditors and our review of their reports provided the basis to determine the sufficiency and relevancy of evidence provided in these documents. Based on the audit reports, we identified problems reported by the auditors that affect agency systems' compliance with FFMIA. The problems identified in these reports are consistent with long-standing financial management weaknesses that we have reported based on our work at the Department of Agriculture, NASA, Treasury, and other agencies. However, we caution that the occurrence of problems in a particular category may be even greater than auditors' reports of FFMIA noncompliance would suggest because auditors may not have included all problems in their reports. We also reviewed our previously issued reports and those by the inspectors general to identify the challenges federal agencies face when implementing new systems. Finally, we held discussions with OMB officials to obtain information about its current efforts to help agencies develop systems that will comply with FFMIA. We conducted our work from April through August 2004 in the Washington, D.C., area in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from the Director of OMB or his designee. 
Comments from OMB are discussed in the "Agency Comments and Our Evaluation" section and reprinted in appendix VI.

Continued Systems Weaknesses Impede Financial Management Accountability:

While agencies are making some progress in producing auditable financial statements and addressing their financial management systems weaknesses, the vast majority of agency systems are still not substantially compliant with FFMIA's requirements. Figure 3 summarizes auditors' assessments of FFMIA compliance for fiscal years 2000 through 2003 and suggests that the instances of noncompliance with FFMIA's three requirements have remained fairly constant. For fiscal year 2003, OIGs and their contract auditors reported that the systems of 17 of the 23 CFO Act agencies did not substantially comply with at least one of FFMIA's three requirements--federal financial management systems requirements, applicable federal accounting standards, or the SGL at the transaction level.[Footnote 21] In fiscal year 2002, auditors for five agencies (SSA, Energy, NSF, EPA, and GSA) provided negative assurance that the agencies' financial systems were in compliance with FFMIA. In fiscal year 2003, the auditors at two additional agencies, Commerce and NRC, provided negative assurance that the systems at those agencies were in compliance with FFMIA, while auditors reported GSA's systems to be noncompliant. At Commerce, the auditors were able to provide negative assurance due to the implementation of a new integrated financial management system, combined with improvements in general information technology controls. Auditors at NRC provided negative assurance due to a redesign of the agency's cost accounting system and enhancement of the internal controls and operating procedures documentation. In contrast, for fiscal year 2003, GSA's systems were found to be noncompliant by its auditors due to reconciliation issues related to a newly implemented system.
Specifically, the auditors concluded that the systems GSA relied on during fiscal year 2003 failed to perform timely reconciliations of accounts payable and undelivered orders, Fund Balance with Treasury, and accounts receivable, which represented a lack of substantial compliance with FFMIA. In total, for 6 of the 23 CFO Act agencies, the auditors provided negative assurance by stating that nothing came to their attention that would indicate the systems did not comply with FFMIA for fiscal year 2003.

Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000 through 2003:

[See PDF for image]

Note: Based on independent auditors' reports for fiscal years 2000-2003, prepared by agency inspectors general and contract auditors.

[End of figure]

While more CFO Act agencies have obtained clean or unqualified audit opinions on their financial statements, there is little evidence of marked improvements in agencies' capacities to create the full range of information needed to manage day-to-day operations. The number of unqualified opinions has been increasing over the past 7 years, from 11 in fiscal year 1997 to 20 for fiscal year 2003; but the number of agencies reported to have substantially noncompliant systems has remained relatively steady. While the increase in unqualified opinions is noteworthy, a more important measure of financial systems' capability and reliability is that the number of agencies for which auditors provided negative assurance of FFMIA compliance has remained relatively constant throughout this same period. In our view, this has led to an expectation gap since, as more agencies receive clean opinions, expectations are raised that the government has sound financial management and can produce reliable, useful, and timely information on demand throughout the year, whereas FFMIA assessments offer a different perspective.
All CFO Act agencies issued their audited financial statements by the accelerated reporting deadline of February 1, 2004, for agency fiscal year 2003 financial statements. However, the deadline for issuance of fiscal year 2004 audited financial statements is November 15, 2004, just 45 days after the close of the fiscal year. Auditors at several of the CFO Act agencies reported that the agencies may not be able to produce auditable financial statements within the accelerated time frame for fiscal year 2004 without making fundamental changes to improve a number of their financial management practices.

DHS Is Not Required To Comply with FFMIA:

DHS is not subject to the CFO Act and, consequently, is not required to comply with FFMIA. Accordingly, DHS' auditors did not report on the department's compliance with FFMIA in fiscal year 2003. However, the auditors identified and reported deficiencies that relate to the three FFMIA requirements. Based on its budget, DHS is the largest entity in the federal government that is not subject to the CFO Act nor required to comply with FFMIA system requirements. Creating strong financial management at DHS is particularly challenging because most of the 22 entities brought together to form the department have their own financial management systems; processes; and in some cases, deficiencies. For example, five of the seven major agencies that transferred to DHS had 30 reportable conditions, 18 of which were considered material internal control weaknesses for fiscal year 2002 and four of the major agencies--that had previously been subject to stand-alone audits--had financial management systems that were not in substantial compliance with FFMIA. Some progress has been made in addressing the internal control weaknesses it inherited from component agencies. Nine of the 30 inherited internal control weaknesses have been closed as of September 30, 2003.
For DHS to develop a strong financial management infrastructure, it will need to address these and many other financial management issues. We fully support the objectives of the CFO Act to provide reliable financial information and improve financial management systems and controls and, as recently reported,[Footnote 22] we believe that it is critical that DHS be statutorily required to comply with important financial management reforms legislated in the CFO Act and FFMIA. Consideration is now being given by each house of Congress to adding DHS to the list of CFO Act agencies in the Department of Homeland Security Financial Accountability Act, H.R. 4259 and S. 1567, 108th Congress.

FFMIA Compliance Findings Based on Negative Assurance:

Auditors for six agencies (Commerce, Energy, EPA, NRC, NSF, and SSA) provided negative assurance that the agencies' systems were in compliance with FFMIA in fiscal year 2003, and five agencies did so in fiscal year 2002. Auditors provide negative assurance when they include language stating that nothing came to their attention during the course of their planned procedures to indicate that these agencies' financial management systems did not meet FFMIA requirements. If readers are not familiar with the concept of negative assurance, they may incorrectly assume that these systems have been fully tested by the auditors and that the agencies have achieved compliance. OMB's current audit guidance[Footnote 23] calls for auditors to provide negative assurance when reporting whether an agency's systems are in substantial compliance with FFMIA. To provide positive assurance of FFMIA compliance, auditors would need to perform more comprehensive audit procedures than those necessary to render an opinion for a financial statement audit. In performing financial statement audits, auditors generally focus on the capability of the financial management systems to process and summarize financial information that flows into financial statements.
In contrast, FFMIA is much broader and requires auditors to assess whether an agency's financial management systems substantially comply with systems requirements. To do this, auditors need to consider whether agency systems provide complete, accurate, and timely information for managing day-to-day operations. We believe that providing positive assurance of an agency's financial management system would identify weaknesses and lead to systems improvements that result in enhancing the performance, productivity, and efficiency of federal financial management, which is a goal of the PMA. Therefore, as we discussed in prior reports,[Footnote 24] we reaffirm our prior recommendation that OMB require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with FFMIA. OMB continues to support the requirement for negative assurance of FFMIA compliance due to cost-benefit concerns. While OMB agrees that testing should occur, and its guidance on FFMIA calls for it, OMB officials are concerned that the level of testing needed for positive assurance may be too time-consuming and costly. OMB officials stated that different, more coordinated approaches toward assessing an agency's internal controls and FFMIA compliance might provide sufficient assurance on an agency's systems. For example, in preparing the PMA scorecard assessments, OMB officials meet with agencies to discuss a number of financial management issues and have systems demonstrations. Agencies are asked to identify key business questions and related cost drivers. Then, the agencies must develop systems that can produce the information needed on those cost drivers to help management at all levels focus on results. OMB officials stated they believed the PMA scorecard framework offers an alternative route toward substantial compliance that is similar to that offered by positive assurance. In its written comments on a draft of this report (see app. 
VI) OMB stated that the processes used in evaluating agencies against the PMA standards can provide a corroborative mechanism in evaluating compliance with FFMIA. Our concern is that the information provided by this approach does not come under audit scrutiny and may not be reliable. For example, the PMA scorecard does not examine the nature and extent of adjustments that agencies make to their year-end financial statements. As long as extensive year-end adjustments are needed, there is no assurance that the financial information being provided by the systems is complete and accurate for day-to-day operations. A joint CFO Council/PCIE group is also currently investigating how internal control reporting similar to that required by the Sarbanes-Oxley Act of 2002[Footnote 25] might be useful in the federal government. OMB officials told us that the results of this CFO Council/PCIE study might provide another method of assessing and reporting on internal control and FFMIA compliance. Auditor reporting on internal control is a critical component of monitoring the effectiveness of an organization's accountability, especially for large, complex, or challenged entities that use taxpayers' dollars. Auditors can better serve their clients and other financial statement users and better protect the public interest by having a greater role in providing assurances of the effectiveness of internal control in deterring fraudulent financial reporting and protecting assets. Financial systems are an important element of an entity's internal control over financial reporting. Although enhanced internal control reporting would not necessarily address the full capability of the financial management systems in place, such reporting would include reportable internal control weaknesses caused by financial systems problems.
However, the full value of independent auditors' assessments of FFMIA compliance will not be fully realized until auditors perform a sufficient level of audit work to be able to provide positive assurance that agencies are in compliance with FFMIA. When reporting an agency's financial management systems to be in substantial compliance, positive assurance will provide users with confidence that the agency systems provide the reliable, useful, and timely information envisioned by the act. In addition, we also previously recommended[Footnote 26] that OMB explore clarifying the definition of "substantial compliance" to help ensure consistent application of the term. As we noted[Footnote 27] in our prior reports, auditors we interviewed had concerns about providing positive assurance in reporting on agency systems' FFMIA compliance because of a need for clarification regarding the meaning of substantial compliance. Therefore, we also reaffirm this recommendation. In its comments, OMB stated that its growing experience assisting agencies in implementing the PMA performance standards will enable it to refine the existing FFMIA indicators associated with substantial compliance. Accordingly, OMB officials stated that they will consider our recommendation in any future policy and guidance updates.

Reasons for Noncompliance:

Based on our review of the fiscal year 2003 audit reports for the 17 agencies reported to have systems not in substantial compliance with one or more of FFMIA's three requirements, we identified six primary reasons cited by the auditors for agency systems not being compliant.
The weaknesses reported by the auditors ranged from serious, pervasive systems problems to less serious problems that may affect one aspect of an agency's accounting operation:

* nonintegrated financial management systems,
* inadequate reconciliation procedures,
* lack of accurate and timely recording of financial information,
* noncompliance with the SGL,
* lack of adherence to federal accounting standards, and
* weak security controls over information systems.

Figure 4 shows the relative frequency of these problems at the 17 agencies reported to have noncompliant systems and the problems relevant to FFMIA that were reported by their auditors. The same six types of problems were cited by auditors in their fiscal years 2000, 2001, and 2002 audit reports, although the auditors may not have reported these problems as specific reasons for their systems' lack of substantial compliance with FFMIA. In addition, we caution that the occurrence of problems in a particular category may be even greater than auditors' reports of FFMIA noncompliance would suggest because auditors may not have identified all problems in their reviews.

Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through 2003:

[See PDF for image]

Note: Based on independent auditors' reports for fiscal years 2000-2003, prepared by agency inspectors general and contract auditors.

[End of figure]

Nonintegrated Financial Management Systems:

The CFO Act calls for agencies to develop and maintain an integrated accounting and financial management system[Footnote 28] that complies with federal systems requirements and provides for (1) complete, reliable, consistent, and timely information that is responsive to the financial information needs of the agency and facilitates the systematic measurement of performance; (2) the development and reporting of cost management information; and (3) the integration of accounting, budgeting, and program information. OMB Circular No.
A-127, Financial Management Systems, requires each agency to establish and maintain a single integrated financial management system that conforms to functional requirements published by PMO. Agencies that do not have integrated financial management systems typically must expend major effort and resources, including in some cases hiring external consultants, to develop information that their systems should be able to provide on a daily or recurring basis. Agencies with nonintegrated financial systems are also more likely to be required to devote more resources to collecting information than those with integrated systems. In addition, opportunities for errors are increased when agencies' systems are not integrated. Auditors frequently mentioned the lack of modern, integrated financial management systems in their fiscal year 2003 audit reports. As shown in figure 4, auditors for 11 of the 17 agencies with noncompliant systems reported this to be a problem, compared with 13 of the 19 agencies reported with noncompliant systems in fiscal year 2002.[Footnote 29] For example, auditors determined that the Department of State's financial and accounting system, as of September 30, 2003, was inadequate, preventing the department from routinely issuing timely financial statements and increasing the risk of materially misstating financial information. The principal areas of weakness included (1) certain elements, including, but not limited to, personal property, capital leases, and certain accounts payable, were developed from sources outside the general ledger and (2) several different systems were used for the management of grants and other types of federal awards. These systems for grants management and other federal awards lacked standard data classifications and were not integrated with the department's centralized financial management system. 
In another case, as auditor for Treasury's Internal Revenue Service (IRS),[Footnote 30] we reported that IRS' general ledger system consists of two independent general ledgers that are not integrated with each other or with their supporting records for material balances. Further, the information contained in the general ledgers was not supported by adequate audit trails for federal tax revenue, federal tax refunds, taxes receivable, or property and equipment. IRS' use of two separate general ledgers to account for its tax collection activities and the costs of conducting those activities, respectively, greatly complicates efforts to measure the cost of IRS' tax collection efforts. The use of multiple ledgers also causes difficulties in the production of the reliable, useful, and timely financial and performance information that IRS needs for decision making on an ongoing basis.

Inadequate Reconciliation Procedures:

A reconciliation process, whether manual or automated, is a necessary and valuable part of a sound financial management system. The less integrated the financial management system, the greater the need for adequate reconciliations because data may be accumulated from a number of different sources. Reconciliations are needed to ensure that data have been recorded properly between the various systems and manual records. The Comptroller General's Standards for Internal Control in the Federal Government[Footnote 31] highlights reconciliation as a key control activity. As shown in figure 4, auditors for 11 of the 17 agencies with noncompliant systems in fiscal year 2003 reported that the agencies had reconciliation problems, compared with 11 of the 19 agencies reported with noncompliant systems in fiscal year 2002. These reconciliation problems included difficulty in reconciling their fund balance with Treasury accounts[Footnote 32] with Treasury's records.
Treasury policy requires agencies to reconcile their accounting records with Treasury records on a monthly basis (comparable to individuals reconciling their personal checkbooks to their monthly bank statements). For fiscal year 2003, NASA's auditors reported a lack of effective internal controls surrounding its fund balance with Treasury reconciliations. Based on a review of NASA headquarters' fund balance with Treasury reconciliations as of September 30, 2003, auditors reported an agencywide difference of approximately $43 million, net, between NASA's general ledger and Treasury's reported balance. NASA did not provide sufficient documentary evidence to explain these differences. Further, NASA made approximately 20 additional adjustments outside of its financial management system, which indicated the difference between its fund balance with Treasury balance and Treasury's reported balance was significantly greater than disclosed in its year-end reconciliations. In total, NASA recorded adjustments of approximately $2 billion, net, to decrease its fund balance with Treasury balance in order to agree to Treasury's reported balance as of September 30, 2003. NASA was unable to provide the auditor documentation to explain the reasons for such a large dollar amount of reconciliations.

Lack of Accurate and Timely Recording of Financial Information:

As shown in figure 4, auditors for 15 of the 17 agencies with noncompliant systems reported the lack of accurate and timely recording of financial information as a problem for fiscal year 2003, compared with 17 of the 19 agencies reported with noncompliant systems in fiscal year 2002. Accurate and timely recording of financial information is essential for successful financial management. Timely recording of transactions facilitates accurate reporting in agencies' financial reports and other management reports used to guide managerial decision making.
In addition, having systems that record information in a timely and accurate manner is critical for key governmentwide initiatives, such as integrating budget and performance information. In contrast, untimely recording of transactions during the fiscal year can result in agencies making substantial efforts at fiscal year-end to perform extensive manual financial statement preparation efforts that are susceptible to error and increase the risk of misstatements. For example, auditors at the Department of the Interior reported in fiscal year 2003 that the department (1) needed to improve controls over property, plant, and equipment in order to prepare financial reports in a timely and reliable manner; (2) capitalized assets that were transferred from other agencies at incorrect amounts and also capitalized assets in the current year that had been accidentally expensed in prior years; and (3) did not ensure that journal vouchers were properly recorded by failing to include proper general ledger accounts. As a result, the department recorded over 180 adjustments after issuing the final year-end trial balance, requiring that significant time and resources be dedicated to making manual adjustments.

Noncompliance with the SGL:

As shown in figure 4, auditors for 10 of the 17 agencies reported to have noncompliant systems for fiscal year 2003 stated that the agencies' systems did not comply with SGL requirements for fiscal year 2003, as compared with 9 of the 19 agencies reported with noncompliant systems in fiscal year 2002. Implementing the SGL at the transaction level is one of the specific requirements of FFMIA. Using the SGL promotes consistency in financial transaction processing and reporting by providing a uniform chart of accounts and pro forma transactions. The SGL also provides a basis for comparison at the agency and governmentwide levels.
The defined accounts and pro forma transactions standardize the accumulation of agency financial information as well as enhance financial control and support financial statement preparation and other external reporting. By not implementing the SGL, agencies may experience difficulties in providing consistent financial information across their components and functions. Auditors for HHS reported that some of its systems were not designed to apply the SGL at the transaction level. For example, the auditors stated that the National Institutes of Health (NIH) recorded 1,900 nonstandard accounting entries totaling $14.2 billion during the year. According to the auditors, these nonstandard entries were needed to properly adjust account balances, including inventory, accrued leave, personal property, receipt of donations, and other revenues. Moreover, NIH developed a process to record at year-end the effect of current-year, day-to-day entries in its budgetary and expended appropriations accounts. In their report, the auditors stated that the use of nonstandard accounting entries increased the risks of (1) bypassing accounting controls and (2) errors. To address these issues, during fiscal year 2003, NIH reconfigured its transaction codes to be SGL compliant and on October 1, 2003, implemented a new general ledger system as part of the NIH Business and Research Support System (NBRSS) initiative. NBRSS is expected to be fully implemented in 2006. Furthermore, approximately 2,300 nonstandard accounting entries with an absolute value of about $41 billion were recorded in HHS' Program Support Center's (PSC)[Footnote 33] CORE Accounting system[Footnote 34] to compensate for noncompliance with the SGL. These nonstandard accounting entries were recorded to correct for misstatements and recorded balances, and to record reclassifications.
Lack of Adherence to Federal Accounting Standards:

One of FFMIA's requirements is that agencies' financial management systems account for transactions in accordance with federal accounting standards. Agencies face significant challenges implementing these standards. As shown in figure 4, auditors for 11 of the 17 agencies with noncompliant systems for fiscal year 2003 reported that these agencies had problems complying with one or more federal accounting standards, compared with 13 of the 19 agencies with noncompliant systems in fiscal year 2002. Auditors reported that agencies are having problems implementing standards that have been in effect for some time--such as Statement of Federal Financial Accounting Standards (SFFAS) No. 1, Accounting for Selected Assets and Liabilities--as well as standards that have been promulgated in the last few years--such as SFFAS No. 21, Reporting Corrections of Errors and Changes in Accounting Principles. For example, in fiscal year 2003, auditors for the U.S. Agency for International Development (USAID) found that the agency's Accrual Reporting System (ARS)[Footnote 35] was not in compliance with SFFAS No. 1, paragraph 77. That standard requires that when an entity accepts goods (or services), it should recognize a liability for the unpaid amount of these goods or services. If related invoices are not available when the financial statements are prepared, amounts owed should be estimated. USAID uses ARS to develop quarterly estimates of accrued expenses recorded against individual contract and grant awards. However, auditors discovered that ARS' financial information was not reliable and, since the system-generated estimates were based on the financial information contained in the system, USAID had no assurance that the resulting estimates were reliable or supported by adequate accrual methodology. Further, simply eliminating the system-generated estimates might cause the agency to materially understate its accounts payable.
Consequently, as a result of revised ARS estimates proposed by the OIG, USAID reduced its year-end accrued expenses and accounts payable by $244 million to more accurately reflect the activity in accounts affected by accruals.

Weak Security Controls over Information Systems:

Information security weaknesses are a major concern for federal agencies and the general public and are one of the frequently cited reasons for noncompliance with FFMIA. These control weaknesses place vast amounts of government assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. Accordingly, we have considered information security to be a governmentwide high-risk area since 1997.[Footnote 36] The Congress and the executive branch have taken action to address the risks associated with persistent information security weaknesses. The Federal Information Security Management Act of 2002 (FISMA)[Footnote 37] provides the overall framework for ensuring the effectiveness of information security controls that support federal operations and assets and requires agencies and OMB to report annually to the Congress on their information security programs. As we testified in March 2004,[Footnote 38] fiscal year 2003 agency reporting required by FISMA showed apparent progress in implementing FISMA's information security requirements, but most agencies still had not reached the level of performance that demonstrates they have implemented the agencywide information security program mandated by the act. Only 6 agencies reported that they had authorized 90 to 100 percent of their systems, and 11 agencies reported that they had authorized less than half of their systems.
While OMB monitors agency performance by requiring agencies to provide quarterly updates on this and other key performance measures, the fiscal year 2004 annual reports that agencies must submit to the Congress are due to OMB by October 6, 2004, and should provide updated information on agency progress in implementing FISMA's information security requirements. As shown in figure 4, auditors for all 17 of the 17 agencies with noncompliant systems reported security weaknesses in information systems to be a problem, compared with 19 of the 19 agencies reported with noncompliant systems in fiscal year 2002. Unresolved information security weaknesses could adversely affect the ability of agencies to produce accurate data for decision making and financial reporting because such weaknesses could compromise the reliability and availability of data that are recorded in or transmitted by an agency's financial management system. As a case in point, in fiscal year 2003, the auditors for the Department of Education noted that the department needs improvement in seven key security control areas. These seven areas are (1) consistently updating application versions, virus/data protection packages, and security packages; (2) testing mission-critical systems for platform and database level vulnerabilities; (3) enforcing the rule requiring complex passwords across the enterprise; (4) deploying network and host based intrusion detection systems to provide alerts of intrusions and malicious internal activity; (5) implementing firewall rules to logically segregate database servers containing sensitive data from servers within the Web-hosting environment; (6) implementing access controls to protect mission-critical systems from certain internal networks; and (7) correcting security weaknesses previously identified at contractor facilities. 
Agencies Struggle to Implement New Financial Systems:

In an effort to address problems such as nonintegrated systems, inadequate reconciliations, and lack of compliance with the SGL, a number of agencies have efforts under way to implement new financial management systems or to upgrade existing systems. Agencies anticipate that the new systems will provide reliable, useful, and timely data to support managerial decision making and assist taxpayer and congressional oversight. However, implementing and upgrading systems bring new risks. Organizations that follow and effectively implement accepted best practices in systems development and implementation (commonly referred to as disciplined processes) can reduce these risks to acceptable levels. However, our work at DOD, HHS, and NASA has shown that agencies face significant problems in implementing financial management systems and are not following the necessary disciplined processes for efficient and effective implementation of such systems. Further, VA recently halted its pilot implementation of its new core financial system for which $249 million had been invested. The VA OIG reported that the contracting and monitoring of the VA project was not adequate, and the pilot deployment of the system encountered multiple problems. The problems the VA OIG cited were similar to those we noted at DOD, HHS, and NASA. As the federal government moves forward with ambitious modernization efforts to identify opportunities to eliminate redundant systems and enhance information accuracy and availability, adherence to these disciplined processes will be a crucial element to reduce risks to acceptable levels.

Most Agencies Are Implementing New Financial Systems:

Throughout the government, agencies have worked diligently to minimize financial management weaknesses by implementing or upgrading current financial systems.
As we previously reported,[Footnote 39] 17 CFO Act agencies advised us that as of September 2002 they were planning to or were in the process of implementing new core financial systems. Eleven of these 17 CFO Act agencies had chosen software packages certified by PMO,[Footnote 40] while the remaining 6 agencies had at that time yet to arrive at the software selection phase of their acquisition processes. Target implementation dates ranged from fiscal years 2003 to 2008 for 16 of the 17 agencies. DOD had not yet determined its implementation date. Moreover, JFMIP recently surveyed federal agencies about their plans to purchase core financial system and feeder system software between fiscal years 2005 and 2009. Survey responses indicated that 7 of the 23 CFO Act agencies and DHS plan to purchase core financial software. Additionally, 13 agencies and DHS have plans to purchase feeder system software between fiscal years 2005 and 2009. Thus, the majority of the CFO Act agencies and DHS were either implementing or planning to purchase core financial or feeder system software. An agency's implementation of a certified core financial system does not guarantee that the financial system is FFMIA compliant. Two major factors affecting FFMIA compliance that agencies must consider are (1) the integration of the core financial system with the agency's administrative and programmatic systems, especially with regard to the completeness and validity of system data, and (2) the existence of modifications or customizations to the certified core financial system software. As indicated in our prior report,[Footnote 41] some agencies stated in their performance and accountability assessments that complete implementation of new core financial systems will also address their systems' substantial noncompliance with FFMIA. However, as we previously discussed, implementing a new core financial system may not eliminate all of an agency's financial management weaknesses. 
Agencies must consider various problems that extend beyond their core financial systems. Despite this realization, the implementation of agencywide core financial systems is a solid step toward successful systems performance.

Agencies Are Not Following Disciplined Processes:

Implementing new financial management systems provides the groundwork for improved financial management, including providing financial managers with more timely information for better informed financial management decisions, and will help meet OMB's accelerated financial reporting deadline. However, with implementation comes risk. Organizations that follow and effectively implement accepted best practices in systems development and implementation (commonly referred to as disciplined processes) can reduce these risks to acceptable levels. Our work at DOD, HHS, and NASA has shown that agencies face significant problems in implementing financial management systems and are not following the necessary disciplined processes for efficient and effective implementation of financial management systems. VA recently halted implementation of its new core financial system, due in part to reported concerns about the inadequate contracting and monitoring of the project and multiple problems with the pilot deployment of the system. Disciplined processes have been shown to mitigate some of the risks associated with software development and acquisition efforts to acceptable levels. The term "acceptable levels" acknowledges that any systems acquisition effort has risks and will suffer the risk of not achieving the intended results (performance) within the established resources (costs) on schedule. However, effective implementation of the disciplined processes reduces these risks and helps prevent any actual problems from having any significant adverse impact on achieving the performance, cost, and schedule of the project.
Although a standard set of practices that will guarantee success does not exist, several organizations, such as the Software Engineering Institute (SEI)[Footnote 42] and the Institute of Electrical and Electronics Engineers (IEEE),[Footnote 43] as well as individual experts have identified and developed the types of policies, procedures, and practices that have been demonstrated to reduce development time and enhance effectiveness. The key to having a disciplined system development effort is to have disciplined processes in several areas, including the following:

* Requirements management. Requirements are the specifications that system developers and program managers use to design, develop, and acquire a system.
* Testing. Testing is the process of executing a program with the intent of finding errors. Testing is a critical process that improves an entity's confidence that the system will satisfy the requirements of the end user and operate as intended.
* Project planning and oversight. Project planning is the process used to establish reasonable plans for carrying out and managing the software project. It includes estimating resources needed for the work to be performed, establishing commitments, and defining the work plan.
* Risk management. Risk management is a set of activities for identifying, analyzing, planning, tracking, and controlling risks. Risk management starts with identifying the risks before they can become problems.

Organizations that do not effectively implement the disciplined processes lose the productive benefits of these processes as a project moves through its development and implementation and are forced to implement them later when it takes more time and they are less effective. A major consumer of project resources in undisciplined efforts is rework. Rework occurs when the original work has defects or is no longer needed because of changes in project direction.
Disciplined organizations focus their efforts on reducing the amount of rework because it is expensive. Studies have shown that correcting a defect during the testing phase costs anywhere from 10 to 100 times the cost of correcting it during the design or requirements phase.[Footnote 44] Projects that are unable to adopt disciplined processes successfully will eventually only be spending their efforts on rework and the associated processes that are needed rather than productive work. In other words, the project may find itself continually reworking items. We found in our review of three agencies' implementation of new financial management systems that these agencies are not following the disciplined processes that are necessary to reduce the risks to acceptable levels. In our May 2004 report,[Footnote 45] we reported that long-standing problems continue at DOD despite the significant investments made in DOD business systems[Footnote 46] each year. GAO's two case study examples of logistics systems modernization efforts, Business Systems Modernization (BSM) at the Defense Logistics Agency (DLA) and the Army's Logistics Modernization Program (LMP), found that disciplined processes were not implemented. We also reported in September 2004[Footnote 47] that HHS had not followed key disciplined processes and is at risk of implementing a new financial management system that will not fully meet the needs of its users. Further, in 2003 and 2004 we issued five reports and testified[Footnote 48] about the considerable challenges facing NASA's implementation of a new financial management program. NASA is on its third attempt in 12 years to modernize its financial management process and systems and has spent about $180 million on its two prior failed efforts.

Department of Defense:

DOD reported in April 2003 that its business systems environment consisted of 2,274 systems.
DOD requested approximately $19 billion for fiscal year 2004 to operate, maintain, and modernize its reported 2,274 business systems. More recently, DOD stated that its inventory of business systems was over 4,000 and more systems are expected to be identified. Despite its substantial investment over many years, DOD's business systems remain fundamentally flawed; unable to provide timely, reliable information; and leave DOD vulnerable to fraud, waste, and abuse. The duplication and stovepiped nature of DOD's systems environment is illustrated by the numerous systems it has in the same functional areas, such as over 450 personnel systems and 200 inventory systems. These systems are not integrated and thus have multiple points of data entry, which can result in data integrity problems. Two of the business system modernization efforts DOD has undertaken to address some of its inventory problems are DLA's BSM and the Army's LMP. BSM and LMP incorporate part of the inventory management portion of the COTS software package used by both DLA and the Army. In November 1999, DLA initiated an effort to replace two of its materiel management systems with BSM. BSM is intended to transform how DLA conducts its operations in five core business processes: order fulfillment, demand and supply planning, procurement, technical/quality assurance, and financial management. In February 1998, the Army began its effort to replace its two material management systems with LMP. LMP is intended to transform the U.S. Army Materiel Command's logistic operations in six core processes: order fulfillment, demand and supply planning, procurement, asset management, materiel maintenance, and financial management. Our May 2004 report[Footnote 49] of DOD's business system modernization found numerous problems with both projects, BSM and LMP, including such issues as failure to follow necessary disciplined processes, lack of financial system integration, and system deployment schedule slippage. 
We found that DLA's and Army's program officials did not effectively implement the disciplined processes associated with requirements management and testing in developing and implementing their systems. For almost all of the requirements we analyzed, we found that the forward and backward traceability was not maintained. Traceability allows the user to follow the life of the requirement both forward and backward through the DLA and Army approaches and management plans and is critical to understanding the parentage, interconnections, and dependencies among the individual requirements. Testing, the process of executing the program with the intent of finding errors, was not effectively implemented for BSM or LMP. DLA and the Army, therefore, did not achieve the important goal of reducing the risk that BSM and LMP would not operate as intended. Although DLA and the Army have asserted that BSM and LMP, respectively, are compliant with the requirements of FFMIA, we have concerns. In the case of LMP, we found that the Army relied upon PMO testing for 147 requirements because PMO had validated these requirements when it tested the vendor's commercial software used for LMP during fiscal year 1999. PMO testing should not be considered a substitute for individual system testing of the actual data that will be used by the entity. Further, PMO's tests of software do not address entity-specific integrated tests of end-to-end transactions or systems interfaces. Because the Army had to make modifications to the basic commercial software package to accommodate some of its business operations, the Army cannot be assured, without retesting, that these 147 requirements will produce the intended results. In the case of BSM, for one requirement the contractor stated that "a sample of transactions were reviewed, [and] it appears that BSM properly records transactions consistent with the SGL posting rules." 
However, we found no indication that this requirement was tested, and therefore, we cannot conclude whether BSM has the capability to meet this requirement. Without adequate documentation to support testing of the FFMIA requirements, it is questionable whether either system is substantially compliant with FFMIA. Additionally, we found that the system interfaces were not fully tested for BSM and LMP and when they became operational, it became clear that the system interfaces were not working as intended. Costly manual reentry of inventory transactions was necessary. Further, both BSM and LMP have experienced cost increase and schedule slippage. BSM was originally scheduled to be fully operational in September of 2005. However, the date has shifted to midyear 2006 and the cost has increased from $764 million to $850 million. LMP has a current estimated cost of over $1 billion. As of March 2004, the Army had not determined when LMP would be fully operational at all locations. In 1999, we reported that the Army's estimated cost was $421 million over a 10-year period. DOD cannot be assured that the two systems in our case study will provide the functionality needed and fully meet DLA and Army objectives. Successful reform of DOD's fundamentally flawed financial and business management operations must simultaneously focus on its systems, processes, and people. While DOD has made some encouraging progress in addressing specific challenges, it is still in the very early stages of a departmentwide reform that will take many years to accomplish. Secretary Rumsfeld has made business transformation a priority. For example, through its Business Management Modernization Program, DOD is continuing its efforts to develop and implement a business enterprise architecture and establish effective management oversight and control over its business systems modernization investments. 
However, after about 3 years of effort and over $203 million in reported obligations, we have not seen significant change in the content of DOD's architecture or in its approach to investing billions of dollars annually in existing and new systems. We have made numerous recommendations aimed at improving DOD's plans for developing the next version of the architecture and implementing controls for selecting and managing business systems investments. To date, DOD has not addressed 22 of our 24 recommendations.[Footnote 50]

Department of Health and Human Services:

HHS is currently implementing a new financial management system, the Unified Financial Management System (UFMS), to replace five outdated accounting systems. This project is expected to be phased in at the component agencies and fully implemented in fiscal year 2007. Our 2004 analysis and evaluation focused on the system implementation efforts associated with all the HHS entities except for the Centers for Medicare and Medicaid Services (CMS) and NIH.[Footnote 51] We found that the lack of disciplined processes puts the implementation of HHS' new financial management system at risk. We reported[Footnote 52] that HHS had not followed key disciplined processes and was at risk of implementing a new financial management system that would not fully meet the needs of its users. While HHS had executive sponsorship for the development of UFMS, it had focused on meeting its implementation schedule to deploy the system at its component agency, the Centers for Disease Control and Prevention (CDC) in October 2004 to the detriment of disciplined processes. HHS had not implemented effective disciplined processes in such areas as requirements management, testing, project management and oversight, and risk management. We found significant problems with HHS' requirements management and testing process.
Problems with requirements management practices include the lack of (1) a concept of operations to guide the development of requirements, (2) traceability of a requirement from the concept of operations through testing to ensure requirements were adequately addressed in the system, and (3) specificity in the requirements to minimize confusion in the implementation. These problems with requirements have resulted in a questionable foundation for the system testing process. Additionally, testing activities were scheduled too late in the implementation cycle, leaving little time to ensure that the defects found were addressed before the system was implemented at CDC. While adherence to schedule goals is generally desirable, it is key that project decisions are based on objective data and demonstrated project accomplishments, and are not schedule-driven. Otherwise, the risk of costly rework or failure appreciably increases. We further found that HHS had not developed the quantitative data necessary to assess whether UFMS will provide the needed functionality. HHS did not have a metrics measurement process to understand its capability to help manage the entire UFMS effort; or how its process will affect the UFMS cost, schedule, and performance objectives; or what corrective action is needed to reduce the risks associated with the problems identified. We also reported problems with HHS' initial data conversion and system interfaces. In addition to the disciplined processes weaknesses, we noted that HHS had weaknesses in its information technology investment management, enterprise architecture, and information security. Serious understaffing and incomplete workforce planning have also plagued the UFMS project. The cumulative effects of these weaknesses increase the risk that UFMS will not fully serve the needs of its users nor achieve its budget and schedule goals. 
In September 2004, HHS decided to delay the implementation of a significant amount of functionality associated with the CDC deployment from October 2004 until April 2005 in order to address the issues that had been identified with the project.

National Aeronautics and Space Administration:

In April 2000, NASA began its third attempt to modernize its financial management system. This effort, IFMP, is expected to produce an integrated, NASA-wide financial management system through the acquisition and incremental implementation of COTS and related hardware and software components. As of June 30, 2003, NASA reported that it had fully implemented the core financial module, which NASA considers the backbone of IFMP, at all of its 10 operating locations. As we have reported numerous times,[Footnote 53] NASA faces considerable challenges in meeting its IFMP commitments and providing the necessary tools to oversee its contracts and manage its programs. In April 2003, we reported that the core financial module does not provide agency managers or the Congress with useful cost and related information with which to make informed decisions, manage daily operations, and ensure accountability on an ongoing basis, and NASA was not following key best practices for acquiring and implementing the system. As we reported, key users, such as program managers, cost estimators, and congressional staffs, were not included in defining the system requirements. According to IFMP officials, NASA chose to forgo certain system capabilities to expedite implementation of the core financial module. As a result, managers and cost estimators continued to rely on means outside IFMP to capture data needed to manage programs. We have also reported that NASA's approach to implementing its new system did not optimize the system's performance and would likely cost more and take longer to implement than necessary.
Specifically, NASA was not following key best practices for acquiring and implementing the system, which may affect the agency's ability to fully benefit from the new system's capabilities. First, NASA did not analyze the relationships among selected and proposed IFMP components to understand the logical and physical relationships among the components it acquired. By acquiring these IFMP components without first understanding system component relationships, NASA increased its risks of implementing a system that will not optimize mission performance and will cost more and take longer to implement than necessary. Second, although industry best practices and NASA's own system planning documents indicate that detailed requirements are needed as the basis for effective system testing, NASA did not require documentation of detailed system requirements prior to system implementation and testing. NASA's approach instead relied on certain subject matter experts' knowledge of the detailed requirements necessary to evaluate the functionality actually provided. As a result, NASA increased its risk that IFMP would cost more and do less than planned. Further, we reported that NASA's new financial management system did not provide key external reporting capabilities, such as the generation of complete and accurate information necessary for external reporting of NASA property and budgetary data, and the new system did not comply substantially with the requirements of FFMIA.

Department of Veterans Affairs:

VA recently halted implementation of its new core financial system, Core Financial and Logistics System (CoreFLS), at a potential loss of almost $250 million. VA provides federal benefits, including disability compensation, pensions, education, life insurance, home loan assistance, and medical care, to the 26 million living veterans and veterans' survivors and dependents.
VA began the detailed planning and acquisition of CoreFLS in June 1999 and was planning to have it fully implemented throughout VA by March 2006. The VA OIG reported that the contracting and monitoring of the CoreFLS project was not adequate and the pilot deployment of CoreFLS at a VA medical center encountered multiple problems. These problems are similar to the concerns we noted at DOD, HHS, and NASA. The VA OIG noted that the success of CoreFLS greatly depends on the ability of the software to integrate with existing legacy systems, which in turn requires that existing legacy systems are properly implemented and maintained. The VA OIG found that most of the VA legacy systems at the pilot location contained inaccurate data because they had not been used properly and that this may be a systemic problem throughout VA. The effect of transferring inaccurate data to CoreFLS at this pilot location interrupted patient care and medical center operations. This was compounded by VA inadequately training employees on how to use the system, unreliable test procedures and results, and unsubstantiated performance results. Problems were also identified with reconciling accounts payable, accounts receivable, undelivered orders, and real property. When CoreFLS was deployed at the pilot location in October 2003, it did not function as project managers expected because of inaccurate or incomplete vendor and inventory system data. Because of these problems with vendor and inventory systems, the VA pilot location made excessive purchases of medical supplies. For example, on February 23, 2004, the pilot location purchased 100 cup biopsy forceps with a total value of $30,700, which were shipped overnight to the medical center, but returned to the vendor less than a month later. In addition, late payment penalties by the medical center for the first two quarters of fiscal year 2004 totaled $10,800, compared to $600 for the entire fiscal year 2003. 
The VA OIG's review also found that the inventory was overstated by approximately $2.3 million out of $3.6 million recorded, because an item valued at $23 showed a quantity on-hand of 100,000 when, in fact, the on-hand quantity was only one. As a result of these problems, patient care was interrupted by supply outages and other problems. The inability to provide sterile equipment and needed supplies to the operating room resulted in the cancellation of 81 elective surgeries for a week in both November 2003 and February 2004. In addition, the operating room was forced to operate at two-thirds of its prior capacity. Because of the serious nature of the problems raised with CoreFLS, VA management decided to focus on transitioning back to the previous financial management software and pull together a senior leadership team to examine the results of the pilot and make recommendations to the VA Secretary regarding the future of CoreFLS.

Governmentwide Initiatives to Improve Financial Management Systems Spur Needed Change:

As agencies move forward with initiatives to address FFMIA-related problems, it is important that consideration be given to the numerous governmentwide initiatives under way to address long-standing financial management weaknesses. As stated in the PMA, there are few items more urgent than ensuring that the federal government operates efficiently and is results-oriented. While FFMIA implementation relates directly to the improved financial performance initiative, development and maintenance of FFMIA-compliant systems will also affect the implementation of the other four PMA initiatives. Notably, OMB is developing a federal enterprise architecture that is intended to facilitate the government's ability to make significant progress across the PMA. For example, as part of the e-gov PMA initiative, the number of federal payroll providers is being consolidated.
Numerous agencies had targeted their payroll operations for costly modernization, and according to OMB, millions of dollars will be saved through shared resources and processes and by modernizing on a cross-agency, governmentwide basis. The Clinger-Cohen Act sets forth a variety of initiatives to support better decision making for capital investments in information technology, which has led to the development of the Federal Enterprise Architecture and better-informed capital investment and control processes within agencies and across government. This has produced another broad shift in the financial systems environment--one that acknowledges that financial systems planning can no longer take place within an isolated environment or "stovepipe," but must now be integrated with enterprise goals. Managed properly, an enterprise architecture can clarify and help optimize the interdependencies and relationships among an organization's business operations and the underlying information technology infrastructure and applications that support those operations. Moreover, developing such an architecture will help address the government's inability to properly reconcile and report on intragovernmental transactions. We have reported[Footnote 54] for years that the heart of the intragovernmental transactions issue was that the federal government lacked clearly articulated business rules for these transactions so that they would be handled consistently by agencies. This is compounded by limitations and incompatibility of agency and trading partner systems, among other issues. OMB and Treasury have taken steps to help transform and standardize intragovernmental transactions, including instituting an e-gov project[Footnote 55] to define a governmentwide data architecture and provide a single source of detailed trading partner data. 
The Intragovernmental Transaction Exchange was piloted from October 2003 to April 2004, and provided information about the business processes and technologies used to interact with it. After evaluating the results of the pilot, OMB expects to phase it into use at all agencies. Building upon the efforts of the Federal Enterprise Architecture program to support the PMA for e-gov, OMB and designated agency task forces have launched the line of business (LOB) initiative. This initiative seeks to develop business-driven, common solutions for five lines of business that span across the federal government. The five initiatives are financial management, human resources management, grants management, federal health architecture, and case management. Each of the lines of business shares similar business requirements and business processes. OMB and the LOB task forces plan to use either enterprise architecture-based principles and best practices to identify common solutions for business processes, technology-based shared services to be made available to government agencies, or both. Driven from a business perspective rather than a technology focus, the solutions are expected to address distinct business improvements to enhance government's performance and services for citizens. The results of LOB efforts are expected to save taxpayer dollars, reduce administrative burden, and significantly improve service delivery. The financial management LOB goals are to (1) achieve or enhance process improvements and cost savings in the acquisition, development, implementation, and operation of financial management systems through shared services, joint procurements, consolidation, and other means; (2) promote seamless data exchange between and among federal agencies; (3) provide for the standardization of business processes and data elements; and (4) strengthen internal controls through real-time integration of core financial and subsidiary systems. 
OMB has an ambitious time frame, September 2004, for identifying a common solution and developing a target architecture and a joint business case. At the time of our review, OMB had not completed this effort. Agency business cases submitted as part of the budget cycle are expected to reflect the proposed common solutions. GAO has long supported and called for such initiatives to standardize and streamline common systems, which can not only reduce costs but, if done correctly, can improve accountability. The problems we have seen related to requirements, testing, interfaces, and data conversion at the agency level indicate that attention to these disciplined processes will continue to be important as OMB and the LOB task forces move forward. These initiatives and the intragovernmental transaction exchange will be required to address broader sets of requirements, interfaces, and data conversion issues than those at an individual agency level, thus amplifying the complexity of the task. Disciplined processes can play an important role in helping governmentwide systems initiatives reduce the risk of these projects to acceptable levels. In addition, with many new financial management systems being implemented in the federal government, it is crucial that the federal government have a qualified workforce with the right mix of skills to implement financial systems successfully. Our report[Footnote 56] on effective strategic workforce planning highlighted five principles that such a process should address irrespective of the context in which planning is done. Among the principles are determining the critical skills and competencies that will be needed to achieve current and future results, and developing strategies tailored to address gaps in the number, deployment, and alignment of human capital approaches.
At a JFMIP-sponsored forum on successful integration and interoperability of business management systems held in May 2004, the participants noted that agencies are losing experienced people for a variety of reasons and relying excessively on outside contractors because they have no other choice. Participants expressed concern that internally, staff lack the technical expertise needed. Agency officials overseeing implementations have expertise on the functional requirements, such as government accounting standards, but vendors and integrators have little expertise in these areas. This is extremely high risk and costly, and greater oversight and close monitoring of contractors is needed. Further, our executive guide[Footnote 57] emphasizes the need for developing a financial management team with the right mix of skills and competencies. A changing financial management business vision requires shifting workforce capacities and providing a financial management workforce that is more analytic and capable of providing decision support.

Conclusions:

Long-standing problems with agencies' financial systems continue to make it difficult for agencies to routinely produce reliable, useful, and timely financial information. While a number of agencies are receiving unqualified ("clean") opinions on their financial statements, the continued widespread noncompliance with FFMIA shows that agencies still have a long way to go to having systems, processes, and controls that routinely generate reliable, useful, and timely information. The FFMIA-related problems reported in agency audit reports indicate that federal financial management systems are not currently providing federal managers the financial data needed for day-to-day management of their programs or for external reporting in an efficient or timely manner.
Yet we remain concerned that the full nature and scope of the problems have not been identified because auditors have only provided negative assurance in their FFMIA reports. We believe the law requires auditors to provide positive assurance on FFMIA compliance. Therefore, we reaffirm our recommendation made in prior reports that OMB revise its current FFMIA guidance to require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance, which entails a more thorough examination of the agency's systems. We also reaffirm our other prior recommendation for OMB to explore further clarification of the definition of "substantial compliance" in its FFMIA guidance to encourage consistent reporting among agency auditors. As we stated[Footnote 58] in our prior reports, auditors we interviewed had concerns about providing positive assurance in reporting on agency systems' FFMIA compliance because of a need for clarification regarding the meaning of substantial compliance. Implementing new COTS core financial systems is a formidable challenge since financial management systems are not only needed for external reporting but, most importantly, are needed to provide the financial information program managers need to manage operations on a day-to-day basis. Reliable, useful, and timely financial management information is key to achieving the goals of the PMA and its related initiatives, such as PART. As the federal government moves forward with agency implementations of new financial management systems and for systems implemented to satisfy governmentwide initiatives, adherence to proven disciplined processes to minimize risks and improve management of these implementations is critical. Moreover, people with the right skill sets in the right places at the right times are critical to efficiently and effectively implementing a financial management system and operating it once it is in place. 
Improvements in federal financial management systems are in some cases a long-term goal, but with sustained attention from important decision makers, including the Congress and OMB, the goals of the CFO Act and FFMIA can be achieved.

Agency Comments and Our Evaluation:

In written comments (reprinted in app. VI) on a draft of this report, OMB agreed with our assessment that while federal agencies continue to make progress in addressing financial management systems weaknesses, many agencies still lack the ability to produce the data needed to efficiently and effectively manage day-to-day operations.

As in previous years, OMB disagreed with our recommendation that agency auditors be required to provide a statement of positive assurance when reporting agency systems to be in substantial compliance with FFMIA. OMB said that the PMA and FFMIA should be viewed as complementary methods for achieving improvements in financial management systems. OMB stated that the framework of performance standards established under the PMA provides a corroborative mechanism for evaluating FFMIA compliance, which together with existing audit processes can provide an accurate assessment of substantial compliance. Therefore, OMB does not believe that the addition of a statement of positive assurance on FFMIA compliance would be beneficial.

While we agree that the initiatives of the PMA are stimulating improvements, auditors need to consider other aspects of financial management systems when assessing FFMIA compliance that are not fully addressed through the current reporting structure. Our concern is that some of the information provided by this approach, such as monthly financial performance metrics for managing activities, does not come under audit scrutiny and may not be reliable.
In contrast, an opinion by an independent auditor of FFMIA compliance would confirm that an agency's systems substantially met the requirements of FFMIA and provide additional confidence in the information provided by the PMA. Finally, as we have stated in previous reports, a statement of positive assurance is a statutory requirement under the act. With regard to our prior recommendation, which we reaffirmed in this report, for revised guidance that clarifies the definition of substantial compliance, OMB said that the performance results obtained from the PMA initiatives will allow a further refinement of the existing substantial compliance indicators. OMB agreed to consider clarifying the definition of "substantial compliance" in future policy and guidance updates. As we noted in our prior reports,[Footnote 59] auditors we interviewed expressed a need for clarification regarding the meaning of substantial compliance. OMB also provided additional oral comments, which we incorporated as appropriate. We are sending copies of this report to the Chairman and Ranking Minority Member, Subcommittee on Financial Management, the Budget, and International Security, Senate Committee on Governmental Affairs, and to the Chairman and Ranking Minority Member, Subcommittee on Government Efficiency and Financial Management, House Committee on Government Reform. We are also sending copies to the Director of the Office of Management and Budget, the Secretary of Homeland Security, the heads of the 23 CFO Act agencies, and agency CFOs and IGs. Copies will be made available to others upon request. In addition, this report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. This report was prepared under the direction of Sally E. Thompson, Director, Financial Management and Assurance, who may be reached at (202) 512-2600 or by e-mail at [Hyperlink, thompsons@gao.gov] if you have any questions. 
Staff contacts and other key contributors to this report are listed in appendix VII.

Signed by:

David M. Walker:
Comptroller General of the United States:

[End of section]

Appendixes:

Appendix I: Requirements and Standards Supporting Federal Financial Management:

Financial Management Systems Requirements:

The policies and standards prescribed for executive agencies to follow in developing, operating, evaluating, and reporting on financial management systems are defined in Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems. The components of an integrated financial management system include the core financial system,[Footnote 60] managerial cost accounting system, and administrative and programmatic systems. Administrative systems are those that are common to all federal agency operations,[Footnote 61] and programmatic systems are those needed to fulfill an agency's mission.

The Program Management Office (PMO), managed by the Executive Director of the Joint Financial Management Improvement Program (JFMIP) and funded by the Chief Financial Officers (CFO) Council, has issued federal financial management systems requirements (FFMSR)[Footnote 62] for the core financial system and managerial cost accounting system, and is in the process of issuing these requirements for the administrative and programmatic systems. Appendix II lists the federal financial management systems requirements published to date. Figure 5 is the PMO model that illustrates how these systems interrelate in an agency's overall systems architecture.

Figure 5: Agency Systems Architecture:

[See PDF for image]

[End of figure]

OMB Circular No. A-127 requires agencies to purchase commercial off-the-shelf (COTS) software that has been tested and certified through the PMO software certification process when acquiring core financial systems.
PMO's certification process, however, does not eliminate or significantly reduce the need for agencies to develop and conduct comprehensive testing efforts to ensure that the COTS software meets their requirements. Moreover, according to PMO, core financial systems certification does not mean that agencies that install these packages will have financial management systems that are compliant with the Federal Financial Management Improvement Act (FFMIA) of 1996. Many other factors can affect the capability of the systems to comply with FFMIA, including modifications made to the PMO-certified core financial management systems software and the validity and completeness of data from feeder systems.

Federal Accounting Standards:

The Federal Accounting Standards Advisory Board (FASAB)[Footnote 63] promulgates federal accounting standards that agency CFOs use in developing financial management systems and preparing financial statements. FASAB develops the appropriate accounting standards after considering the financial and budgetary information needs of the Congress, executive agencies, and other users of federal financial information and comments from the public. FASAB forwards the standards to the three Sponsors--the Comptroller General, the Secretary of the Treasury, and the Director of OMB--for a 90-day review. If there are no objections during the review period, the standards are considered final and FASAB publishes them on its Web site and in print.

The American Institute of Certified Public Accountants has recognized the federal accounting standards promulgated by FASAB as generally accepted accounting principles for the federal government. This recognition enhances the acceptability of the standards, which form the foundation for preparing consistent and meaningful financial statements both for individual agencies and the government as a whole.
Currently, there are 25 Statements of Federal Financial Accounting Standards (SFFAS) and 4 Statements of Federal Financial Accounting Concepts (SFFAC).[Footnote 64] The concepts and standards are the basis for OMB's guidance to agencies on the form and content of their financial statements and for the government's consolidated financial statements. Appendix III lists the concepts, standards, and interpretations[Footnote 65] along with their respective effective dates.

FASAB's Accounting and Auditing Policy Committee (AAPC)[Footnote 66] assists in resolving issues related to the implementation of accounting standards. AAPC's efforts result in guidance for preparers and auditors of federal financial statements in connection with implementation of accounting standards and the reporting and auditing requirements contained in OMB's Form and Content of Agency's Financial Statements Bulletin and Audit Requirements for Federal Financial Statements Bulletin. To date, AAPC has issued six technical releases, which are listed in appendix IV along with their release dates.

U.S. Government Standard General Ledger:

The U.S. Government Standard General Ledger (SGL) was established by an interagency task force under the direction of OMB and mandated for use by agencies in OMB and Department of the Treasury regulations in 1986. The SGL promotes consistency in financial transaction processing and reporting by providing a uniform chart of accounts and pro forma transactions used to standardize federal agencies' financial information accumulation and processing throughout the year; enhance financial control; and support budget and external reporting, including financial statement preparation. For example, agency use of the SGL accounts and OMB's new intergovernmental business rules for standardizing intragovernmental activity and balances are key to removing one of the material weaknesses that GAO has reported on the governmentwide consolidated statements since fiscal year 1997.
The SGL is intended to improve data stewardship throughout the federal government, enabling consistent reporting at all levels within the agencies and providing comparable data and financial analysis governmentwide.[Footnote 67]

Internal Control Standards:

The Congress enacted legislation, 31 U.S.C. 3512(c),(d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982 (FIA)), to strengthen internal controls and accounting systems throughout the federal government, among other purposes. Issued pursuant to FIA, the Comptroller General's Standards for Internal Control in the Federal Government[Footnote 68] provides standards directed at helping agency managers implement effective internal control, an integral part of improving financial management systems. Internal control is a major part of managing an organization and comprises the plans, methods, and procedures used to meet missions, goals, and objectives. In summary, internal control, which under OMB's guidance for FIA is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources.

Effective internal control also helps in managing change to cope with shifting environments and evolving demands and priorities. As programs change and agencies strive to improve operational processes and implement new technological developments, management must continually assess and evaluate its internal control to ensure that the control objectives are being achieved.

[End of section]

Appendix II: Publications in the Federal Financial Management Systems Requirements Series:

FFMSR document: FFMSR-8 Systems Requirements for Managerial Cost Accounting; Issue date: February 1998.
FFMSR document: JFMIP-SR-99-5 Human Resources & Payroll Systems Requirements; Issue date: April 1999.
FFMSR document: JFMIP-SR-99-8 Direct Loan System Requirements; Issue date: June 1999.
FFMSR document: JFMIP-SR-99-9 Travel System Requirements; Issue date: July 1999.
FFMSR document: JFMIP-SR-99-14 Seized Property and Forfeited Asset Systems Requirements; Issue date: December 1999.
FFMSR document: JFMIP-SR-00-01 Guaranteed Loan System Requirements; Issue date: March 2000.
FFMSR document: JFMIP-SR-00-3 Grant Financial System Requirements; Issue date: June 2000.
FFMSR document: JFMIP-SR-00-4 Property Management Systems Requirements; Issue date: October 2000.
FFMSR document: JFMIP-SR-01-01 Benefit System Requirements; Issue date: September 2001.
FFMSR document: JFMIP-SR-02-01 Core Financial System Requirements; Issue date: November 2001.
FFMSR document: JFMIP-SR-02-02 Acquisition/Financial Systems Interface Requirements; Issue date: June 2002.
FFMSR document: JFMIP-SR-03-01 Revenue System Requirements; Issue date: January 2003.
FFMSR document: JFMIP-SR-03-02 Inventory, Supplies and Materials System Requirements; Issue date: August 2003.
FFMSR document: JFMIP-SR-02-01 Addendum to Core Financial System Requirements; Issue date: March 2004.
FFMSR document: JFMIP-SR-01-04 Framework for Federal Financial Management Systems; Issue date: April 2004.

Source: JFMIP.

[End of table]

[End of section]

Appendix III: Statements of Federal Financial Accounting Concepts, Statements of Federal Financial Accounting Standards, and Interpretations:

Concepts: SFFAC No. 1 Objectives of Federal Financial Reporting.
Concepts: SFFAC No. 2 Entity and Display.
Concepts: SFFAC No. 3 Management's Discussion and Analysis.
Concepts: SFFAC No. 4 Intended Audience and Qualitative Characteristics for the Consolidated Financial Report of the United States Government.
Standards: SFFAS No. 1 Accounting for Selected Assets and Liabilities; Effective for fiscal year[A]: 1994.
Standards: SFFAS No. 2 Accounting for Direct Loans and Loan Guarantees; Effective for fiscal year[A]: 1994.
Standards: SFFAS No. 3 Accounting for Inventory and Related Property; Effective for fiscal year[A]: 1994.
Standards: SFFAS No. 4 Managerial Cost Accounting Concepts and Standards; Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 5 Accounting for Liabilities of the Federal Government; Effective for fiscal year[A]: 1997.
Standards: SFFAS No. 6 Accounting for Property, Plant, and Equipment; Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 7 Accounting for Revenue and Other Financing Sources; Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 8 Supplementary Stewardship Reporting; Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 9 Deferral of the Effective Date of Managerial Cost Accounting Standards for the Federal Government in SFFAS No. 4; Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 10 Accounting for Internal Use Software; Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 11 Amendments to Accounting for Property, Plant, and Equipment--Definitional Changes; Effective for fiscal year[A]: 1999.
Standards: SFFAS No. 12 Recognition of Contingent Liabilities Arising from Litigation: An Amendment of SFFAS No. 5, Accounting for Liabilities of the Federal Government; Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 13 Deferral of Paragraph 65-2--Material Revenue-Related Transactions Disclosures; Effective for fiscal year[A]: 1999.
Standards: SFFAS No. 14 Amendments to Deferred Maintenance Reporting; Effective for fiscal year[A]: 1999.
Standards: SFFAS No. 15 Management's Discussion and Analysis; Effective for fiscal year[A]: 2000.
Standards: SFFAS No. 16 Amendments to Accounting for Property, Plant, and Equipment; Effective for fiscal year[A]: 2000.
Standards: SFFAS No. 17 Accounting for Social Insurance; Effective for fiscal year[A]: 2000.
Standards: SFFAS No. 18 Amendments to Accounting Standards for Direct Loans and Loan Guarantees in SFFAS No. 2; Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 19 Technical Amendments to Accounting Standards for Direct Loans and Loan Guarantees in SFFAS No.
2; Effective for fiscal year[A]: 2003.
Standards: SFFAS No. 20 Elimination of Certain Disclosures Related to Tax Revenue Transactions by the Internal Revenue Service, Customs, and Others; Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 21 Reporting Corrections of Errors and Changes in Accounting Principles; Effective for fiscal year[A]: 2002.
Standards: SFFAS No. 22 Change in Certain Requirements for Reconciling Obligations and Net Cost of Operations; Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 23 Eliminating the Category National Defense Property, Plant, and Equipment; Effective for fiscal year[A]: 2003.
Standards: SFFAS No. 24 Selected Standards for the Consolidated Financial Report of the United States Government; Effective for fiscal year[A]: 2002.
Standards: SFFAS No. 25 Reclassification of Stewardship Responsibilities and Eliminating the Current Services Assessment; Effective for fiscal year[A]: 2005.
Interpretations: No. 1 Reporting on Indian Trust Funds.
Interpretations: No. 2 Accounting for Treasury Judgment Fund Transactions.
Interpretations: No. 3 Measurement Date for Pension and Retirement Health Care Liabilities.
Interpretations: No. 4 Accounting for Pension Payments in Excess of Pension Expense.
Interpretations: No. 5 Recognition by Recipient Entities of Receivable Nonexchange Revenue.
Interpretations: No. 6 Accounting for Imputed Intra-departmental Costs.

Source: FASAB.

[A] Effective dates do not apply to Statements of Federal Financial Accounting Concepts and Interpretations.

[End of table]

[End of section]

Appendix IV: AAPC Technical Releases:

Technical release: TR-1 Audit Legal Letter Guidance; AAPC release date: March 1, 1998.
Technical release: TR-2 Environmental Liabilities Guidance; AAPC release date: March 15, 1998.
Technical release: TR-3 Preparing and Auditing Direct Loan and Loan Guarantee Subsidies Under the Federal Credit Reform Act; AAPC release date: July 31, 1999.
Technical release: TR-4 Reporting on Non-Valued Seized and Forfeited Property; AAPC release date: July 31, 1999.
Technical release: TR-5 Implementation Guidance on SFFAS No. 10: Accounting for Internal Use Software; AAPC release date: May 14, 2001.
Technical release: TR-6 Preparing Estimates for Direct Loan and Loan Guarantee Subsidies Under the Federal Credit Reform Act (Amendments to TR-3); AAPC release date: January 2004.

Source: FASAB.

[End of table]

[End of section]

Appendix V: Checklists for Reviewing Systems under the Federal Financial Management Improvement Act:

Checklist: GAO/AIMD-00-21.2.3 Human Resources and Payroll Systems Requirements; Issue date: March 2000.
Checklist: GAO-01-99G Seized Property and Forfeited Assets Systems Requirements; Issue date: October 2000.
Checklist: GAO/AIMD-21.2.6 Direct Loan System Requirements; Issue date: April 2000.
Checklist: GAO/AIMD-21.2.8 Travel System Requirements; Issue date: May 2000.
Checklist: GAO/AIMD-99-21.2.9 System Requirements for Managerial Cost Accounting; Issue date: January 1999.
Checklist: GAO-01-371G Guaranteed Loan System Requirements; Issue date: March 2001.
Checklist: GAO-01-911G Grant Financial System Requirements; Issue date: September 2001.
Checklist: GAO-02-171G Property Management Systems Requirements; Issue date: December 2001.
Checklist: GAO-04-22G Benefit System Requirements; Issue date: October 2003.
Checklist: GAO-04-650G Acquisition/Financial Systems Interface Requirements; Issue date: June 2004.
Checklist: GAO-04-763G Core Financial System Requirements (Exposure Draft); Issue date: July 2004.

Source: GAO.

[End of table]

[End of section]

Appendix VI: Comments from the Office of Management and Budget:

EXECUTIVE OFFICE OF THE PRESIDENT:
OFFICE OF MANAGEMENT AND BUDGET:
WASHINGTON, D.C. 20503:

THE CONTROLLER:

SEP 24 2004:

Ms. Sally E. Thompson:
Director, Financial Management and Assurance:
United States Government Accountability Office:
Washington, DC 20548:

Dear Ms.
Thompson:

Thank you for the opportunity to comment on the GAO draft report entitled "Financial Management: Improved Financial Systems are Key to FFMIA Compliance." Overall, OMB agrees with your assessment that many Federal agencies continue to make progress implementing the Federal Financial Management Improvement Act (FFMIA). We also agree that agencies have a long way to go before Federal managers begin receiving the financial information they need to efficiently and effectively manage day-to-day operations. Indeed, our common goal goes far beyond attaining unqualified opinions on agency financial statements. We are both striving for the creation and use - for both government managers and the taxpayer - of reliable, useful and timely management information.

Nevertheless, Federal agencies have continued to show significantly improved financial performance: most agencies are filing quarterly and annual financial statements on a timely basis; financial statement quality is improving as most agencies receive unqualified audit opinions; long-standing material weaknesses are being resolved; and monthly financial performance metrics for managing activities are in widespread use.

We believe a major factor in bringing about the financial improvements at Federal agencies has been the framework of performance standards we established under the President's Management Agenda. The processes used in evaluating agencies against these standards can also provide a robust corroborative mechanism in evaluating compliance with the FFMIA. They are more than an alternate route to substantial compliance - they greatly buttress the already thorough audit processes currently in use. When used in combination with information provided by an agency's auditors, an accurate assessment of substantial compliance can be attained. Accordingly, as we indicated in our comments on last year's draft
report, OMB believes that the addition of a statement of positive assurance on FFMIA compliance would not be beneficial.

The draft report also recommends that OMB explore clarifying the definition of "substantial compliance." We believe that our growing experience helping agencies implement the high standards incorporated in the President's Management Agenda will enable us to further refine the existing FFMIA indicators associated with substantial compliance. As such, we will consider this recommendation, as appropriate, in any future policy and guidance updates.

We appreciate the opportunity to comment on the draft report and look forward to continue working with GAO in improving Federal financial management systems. If you have any questions please feel free to contact David Alekson, Financial Systems Branch at 202.395.5642.

Sincerely,

Signed by:

Linda M. Springer:
Controller:

[End of section]

Appendix VII: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Sally E. Thompson, (202) 512-2600
Kay L. Daly, (202) 512-9312

Acknowledgments:

In addition to those named above, Alberto Garza, Lisa M. Knight, Michael S. LaForge, W. Stephen Lowrey, Gina K. Ross, Sandra S. Silzer, and Bryan D. Weisbard made key contributions to this report.

(193054):

FOOTNOTES

[1] Pub. L. No. 101-576, 104 Stat. 2838 (1990).
[2] Federal Financial Management Improvement Act of 1996, Pub. L. No. 104-208, div. A., § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996).
[3] There were initially 24 CFO Act agencies. (See Pub. L. No. 101-576, §205, 104 Stat. 2838, 2842-43 (1990)). The Federal Emergency Management Agency, one of the 24 CFO Act agencies, was subsequently transferred to the new Department of Homeland Security (DHS) created effective March 1, 2003. DHS must prepare audited financial statements under the Accountability of Tax Dollars Act of 2002 (Pub. L. No. 107-289, 116 Stat. 2049 (Nov. 7, 2002)).
However, DHS was not established as a CFO Act agency and therefore is not subject to FFMIA. Consideration is now being given by each house of Congress to adding DHS to the list of CFO Act agencies in the Department of Homeland Security Financial Accountability Act, H.R. 4259 and S. 1567, 108th Congress.
[4] The Department of Commerce (Commerce), the Department of Energy (Energy), the Environmental Protection Agency (EPA), the National Science Foundation (NSF), the Nuclear Regulatory Commission (NRC), and the Social Security Administration (SSA).
[5] U.S. Department of Veterans Affairs, Office of Inspector General, Issues at VA Medical Center Bay Pines, Florida and Procurement and Deployment of the Core Financial and Logistics System (CoreFLS), 04-01371-177 (Washington, D.C.: August 2004).
[6] GAO, DOD Business Systems Modernization: Billions Continue to Be Invested with Inadequate Management Oversight and Accountability, GAO-04-615 (Washington, D.C.: May 27, 2004).
[7] GAO, Financial Management Systems: Lack of Disciplined Processes Puts Implementation of HHS' Financial System at Risk, GAO-04-1008 (Washington, D.C.: Sept. 23, 2004).
[8] GAO, Business Modernization: Improvements Needed in Management of NASA's Integrated Financial Management Program, GAO-03-507 (Washington, D.C.: Apr. 30, 2003); Information Technology: Architecture Needed to Guide NASA's Financial Management Modernization, GAO-04-43 (Washington, D.C.: Nov. 21, 2003); Business Modernization: Disciplined Processes Needed to Better Manage NASA's Integrated Financial Management Program, GAO-04-118 (Washington, D.C.: Nov. 21, 2003); Business Modernization: NASA's Integrated Financial Management Program Does Not Fully Address Agency's External Report Issues, GAO-04-151 (Washington, D.C.: Nov. 21, 2003); Business Modernization: NASA's Challenges in Managing Its Integrated Financial Management Program, GAO-04-255 (Washington, D.C.: Nov.
21, 2003); and National Aeronautics and Space Administration: Significant Actions Needed to Address Long-standing Financial Management Problems, GAO-04-754T (Washington, D.C.: May 19, 2004).
[9] GAO, Financial Management: FFMIA Implementation Critical for Federal Accountability, GAO-02-29 (Washington, D.C.: Oct. 1, 2001); Financial Management: FFMIA Implementation Necessary to Achieve Accountability, GAO-03-31 (Washington, D.C.: Oct. 1, 2002); and Financial Management: Sustained Efforts Needed to Achieve FFMIA Accountability, GAO-03-1062 (Washington, D.C.: Sept. 30, 2003).
[10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993).
[11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994).
[12] Pub. L. No. 104-106, div. E, 110 Stat. 186, 679 (Feb. 10, 1996).
[13] The Accountability of Tax Dollars Act of 2002 extends the requirement to prepare and submit audited financial statements to most executive agencies not subject to the CFO Act unless they are exempted by OMB. However, these agencies are not required to have systems that are compliant with FFMIA.
[14] The American Institute of Certified Public Accountants recognizes the federal accounting standards promulgated by the Federal Accounting Standards Advisory Board as generally accepted accounting principles. For a further description of federal accounting standards, see app. I.
[15] The SGL provides a standard chart of accounts and standardized transactions that agencies are to use in all their financial systems.
[16] These five crosscutting initiatives are (1) improved financial performance, (2) strategic human capital management, (3) competitive sourcing, (4) expanded electronic government, and (5) budget and performance integration.
[17] The authority for the creation of JFMIP is statutorily based. See the Budget and Accounting Procedures Act of 1950, now codified at 31 U.S.C. 3511(d).
[18] See app. III for the systems requirements documents issued to date.
[19] GAO/PCIE, Financial Audit Manual, GAO-01-765G (Washington, D.C.: July 2004).
[20] GAO-01-765G, sections 701, 701A, 701B, and 260.58-.60.
[21] Of these 17 agencies, systems for 8 agencies were reported not to be in substantial compliance with all three FFMIA requirements.
[22] GAO, Financial Management: Department of Homeland Security Faces Significant Financial Management Challenges, GAO-04-774 (Washington, D.C.: July 19, 2004).
[23] OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements (Oct. 16, 2000).
[24] GAO-02-29, GAO-03-31, and GAO-03-1062.
[25] A final rule issued by the Securities and Exchange Commission that took effect in August 2003 provides guidance for implementations of Sections 302, 404, and 906 of the Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, §§302, 404, 906 116 Stat. 745, 777, 789, 806 (July 30, 2002)), which requires publicly traded companies to establish and maintain an adequate internal control structure and procedures for financial reporting and include in the annual report a statement of management's responsibility for and assessment of the effectiveness of those controls and procedures in accordance with standards adopted by the Securities and Exchange Commission.
[26] GAO-02-29.
[27] GAO-02-29 and GAO-03-31.
[28] Federal financial system requirements define an integrated financial system as one that coordinates a number of previously unconnected functions to improve overall efficiency and control. Characteristics of such a system include (1) standard data classifications for recording financial events, (2) common processes for processing similar transactions, (3) consistent control over data entry, transaction processing, and reporting, and (4) a system design that eliminates unnecessary duplication of transaction entry.
[29] In our October 2003 FFMIA report, we stated that auditors had discussed problems relating to nonintegrated financial management systems at 12 agencies.
As part of our analysis of the most recent reports, it became apparent that the auditors for 1 additional agency concluded that nonintegrated systems were a factor contributing to its financial reporting difficulties for fiscal year 2002. Therefore, the revised number of agencies with nonintegrated systems for fiscal year 2002 is 13.
[30] GAO, Financial Audit: IRS's Fiscal Years 2003 and 2002 Financial Statements, GAO-04-126 (Washington, D.C.: Nov. 13, 2003).
[31] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[32] Agencies record their budget spending authorizations in their fund balance with Treasury accounts. Agencies increase or decrease these accounts as they collect or disburse funds.
[33] PSC is an administrative office that provides program support services to HHS components and other federal agencies through fee-for-service. PSC's major business lines include financial management and administrative operations.
[34] The PSC CORE Accounting system is the nucleus of PSC's accounting operations and accepts and processes data supplied by 8 of the 12 HHS agencies as well as from Payroll, Travel, and Payment Management Systems.
[35] USAID's ARS obtains obligation and contract data and uses this information to calculate estimated quarterly expenses against individual contracts, grants, or obligation line items.
[36] GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: January 2003).
[37] Pub. L. 107-347, title III, §301, 116 Stat. 2899, 2946-2961 (December 17, 2002).
[38] GAO, Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements, GAO-04-483T (Washington, D.C.: Mar. 16, 2004).
[39] GAO-03-1062.
[40] The PMO, which is managed by JFMIP's Executive Director, with funds provided by the CFO Council agencies, tests vendor COTS packages and certifies that they meet certain financial management system requirements for core financial systems.
[41] GAO-03-1062.
[42] SEI is a federally funded research and development center operated by Carnegie Mellon University and sponsored by DOD. The SEI objective is to provide leadership in software engineering and in the transition of new software engineering technology into practice.
[43] IEEE develops standards for a broad range of global industries, including the information technology and information assurance industries.
[44] Steve McConnell, Rapid Development: Taming Wild Software Schedules (Redmond, Wash.: Microsoft Press, 1996).
[45] GAO-04-615.
[46] Business systems include those that are used to support civilian and military personnel, finance, logistics, procurement, and transportation.
[47] GAO-04-1008.
[48] GAO-03-507, GAO-04-43, GAO-04-118, GAO-04-151, GAO-04-255, and GAO-04-754T.
[49] GAO-04-615.
[50] See GAO, Department of Defense: Long-standing Problems Continue to Impede Financial and Business Management Transformation, GAO-04-907T (Washington, D.C.: July 7, 2004).
[51] NIH and CMS have efforts under way to replace their financial systems that are expected to be fully implemented in 2006 and 2007, respectively.
[52] GAO-04-1008.
[53] GAO-03-507, GAO-04-43, GAO-04-118, GAO-04-151, GAO-04-255, and GAO-04-754T.
[54] GAO, Fiscal Year 2003 U.S. Government Financial Statements: Sustained Improvement in Federal Financial Management Is Crucial to Addressing Our Nation's Future Fiscal Challenges, GAO-04-477T (Washington, D.C.: Mar. 3, 2004).
[55] E-gov is a PMA initiative. OMB has selected 25 presidential e-gov efforts that focus on a wide variety of services, aiming to simplify and unify agency work processes and information flows, provide one-stop services to citizens, and enable information to be collected online once and reused rather than being collected many times.
[56] GAO, Human Capital: Key Principles for Effective Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 2003).
[57] GAO, Executive Guide: Creating Value Through World-class Financial Management, GAO/AIMD-00-134 (Washington, D.C.: April 2000).
[58] GAO-02-29 and GAO-03-31.
[59] GAO-02-29 and GAO-03-31.
[60] Core financial systems, as defined by the Program Management Office, include those systems for managing general ledger, funding, payments, receivables, and certain basic cost functions.
[61] Examples of administrative systems include budget, acquisition, travel, property, and human resources and payroll.
[62] OMB Circular No. A-127 references the series of publications called FFMSRs, issued by PMO, as the primary source of governmentwide requirements for financial management systems.
[63] In October 1990, the Secretary of the Treasury, the Director of OMB, and the Comptroller General established FASAB to develop a set of generally accepted accounting standards for the federal government. Effective October 1, 2003, FASAB consists of six nonfederal or public members, one member from the Congressional Budget Office, and the three Sponsors.
[64] Accounting standards are authoritative statements of how particular types of transactions and other events should be reflected in financial statements. SFFACs explain the objectives and ideas upon which FASAB develops the standards.
[65] An interpretation is a document of narrow scope that provides clarifications of original meaning, additional definitions, or other guidance pertaining to an existing federal accounting standard.
[66] In 1997, FASAB, in conjunction with OMB, Treasury, GAO, the CFO Council, and the President's Council on Integrity and Efficiency, established AAPC to assist the federal government in improving financial reporting.
[67] SGL guidance is published in the Treasury Financial Manual. Treasury's Financial Management Service is responsible for maintaining the SGL and answering agency inquiries.
[68] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3 (Washington, D.C.: November 1999).