Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: "Financial systems"

    11 publications with a total of 50 open recommendations
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lawrance L. Evans, Jr.
    Phone: (202) 512-8678

    17 open recommendations
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help provide stronger incentives for companies to perform company-run stress tests in a manner consistent with Federal Reserve goals, the Federal Reserve should remove company-run stress tests from the CCAR quantitative assessment.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose additional information that would allow for a better understanding of the methodology for completing qualitative assessments, such as the role of ratings and rankings and the extent to which they affect final determination decisions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should, for future determinations to object or conditionally not object to a company's capital plan on qualitative grounds, disclose additional information about the reasons for the determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose, on a periodic basis, information on capital planning practices observed during CCAR qualitative assessments, including practices the Federal Reserve considers stronger or leading practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should improve policies for official responses to CCAR companies by establishing procedures for notifying companies about time frames relating to Federal Reserve responses to company inquiries.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by establishing a process to facilitate proactive consideration of levels of severity that may fall outside U.S. postwar historical experience.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by expanding consideration of the trade-offs associated with different degrees of severity.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve understanding of the range of potential crises against which the banking system would be resilient and the outcomes that might result from different scenarios, the Federal Reserve should assess whether a single severe supervisory scenario is sufficient to inform CCAR decisions and promote the resilience of the banking system. Such an assessment could include conducting sensitivity analysis involving multiple severe supervisory scenarios--potentially using CCAR data for a cycle that is already complete, to avoid concerns about tailoring the scenario to achieve a particular outcome.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that Federal Reserve stress tests do not amplify future economic cycles, the Federal Reserve should develop a process to test its proposed severely adverse scenario for procyclicality annually before finalizing and publicly releasing the supervisory scenarios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should apply its model development principles to the combined system of models used in the supervisory stress tests.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should create an appropriate set of system-level model documentation, including an overview of how component models interact and key assumptions made in the design of model interactions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to test and document the sensitivity and uncertainty of the model system's output--the post-stress capital ratios used to make CCAR quantitative assessment determinations--including, at a minimum, the cumulative uncertainty surrounding the capital ratios and their sensitivity to key model parameters, specifications, and assumptions from across the system of models.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to communicate information about the range and sources of uncertainty surrounding the post-stress capital ratio estimates to the Board during CCAR deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process for the Board and senior staff to articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    4 open recommendations
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to define a high-level depiction of the IT systems anticipated in the future state, a description of the operations that must be performed and who must perform them, and an explanation of where and how the operations are to be carried out.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In May 2017, HUD's Deputy Chief Information Officer reported that the office was managing multiple enterprise-level initiatives no longer classified as financial management modernization efforts, but which are intended to address certain previously reported financial systems modernization needs. The department provided early high-level requirements and a solution architecture for one such initiative, including a future requirement to support data required for HUD's financial reporting needs from Treasury. However, HUD does not yet have a plan to develop a high-level concept of operations for IT systems anticipated in the future state. We intend to follow up on HUD's actions.
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to develop comprehensive plans for scope, schedule and cost.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In May 2017, the department provided an early project oversight plan and critical task schedule for one initiative related to enterprise data management, but these plans are not comprehensive and do not include, among other things, detailed cost estimates. We intend to follow up on HUD's actions.
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to ensure requirements are fully documented and traceable.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported that the Chief Financial Officer and the Chief Information Officer intend to partner on future departmental financial management systems modernization efforts to fully document requirements and trace requirements to the functionality in the modernized system. In May 2017, department officials reported that the subsequent initiatives underway were following an Agile process yielding product-release backlogs as documentation of requirements for ongoing initiatives. They provided the initial backlog for an enterprise data management initiative. However, HUD could not demonstrate that these requirements were complete and traceable to mission needs. We intend to follow up on HUD's actions.
    Recommendation: The Secretary of HUD should also direct the Deputy Secretary to ensure that the Chief Information Officer takes action to improve IT governance control activities used for monitoring programs and identifying needed corrective actions, and strengthen investment oversight by improving coordination with stakeholders and alignment among IT modernization efforts.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported on its fiscal year 2016 updates to charters of its IT governance boards, which provide oversight of all its IT investments, including financial management initiatives, and noted that business cases for proposed development and modernization initiatives had been discussed at governance meetings. HUD also reported that it had set up steering committees to supplement board governance and monitoring two enterprise-level modernization efforts and planned to apply mechanisms, such as project health assessments, intended to establish effective investment oversight. However, HUD has not yet demonstrated that the updated governance control activities have improved program monitoring and identified any needed corrective actions or that planned oversight mechanisms have improved coordination with stakeholders or alignment of modernization efforts. We intend to follow up on HUD's actions to ensure that planned improvements to governance and oversight mechanisms are effectively implemented and institutionalized.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    4 open recommendations
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document artifacts that support recommendation closure consistent with SEC policy.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to document a comprehensive physical inventory of the systems and applications in the production environment.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to provide personnel appropriate access to continuous monitoring reports and tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To more effectively manage its information security program, the Chair should direct the Chief Information Officer to institute a process and assign the necessary personnel to review information produced by the vulnerability scanning tools to monitor, evaluate, and remedy identified weaknesses.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In its response to our draft report, SEC concurred with the recommendation. However, SEC has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Lawrance Evans, Jr.
    Phone: (202) 512-8678

    6 open recommendations
    Recommendation: Congress should consider whether additional changes to the financial regulatory structure are needed to reduce or better manage fragmentation and overlap in the oversight of financial institutions and activities to improve (1) the efficiency and effectiveness of oversight; (2) the consistency of consumer and investor protections; and (3) the consistency of financial oversight for similar institutions, products, risks, and services. For example, Congress could consider consolidating the number of federal agencies involved in overseeing the safety and soundness of depository institutions, combining the entities involved in overseeing the securities and derivatives markets, transferring the remaining prudential regulators' consumer protection authorities over large depository institutions to the Consumer Financial Protection Bureau, and the optimal role for the federal government in insurance regulation, among other considerations.

    Agency: Congress
    Status: Open

    Comments: One bill has been introduced in the 115th Congress that would change the financial regulatory structure to address fragmented and overlapping regulatory authorities among agencies, as GAO suggested in February 2016. H.R. 594 was introduced on January 20, 2017, and calls for the functions of the Commodity Futures Trading Commission and the Securities and Exchange Commission to be combined in a single independent regulatory commission. Such an action could help to address fragmentation and overlap between the two agencies, and reduce opportunities for inefficiencies in the regulatory process and inconsistencies in how regulators conduct oversight activities over similar types of institutions, products, and risks.
    Recommendation: Congress should consider whether legislative changes are necessary to align FSOC's authorities with its mission to respond to systemic risks. Congress could do so by making changes to FSOC's mission, its authorities, or both, or to the missions and authorities of one or more of the FSOC member agencies to support a stronger link between the responsibility and capacity to respond to systemic risks. In doing so, Congress could solicit information from FSOC on the effective scope of its collective designation authorities, including any gaps.

    Agency: Congress
    Status: Open

    Comments: No legislative action identified. As of March 1, 2017, no legislation had been introduced that would align FSOC's authorities with its mission to respond to systemic risks, as GAO suggested in February 2016. Without such legislative changes, FSOC may lack the tools it needs to comprehensively address systemic risks that may emerge, and a gap will continue to exist in the post Dodd-Frank Wall Street Reform and Consumer Protection Act mechanisms for the mitigation of systemic risks.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, as OFR develops and refines its financial stability monitoring tools, it should work with FSOC to determine ways in which to fully and regularly incorporate current and future monitors and assessments into Systemic Risk Committee deliberations, including, where relevant, those that present disaggregated or otherwise confidential supervisory information.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: At the FSOC Systemic Risk Committee meeting held in December 2016, Treasury indicated that Office of Financial Research staff presented on the agency's Financial Stability Report. Officials indicated that they provided an assessment on potential financial stability risks, including macroeconomic, market, credit, funding and liquidity, and contagion risks. Systemic Risk Committee meeting attendees were able to compare and contrast these with the results from the Federal Reserve's systemic risk monitoring activities, which were also presented at the meeting. Office of Financial Research officials stated that there was general consensus at the meeting that these discussions were useful and that they should continue. GAO does not believe that this action is consistent with the intent of its February 2016 recommendation to fully and regularly incorporate current and future monitors and assessments into FSOC's Systemic Risk Committee deliberations. While GAO encourages sharing this type of information, the Office of Financial Research's Financial Stability Report is a publicly-available report. The intent of GAO's recommendation was to encourage the agency to fully incorporate all of its monitors into Systemic Risk Committee discussions, including its Financial Stability Monitor--its benchmark tool for assessing risks across the financial system. In addition, in its February 2016 report, GAO encouraged the agency to seek ways in which monitors that present disaggregated or otherwise confidential supervisory information can be incorporated in committee discussions. Without sharing such monitors and information, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether. The Financial CHOICE Act of 2016 was introduced in the 114th Congress. The act called for the Office of Financial Research to be eliminated. It was not passed before the end of the 114th Congress.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, the Federal Reserve should work with FSOC to regularly incorporate the comprehensive results of its systemic risk monitoring activities into Systemic Risk Committee deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, Federal Reserve officials indicated that they provided a presentation to FSOC's Systemic Risk Committee in December 2016, which included comprehensive results from its systemic risk monitoring activities. This action appears to be consistent with GAO's February 2016 recommendation, but the documentation provided by the Federal Reserve did not provide sufficient evidence that the agency has regularly incorporated these results into Systemic Risk Committee meetings. GAO will continue to monitor the Federal Reserve's participation in Systemic Risk Committee meetings to ensure that the agency continues to provide both regular and comprehensive results to the committee. Without better access to systemic risk monitoring tools and other outputs, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to establish and implement an improvement plan to guide the agency in adopting recognized best practices and following agency policy.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA developed a Strategic IT Roadmap to assist the agency's business and IT leadership in prioritizing IT investments. In addition, FSA stated that it will develop and document a comprehensive improvement plan that is to delineate tactical steps, timelines, and performance metrics to track incremental progress in adopting recognized best practices and program management capabilities. We will continue to monitor the agency's progress in documenting and implementing its improvement plan.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in developing and managing system requirements before proceeding with any further system development to deliver previously envisioned MIDAS functionality. Specifically, the Administrator should ensure that requirements are complete, unambiguous, and prioritized; commitment to requirements is obtained through a formal requirements baseline; differences (or gaps) between the requirements and capabilities of the intended solution (including commercial off-the-shelf solutions) are analyzed; strategies to address any gaps are developed; and requirements are traced forward and backward among development products.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA reported that it will improve the rigor and adherence to requirements management processes for all IT projects, utilizing processes and tools that will support the integrity of the requirements throughout the lifecycle, to ensure that requirements are complete, formally baselined, gaps are analyzed, and fully traceable forward and backward. FSA also noted that it is pursuing an enhanced, more comprehensive governance structure that will further support its commitment to increasing rigor and adherence to defined requirements management processes. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in planning and monitoring projects. Specifically, the Administrator should ensure that project plans include predefined expectations for cost, schedule, and deliverables before proceeding with any further system development; updates to the project plan are made through change control processes; and progress against the project plan, including work performed by contractors, is monitored.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA noted that it began an initiative to improve the agency's use of capital planning guidance from the Office of Management and Budget and would prepare corrective action plans to address identified weaknesses in fiscal year 2016. FSA also noted that it was conducting a series of training classes on capital planning and IT project management across the agency, developing a risk management program, and strengthening the use of earned value management. We will continue to monitor the agency's progress on its project planning efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in system testing. Specifically, the Administrator should establish well-defined test plans before proceeding with any further system development, and ensure that testing of (a) individual system components, (b) the integration of system components, and (c) the end-to-end system are conducted.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that going forward the agency will adhere to recognized best practices and agency policy in pursuing consistent or increased rigor around system testing. The agency noted that it plans to demonstrate that its testing capabilities are consistent and repeatable across all FSA IT projects. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in executive-level IT governance before proceeding with any further system development. Specifically, an executive-level governance board should (1) review and approve a comprehensive business case that includes a life cycle cost estimate, a cost-benefit analysis, and an analysis of alternatives for proposed solutions that are to provide former MIDAS requirements prior to their implementation; (2) ensure that any programs that are to accommodate former MIDAS requirements are fully implementing the IT program management disciplines and practices identified in this report; (3) conduct a post-implementation review and document lessons learned for the MIDAS investment; and (4) reassess the viability of the MIDAS technical solution before investing in further modernization technologies.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that, as part of its organizational transformation efforts, the CIO is evaluating its governance structure and updating the charter for the agency-wide IT investment review board with the support of the agency's Executive Leadership Council. FSA also noted that it will adhere to the department's governance framework and processes. We will continue to monitor the agency's implementation of these efforts and how they address our recommendation.
    Director: Lawrance L. Evans, Jr.
    Phone: (202) 512-8678

    5 open recommendations
    Recommendation: To improve FSOC's control activities and help ensure that it better manages its determination process and achieves intended results, the Secretary of the Treasury, in his capacity as the Chairperson of FSOC and in consultation with FSOC members, should systematically record the staff contributing to determination evaluations, and monitor such information to help assess the progress and efficiency of determination evaluations.

    Agency: Department of the Treasury: Financial Stability Oversight Council
    Status: Open

    Comments: FSOC has created a document to track agencies participating in evaluations and has said that it will record and monitor information as new companies are evaluated. Although FSOC has created a template to record agency participation, FSOC still needs to collect and monitor such information including information on the agency staff participating in determination evaluations.
    Recommendation: To enhance disclosure and strengthen transparency, the Secretary of the Treasury, in consultation with FSOC members, for future determinations, to the maximum extent possible, should include additional details in its public basis documentation about why FSOC determined that the company met one or both of the statutory determination standards. Specifically, in addition to identifying that the size, significance, or other attributes of the company's characteristics could pose a threat to U.S. financial stability, FSOC should explain--without revealing sensitive information--how it concluded that the characteristics were sufficiently large or significant enough, or had other attributes, to meet one or both of the statutory determination standards.

    Agency: Department of the Treasury: Financial Stability Oversight Council
    Status: Open

    Comments: FSOC stated that it intends to include more detail in its public basis document while meeting its legal obligations to protect confidential information. In February 2015, FSOC issued supplemental procedures for nonbank financial company designations that stated its commitment to continuing to set forth sufficient information in its public bases to provide the public with an understanding of the Council's analysis while protecting sensitive, confidential information submitted by the company to the Council. FSOC's public basis document for its most recent designation, issued on December 18, 2014, included additional information compared to prior basis documents. However, the recent basis document did not fully explain how FSOC concluded that the company's characteristics were sufficiently large or significant enough, or had other attributes, to meet a determination standard.
    Recommendation: To help ensure that FSOC is comprehensively identifying and considering companies, the Secretary of the Treasury, in consultation with FSOC members, should establish procedures to evaluate companies in Stage 2 and Stage 3 under both statutory determination standards when an evaluation in either stage concludes that a company does not meet one of the standards, or document--on a company-specific or more general basis--why the second determination standard is not relevant for determination evaluations.

    Agency: Department of the Treasury: Financial Stability Oversight Council
    Status: Open

    Comments: FSOC conducted a review of its nonbank designation procedures, including consideration of this recommendation, which resulted in issuance of supplemental procedures in February 2015. FSOC stated that it has not adopted formal changes to implement this recommendation but noted that the Council will continue to work to identify and evaluate potential changes to its practices and procedures and will revisit this recommendation in mid-2016.
    Recommendation: To help ensure that FSOC is comprehensively identifying and considering companies, the Secretary of the Treasury, in consultation with FSOC members, should develop a process to collect information necessary for Stage 1 analysis, as appropriate, from certain nonbank financial companies for which public or regulatory information is otherwise unavailable. For example, FSOC could have companies for which such information is unavailable and that meet certain characteristics (such as quantitative thresholds similar to those used in Stage 1) report necessary information to the Office of Financial Research.

    Agency: Department of the Treasury: Financial Stability Oversight Council
    Status: Open

    Comments: FSOC staff are currently reviewing potential ways to supplement the existing public and regulatory information available to identify companies for evaluation in Stage 1. FSOC stated that it will revisit this recommendation in mid-2016.
    Recommendation: To improve FSOC's control activities and help ensure that it better manages its determination process and achieves intended results, the Secretary of the Treasury, in his capacity as the Chairperson of FSOC and in consultation with FSOC members, should systematically record the dates of key process steps.

    Agency: Department of the Treasury: Financial Stability Oversight Council
    Status: Open

    Comments: FSOC has created a document to centrally track key dates in each evaluation and has said that it will record and monitor the information as new companies are evaluated. However, FSOC has not yet recorded these dates in the document that it has created for this purpose.
    Director: Beryl H. Davis
    Phone: (202) 512-2623

    2 open recommendations
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare and Medicaid Services to develop and implement policies and procedures for responding to nonroutine CCIIO-related financial management information requests, including procedures for documenting the preparation process and the review and approval of the results.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) disagreed with this recommendation. HHS management indicated that it has up-to-date and clearly documented standard operating procedures (SOP) for its normal day-to-day work processes, and did not believe that non-standard data requests lend themselves to documented, standard SOPs. In May 2016, HHS indicated that its position on this issue has not changed. In June 2017, HHS indicated that its position on this issue has not changed. GAO believes the recommendation is still valid.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare and Medicaid Services to identify and evaluate options to facilitate more timely and independently verifiable reporting of CCIIO-related financial management information, such as enhancing Healthcare Integrated General Ledger Accounting System's standard reporting or custom reporting capabilities.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) disagreed with this recommendation. HHS indicated that it tracks appropriations in accordance with all relevant federal laws and regulations, and that the information was complete and verifiable. Federal accounting concepts and standards concerning managerial cost accounting allow flexibility for agency managers to develop costing methods that are best suited to their operational environment. HHS indicated that it would continue to evaluate options for enhancing the standard and/or custom reporting capabilities of its core financial system, the Health Integrated General Ledger System (HIGLAS). In May 2016, HHS indicated that its position on this issue has not changed. In June 2017, HHS indicated that its position on this issue has not changed. GAO believes the recommendation is still valid.
    Director: Dinapoli, Timothy J
    Phone: (202) 512-4841

    3 open recommendations
    Recommendation: To better position DOD to determine whether its actions have improved service acquisition, the Principal Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics, in consultation with the military departments' senior services managers, should identify baseline data on the status of service acquisition, in part, by using budget and spending data and leveraging its ongoing efforts to gauge the effects of its actions to improve service acquisition.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: DOD concurred with our recommendation and is in the process of developing baseline data on the current status of its service acquisitions. In July 2014, DOD issued its annual Performance of the Defense Acquisition report. For the first time, this report included information on its contracted services, such as obligations for each service portfolio group, competition rates, and small business participation information. DOD expects to develop service acquisition related goals and metrics in 2017 from which it can develop additional baseline data.
    Recommendation: To better position DOD to determine whether its actions have improved service acquisition, the Principal Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics, in consultation with the military departments' senior services managers, should develop specific goals associated with their actions to improve service acquisition.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: DOD concurred with our recommendation and is in the process of developing service acquisition goals and metrics as well as an action plan for improving service acquisition. As of February 2017, DOD began a review of internal guidance that will include an analysis of the roles, responsibilities, authorities, goals, metrics, and structure associated with managing service acquisitions.
    Recommendation: To better position DOD to determine whether its actions have improved service acquisition, the Principal Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics, in consultation with the military departments' senior services managers, should establish metrics to assess progress in meeting these goals.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: DOD concurred with our recommendation and is in the process of developing service acquisition goals and metrics as well as an action plan for improving service acquisition. As of February 2017, DOD began a review of internal guidance that will include an analysis of the roles, responsibilities, authorities, goals, metrics, and structure associated with managing service acquisitions.