This is the accessible text file for GAO report number GAO-05-20 
entitled 'Financial Management: Improved Financial Systems Are Key to 
FFMIA Compliance' which was released on October 01, 2004.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Committees:

October 2004:

FINANCIAL MANAGEMENT:

Improved Financial Systems Are Key to FFMIA Compliance:

GAO-05-20:

GAO Highlights:

Highlights of GAO-05-20, a report to the Senate Committee on 
Governmental Affairs and the House Committee on Government Reform.

Why GAO Did This Study:

The ability to produce the data needed to efficiently and effectively 
manage the day-to-day operations of the federal government and provide 
accountability to taxpayers has been a long-standing challenge to most 
federal agencies. To help address this challenge, the Federal Financial 
Management Improvement Act of 1996 (FFMIA) requires the 23 Chief 
Financial Officers Act agencies to implement and maintain financial 
management systems that comply substantially with (1) federal 
financial management systems requirements, (2) applicable federal 
accounting standards, and (3) the U.S. Government Standard General 
Ledger (SGL) at the transaction level. FFMIA also requires GAO to 
report annually on the implementation of the act.

What GAO Found:

Federal agencies continue to make progress in addressing their 
financial management weaknesses; however, for fiscal year 2003, 
auditors for 17 of the 23 CFO Act agencies still reported that 
agencies’ financial management systems failed to comply with FFMIA. 
The nature and severity of the reported problems indicate that 
generally agency management lacked the full range of reliable, useful, 
and timely information needed for accountability, performance 
reporting, and decision making. As shown in the figure below, six main 
types of problems related to agencies’ systems were consistently 
identified. 

Problems Reported by Auditors for Fiscal Years 2000 through 2003: 

[See PDF for image]

Note: Based on independent auditors’ reports for fiscal years 2000 –
2003, prepared by agency inspectors general and contract auditors.

[End of table]

As prescribed in OMB’s reporting guidance, auditors for six agencies 
provided negative assurance on agency systems’ FFMIA compliance for 
fiscal year 2003. This means that nothing came to their attention to 
indicate that financial management systems did not meet FFMIA 
requirements. GAO continues to believe that this type of reporting is 
not sufficient under the act and that report users may have the false 
impression that auditors have reported agency systems to be compliant.

To address problems such as nonintegrated systems, inadequate 
reconciliations, and lack of SGL compliance, agencies are implementing 
or upgrading financial management systems. Agencies anticipate the new 
systems will provide reliable, useful, and timely data to support 
managerial decision making. However, our work at DOD, HHS, and NASA 
has shown significant problems exist in implementing financial 
management systems and that agencies are not following the necessary 
disciplined processes for efficient and effective implementation of 
these systems. Disciplined processes have been shown to reduce the 
risks associated with software development and acquisition efforts to 
acceptable levels and are fundamental to successful system acquisition 
and implementation. Moreover, governmentwide initiatives to improve 
financial management systems can help enhance the government’s 
performance and services for citizens.

What GAO Recommends:

GAO reaffirms its prior recommendations that OMB revise its FFMIA 
audit guidance to:

(1) include a statement of positive assurance when reporting an 
agency’s systems to be in substantial compliance with FFMIA, and 
(2) clarify the definition of “substantial compliance” to promote 
consistent reporting of FFMIA compliance.

As in the past, OMB did not agree with our view on the need for 
auditors to provide positive assurance on FFMIA, but agreed to 
consider clarifying the definition of “substantial compliance” in 
future policy and guidance updates.

www.gao.gov/cgi-bin/getrpt?GAO-05-20.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Sally Thompson at (202) 
512-2600 or thompsons@gao.gov.

[End of section]

Contents:

Letter:

Results in Brief:

Background:

Scope and Methodology:

Continued Systems Weaknesses Impede Financial Management 
Accountability:

Agencies Struggle to Implement New Financial Systems:

Conclusions:

Agency Comments and Our Evaluation:

Appendixes:

Appendix I: Requirements and Standards Supporting Federal Financial 
Management:

Appendix II: Publications in the Federal Financial Management Systems 
Requirements Series:

Appendix III: Statements of Federal Financial Accounting Concepts, 
Statements of Federal Financial Accounting Standards, and 
Interpretations:

Appendix IV: AAPC Technical Releases:

Appendix V: Checklists for Reviewing Systems under the Federal 
Financial Management Improvement Act:

Appendix VI: Comments from the Office of Management and Budget:

Appendix VII: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Acknowledgments:

Table:

Table 1: PMO-Certified Core Financial Systems:

Figures:

Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through 
2003:

Figure 2: Pyramid to Accountability and Useful Management Information:

Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000 through 
2003:

Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through 
2003:

Figure 5: Agency Systems Architecture:

Abbreviations:

AAPC: Accounting and Auditing Policy Committee:

AID: Agency for International Development:

ARS: Accrual Reporting System:

BSM: Business Systems Modernization:

CDC: Centers for Disease Control and Prevention:

CFO: chief financial officer:

CMS: Centers for Medicare and Medicaid Services:

CoreFLS: Core Financial and Logistics System:

COTS: commercial off-the-shelf:

DHS: Department of Homeland Security:

DLA: Defense Logistics Agency:

DOD: Department of Defense:

EPA: Environmental Protection Agency:

FAM: GAO/PCIE Financial Audit Manual:

FASAB: Federal Accounting Standards Advisory Board:

FFMIA: Federal Financial Management Improvement Act:

FFMSR: Federal Financial Management System Requirements:

FIA: Federal Managers' Financial Integrity Act:

FISMA: Federal Information Security Management Act:

GSA: General Services Administration:

HHS: Department of Health and Human Services:

IEEE: Institute of Electrical and Electronic Engineers:

IFMP: Integrated Financial Management Program:

IRS: Internal Revenue Service:

JFMIP: Joint Financial Management Improvement Program:

LOB: Line of Business:

LMP: Logistics Modernization Program:

NASA: National Aeronautics and Space Administration:

NBRSS: NIH Business and Research Support System:

NIH: National Institutes of Health:

NRC: Nuclear Regulatory Commission:

NSF: National Science Foundation:

OIG: Office of Inspector General:

OMB: Office of Management and Budget:

OPM: Office of Personnel Management:

PART: Performance and Assessment Rating Tool:

PCIE: President's Council on Integrity and Efficiency:

PMA: President's Management Agenda:

PMO: Program Management Office:

SEI: Software Engineering Institute:

SFFAC: Statements of Federal Financial Accounting Concepts:

SFFAS: Statement of Federal Financial Accounting Standards:

SGL: U.S. Government Standard General Ledger:

SSA: Social Security Administration:

UFMS: Unified Financial Management System:

VA: Department of Veterans Affairs:

Letter October 1, 2004:

The Honorable Susan M. Collins:
Chairman: 
The Honorable Joseph I. Lieberman:
Ranking Minority Member: 
Committee on Governmental Affairs: 
United States Senate:

The Honorable Tom Davis: 
Chairman: 
The Honorable Henry A. Waxman: 
Ranking Minority Member: 
Committee on Government Reform: 
House of Representatives:

Many federal agencies still lack the ability to produce the data needed 
to efficiently and effectively manage day-to-day operations and provide 
an acceptable level of accountability to taxpayers. To address this 
long-standing weakness of the federal government, the Chief Financial 
Officers (CFO) Act of 1990[Footnote 1] designates executive branch 
officials with responsibility for the modernization of financial 
management systems, so that the systematic measurement of performance; 
the development of cost information; and the integration of program, 
budget, and financial information for management reporting can be 
achieved.

The Federal Financial Management Improvement Act of 1996[Footnote 2] 
(FFMIA) builds on the foundation laid by the CFO Act by reflecting the 
need for agencies to have systems that can generate reliable, useful, 
and timely information with which to make fully informed decisions and 
to ensure accountability on an ongoing basis. FFMIA requires the CFO 
Act agencies[Footnote 3] to implement and maintain financial management 
systems that comply substantially with (1) federal financial management 
systems requirements, (2) applicable federal accounting standards, and 
(3) the U.S. Government Standard General Ledger (SGL) at the 
transaction level. The act also requires auditors to state in their 
audit reports whether the agencies' financial management systems 
substantially comply with the act's requirements. Furthermore, we are 
required to report annually on the implementation of the act. This 
report, our eighth, discusses (1) the auditors' assessments of agency 
systems' compliance with FFMIA for fiscal year 2003 and the financial 
management systems problems that continue to affect systems' FFMIA 
compliance and (2) the challenges agencies have faced when implementing 
financial systems to help move toward FFMIA compliance.

We conducted our work from April through August 2004 in the Washington, 
D.C., area in accordance with U.S. generally accepted government 
auditing standards.

Results in Brief:

Although agencies continue to make some progress in addressing their 
financial management systems weaknesses, the fiscal year 2003 audit 
reports disclose that agencies' financial management systems continue 
to have serious deficiencies. As a result of these deficiencies, most 
agencies' financial management systems are still unable to routinely 
produce reliable, useful, and timely financial information. This 
weakness manifests itself by limiting the federal government's capacity 
to manage with timely and objective data, and thereby hampers its 
ability to effectively manage and oversee its major programs.

Auditors for 17 of the 23 CFO Act agencies reported that their 
agencies' financial management systems did not comply substantially 
with one or more of the three FFMIA requirements. Auditors' assessments 
for three agencies changed from fiscal year 2002 to 2003. For fiscal 
year 2003, auditors for the Department of Commerce were able to provide 
negative assurance due to the implementation of a new integrated 
financial management system and improvements in general information 
technology controls. Auditors at the Nuclear Regulatory Commission 
(NRC) were also able to provide negative assurance due to a redesign of 
the agency's cost accounting system and enhancement of the internal 
controls and operating procedures documentation. Systems of both 
agencies had been reported as lacking substantial compliance with FFMIA 
for fiscal year 2002. Conversely, auditors for the General Services 
Administration (GSA), which implemented a new financial management 
system in fiscal year 2002, reported that GSA's systems lacked 
substantial compliance for fiscal year 2003 because they did not 
substantially comply with federal financial management systems 
requirements. Specifically, the auditors found that GSA lacked adequate 
policies and procedures for reconciliations and that the 
reconciliations performed were not completed in a timely manner, a 
downgrade from the fiscal year 2002 assessment.

The Department of Homeland Security (DHS) is currently not subject to 
the CFO Act and, consequently, is not required to comply with FFMIA. 
Accordingly, DHS' auditors did not report on the department's 
compliance with FFMIA. However, the auditors did identify and report 
certain deficiencies that relate to the three FFMIA requirements. Based 
on its budget, DHS is the largest entity in the federal government that 
is neither subject to the CFO Act nor required to comply with FFMIA 
system requirements. Given the need for strong financial management, 
consideration is now being given by each house of Congress to adding 
DHS to the list of CFO Act agencies.

Auditors for six agencies[Footnote 4] reported that the results of 
their tests disclosed no instances in which the agencies' systems did 
not substantially comply with FFMIA. The auditors did not provide 
positive assurance by definitively stating whether the agencies' 
financial management systems substantially complied with FFMIA. 
Instead, the auditors provided negative assurance of FFMIA compliance 
as permitted by the Office of Management and Budget's (OMB) audit 
guidance. To provide positive assurance as required by the act, more 
testing is necessary than that performed for the purposes of rendering 
an opinion on the financial statements.

Based on our review of the fiscal year 2003 audit reports for the 17 
agencies reported to have noncompliant systems, we identified six 
continuing, primary problems that affect FFMIA compliance. (See fig. 
1.) While more severe at some agencies than others, the nature and 
seriousness of the reported problems indicate that generally most 
agencies' financial management systems are not yet able to routinely 
produce reliable, useful, and timely financial information.

Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through 
2003:

[See PDF for image]

Note: Based on independent auditors' reports for fiscal years 2000-
2003, prepared by agency inspectors general and contract auditors.

[End of figure]

Many agencies are in the process of updating or replacing their core 
financial systems as part of their financial management system 
improvement efforts. However, our work at the Department of Defense 
(DOD), the Department of Health and Human Services (HHS), and the 
National Aeronautics and Space Administration (NASA) and the work of 
the Department of Veterans Affairs (VA) Office of Inspector General 
(OIG) have shown that agencies face significant risk in implementing 
financial management systems and have not always followed accepted best 
practices for systems development and implementation, commonly referred 
to as disciplined processes, for efficient and effective system 
development and implementation of financial management systems.

Disciplined processes have been shown to reduce the risks associated 
with software development and acquisition efforts to acceptable levels 
and are fundamental to successful system acquisition and 
implementation. A disciplined software development and acquisition 
process can maximize the likelihood of achieving the intended results 
within established costs and on schedule. The key to having a 
disciplined system acquisition and implementation effort is to have 
disciplined processes in multiple areas, including requirements 
management, testing, project planning and oversight, risk management, 
and quality assurance.

We found in our review of agencies' implementation of new financial 
management systems and a review by the VA OIG[Footnote 5] also reported 
that disciplined processes are not being followed. For example:

* In May 2004, we reported[Footnote 6] that for two major DOD financial 
management systems, the initial deployments did not operate as intended 
and, therefore, did not meet component-level needs. In large part, 
these operational problems were due to DOD not effectively implementing 
the disciplined processes that are necessary to manage the development 
and implementation of the systems in the areas of requirements 
management and testing. DOD program officials have acknowledged that 
the initial deployments of these systems experienced problems that 
could be attributed to requirements and testing.

* In September 2004, we reported[Footnote 7] that the lack of 
disciplined processes puts implementation of HHS' financial system at 
risk. HHS had not developed sufficient quantitative measures for 
determining the impact of process weaknesses, cannot be assured that 
the system will provide all of the functionality needed, and had not 
developed the necessary framework for testing requirements. Further, 
its schedule left little time for correcting process weaknesses and 
identified defects. As a result, HHS has decided to delay the 
implementation of a significant amount of functionality associated with 
the initial full deployment from October 2004 until April 2005 in order 
to address the issues that had been identified with the project.

* As we have reported[Footnote 8] numerous times in 2003 and 2004, NASA 
faces considerable challenges in implementing a financial management 
system--the Integrated Financial Management Program (IFMP). NASA is on 
its third attempt in 12 years to modernize its financial management 
process and systems, and has spent about $180 million on its two prior 
failed efforts. NASA was not following key best practices for acquiring 
and implementing the system. For example, NASA lacked disciplined 
requirements management and testing processes. As a result, NASA 
increased its risk that IFMP would cost more and do less than planned. 
The core financial module, which was fully deployed in June 2003 as 
called for in the project schedule, still did not address many of the 
agency's most challenging external reporting issues, such as external 
reporting problems related to property accounting and budgetary 
accounting. Additionally, NASA deferred the configuration and testing 
of several essential capabilities of the financial module and is not 
FFMIA compliant.

* VA recently halted implementation of its new core financial system in 
July 2004 that had cost about $249 million. The VA OIG reported that 
contracting and monitoring of the VA project were not adequate and the 
pilot deployment of the system encountered multiple problems.

As the federal government moves forward on new initiatives to enhance 
financial management and provide results-oriented information, it is 
crucial that disciplined processes are effectively used to reduce risks 
related to implementing governmentwide solutions. Moreover, ensuring 
that staff with the requisite skills are in place to implement and 
operate new financial management systems is critical to success.

While we are not making any new recommendations in this report, we 
reaffirm our prior recommendations[Footnote 9] aimed at enhancing OMB's 
audit guidance related to FFMIA assessments. Specifically, we 
recommended that OMB (1) require agency auditors to provide a statement 
of positive assurance when reporting an agency's systems to be in 
substantial compliance with FFMIA and (2) further clarify the 
definition of "substantial compliance" to encourage consistent 
reporting.

In commenting on a draft of this report, OMB agreed with our assessment 
that agencies have a long way to go before federal managers receive the 
data needed to efficiently and effectively manage the day-to-day 
operations of the federal government. Moreover, OMB agreed with us that 
financial management success encompasses more than agencies receiving 
unqualified opinions on their financial statements. As in previous 
years, we and OMB have differing views on the level of audit assurance 
necessary for assessing substantial compliance with FFMIA. We will 
continue to work with OMB on this issue. Our detailed evaluation of 
OMB's comments can be found at the end of this letter.

Background:

FFMIA and other financial management reform legislation have emphasized 
the importance of improving financial management across the federal 
government. Beginning in 1990, the Congress has passed a series of 
management reform legislation to improve the general and financial 
management of the federal government. As shown in figure 2, the 
combination of reforms ushered in by the (1) CFO Act of 1990, (2) 
Government Performance and Results Act of 1993,[Footnote 10] (3) 
Government Management Reform Act of 1994,[Footnote 11] (4) FFMIA, (5) 
Clinger-Cohen Act of 1996,[Footnote 12] and (6) Accountability of Tax 
Dollars Act of 2002,[Footnote 13] if successfully implemented, provides 
a solid basis for improving accountability of government programs and 
operations as well as routinely producing valuable cost and operating 
performance information.

Figure 2 shows the three levels of the pyramid that result in the end 
goal, accountability and useful management information. The bottom 
level of the pyramid is the legislative framework that underpins the 
improvement of the general and financial management of the federal 
government. The second level shows the drivers that build on the 
legislative requirements and influence agency actions to meet these 
requirements. The three drivers are the (1) President's Management 
Agenda (PMA), (2) congressional and other oversight, and (3) the Joint 
Financial Management Improvement Program (JFMIP). The third level of 
the pyramid represents the key success factors for accountability and 
meaningful management information--integrating core and feeder 
financial systems, producing reliable financial and performance data 
for reporting, and ensuring effective internal control. The result of 
these three levels, as shown at the top of the pyramid, is 
accountability and meaningful management information needed to assess 
and improve the government's effectiveness, financial condition, and 
operating performance.

Figure 2: Pyramid to Accountability and Useful Management Information:

[See PDF for image]

[End of figure]

Building on the foundation laid by the CFO Act, FFMIA reflects the need 
for agencies to have systems that can generate reliable, useful, and 
timely information with which to make fully informed decisions and to 
ensure accountability on an ongoing basis. FFMIA requires the 
departments and agencies covered by the CFO Act to implement and 
maintain financial management systems that comply substantially with 
(1) federal financial management systems requirements, (2) applicable 
federal accounting standards,[Footnote 14] and (3) the SGL[Footnote 15] 
at the transaction level. FFMIA also requires auditors to state in 
their CFO Act financial statement audit reports whether the agencies' 
financial management systems substantially comply with FFMIA's systems 
requirements.

President's Management Agenda Supported by FFMIA Initiatives:

The PMA, announced in the summer of 2001, is a plan for improving the 
management and performance of the federal government. It targets the 
most apparent deficiencies, where the opportunity to improve 
performance is the greatest. The modernization of agency financial 
management systems, as reflected in FFMIA, is critical to the success 
of all five PMA initiatives.[Footnote 16] Although FFMIA implementation 
relates directly to the improved financial performance initiative, 
development and maintenance of FFMIA-compliant systems will also affect 
the implementation of the other initiatives.

A key element of PMA's performance budgeting initiative is the 
Performance and Assessment Rating Tool (PART). The development of PART 
represents a step toward a more structured involvement of program and 
performance analysis in the budget. It is a systematic method of 
assessing the performance of program activities across the federal 
government, consisting of a set of general questions on (1) program 
purpose and design, (2) strategic planning, (3) program management, and 
(4) program results. It also includes a set of more specific questions, 
which vary according to the type of delivery mechanism or approach an 
individual program uses, and calls for timely, reliable data to perform 
those assessments.

Congressional Oversight Helps Provide Accountability:

The leadership demonstrated by the Congress has been an important 
catalyst to reforming financial management in the federal government. 
As previously discussed, the legislative framework provided by the CFO 
Act and FFMIA, among others, produces a solid foundation to stimulate 
change needed to achieve sound financial systems management. For 
example, in November 2002, the Congress enacted the Accountability of 
Tax Dollars Act to extend the financial statements audit requirements 
of the CFO Act to additional federal agencies. Further, the Congress is 
currently contemplating adding DHS to the list of CFO Act agencies and 
requiring DHS to obtain an audit opinion on its internal controls. 
There is value in sustained congressional interest in these issues, as 
demonstrated by hearings on federal financial management and reform 
held over the past several years. It will be key that the 
appropriations, budget, authorizing, and oversight committees hold 
agency top management accountable for resolving these problems and that 
they support improvement efforts. The continued attention by the 
Congress to these issues will be critical to sustaining momentum for 
financial management reform.

JFMIP Works to Improve Federal Financial Management:

JFMIP is a joint and cooperative undertaking of the U.S. Department of 
the Treasury, GAO, OMB, and the Office of Personnel Management (OPM), 
working in cooperation to improve financial management practices in the 
federal government.[Footnote 17] Leadership is provided by the four 
principals of JFMIP--the Comptroller General of the United States, the 
Secretary of the Treasury, and the Directors of OMB and OPM. Since 
August 2001, the JFMIP principals have met regularly to discuss 
financial management issues, such as the acceleration of financial 
statement reporting. The Program Management Office (PMO), managed by 
the Executive Director of the JFMIP using funds provided by the CFO 
Council agencies, is responsible for the testing and certification of 
commercial off-the-shelf (COTS) core financial systems for use by 
federal agencies and coordinating the development and publication of 
functional requirements for financial management systems.[Footnote 18] 
OMB Circular No. A-127, Financial Management Systems, requires agencies 
to purchase only COTS packages sold by vendors whose core financial 
systems software has been certified by PMO. As shown in table 1, in 
2003 and 2004, PMO certified that six core financial software packages 
met the core financial systems requirements.

Table 1: PMO-Certified Core Financial Systems:

Vendor name: SAP Public Services, Inc. (SAP); 
Product: mySAP ERP with Enterprise Add-on for Public Sector and 
Extension Set; 
Version: v4.7; 
Effective Date: 6/10/2003.

Vendor name: American Management Systems, Inc. (AMS); 
Product: Momentum Financials; 
Version: v5.0; 
Effective Date: 6/12/2003.

Vendor name: Digital Systems Group, Inc; 
Product: Integrated Financial Management Information Systems (IFMIS); 
Version: v6.0; 
Effective Date: 6/25/2003.

Vendor name: Oracle Corporation; 
Product: Oracle E-Business Suite 11i; 
Version: v11i.9; 
Effective Date: 9/10/2003.

Vendor name: PeopleSoft, Inc; 
Product: PeopleSoft Financial Management Solutions (FMS); 
Version: v8.8; 
Effective Date: 2/10/2004.

Vendor name: Savantage Solutions, Inc; 
Product: Altimate; 
Version: v3.0; 
Effective Date: 3/16/2004. 

Source: PMO.

[End of table]

PMO assesses COTS packages for conformity with the minimum level or 
"floor" of system requirements. Therefore agencies should be aware that 
simply implementing a core financial system that has been certified by 
PMO does not ensure that these agencies will have financial systems 
that are compliant with FFMIA or provide reliable, useful, and timely 
data for day-to-day management. Factors that affect the FFMIA 
compliance and the effectiveness of an implemented COTS core financial 
system include how the software package has been configured to work in 
the agency's environment, whether any customization is made to the 
software, the success of converting data from legacy systems to new 
systems, and the quality of transaction data in the feeder systems.

Guidance for FFMIA Issued by OMB:

OMB sets governmentwide financial management policies and requirements 
and has issued two sources of guidance related to FFMIA. First, OMB 
Bulletin No. 01-02, Audit Requirements for Federal Financial 
Statements, dated October 16, 2000, prescribes specific language 
auditors should use when reporting on an agency system's substantial 
compliance with FFMIA. Specifically, this guidance calls for auditors 
to provide negative assurance when reporting on an agency system's 
FFMIA compliance. Second, in OMB Memorandum, Revised Implementation 
Guidance for the Federal Financial Management Improvement Act (Jan. 4, 
2001), OMB provides guidance for agencies and auditors to use in 
assessing substantial compliance. The guidance describes the factors 
that should be considered in determining whether an agency's systems 
substantially comply with FFMIA's requirements. Further, the guidance 
provides examples of the types of indicators that should be used as a 
basis in assessing whether an agency's systems are in substantial 
compliance with each of the three FFMIA requirements. Finally, the 
guidance discusses the corrective action plans, to be developed by 
agency heads, for bringing their systems into compliance with FFMIA.

Financial Audit Manual Section on FFMIA Developed by PCIE and GAO:

We worked with representatives from the President's Council on 
Integrity and Efficiency (PCIE) to revise the joint GAO/PCIE Financial 
Audit Manual[Footnote 19] (FAM) to include sections[Footnote 20] that 
provide specific procedures auditors should perform when assessing 
FFMIA compliance. These sections include detailed audit steps for 
testing agency systems' substantial compliance with FFMIA. The FAM 
guidance on FFMIA assessments recognizes that while financial statement 
audits offer some assurance regarding FFMIA compliance, auditors should 
design and implement additional testing to satisfy FFMIA criteria. For 
example, in performing financial statement audits, auditors generally 
focus on the ability of the financial management systems to process and 
summarize financial information that flows into annual agency financial 
statements. In contrast, FFMIA requires auditors to assess whether an 
agency's financial management systems comply with system requirements. 
To do this, auditors need to consider whether agency systems provide 
reliable, useful, and timely information for managing day-to-day 
operations so that agency managers would have the necessary information 
to measure performance on an ongoing basis rather than just at year-
end.

Scope and Methodology:

We reviewed the fiscal year 2003 financial statement audit reports for 
the 23 CFO Act agencies to identify the auditors' assessments of agency 
financial systems' compliance and the problems that affect FFMIA 
compliance. We also reviewed the fiscal year 2003 financial statement 
audit report for DHS to identify any FFMIA-related issues. Our prior 
experience with these auditors and our review of their reports provided 
the basis to determine the sufficiency and relevancy of evidence 
provided in these documents. Based on the audit reports, we identified 
problems reported by the auditors that affect agency systems' 
compliance with FFMIA. The problems identified in these reports are 
consistent with long-standing financial management weaknesses that we 
have reported based on our work at the Department of Agriculture, NASA, 
Treasury, and other agencies. However, we caution that the occurrence 
of problems in a particular category may be even greater than auditors' 
reports of FFMIA noncompliance would suggest because auditors may not 
have included all problems in their reports.

We also reviewed our previously issued reports and those by the 
inspectors general to identify the challenges federal agencies face 
when implementing new systems. Finally, we held discussions with OMB 
officials to obtain information about its current efforts to help 
agencies develop systems that will comply with FFMIA.

We conducted our work from April through August 2004 in the Washington, 
D.C., area in accordance with U.S. generally accepted government 
auditing standards. We requested comments on a draft of this report 
from the Director of OMB or his designee. Comments from OMB are 
discussed in the "Agency Comments and Our Evaluation" section and 
reprinted in appendix VI.

Continued Systems Weaknesses Impede Financial Management 
Accountability:

While agencies are making some progress in producing auditable 
financial statements and addressing their financial management systems 
weaknesses, the vast majority of agency systems are still not 
substantially compliant with FFMIA's requirements. Figure 3 summarizes 
auditors' assessments of FFMIA compliance for fiscal years 2000 through 
2003 and suggests that the instances of noncompliance with FFMIA's 
three requirements have remained fairly constant. For fiscal year 2003, 
OIGs and their contract auditors reported that the systems of 17 of the 
23 CFO Act agencies did not substantially comply with at least one of 
FFMIA's three requirements--federal financial management systems 
requirements, applicable federal accounting standards, or the SGL at 
the transaction level.[Footnote 21]

In fiscal year 2002, auditors for five agencies (SSA, Energy, NSF, EPA, 
and GSA) provided negative assurance that the agencies' financial 
systems were in compliance with FFMIA. In fiscal year 2003, the 
auditors at two additional agencies, Commerce and NRC, provided 
negative assurance that the systems at those agencies were in 
compliance with FFMIA, while auditors reported GSA's systems to be 
noncompliant.

At Commerce, the auditors were able to provide negative assurance due 
to the implementation of a new integrated financial management system, 
combined with improvements in general information technology controls. 
Auditors at NRC provided negative assurance due to a redesign of the 
agency's cost accounting system and enhancement of the internal 
controls and operating procedures documentation. In contrast, for 
fiscal year 2003, GSA's systems were found to be noncompliant by its 
auditors due to reconciliation issues related to a newly implemented 
system. Specifically, the auditors concluded that the systems GSA 
relied on during fiscal year 2003 failed to perform timely 
reconciliations of accounts payable and undelivered orders, Fund 
Balance with Treasury, and accounts receivable, which represented a 
lack of substantial compliance with FFMIA. In total, for 6 of the 23 
CFO Act agencies, the auditors provided negative assurance by stating 
that nothing came to their attention that would indicate the systems 
did not comply with FFMIA for fiscal year 2003.

Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000 through 
2003:

[See PDF for image]

Note: Based on independent auditors' reports for fiscal years 2000-
2003, prepared by agency inspectors general and contract auditors.

[End of figure]

While more CFO Act agencies have obtained clean or unqualified audit 
opinions on their financial statements, there is little evidence of 
marked improvements in agencies' capacities to create the full range of 
information needed to manage day-to-day operations. The number of 
unqualified opinions has been increasing over the past 7 years, from 11 
in fiscal year 1997 to 20 for fiscal year 2003; but the number of 
agencies reported to have substantially noncompliant systems has 
remained relatively steady. While the increase in unqualified opinions 
is noteworthy, a more important measure of financial systems' 
capability and reliability is that the number of agencies for which 
auditors provided negative assurance of FFMIA compliance has remained 
relatively constant throughout this same period. In our view, this has 
led to an expectation gap since, as more agencies receive clean 
opinions, expectations are raised that the government has sound 
financial management and can produce reliable, useful, and timely 
information on demand throughout the year, whereas FFMIA assessments 
offer a different perspective.

All CFO Act agencies issued their audited financial statements by the 
accelerated reporting deadline of February 1, 2004, for agency fiscal 
year 2003 financial statements. However, the deadline for issuance of 
fiscal year 2004 audited financial statements is November 15, 2004, 
just 45 days after the close of the fiscal year. Auditors at several of 
the CFO Act agencies reported that the agencies may not be able to 
produce auditable financial statements within the accelerated time 
frame for fiscal year 2004 without making fundamental changes to 
improve a number of their financial management practices.

DHS Is Not Required To Comply with FFMIA:

DHS is not subject to the CFO Act and, consequently, is not required to 
comply with FFMIA. Accordingly, DHS' auditors did not report on the 
department's compliance with FFMIA in fiscal year 2003. However, the 
auditors identified and reported deficiencies that relate to the three 
FFMIA requirements.

Based on its budget, DHS is the largest entity in the federal 
government that is not subject to the CFO Act nor required to comply 
with FFMIA system requirements. Creating strong financial management at 
DHS is particularly challenging because most of the 22 entities brought 
together to form the department have their own financial management 
systems; processes; and in some cases, deficiencies. For example, five 
of the seven major agencies that transferred to DHS had 30 reportable 
conditions, 18 of which were considered material internal control 
weaknesses for fiscal year 2002 and four of the major agencies--that 
had previously been subject to stand-alone audits--had financial 
management systems that were not in substantial compliance with FFMIA. 
Some progress has been made in addressing the internal control 
weaknesses it inherited from component agencies. Nine of the 30 
inherited internal control weaknesses have been closed as of September 
30, 2003. For DHS to develop a strong financial management 
infrastructure, it will need to address these and many other financial 
management issues.

We fully support the objectives of the CFO Act to provide reliable 
financial information and improve financial management systems and 
controls and, as recently reported,[Footnote 22] we believe that it is 
critical that DHS be statutorily required to comply with important 
financial management reforms legislated in the CFO Act and FFMIA. 
Consideration is now being given by each house of Congress to adding 
DHS to the list of CFO Act agencies in the Department of Homeland 
Security Financial Accountability Act, H.R. 4259 and S. 1567, 108th 
Congress.

FFMIA Compliance Findings Based on Negative Assurance:

Auditors for six agencies (Commerce, Energy, EPA, NRC, NSF, and SSA) 
provided negative assurance that the agencies' systems were in 
compliance with FFMIA in fiscal year 2003, and five agencies did so in 
fiscal year 2002. Auditors provide negative assurance when they include 
language stating that nothing came to their attention during the course 
of their planned procedures to indicate that these agencies' financial 
management systems did not meet FFMIA requirements. If readers are not 
familiar with the concept of negative assurance, they may incorrectly 
assume that these systems have been fully tested by the auditors and 
that the agencies have achieved compliance.

OMB's current audit guidance[Footnote 23]calls for auditors to provide 
negative assurance when reporting whether an agency's systems are in 
substantial compliance with FFMIA. To provide positive assurance of 
FFMIA compliance, auditors would need to perform more comprehensive 
audit procedures than those necessary to render an opinion for a 
financial statement audit. In performing financial statement audits, 
auditors generally focus on the capability of the financial management 
systems to process and summarize financial information that flows into 
financial statements. In contrast, FFMIA is much broader and requires 
auditors to assess whether an agency's financial management systems 
substantially comply with systems requirements. To do this, auditors 
need to consider whether agency systems provide complete, accurate, and 
timely information for managing day-to-day operations. We believe that 
providing positive assurance of an agency's financial management system 
would identify weaknesses and lead to systems improvements that result 
in enhancing the performance, productivity, and efficiency of federal 
financial management, which is a goal of the PMA. Therefore, as we 
discussed in prior reports,[Footnote 24] we reaffirm our prior 
recommendation that OMB require agency auditors to provide a statement 
of positive assurance when reporting an agency's systems to be in 
substantial compliance with FFMIA.

OMB continues to support the requirement for negative assurance of 
FFMIA compliance due to cost-benefit concerns. While OMB agrees that 
testing should occur, and its guidance on FFMIA calls for it, OMB 
officials are concerned that the level of testing needed for positive 
assurance may be too time-consuming and costly. OMB officials stated 
that different, more coordinated approaches toward assessing an 
agency's internal controls and FFMIA compliance might provide 
sufficient assurance on an agency's systems. For example, in preparing 
the PMA scorecard assessments, OMB officials meet with agencies to 
discuss a number of financial management issues and have systems 
demonstrations. Agencies are asked to identify key business questions 
and related cost drivers. Then, the agencies must develop systems that 
can produce the information needed on those cost drivers to help 
management at all levels focus on results. OMB officials stated they 
believed the PMA scorecard framework offers an alternative route toward 
substantial compliance that is similar to that offered by positive 
assurance. In its written comments on a draft of this report (see app. 
VI) OMB stated that the processes used in evaluating agencies against 
the PMA standards can provide a corroborative mechanism in evaluating 
compliance with FFMIA. Our concern is that the information provided by 
this approach does not come under audit scrutiny and may not be 
reliable. For example, the PMA scorecard does not examine the nature 
and extent of adjustments that agencies make to their year-end 
financial statements. As long as extensive year-end adjustments are 
needed, there is no assurance that the financial information being 
provided by the systems is complete and accurate for day-to-day 
operations.

A joint CFO Council/PCIE group is also currently investigating how 
internal control reporting similar to that required by the Sarbanes-
Oxley Act of 2002[Footnote 25] might be useful in the federal 
government. OMB officials told us that the results of this CFO Council/
PCIE study might provide another method of assessing and reporting on 
internal control and FFMIA compliance. Auditor reporting on internal 
control is a critical component of monitoring the effectiveness of an 
organization's accountability, especially for large, complex, or 
challenged entities that use taxpayers' dollars. Auditors can better 
serve their clients and other financial statement users and better 
protect the public interest by having a greater role in providing 
assurances of the effectiveness of internal control in deterring 
fraudulent financial reporting and protecting assets. Financial systems 
are an important element of an entity's internal control over financial 
reporting. Although enhanced internal control reporting would not 
necessarily address the full capability of the financial management 
systems in place, such reporting would include reportable internal 
control weaknesses caused by financial systems problems. However, the 
full value of independent auditors' assessments of FFMIA compliance 
will not be fully realized until auditors perform a sufficient level of 
audit work to be able to provide positive assurance that agencies are 
in compliance with FFMIA. When reporting an agency's financial 
management systems to be in substantial compliance, positive assurance 
will provide users with confidence that the agency systems provide the 
reliable, useful, and timely information envisioned by the act.

In addition, we also previously recommended[Footnote 26] that OMB 
explore clarifying the definition of "substantial compliance" to help 
ensure consistent application of the term. As we noted[Footnote 27] in 
our prior reports, auditors we interviewed had concerns about providing 
positive assurance in reporting on agency systems' FFMIA compliance 
because of a need for clarification regarding the meaning of 
substantial compliance. Therefore, we also reaffirm this 
recommendation. In its comments, OMB stated that its growing experience 
assisting agencies in implementing the PMA performance standards will 
enable it to refine the existing FFMIA indicators associated with 
substantial compliance. Accordingly, OMB officials stated that they 
will consider our recommendation in any future policy and guidance 
updates.

Reasons for Noncompliance:

Based on our review of the fiscal year 2003 audit reports for the 17 
agencies reported to have systems not in substantial compliance with 
one or more of FFMIA's three requirements, we identified six primary 
reasons cited by the auditors for agency systems not being compliant. 
The weaknesses reported by the auditors ranged from serious, pervasive 
systems problems to less serious problems that may affect one aspect of 
an agency's accounting operation:

* nonintegrated financial management systems,

* inadequate reconciliation procedures,

* lack of accurate and timely recording of financial information,

* noncompliance with the SGL,

* lack of adherence to federal accounting standards, and:

* weak security controls over information systems.

Figure 4 shows the relative frequency of these problems at the 17 
agencies reported to have noncompliant systems and the problems 
relevant to FFMIA that were reported by their auditors. The same six 
types of problems were cited by auditors in their fiscal years 2000, 
2001, and 2002 audit reports, although the auditors may not have 
reported these problems as specific reasons for their systems' lack of 
substantial compliance with FFMIA. In addition, we caution that the 
occurrence of problems in a particular category may be even greater 
than auditors' reports of FFMIA noncompliance would suggest because 
auditors may not have identified all problems in their reviews.

Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through 
2003:

[See PDF for image]

Note: Based on independent auditors' reports for fiscal years 2000-
2003, prepared by agency inspectors general and contract auditors.

[End of figure]

Nonintegrated Financial Management Systems:

The CFO Act calls for agencies to develop and maintain an integrated 
accounting and financial management system[Footnote 28] that complies 
with federal systems requirements and provides for (1) complete, 
reliable, consistent, and timely information that is responsive to the 
financial information needs of the agency and facilitates the 
systematic measurement of performance; (2) the development and 
reporting of cost management information; and (3) the integration of 
accounting, budgeting, and program information. OMB Circular No. A-127, 
Financial Management Systems, requires each agency to establish and 
maintain a single integrated financial management system that conforms 
to functional requirements published by PMO.

Agencies that do not have integrated financial management systems 
typically must expend major effort and resources, including in some 
cases hiring external consultants, to develop information that their 
systems should be able to provide on a daily or recurring basis. 
Agencies with nonintegrated financial systems are also more likely to 
be required to devote more resources to collecting information than 
those with integrated systems. In addition, opportunities for errors 
are increased when agencies' systems are not integrated.

Auditors frequently mentioned the lack of modern, integrated financial 
management systems in their fiscal year 2003 audit reports. As shown in 
figure 4, auditors for 11 of the 17 agencies with noncompliant systems 
reported this to be a problem, compared with 13 of the 19 agencies 
reported with noncompliant systems in fiscal year 2002.[Footnote 29] 
For example, auditors determined that the Department of State's 
financial and accounting system, as of September 30, 2003, was 
inadequate, preventing the department from routinely issuing timely 
financial statements and increasing the risk of materially misstating 
financial information. The principal areas of weakness included (1) 
certain elements, including, but not limited to, personal property, 
capital leases, and certain accounts payable, were developed from 
sources outside the general ledger and (2) several different systems 
were used for the management of grants and other types of federal 
awards. These systems for grants management and other federal awards 
lacked standard data classifications and were not integrated with the 
department's centralized financial management system.

In another case, as auditor for Treasury's Internal Revenue Service 
(IRS),[Footnote 30] we reported that IRS' general ledger system 
consists of two independent general ledgers that are not integrated 
with each other or with their supporting records for material balances. 
Further, the information contained in the general ledgers was not 
supported by adequate audit trails for federal tax revenue, federal tax 
refunds, taxes receivable, or property and equipment. IRS' use of two 
separate general ledgers to account for its tax collection activities 
and the costs of conducting those activities, respectively, greatly 
complicates efforts to measure the cost of IRS' tax collection efforts. 
The use of multiple ledgers also causes difficulties in the production 
of the reliable, useful, and timely financial and performance 
information that IRS needs for decision making on an ongoing basis.

Inadequate Reconciliation Procedures:

A reconciliation process, whether manual or automated, is a necessary 
and valuable part of a sound financial management system. The less 
integrated the financial management system, the greater the need for 
adequate reconciliations because data may be accumulated from a number 
of different sources. Reconciliations are needed to ensure that data 
have been recorded properly between the various systems and manual 
records. The Comptroller General's Standards for Internal Control in 
the Federal Government[Footnote 31] highlights reconciliation as a key 
control activity.

As shown in figure 4, auditors for 11 of the 17 agencies with 
noncompliant systems in fiscal year 2003 reported that the agencies had 
reconciliation problems, compared with 11 of the 19 agencies reported 
with noncompliant systems in fiscal year 2002. These reconciliation 
problems included difficulty in reconciling their fund balance with 
Treasury accounts[Footnote 32] with Treasury's records. Treasury policy 
requires agencies to reconcile their accounting records with Treasury 
records on a monthly basis (comparable to individuals reconciling their 
personal checkbooks to their monthly bank statements).

For fiscal year 2003, NASA's auditors reported a lack of effective 
internal controls surrounding its fund balance with Treasury 
reconciliations. Based on a review of NASA headquarters' fund balance 
with Treasury reconciliations as of September 30, 2003, auditors 
reported an agencywide difference of approximately $43 million, net, 
between NASA's general ledger and Treasury's reported balance. NASA did 
not provide sufficient documentary evidence to explain these 
differences. Further, NASA made approximately 20 additional adjustments 
outside of its financial management system, which indicated the 
difference between its fund balance with Treasury balance and 
Treasury's reported balance was significantly greater than disclosed in 
its year-end reconciliations. In total, NASA recorded adjustments of 
approximately $2 billion, net, to decrease its fund balance with 
Treasury balance in order to agree to Treasury's reported balance as of 
September 30, 2003. NASA was unable to provide the auditor 
documentation to explain the reasons for such a large dollar amount of 
reconciliations.

Lack of Accurate and Timely Recording of Financial Information:

As shown in figure 4, auditors for 15 of the 17 agencies with 
noncompliant systems reported the lack of accurate and timely recording 
of financial information as a problem for fiscal year 2003, compared 
with 17 of the 19 agencies reported with noncompliant systems in fiscal 
year 2002. Accurate and timely recording of financial information is 
essential for successful financial management. Timely recording of 
transactions facilitates accurate reporting in agencies' financial 
reports and other management reports used to guide managerial decision 
making. In addition, having systems that record information in a timely 
and accurate manner is critical for key governmentwide initiatives, 
such as integrating budget and performance information.

In contrast, untimely recording of transactions during the fiscal year 
can result in agencies making substantial efforts at fiscal year-end to 
perform extensive manual financial statement preparation efforts that 
are susceptible to error and increase the risk of misstatements. For 
example, auditors at the Department of the Interior reported in fiscal 
year 2003 that the department (1) needed to improve controls over 
property, plant, and equipment in order to prepare financial reports in 
a timely and reliable manner; (2) capitalized assets that were 
transferred from other agencies at incorrect amounts and also 
capitalized assets in the current year that had been accidentally 
expensed in prior years; and (3) did not ensure that journal vouchers 
were properly recorded by failing to include proper general ledger 
accounts. As a result, the department recorded over 180 adjustments 
after issuing the final year-end trial balance, requiring that 
significant time and resources be dedicated to making manual 
adjustments.

Noncompliance with the SGL:

As shown in figure 4, auditors for 10 of the 17 agencies reported to 
have noncompliant systems for fiscal year 2003 stated that the 
agencies' systems did not comply with SGL requirements for fiscal year 
2003, as compared with 9 of the 19 agencies reported with noncompliant 
systems in fiscal year 2002. Implementing the SGL at the transaction 
level is one of the specific requirements of FFMIA. Using the SGL 
promotes consistency in financial transaction processing and reporting 
by providing a uniform chart of accounts and pro forma transactions. 
The SGL also provides a basis for comparison at the agency and 
governmentwide levels. The defined accounts and pro forma transactions 
standardize the accumulation of agency financial information as well as 
enhance financial control and support financial statement preparation 
and other external reporting. By not implementing the SGL, agencies may 
experience difficulties in providing consistent financial information 
across their components and functions.

Auditors for HHS reported that some of its systems were not designed to 
apply the SGL at the transaction level. For example, the auditors 
stated that the National Institutes of Health (NIH) recorded 1,900 
nonstandard accounting entries totaling $14.2 billion during the year. 
According to the auditors, these nonstandard entries were needed to 
properly adjust account balances, including inventory, accrued leave, 
personal property, receipt of donations, and other revenues. Moreover, 
NIH developed a process to record at year-end the effect of current-
year, day-to-day entries in its budgetary and expended appropriations 
accounts. In their report, the auditors stated that the use of 
nonstandard accounting entries increased the risks of (1) bypassing 
accounting controls and (2) errors. To address these issues, during 
fiscal year 2003, NIH reconfigured its transaction codes to be SGL 
compliant and on October 1, 2003, implemented a new general ledger 
system as part of the NIH Business and Research Support System (NBRSS) 
initiative. NBRSS is expected to be fully implemented in 2006.

Furthermore, approximately 2,300 nonstandard accounting entries with an 
absolute value of about $41 billion were recorded in HHS' Program 
Support Center's (PSC)[Footnote 33] CORE Accounting system[Footnote 34] 
to compensate for noncompliance with the SGL. These nonstandard 
accounting entries were recorded to correct for misstatements and 
recorded balances, and to record reclassifications.

Lack of Adherence to Federal Accounting Standards:

One of FFMIA's requirements is that agencies' financial management 
systems account for transactions in accordance with federal accounting 
standards. Agencies face significant challenges implementing these 
standards. As shown in figure 4, auditors for 11 of the 17 agencies 
with noncompliant systems for fiscal year 2003 reported that these 
agencies had problems complying with one or more federal accounting 
standards, compared with 13 of the 19 agencies with noncompliant 
systems in fiscal year 2002.

Auditors reported that agencies are having problems implementing 
standards that have been in effect for some time--such as Statement of 
Federal Financial Accounting Standards (SFFAS) No. 1, Accounting for 
Selected Assets and Liabilities--as well as standards that have been 
promulgated in the last few years--such as SFFAS No. 21, Reporting 
Corrections of Errors and Changes in Accounting Principles. For 
example, in fiscal year 2003, auditors for the U.S. Agency for 
International Development (USAID) found that the agency's Accrual 
Reporting System (ARS)[Footnote 35] was not in compliance with SFFAS 
No. 1, paragraph 77. That standard requires that when an entity accepts 
goods (or services), it should recognize a liability for the unpaid 
amount of these goods or services. If related invoices are not 
available when the financial statements are prepared, amounts owed 
should be estimated. USAID uses ARS to develop quarterly estimates of 
accrued expenses recorded against individual contract and grant awards. 
However, auditors discovered that ARS' financial information was not 
reliable and, since the system-generated estimates were based on the 
financial information contained in the system, USAID had no assurance 
that the resulting estimates were reliable or supported by adequate 
accrual methodology. Further, simply eliminating the system-generated 
estimates might cause the agency to materially understate its accounts 
payable. Consequently, as a result of revised ARS estimates proposed by 
the OIG, USAID reduced its year-end accrued expenses and accounts 
payable by $244 million to more accurately reflect the activity in 
accounts affected by accruals.

Weak Security Controls over Information Systems:

Information security weaknesses are a major concern for federal 
agencies and the general public and are one of the frequently cited 
reasons for noncompliance with FFMIA. These control weaknesses place 
vast amounts of government assets at risk of inadvertent or deliberate 
misuse, financial information at risk of unauthorized modification or 
destruction, sensitive information at risk of inappropriate disclosure, 
and critical operations at risk of disruption. Accordingly, we have 
considered information security to be a governmentwide high-risk area 
since 1997.[Footnote 36]

The Congress and the executive branch have taken action to address the 
risks associated with persistent information security weaknesses. The 
Federal Information Security Management Act of 2002 (FISMA)[Footnote 
37] provides the overall framework for ensuring the effectiveness of 
information security controls that support federal operations and 
assets and requires agencies and OMB to report annually to the Congress 
on their information security programs. As we testified in March 
2004,[Footnote 38] fiscal year 2003 agency reporting required by FISMA 
showed apparent progress in implementing FISMA's information security 
requirements, but most agencies still had not reached the level of 
performance that demonstrates they have implemented the agencywide 
information security program mandated by the act. Only 6 agencies 
reported that they had authorized 90 to 100 percent of their systems, 
and 11 agencies reported that they had authorized less than half of 
their systems. While OMB monitors agency performance by requiring 
agencies to provide quarterly updates on this and other key performance 
measures, the fiscal year 2004 annual reports that agencies must submit 
to the Congress are due to OMB by October 6, 2004, and should provide 
updated information on agency progress in implementing FISMA's 
information security requirements.

As shown in figure 4, auditors for all 17 of the 17 agencies with 
noncompliant systems reported security weaknesses in information 
systems to be a problem, compared with 19 of the 19 agencies reported 
with noncompliant systems in fiscal year 2002. Unresolved information 
security weaknesses could adversely affect the ability of agencies to 
produce accurate data for decision making and financial reporting 
because such weaknesses could compromise the reliability and 
availability of data that are recorded in or transmitted by an agency's 
financial management system.

As a case in point, in fiscal year 2003, the auditors for the 
Department of Education noted that the department needs improvement in 
seven key security control areas. These seven areas are (1) 
consistently updating application versions, virus/data protection 
packages, and security packages; (2) testing mission-critical systems 
for platform and database level vulnerabilities; (3) enforcing the rule 
requiring complex passwords across the enterprise; (4) deploying 
network and host based intrusion detection systems to provide alerts of 
intrusions and malicious internal activity; (5) implementing firewall 
rules to logically segregate database servers containing sensitive data 
from servers within the Web-hosting environment; (6) implementing 
access controls to protect mission-critical systems from certain 
internal networks; and (7) correcting security weaknesses previously 
identified at contractor facilities.

Agencies Struggle to Implement New Financial Systems:

In an effort to address problems such as nonintegrated systems, 
inadequate reconciliations, and lack of compliance with the SGL, a 
number of agencies have efforts under way to implement new financial 
management systems or to upgrade existing systems. Agencies anticipate 
that the new systems will provide reliable, useful, and timely data to 
support managerial decision making and assist taxpayer and 
congressional oversight. However, implementing and upgrading systems 
bring new risks. Organizations that follow and effectively implement 
accepted best practices in systems development and implementation 
(commonly referred to as disciplined processes) can reduce these risks 
to acceptable levels. However, our work at DOD, HHS, and NASA has shown 
that agencies face significant problems in implementing financial 
management systems and are not following the necessary disciplined 
processes for efficient and effective implementation of such systems. 
Further, VA recently halted its pilot implementation of its new core 
financial system for which $249 million had been invested. The VA OIG 
reported that the contracting and monitoring of the VA project was not 
adequate, and the pilot deployment of the system encountered multiple 
problems. The problems the VA OIG cited were similar to those we noted 
at DOD, HHS, and NASA. As the federal government moves forward with 
ambitious modernization efforts to identify opportunities to eliminate 
redundant systems and enhance information accuracy and availability, 
adherence to these disciplined processes will be a crucial element to 
reduce risks to acceptable levels.

Most Agencies Are Implementing New Financial Systems:

Throughout the government, agencies have worked diligently to minimize 
financial management weaknesses by implementing or upgrading current 
financial systems. As we previously reported,[Footnote 39] 17 CFO Act 
agencies advised us that as of September 2002 they were planning to or 
were in the process of implementing new core financial systems. Eleven 
of these 17 CFO Act agencies had chosen software packages certified by 
PMO,[Footnote 40] while the remaining 6 agencies had at that time yet 
to arrive at the software selection phase of their acquisition 
processes. Target implementation dates ranged from fiscal years 2003 to 
2008 for 16 of the 17 agencies. DOD had not yet determined its 
implementation date. Moreover, JFMIP recently surveyed federal agencies 
about their plans to purchase core financial system and feeder system 
software between fiscal years 2005 and 2009. Survey responses indicated 
that 7 of the 23 CFO Act agencies and DHS plan to purchase core 
financial software. Additionally, 13 agencies and DHS have plans to 
purchase feeder system software between fiscal years 2005 and 2009. 
Thus, the majority of the CFO Act agencies and DHS were either 
implementing or planning to purchase core financial or feeder system 
software.

An agency's implementation of a certified core financial system does 
not guarantee that the financial system is FFMIA compliant. Two major 
factors affecting FFMIA compliance that agencies must consider are (1) 
the integration of the core financial system with the agency's 
administrative and programmatic systems, especially with regard to the 
completeness and validity of system data, and (2) the existence of 
modifications or customizations to the certified core financial system 
software.

As indicated in our prior report,[Footnote 41] some agencies stated in 
their performance and accountability assessments that complete 
implementation of new core financial systems will also address their 
systems' substantial noncompliance with FFMIA. However, as we 
previously discussed, implementing a new core financial system may not 
eliminate all of an agency's financial management weaknesses. Agencies 
must consider various problems that extend beyond their core financial 
systems. Despite this realization, the implementation of agencywide 
core financial systems is a solid step toward successful systems 
performance.

Agencies Are Not Following Disciplined Processes:

Implementing new financial management systems provides the groundwork 
for improved financial management, including providing financial 
managers with more timely information for better informed financial 
management decisions, and will help meet OMB's accelerated financial 
reporting deadline. However, with implementation comes risk. 
Organizations that follow and effectively implement accepted best 
practices in systems development and implementation (commonly referred 
to as disciplined processes) can reduce these risks to acceptable 
levels. Our work at DOD, HHS, and NASA has shown that agencies face 
significant problems in implementing financial management systems and 
are not following the necessary disciplined processes for efficient and 
effective implementation of financial management systems. VA recently 
halted implementation of its new core financial system, due in part to 
reported concerns about the inadequate contracting and monitoring of 
the project and multiple problems with the pilot deployment of the 
system.

Disciplined processes have been shown to mitigate some of the risks 
associated with software development and acquisition efforts to 
acceptable levels. The term "acceptable levels" acknowledges that any 
systems acquisition effort has risks and will suffer the risk of not 
achieving the intended results (performance) within the established 
resources (costs) on schedule. However, effective implementation of the 
disciplined processes reduces these risks and helps prevent any actual 
problems from having any significant adverse impact on achieving the 
performance, cost, and schedule of the project.

Although a standard set of practices that will guarantee success does 
not exist, several organizations, such as the Software Engineering 
Institute (SEI)[Footnote 42] and the Institute of Electrical and 
Electronic Engineers (IEEE),[Footnote 43] as well as individual experts 
have identified and developed the types of policies, procedures, and 
practices that have been demonstrated to reduce development time and 
enhance effectiveness. The key to having a disciplined system 
development effort is to have disciplined processes in several areas, 
including the following:

* Requirements management. Requirements are the specifications that 
system developers and program managers use to design, develop, and 
acquire a system.

* Testing. Testing is the process of executing a program with the 
intent of finding errors. Testing is a critical process that improves 
an entity's confidence that the system will satisfy the requirements of 
the end user and operate as intended.

* Project planning and oversight. Project planning is the process used 
to establish reasonable plans for carrying out and managing the 
software project. It includes estimating resources needed for the work 
to be performed, establishing commitments, and defining the work plan.

* Risk management. Risk management is a set of activities for 
identifying, analyzing, planning, tracking, and controlling risks. Risk 
management starts with identifying the risks before they can become 
problems.

Organizations that do not effectively implement the disciplined 
processes lose the productive benefits of these processes as a project 
moves through its development and implementation and are forced to 
implement them later when it takes more time and they are less 
effective. A major consumer of project resources in undisciplined 
efforts is rework. Rework occurs when the original work has defects or 
is no longer needed because of changes in project direction. 
Disciplined organizations focus their efforts on reducing the amount of 
rework because it is expensive. Studies have shown that correcting a 
defect during the testing phase costs anywhere from 10 to 100 times the 
cost of correcting it during the design or requirements phase.[Footnote 
44] Projects that are unable to adopt disciplined processes 
successfully will eventually only be spending their efforts on rework 
and the associated processes that are needed rather than productive 
work. In other words, the project may find itself continually reworking 
items.

We found in our review of three agencies' implementation of new 
financial management systems that these agencies are not following the 
disciplined processes that are necessary to reduce the risks to 
acceptable levels. In our May 2004 report,[Footnote 45] we reported 
that long-standing problems continue at DOD despite the significant 
investments made in DOD business systems[Footnote 46] each year. GAO's 
two case study examples of logistics systems modernization efforts, 
Business Systems Modernization (BSM) at the Defense Logistics Agency 
(DLA) and the Army's Logistics Modernization Program (LMP), found that 
disciplined processes were not implemented. We also reported in 
September 2004[Footnote 47] that HHS had not followed key disciplined 
processes and is at risk of implementing a new financial management 
system that will not fully meet the needs of its users. Further, in 
2003 and 2004 we issued five reports and testified[Footnote 48] about 
the considerable challenges facing NASA's implementation of a new 
financial management program. NASA is on its third attempt in 12 years 
to modernize its financial management process and systems and has spent 
about $180 million on its two prior failed efforts.

Department of Defense:

DOD reported in April 2003 that its business systems environment 
consisted of 2,274 systems. DOD requested approximately $19 billion for 
fiscal year 2004 to operate, maintain, and modernize its reported 2,274 
business systems. More recently, DOD stated that its inventory of 
business systems was over 4,000 and more systems are expected to be 
identified. Despite its substantial investment over many years, DOD's 
business systems remain fundamentally flawed; unable to provide timely, 
reliable information; and leave DOD vulnerable to fraud, waste, and 
abuse. The duplication and stovepiped nature of DOD's systems 
environment is illustrated by the numerous systems it has in the same 
functional areas, such as over 450 personnel systems and 200 inventory 
systems. These systems are not integrated and thus have multiple points 
of data entry, which can result in data integrity problems.

Two of the business system modernization efforts DOD has undertaken to 
address some of its inventory problems are DLA's BSM and the Army's 
LMP. BSM and LMP incorporate part of the inventory management portion 
of the COTS software package used by both DLA and the Army. In November 
1999, DLA initiated an effort to replace two of its materiel management 
systems with BSM. BSM is intended to transform how DLA conducts its 
operations in five core business processes: order fulfillment, demand 
and supply planning, procurement, technical/quality assurance, and 
financial management. In February 1998, the Army began its effort to 
replace its two material management systems with LMP. LMP is intended 
to transform the U.S. Army Materiel Command's logistic operations in 
six core processes: order fulfillment, demand and supply planning, 
procurement, asset management, materiel maintenance, and financial 
management.

Our May 2004 report[Footnote 49] of DOD's business system modernization 
found numerous problems with both projects, BSM and LMP, including such 
issues as failure to follow necessary disciplined processes, lack of 
financial system integration, and system deployment schedule slippage. 
We found that DLA's and Army's program officials did not effectively 
implement the disciplined processes associated with requirements 
management and testing in developing and implementing their systems. 
For almost all of the requirements we analyzed, we found that the 
forward and backward traceability was not maintained. Traceability 
allows the user to follow the life of the requirement both forward and 
backward through the DLA and Army approaches and management plans and 
is critical to understanding the parentage, interconnections, and 
dependencies among the individual requirements. Testing, the process of 
executing the program with the intent of finding errors, was not 
effectively implemented for BSM or LMP. DLA and the Army, therefore, 
did not achieve the important goal of reducing the risk that BSM and 
LMP would not operate as intended. Although DLA and the Army have 
asserted that BSM and LMP, respectively, are compliant with the 
requirements of FFMIA, we have concerns.

In the case of LMP, we found that the Army relied upon PMO testing for 
147 requirements because PMO had validated these requirements when it 
tested the vendor's commercial software used for LMP during fiscal year 
1999. PMO testing should not be considered a substitute for individual 
system testing of the actual data that will be used by the entity. 
Further, PMO's tests of software do not address entity-specific 
integrated tests of end-to-end transactions or systems interfaces. 
Because the Army had to make modifications to the basic commercial 
software package to accommodate some of its business operations, the 
Army cannot be assured, without retesting, that these 147 requirements 
will produce the intended results. In the case of BSM, for one 
requirement the contractor stated that "a sample of transactions were 
reviewed, [and] it appears that BSM properly records transactions 
consistent with the SGL posting rules." However, we found no indication 
that this requirement was tested, and therefore, we cannot conclude 
whether BSM has the capability to meet this requirement. Without 
adequate documentation to support testing of the FFMIA requirements, it 
is questionable whether either system is substantially compliant with 
FFMIA.

Additionally, we found that the system interfaces were not fully tested 
for BSM and LMP and when they became operational, it became clear that 
the system interfaces were not working as intended. Costly manual 
reentry of inventory transactions was necessary. Further, both BSM and 
LMP have experienced cost increase and schedule slippage. BSM was 
originally scheduled to be fully operational in September of 2005. 
However, the date has shifted to midyear 2006 and the cost has 
increased from $764 million to $850 million. LMP has a current 
estimated cost of over $1 billion. As of March 2004, the Army had not 
determined when LMP would be fully operational at all locations. In 
1999, we reported that the Army's estimated cost was $421 million over 
a 10-year period. DOD cannot be assured that the two systems in our 
case study will provide the functionality needed and fully meet DLA and 
Army objectives.

Successful reform of DOD's fundamentally flawed financial and business 
management operations must simultaneously focus on its systems, 
processes, and people. While DOD has made some encouraging progress in 
addressing specific challenges, it is still in the very early stages of 
a departmentwide reform that will take many years to accomplish. 
Secretary Rumsfeld has made business transformation a priority. For 
example, through its Business Management Modernization Program, DOD is 
continuing its efforts to develop and implement a business enterprise 
architecture and establish effective management oversight and control 
over its business systems modernization investments. However, after 
about 3 years of effort and over $203 million in reported obligations, 
we have not seen significant change in the content of DOD's 
architecture or in its approach to investing billions of dollars 
annually in existing and new systems. We have made numerous 
recommendations aimed at improving DOD's plans for developing the next 
version of the architecture and implementing controls for selecting and 
managing business systems investments. To date, DOD has not addressed 
22 of our 24 recommendations.[Footnote 50]

Department of Health and Human Services:

HHS is currently implementing a new financial management system, the 
Unified Financial Management System (UFMS), to replace five outdated 
accounting systems. This project is expected to be phased in at the 
component agencies and fully implemented in fiscal year 2007. Our 2004 
analysis and evaluation focused on the system implementation efforts 
associated with all the HHS entities except for the Centers for 
Medicare and Medicaid Services (CMS) and NIH.[Footnote 51] We found 
that the lack of disciplined processes puts the implementation of HHS' 
new financial management system at risk.

We reported[Footnote 52] that HHS had not followed key disciplined 
processes and was at risk of implementing a new financial management 
system that would not fully meet the needs of its users. While HHS had 
executive sponsorship for the development of UFMS, it had focused on 
meeting its implementation schedule to deploy the system at its 
component agency, the Centers for Disease Control and Prevention (CDC) 
in October 2004 to the detriment of disciplined processes. HHS had not 
implemented effective disciplined processes in such areas as 
requirements management, testing, project management and oversight, and 
risk management.

We found significant problems with HHS' requirements management and 
testing process. Problems with requirements management practices 
include the lack of (1) a concept of operations to guide the 
development of requirements, (2) traceability of a requirement from the 
concept of operations through testing to ensure requirements were 
adequately addressed in the system, and (3) specificity in the 
requirements to minimize confusion in the implementation. These 
problems with requirements have resulted in a questionable foundation 
for the system testing process.

Additionally, testing activities were scheduled too late in the 
implementation cycle, leaving little time to ensure that the defects 
found were addressed before the system was implemented at CDC. While 
adherence to schedule goals is generally desirable, it is key that 
project decisions are based on objective data and demonstrated project 
accomplishments, and are not schedule-driven. Otherwise, the risk of 
costly rework or failure appreciably increases.

We further found that HHS had not developed the quantitative data 
necessary to assess whether UFMS will provide the needed functionality. 
HHS did not have a metrics measurement process to understand its 
capability to help manage the entire UFMS effort; or how its process 
will affect the UFMS cost, schedule, and performance objectives; or 
what corrective action is needed to reduce the risks associated with 
the problems identified. We also reported problems with HHS' initial 
data conversion and system interfaces.

In addition to the disciplined processes weaknesses, we noted that HHS 
had weaknesses in its information technology investment management, 
enterprise architecture, and information security. Serious 
understaffing and incomplete workforce planning have also plagued the 
UFMS project. The cumulative effects of these weaknesses increase the 
risk that UFMS will not fully serve the needs of its users nor achieve 
its budget and schedule goals.

In September 2004, HHS decided to delay the implementation of a 
significant amount of functionality associated with the CDC deployment 
from October 2004 until April 2005 in order to address the issues that 
had been identified with the project.

National Aeronautics and Space Administration:

In April 2000, NASA began its third attempt to modernize its financial 
management system. This effort, IFMP, is expected to produce an 
integrated, NASA-wide financial management system through the 
acquisition and incremental implementation of COTS and related hardware 
and software components. As of June 30, 2003, NASA reported that it had 
fully implemented the core financial module, which NASA considers the 
backbone of IFMP, at all of its 10 operating locations.

As we have reported numerous times,[Footnote 53] NASA faces 
considerable challenges in meeting its IFMP commitments and providing 
the necessary tools to oversee its contracts and manage its programs. 
In April 2003, we reported that the core financial module does not 
provide agency managers or the Congress with useful cost and related 
information with which to make informed decisions, manage daily 
operations, and ensure accountability on an ongoing basis, and NASA was 
not following key best practices for acquiring and implementing the 
system. As we reported, key users, such as program managers, cost 
estimators, and congressional staffs, were not included in defining the 
system requirements. According to IFMP officials, NASA chose to forgo 
certain system capabilities to expedite implementation of the core 
financial model. As a result, managers and cost estimators continued to 
rely on means outside IFMP to capture data needed to manage programs.

We have also reported that NASA's approach to implementing its new 
system did not optimize the system's performance and would likely cost 
more and take longer to implement than necessary. Specifically, NASA 
was not following key best practices for acquiring and implementing the 
system, which may affect the agency's ability to fully benefit from the 
new system's capabilities. First, NASA did not analyze the 
relationships among selected and proposed IFMP components to understand 
the logical and physical relationships among the components it 
acquired. By acquiring these IFMP components without first 
understanding system component relationships, NASA increased its risks 
of implementing a system that will not optimize mission performance and 
will cost more and take longer to implement than necessary. Second, 
although industry best practices and NASA's own system planning 
documents indicate that detailed requirements are needed as the basis 
for effective system testing, NASA did not require documentation of 
detailed system requirements prior to system implementation and 
testing. NASA's approach instead relied on certain subject matter 
experts' knowledge of the detailed requirements necessary to evaluate 
the functionality actually provided. As a result, NASA increased its 
risk that IFMP would cost more and do less than planned.

Further, we reported that NASA's new financial management system did 
not provide key external reporting capabilities, such as the generation 
of complete and accurate information necessary for external reporting 
of NASA property and budgetary data, and the new system did not comply 
substantially with the requirements of FFMIA.

Department of Veterans Affairs:

VA recently halted implementation of its new core financial system, 
Core Financial and Logistics System (CoreFLS), at a potential loss of 
almost $250 million. VA provides federal benefits, including disability 
compensation, pensions, education, life insurance, home loan 
assistance, and medical care, to the 26 million living veterans and 
veterans' survivors and dependents. VA began the detailed planning and 
acquisition of CoreFLS in June 1999 and was planning to have it fully 
implemented throughout VA by March 2006. The VA OIG reported that the 
contracting and monitoring of the CoreFLS project was not adequate and 
the pilot deployment of CoreFLS at a VA medical center encountered 
multiple problems. These problems are similar to the concerns we noted 
at DOD, HHS, and NASA.

The VA OIG noted that the success of CoreFLS greatly depends on the 
ability of the software to integrate with existing legacy systems, 
which in turn requires that existing legacy systems are properly 
implemented and maintained. The VA OIG found that most of the VA legacy 
systems at the pilot location contained inaccurate data because they 
had not been used properly and that this may be a systemic problem 
throughout VA. The effect of transferring inaccurate data to CoreFLS at 
this pilot location interrupted patient care and medical center 
operations. This was compounded by VA inadequately training employees 
on how to use the system, unreliable test procedures and results, and 
unsubstantiated performance results. Problems were also identified with 
reconciling accounts payable, accounts receivable, undelivered orders, 
and real property.

When CoreFLS was deployed at the pilot location in October 2003, it did 
not function as project managers expected because of inaccurate or 
incomplete vendor and inventory system data. Because of these problems 
with vendor and inventory systems, the VA pilot location made excessive 
purchases of medical supplies. For example, on February 23, 2004, the 
pilot location purchased 100 cup biopsy forceps with a total value of 
$30,700, which were shipped overnight to the medical center, but 
returned to the vendor less than a month later. In addition, late 
payment penalties by the medical center for the first two quarters of 
fiscal year 2004 totaled $10,800, compared to $600 for the entire 
fiscal year 2003. The VA OIG's review also found that the inventory was 
overstated by approximately $2.3 million out of $3.6 million recorded, 
because an item valued at $23 showed a quantity on-hand of 100,000 
when, in fact, the on-hand quantity was only one.

As a result of these problems, patient care was interrupted by supply 
outages and other problems. The inability to provide sterile equipment 
and needed supplies to the operating room resulted in the cancellation 
of 81 elective surgeries for a week in both November 2003 and February 
2004. In addition, the operating room was forced to operate at two-
thirds of its prior capacity. Because of the serious nature of the 
problems raised with CoreFLS, VA management decided to focus on 
transitioning back to the previous financial management software and 
pull together a senior leadership team to examine the results of the 
pilot and make recommendations to the VA Secretary regarding the future 
of CoreFLS.

Governmentwide Initiatives to Improve Financial Management Systems Spur 
Needed Change:

As agencies move forward with initiatives to address FFMIA-related 
problems, it is important that consideration be given to the numerous 
governmentwide initiatives under way to address long-standing financial 
management weaknesses. As stated in the PMA, there are few items more 
urgent than ensuring that the federal government operates efficiently 
and is results-oriented. While FFMIA implementation relates directly to 
the improved financial performance initiative, development and 
maintenance of FFMIA-compliant systems will also affect the 
implementation of the other four PMA initiatives. Notably, OMB is 
developing a federal enterprise architecture that is intended to 
facilitate the government's ability to make significant progress across 
the PMA. For example, as part of the e-gov PMA initiative, the number 
of federal payroll providers is being consolidated. Numerous agencies 
had targeted their payroll operations for costly modernization, and 
according to OMB, millions of dollars will be saved through shared 
resources and processes and by modernizing on a cross-agency, 
governmentwide basis.

The Clinger-Cohen Act sets forth a variety of initiatives to support 
better decision making for capital investments in information 
technology, which has led to the development of the Federal Enterprise 
Architecture and better-informed capital investment and control 
processes within agencies and across government. This has produced 
another broad shift in the financial systems environment--one that 
acknowledges that financial systems planning can no longer take place 
within an isolated environment or "stovepipe," but must now be 
integrated with enterprise goals. Managed properly, an enterprise 
architecture can clarify and help optimize the interdependencies and 
relationships among an organization's business operations and the 
underlying information technology infrastructure and applications that 
support those operations.

Moreover, developing such an architecture will help address the 
government's inability to properly reconcile and report on 
intragovernmental transactions. We have reported[Footnote 54] for years 
that the heart of the intragovernmental transactions issue was that the 
federal government lacked clearly articulated business rules for these 
transactions so that they would be handled consistently by agencies. 
This is compounded by limitations and incompatibility of agency and 
trading partner systems, among other issues. OMB and Treasury have 
taken steps to help transform and standardize intragovernmental 
transactions, including instituting an e-gov project[Footnote 55] to 
define a governmentwide data architecture and provide a single source 
of detailed trading partner data. The Intragovernmental Transaction 
Exchange was piloted from October 2003 to April 2004, and provided 
information about the business processes and technologies used to 
interact with it. After evaluating the results of the pilot, OMB 
expects to phase it into use at all agencies.

Building upon the efforts of the Federal Enterprise Architecture 
program to support the PMA for e-gov, OMB and designated agency task 
forces have launched the line of business (LOB) initiative. This 
initiative seeks to develop business-driven, common solutions for five 
lines of business that span across the federal government. The five 
initiatives are financial management, human resources management, 
grants management, federal health architecture, and case management. 
Each of the lines of business shares similar business requirements and 
business processes. OMB and the LOB task forces plan to use either 
enterprise architecture-based principles and best practices to identify 
common solutions for business processes, technology-based shared 
services to be made available to government agencies, or both. Driven 
from a business perspective rather than a technology focus, the 
solutions are expected to address distinct business improvements to 
enhance government's performance and services for citizens. The results 
of LOB efforts are expected to save taxpayer dollars, reduce 
administrative burden, and significantly improve service delivery.

The financial management LOB goals are to (1) achieve or enhance 
process improvements and cost savings in the acquisition, development, 
implementation, and operation of financial management systems through 
shared services, joint procurements, consolidation, and other means; 
(2) promote seamless data exchange between and among federal agencies; 
(3) provide for the standardization of business processes and data 
elements; and (4) strengthen internal controls through real-time 
integration of core financial and subsidiary systems. OMB has an 
ambitious time frame, September 2004, for identifying a common solution 
and developing a target architecture and a joint business case. At the 
time of our review, OMB had not completed this effort. Agency business 
cases submitted as part of the budget cycle are expected to reflect the 
proposed common solutions. GAO has long supported and called for such 
initiatives to standardize and streamline common systems, which cannot 
only reduce costs but, if done correctly, can improve accountability.

The problems we have seen related to requirements, testing, interfaces, 
and data conversion at the agency level indicate that attention to 
these disciplined processes will continue to be important as OMB and 
the LOB task forces move forward. These initiatives and the 
intragovernmental transaction exchange will be required to address 
broader sets of requirements, interfaces, and data conversion issues 
than those at an individual agency level, thus amplifying the 
complexity of the task. Disciplined process can play an important role 
in helping governmentwide systems initiatives reduce the risk of these 
projects to acceptable levels.

In addition, with many new financial management systems being 
implemented in the federal government, it is crucial that the federal 
government have a qualified workforce with the right mix of skills to 
implement financial systems successfully. Our report[Footnote 56] on 
effective strategic workforce planning highlighted five principles that 
such a process should address irrespective of the context in which 
planning is done. Among the principles are determining the critical 
skills and competencies that will be needed to achieve current and 
future results, and developing strategies tailored to address gaps in 
the number, deployment, and alignment of human capital approaches. At a 
JFMIP-sponsored forum on successful integration and interoperability of 
business management systems held in May 2004, the participants noted 
that agencies are losing experienced people for a variety of reasons 
and relying excessively on outside contractors because they have no 
other choice. Participants expressed concern that internally, staff 
lack the technical expertise needed. Agency officials overseeing 
implementations have expertise on the functional requirements, such as 
government accounting standards, but vendors and integrators have 
little expertise in these areas. This is extremely high risk and 
costly, and greater oversight and close monitoring of contractors is 
needed. Further, our executive guide[Footnote 57] emphasizes the need 
for developing a financial management team with the right mix of skills 
and competencies. A changing financial management business vision 
requires shifting workforce capacities and providing a financial 
management workforce that is more analytic and capable of providing 
decision support.

Conclusions:

Long-standing problems with agencies' financial systems continue to 
make it difficult for agencies to routinely produce reliable, useful, 
and timely financial information. While a number of agencies are 
receiving unqualified ("clean") opinions on their financial statements, 
the continued widespread noncompliance with FFMIA shows that agencies 
still have a long way to go to having systems, processes, and controls 
that routinely generate reliable, useful, and timely information.

The FFMIA-related problems reported in agency audit reports indicate 
that federal financial management systems are not currently providing 
federal managers the financial data needed for day-to-day management of 
their programs or for external reporting in an efficient or timely 
manner. Yet we remain concerned that the full nature and scope of the 
problems have not been identified because auditors have only provided 
negative assurance in their FFMIA reports. We believe the law requires 
auditors to provide positive assurance on FFMIA compliance. Therefore, 
we reaffirm our recommendation made in prior reports that OMB revise 
its current FFMIA guidance to require agency auditors to provide a 
statement of positive assurance when reporting an agency's systems to 
be in substantial compliance, which entails a more thorough examination 
of the agency's systems. We also reaffirm our other prior 
recommendation for OMB to explore further clarification of the 
definition of "substantial compliance" in its FFMIA guidance to 
encourage consistent reporting among agency auditors. As we 
stated[Footnote 58] in our prior reports, auditors we interviewed had 
concerns about providing positive assurance in reporting on agency 
systems' FFMIA compliance because of a need for clarification regarding 
the meaning of substantial compliance.

Implementing new COTS core financial systems is a formidable challenge 
since financial management systems are not only needed for external 
reporting but, most importantly, are needed to provide the financial 
information program managers need to manage operations on a day-to-day 
basis. Reliable, useful, and timely financial management information is 
key to achieving the goals of the PMA and its related initiatives, such 
as PART. As the federal government moves forward with agency 
implementations of new financial management systems and for systems 
implemented to satisfy governmentwide initiatives, adherence to proven 
disciplined processes to minimize risks and improve management of these 
implementations is critical. Moreover, people with the right skill sets 
in the right places at the right times are critical to efficiently and 
effectively implementing a financial management system and operating it 
once it is in place. Improvements in federal financial management 
systems are in some cases a long-term goal, but with sustained 
attention from important decision makers, including the Congress and 
OMB, the goals of the CFO Act and FFMIA can be achieved.

Agency Comments and Our Evaluation:

In written comments (reprinted in app. VI) on a draft of this report, 
OMB agreed with our assessment that while federal agencies continue to 
make progress in addressing financial management systems weaknesses, 
many agencies still lack the ability to produce the data needed to 
efficiently and effectively manage day-to-day operations. As in 
previous years, OMB disagreed with our recommendation that agency 
auditors be required to provide a statement of positive assurance when 
reporting agency systems to be in substantial compliance with FFMIA. 
OMB said that the PMA and FFMIA should be viewed as complementary 
methods for achieving improvements in financial management systems. OMB 
stated that the framework of performance standards established under 
the PMA provides a corroborative mechanism for evaluating FFMIA 
compliance, which together with existing audit processes can provide an 
accurate assessment of substantial compliance. Therefore, OMB does not 
believe that the addition of a statement of positive assurance on FFMIA 
compliance would be beneficial. While we agree that the initiatives of 
the PMA are stimulating improvements, auditors need to consider other 
aspects of financial management systems when assessing FFMIA compliance 
that are not fully addressed through the current reporting structure. 
Our concern is that some of the information provided by this approach, 
such as monthly financial performance metrics for managing activities, 
does not come under audit scrutiny and may not be reliable. In 
contrast, an opinion by an independent auditor of FFMIA compliance 
would confirm that an agency's systems substantially met the 
requirements of FFMIA and provide additional confidence in the 
information provided by the PMA. Finally, as we have stated in previous 
reports, a statement of positive assurance is a statutory requirement 
under the act.

With regard to our prior recommendation, which we reaffirmed in this 
report, for revised guidance that clarifies the definition of 
substantial compliance, OMB said that the performance results obtained 
from the PMA initiatives will allow a further refinement of the 
existing substantial compliance indicators. OMB agreed to consider 
clarifying the definition of "substantial compliance" in future policy 
and guidance updates. As we noted in our prior reports,[Footnote 59] 
auditors we interviewed expressed a need for clarification regarding 
the meaning of substantial compliance.

OMB also provided additional oral comments, which we incorporated as 
appropriate.

We are sending copies of this report to the Chairman and Ranking 
Minority Member, Subcommittee on Financial Management, the Budget, and 
International Security, Senate Committee on Governmental Affairs, and 
to the Chairman and Ranking Minority Member, Subcommittee on Government 
Efficiency and Financial Management, House Committee on Government 
Reform. We are also sending copies to the Director of the Office of 
Management and Budget, the Secretary of Homeland Security, the heads of 
the 23 CFO Act agencies, and agency CFOs and IGs. Copies will be made 
available to others upon request. In addition, this report will be 
available at no charge on the GAO Web site at 
[Hyperlink, http://www.gao.gov].

This report was prepared under the direction of Sally E. Thompson, 
Director, Financial Management and Assurance, who may be reached at 
(202) 512-2600 or by e-mail at [Hyperlink, thompsons@gao.gov] if you 
have any questions. Staff contacts and other key contributors to this 
report are listed in appendix VII.

Signed by: 

David M. Walker: 
Comptroller General of the United States:

[End of section]

Appendixes:

Appendix I: Requirements and Standards Supporting Federal Financial 
Management:

Financial Management Systems Requirements:

The policies and standards prescribed for executive agencies to follow 
in developing, operating, evaluating, and reporting on financial 
management systems are defined in Office of Management and Budget (OMB) 
Circular No. A-127, Financial Management Systems. The components of an 
integrated financial management system include the core financial 
system,[Footnote 60] managerial cost accounting system, and 
administrative and programmatic systems. Administrative systems are 
those that are common to all federal agency operations,[Footnote 61] 
and programmatic systems are those needed to fulfill an agency's 
mission. The Program Management Office (PMO), managed by the Executive 
Director of the Joint Financial Management Improvement Program (JFMIP) 
and funded by the Chief Financial Officers (CFO) Council, has issued 
federal financial management systems requirements (FFMSR)[Footnote 62] 
for the core financial system and managerial cost accounting system, 
and is in the process of issuing these requirements for the 
administrative and programmatic systems. Appendix II lists the federal 
financial management systems requirements published to date. Figure 5 
is the PMO model that illustrates how these systems interrelate in an 
agency's overall systems architecture.

Figure 5: Agency Systems Architecture:

[See PDF for image]

[End of figure]

OMB Circular No. A-127 requires agencies to purchase commercial off-
the-shelf (COTS) software that has been tested and certified through 
the PMO software certification process when acquiring core financial 
systems. PMO's certification process, however, does not eliminate or 
significantly reduce the need for agencies to develop and conduct 
comprehensive testing efforts to ensure that the COTS software meets 
their requirements. Moreover, according to PMO, core financial systems 
certification does not mean that agencies that install these packages 
will have financial management systems that are compliant with the 
Federal Financial Management Improvement Act (FFMIA) of 1996. Many 
other factors can affect the capability of the systems to comply with 
FFMIA, including modifications made to the PMO-certified core financial 
management systems software and the validity and completeness of data 
from feeder systems.

Federal Accounting Standards:

The Federal Accounting Standards Advisory Board (FASAB)[Footnote 63] 
promulgates federal accounting standards that agency CFOs use in 
developing financial management systems and preparing financial 
statements. FASAB develops the appropriate accounting standards after 
considering the financial and budgetary information needs of the 
Congress, executive agencies, and other users of federal financial 
information and comments from the public. FASAB forwards the standards 
to the three Sponsors--the Comptroller General, the Secretary of the 
Treasury, and the Director of OMB--for a 90-day review. If there are no 
objections during the review period, the standards are considered final 
and FASAB publishes them on its Web site and in print.

The American Institute of Certified Public Accountants has recognized 
the federal accounting standards promulgated by FASAB as generally 
accepted accounting principles for the federal government. This 
recognition enhances the acceptability of the standards, which form the 
foundation for preparing consistent and meaningful financial statements 
both for individual agencies and the government as a whole. Currently, 
there are 25 Statements of Federal Financial Accounting Standards 
(SFFAS) and 4 Statements of Federal Financial Accounting Concepts 
(SFFAC).[Footnote 64] The concepts and standards are the basis for 
OMB's guidance to agencies on the form and content of their financial 
statements and for the government's consolidated financial statements. 
Appendix III lists the concepts, standards, and 
interpretations[Footnote 65] along with their respective effective 
dates.

FASAB's Accounting and Auditing Policy Committee (AAPC)[Footnote 66] 
assists in resolving issues related to the implementation of accounting 
standards. AAPC's efforts result in guidance for preparers and auditors 
of federal financial statements in connection with implementation of 
accounting standards and the reporting and auditing requirements 
contained in OMB's Form and Content of Agency's Financial Statements 
Bulletin and Audit Requirements for Federal Financial Statements 
Bulletin. To date, AAPC has issued six technical releases, which are 
listed in appendix IV along with their release dates.

U.S. Government Standard General Ledger:

The U.S. Government Standard General Ledger (SGL) was established by an 
interagency task force under the direction of OMB and mandated for use 
by agencies in OMB and Department of the Treasury regulations in 1986. 
The SGL promotes consistency in financial transaction processing and 
reporting by providing a uniform chart of accounts and pro forma 
transactions used to standardize federal agencies' financial 
information accumulation and processing throughout the year; enhance 
financial control; and support budget and external reporting, including 
financial statement preparation. For example, agency use of the SGL 
accounts and OMB's new intergovernmental business rules for 
standardizing intragovernmental activity and balances are key to 
removing one of the material weaknesses that GAO has reported on the 
governmentwide consolidated statements since fiscal year 1997. The SGL 
is intended to improve data stewardship throughout the federal 
government, enabling consistent reporting at all levels within the 
agencies and providing comparable data and financial analysis 
governmentwide.[Footnote 67]

Internal Control Standards:

The Congress enacted legislation, 31 U.S.C. 3512(c),(d) (commonly 
referred to as the Federal Managers' Financial Integrity Act of 1982 
(FIA)), to strengthen internal controls and accounting systems 
throughout the federal government, among other purposes. Issued 
pursuant to FIA, the Comptroller General's Standards for Internal 
Control in the Federal Government[Footnote 68] provides standards 
directed at helping agency managers implement effective internal 
control, an integral part of improving financial management systems. 
Internal control is a major part of managing an organization and 
comprises the plans, methods, and procedures used to meet missions, 
goals, and objectives. In summary, internal control, which under OMB's 
guidance for FIA is synonymous with management control, helps 
government program managers achieve desired results through effective 
stewardship of public resources.

Effective internal control also helps in managing change to cope with 
shifting environments and evolving demands and priorities. As programs 
change and agencies strive to improve operational processes and 
implement new technological developments, management must continually 
assess and evaluate its internal control to ensure that the control 
objectives are being achieved.

[End of section]

Appendix II: Publications in the Federal Financial Management Systems 
Requirements Series:

FFMSR document: FFMSR-8 Systems Requirements for Managerial Cost 
Accounting; 
Issue date: February 1998.

FFMSR document: JFMIP-SR-99-5 Human Resources & Payroll Systems 
Requirements; 
Issue date: April 1999.

FFMSR document: JFMIP-SR-99-8 Direct Loan System Requirements; 
Issue date: June 1999.

FFMSR document: JFMIP-SR-99-9 Travel System Requirements; 
Issue date: July 1999.

FFMSR document: JFMIP-SR-99-14 Seized Property and Forfeited Asset 
Systems Requirements; 
Issue date: December 1999.

FFMSR document: JFMIP-SR-00-01 Guaranteed Loan System Requirements; 
Issue date: March 2000.

FFMSR document: JFMIP-SR-00-3 Grant Financial System Requirements; 
Issue date: June 2000.

FFMSR document: JFMIP-SR-00-4 Property Management Systems Requirements; 
Issue date: October 2000.

FFMSR document: JFMIP-SR-01-01 Benefit System Requirements; 
Issue date: September 2001.

FFMSR document: JFMIP-SR-02-01 Core Financial System Requirements; 
Issue date: November 2001.

FFMSR document: JFMIP-SR-02-02 Acquisition/Financial Systems Interface 
Requirements; 
Issue date: June 2002.

FFMSR document: JFMIP-SR-03-01 Revenue System Requirements; 
Issue date: January 2003.

FFMSR document: JFMIP-SR-03-02 Inventory, Supplies and Materials System 
Requirements; 
Issue date: August 2003.

FFMSR document: JFMIP-SR-02-01 Addendum to Core Financial System 
Requirements; 
Issue date: March 2004.

FFMSR document: JFMIP-SR-01-04 Framework for Federal Financial 
Management Systems; 
Issue date: April 2004.

Source: JFMIP.

[End of table]

[End of section]

Appendix III: Statements of Federal Financial Accounting Concepts, 
Statements of Federal Financial Accounting Standards, and 
Interpretations:

Concepts: SFFAC No. 1 Objectives of Federal Financial Reporting.

Concepts: SFFAC No. 2 Entity and Display.

Concepts: SFFAC No. 3 Management's Discussion and Analysis.

Concepts: SFFAC No. 4 Intended Audience and Qualitative Characteristics 
for the Consolidated Financial Report of the United States Government; 

Standards: SFFAS No. 1 Accounting for Selected Assets and Liabilities; 
Effective for fiscal year[A]: 1994.

Standards: SFFAS No. 2 Accounting for Direct Loans and Loan Guarantees; 
Effective for fiscal year[A]: 1994.

Standards: SFFAS No. 3 Accounting for Inventory and Related Property; 
Effective for fiscal year[A]: 1994.

Standards: SFFAS No. 4 Managerial Cost Accounting Concepts and 
Standards; 
Effective for fiscal year[A]: 1998.

Standards: SFFAS No. 5 Accounting for Liabilities of the Federal 
Government; 
Effective for fiscal year[A]: 1997.

Standards: SFFAS No. 6 Accounting for Property, Plant, and Equipment; 
Effective for fiscal year[A]: 1998.

Standards: SFFAS No. 7 Accounting for Revenue and Other Financing 
Sources; 
Effective for fiscal year[A]: 1998.

Standards: SFFAS No. 8 Supplementary Stewardship Reporting; 
Effective for fiscal year[A]: 1998.

Standards: SFFAS No. 9 Deferral of the Effective Date of Managerial 
Cost Accounting Standards for the Federal Government in SFFAS No. 4; 
Effective for fiscal year[A]: 1998.

Standards: SFFAS No. 10 Accounting for Internal Use Software; 
Effective for fiscal year[A]: 2001.

Standards: SFFAS No. 11 Amendments to Accounting for Property, Plant, 
and Equipment--Definitional Changes; 
Effective for fiscal year[A]: 1999.

Standards: SFFAS No. 12 Recognition of Contingent Liabilities Arising 
from Litigation: An Amendment of SFFAS No. 5, Accounting for 
Liabilities of the Federal Government; 
Effective for fiscal year[A]: 1998.

Standards: SFFAS No. 13 Deferral of Paragraph 65-2--Material Revenue-
Related Transactions Disclosures; 
Effective for fiscal year[A]: 1999.

Standards: SFFAS No. 14 Amendments to Deferred Maintenance Reporting; 
Effective for fiscal year[A]: 1999.

Standards: SFFAS No. 15 Management's Discussion and Analysis; 
Effective for fiscal year[A]: 2000.

Standards: SFFAS No. 16 Amendments to Accounting for Property, Plant, 
and Equipment; 
Effective for fiscal year[A]: 2000.

Standards: SFFAS No. 17 Accounting for Social Insurance; 
Effective for fiscal year[A]: 2000.

Standards: SFFAS No. 18 Amendments to Accounting Standards for Direct 
Loans and Loan Guarantees in SFFAS No. 2; 
Effective for fiscal year[A]: 2001.

Standards: SFFAS No. 19 Technical Amendments to Accounting Standards 
for Direct Loans and Loan Guarantees in SFFAS No. 2; 
Effective for fiscal year[A]: 2003.

Standards: SFFAS No. 20 Elimination of Certain Disclosures Related to 
Tax Revenue Transactions by the Internal Revenue Service, Customs, and 
Others; 
Effective for fiscal year[A]: 2001.

Standards: SFFAS No. 21 Reporting Corrections of Errors and Changes in 
Accounting Principles; 
Effective for fiscal year[A]: 2002.

Standards: SFFAS No. 22 Change in Certain Requirements for Reconciling 
Obligations and Net Cost of Operations; 
Effective for fiscal year[A]: 2001.

Standards: SFFAS No. 23 Eliminating the Category National Defense 
Property, Plant, and Equipment; 
Effective for fiscal year[A]: 2003.

Standards: SFFAS No. 24 Selected Standards for the Consolidated 
Financial Report of the United States Government; 
Effective for fiscal year[A]: 2002.

Standards: SFFAS No. 25 Reclassification of Stewardship 
Responsibilities and Eliminating the Current Services Assessment; 
Effective for fiscal year[A]: 2005.

Interpretations: No. 1 Reporting on Indian Trust Funds.

Interpretations: No. 2 Accounting for Treasury Judgment Fund 
Transactions; 


Interpretations: No. 3 Measurement Date for Pension and Retirement 
Health Care Liabilities; 


Interpretations: No. 4 Accounting for Pension Payments in Excess of 
Pension Expense; 


Interpretations: No. 5 Recognition by Recipient Entities of Receivable 
Nonexchange Revenue; 


Interpretations: No. 6 Accounting for Imputed Intra-departmental Costs; 

Source: FASAB.

[A] Effective dates do not apply to Statements of Federal Financial 
Accounting Concepts and Interpretations.

[End of table]

[End of section]

Appendix IV: AAPC Technical Releases:

Technical release: TR-1 Audit Legal Letter Guidance; 
AAPC release date: March 1, 1998.

Technical release: TR-2 Environmental Liabilities Guidance; 
AAPC release date: March 15, 1998.

Technical release: TR-3 Preparing and Auditing Direct Loan and Loan 
Guarantee Subsidies Under the Federal Credit Reform Act; 
AAPC release date: July 31, 1999.

Technical release: TR-4 Reporting on Non-Valued Seized and Forfeited 
Property; 
AAPC release date: July 31, 1999.

Technical release: TR-5 Implementation Guidance on SFFAS No. 10: 
Accounting for Internal Use Software; 
AAPC release date: May 14, 2001.

Technical release: TR-6 Preparing Estimates for Direct Loan and Loan 
Guarantee Subsidies Under the Federal Credit Reform Act (Amendments to 
TR-3); 
AAPC release date: January 2004.

Source: FASAB.

[End of table]

[End of section]

Appendix V: Checklists for Reviewing Systems under the Federal 
Financial Management Improvement Act:

Checklist: GAO/AIMD-00-21.2.3 Human Resources and Payroll Systems 
Requirements; 
Issue date: March 2000.

Checklist: GAO-01-99G Seized Property and Forfeited Assets Systems 
Requirements; 
Issue date: October 2000.

Checklist: GAO/AIMD-21.2.6 Direct Loan System Requirements; 
Issue date: April 2000.

Checklist: GAO/AIMD-21.2.8 Travel System Requirements; 
Issue date: May 2000.

Checklist: GAO/AIMD-99-21.2.9 System Requirements for Managerial Cost 
Accounting; 
Issue date: January 1999.

Checklist: GAO-01-371G Guaranteed Loan System Requirements; 
Issue date: March 2001.

Checklist: GAO-01-911G Grant Financial System Requirements; 
Issue date: September 2001.

Checklist: GAO-02-171G Property Management Systems Requirements; 
Issue date: December 2001.

Checklist: GAO-04-22G Benefit System Requirements; 
Issue date: October 2003.

Checklist: GAO-04-650G Acquisition/Financial Systems Interface 
Requirements; 
Issue date: June 2004.

Checklist: GAO-04-763G Core Financial System Requirements (Exposure 
Draft); 
Issue date: July 2004.

Source: GAO. 

[End of table]

[End of section]

Appendix VI: Comments from the Office of Management and Budget:

EXECUTIVE OFFICE OF THE PRESIDENT: 
OFFICE OF MANAGEMENT AND BUDGET: 
WASHINGTON, D: C. 20503:

THE CONTROLLER:

SEP 24 2004:

Ms. Sally E. Thompson:
Director, Financial Management and Assurance: 
United States Government Accountability Office: 
Washington, DC 20548:

Dear Ms. Thompson:

Thank you for the opportunity to comment on the GAO draft report 
entitled "Financial Management: Improved Financial Systems are Key to 
FFMIA Compliance."

Overall, OMB: agrees with your assessment that many Federal agencies 
continue to make progress implementing the Federal Financial Management 
Improvement Act (FFMIA). We also agree that agencies have a long way to 
go before Federal managers begin receiving the financial information 
they need to efficiently and effectively-manage day-to-day operations. 
Indeed, our common goal goes far beyond attaining unqualified opinions 
on agency financial statements. We are both striving for the creation 
and use - for both government managers and the. taxpayer - of reliable, 
useful and timely management information.

Nevertheless, Federal agencies have continued to show significantly 
improved financial performance: most agencies are filing quarterly and 
annual financial statements on a timely basis; financial statement 
quality is improving as most agencies receive unqualified audit 
opinions; long-standing material weaknesses are being resolved; and 
monthly financial performance metrics for managing activities are in 
widespread use.

We believe a major factor in bringing about the financial improvements 
at Federal agencies has been the homework of performance standards we 
established under the President's Management Agenda. The processes used 
in evaluating agencies against these standards can also provide a 
robust corroborative mechanism in evaluating compliance with the FFMIA. 
They are more than an alternate route to substantial compliance - they 
greatly buttress the already thorough audit processes currently in use. 
When used in combination with information provided by an agency's 
auditors, an accurate assessment of substantial compliance can be 
attained.

Accordingly, as we indicated in our comments on last year's draft. 
report, OMB believes that the addition of a statement of positive 
assurance on FFMIA compliance would not be beneficial.

The draft report also recommends that OMB explore clarifying the 
definition of "substantial compliance." We believe that our growing 
experience helping agencies implement the high standards incorporated 
in the President's Management Agenda will enable us to further refine 
the existing FFMIA indicators associated with substantial compliance. 
As such, we will consider this recommendation, as appropriate; in any 
future policy and guidance updates.

We appreciate the opportunity to comment on the draft report and look 
forward to continue working with GAO in improving Federal financial 
management systems. If you have any questions please feel free to 
contact David Alekson, Financial Systems Branch at 202.395.5642.

Sincerely,

Signed by: 

Linda M. Springer: 
Controller: 

[End of section]

Appendix VII: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Sally E. Thompson, (202) 512-2600 Kay L. Daly, (202) 512-9312:

Acknowledgments:

In addition to those named above, Alberto Garza, Lisa M. Knight, 
Michael S. LaForge, W. Stephen Lowrey, Gina K. Ross, Sandra S. Silzer, 
and Bryan D. Weisbard made key contributions to this report.

(193054):

FOOTNOTES

[1] Pub. L. No. 101-576, 104 Stat. 2838 (1990).

[2] Federal Financial Management Improvement Act of 1996, Pub. L. No. 
104-208, div. A., § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 
30, 1996).

[3] There were initially 24 CFO Act agencies. (See Pub. L. No. 101-576, 
§205, 104 Stat. 2838, 2842-43 (1990)). The Federal Emergency Management 
Agency, one of the 24 CFO Act agencies, was subsequently transferred to 
the new Department of Homeland Security (DHS) created effective March 
1, 2003. DHS must prepare audited financial statements under the 
Accountability of Tax Dollars Act of 2002 (Pub. L. No. 107-289, 116 
Stat. 2049 (Nov. 7, 2002)). However, DHS was not established as a CFO 
Act agency and therefore is not subject to FFMIA. Consideration is now 
being given by each house of Congress to adding DHS to the list of CFO 
Act agencies in the Department of Homeland Security Financial 
Accountability Act, H.R. 4259 and S. 1567, 108th Congress.

[4] The Department of Commerce (Commerce), the Department of Energy 
(Energy), the Environmental Protection Agency (EPA), the National 
Science Foundation (NSF), the Nuclear Regulatory Commission (NRC), and 
the Social Security Administration (SSA). 

[5] U.S. Department of Veterans Affairs, Office of Inspector General, 
Issues at VA Medical Center Bay Pines, Florida and Procurement and 
Deployment of the Core Financial and Logistics System (CoreFLS), 04-
01371-177 (Washington, D.C.: August 2004).

[6] GAO, DOD Business Systems Modernization: Billions Continue to Be 
Invested with Inadequate Management Oversight and Accountability, GAO-
04-615 (Washington, D.C.: May 27, 2004).

[7] GAO, Financial Management Systems: Lack of Disciplined Processes 
Puts Implementation of HHS' Financial System at Risk, GAO-04-1008 
(Washington, D.C.: Sept. 23, 2004).

[8] GAO, Business Modernization: Improvements Needed in Management of 
NASA's Integrated Financial Management Program, GAO-03-507 
(Washington, D.C.: Apr. 30, 2003); Information Technology: Architecture 
Needed to Guide NASA's Financial Management Modernization, GAO-04-43 
(Washington, D.C.: Nov. 21, 2003); Business Modernization: Disciplined 
Processes Needed to Better Manage NASA's Integrated Financial 
Management Program, GAO-04-118 (Washington, D.C.: Nov. 21, 2003); 
Business Modernization: NASA's Integrated Financial Management Program 
Does Not Fully Address Agency's External Report Issues, GAO-04-151 
(Washington, D.C.: Nov. 21, 2003); Business Modernization: NASA's 
Challenges in Managing Its Integrated Financial Management Program, 
GAO-04-255 (Washington, D.C.: Nov. 21, 2003); and National Aeronautics 
and Space Administration: Significant Actions Needed to Address Long-
standing Financial Management Problems, GAO-04-754T (Washington, D.C.: 
May 19, 2004). 

[9] GAO, Financial Management: FFMIA Implementation Critical for 
Federal Accountability, GAO-02-29 (Washington, D.C.: Oct. 1, 2001); 
Financial Management: FFMIA Implementation Necessary to Achieve 
Accountability, GAO-03-31 (Washington, D.C.: Oct. 1, 2002); and 
Financial Management: Sustained Efforts Needed to Achieve FFMIA 
Accountability, GAO-03-1062 (Washington, D.C.: Sept. 30, 2003). 

[10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993).

[11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994).

[12] Pub. L. No. 104-106, div. E, 110 Stat. 186, 679 (Feb. 10, 1996).

[13] The Accountability of Tax Dollars Act of 2002 extends the 
requirement to prepare and submit audited financial statements to most 
executive agencies not subject to the CFO Act unless they are exempted 
by OMB. However, these agencies are not required to have systems that 
are compliant with FFMIA. 

[14] The American Institute of Certified Public Accountants recognizes 
the federal accounting standards promulgated by the Federal Accounting 
Standards Advisory Board as generally accepted accounting principles. 
For a further description of federal accounting standards, see app. I.

[15] The SGL provides a standard chart of accounts and standardized 
transactions that agencies are to use in all their financial systems. 

[16] These five crosscutting initiatives are (1) improved financial 
performance, (2) strategic human capital management, (3) competitive 
sourcing, (4) expanded electronic government, and (5) budget and 
performance integration. 

[17] The authority for the creation of JFMIP is statutorily based. See 
the Budget and Accounting Procedures Act of 1950, now codified at 31 
U.S.C. 3511(d). 

[18] See app. III for the systems requirements documents issued to 
date.

[19] GAO/PCIE, Financial Audit Manual, GAO-01-765G (Washington, D.C.: 
July 2004). 

[20] GAO-01-765G, sections 701, 701A, 701B, and 260.58-.60. 

[21] Of these 17 agencies, systems for 8 agencies were reported not to 
be in substantial compliance with all three FFMIA requirements. 

[22] GAO, Financial Management: Department of Homeland Security Faces 
Significant Financial Management Challenges, GAO-04-774 (Washington, 
D.C.: July 19, 2004).

[23] OMB Bulletin No. 01-02, Audit Requirements for Federal Financial 
Statements (Oct. 16, 2000).

[24] GAO-02-29, GAO-03-31, and GAO-03-1062.

[25] A final rule issued by the Securities and Exchange Commission that 
took effect in August 2003 provides guidance for implementations of 
Sections 302, 404, and 906 of the Sarbanes-Oxley Act of 2002 (Pub. L. 
No. 107-204, §§302, 404, 906 116 Stat. 745, 777, 789, 806 (July 30, 
2002)), which requires publicly traded companies to establish and 
maintain an adequate internal control structure and procedures for 
financial reporting and include in the annual report a statement of 
management's responsibility for and assessment of the effectiveness of 
those controls and procedures in accordance with standards adopted by 
the Securities and Exchange Commission. 

[26] GAO-02-29.

[27] GAO-02-29 and GAO-03-31.

[28] Federal financial system requirements define an integrated 
financial system as one that coordinates a number of previously 
unconnected functions to improve overall efficiency and control. 
Characteristics of such a system include (1) standard data 
classifications for recording financial events, (2) common processes 
for processing similar transactions, (3) consistent control over data 
entry, transaction processing, and reporting, and (4) a system design 
that eliminates unnecessary duplication of transaction entry. 

[29] In our October 2003 FFMIA report, we stated that auditors had 
discussed problems relating to nonintegrated financial management 
systems at 12 agencies. As part of our analysis of the most recent 
reports, it became apparent that the auditors for 1 additional agency 
concluded that nonintegrated systems were a factor contributing to its 
financial reporting difficulties for fiscal year 2002. Therefore, the 
revised number of agencies with nonintegrated systems for fiscal year 
2002 is 13. 

[30] GAO, Financial Audit: IRS's Fiscal Years 2003 and 2002 Financial 
Statements, GAO-04-126 (Washington, D.C.: Nov. 13, 2003).

[31] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

[32] Agencies record their budget spending authorizations in their fund 
balance with Treasury accounts. Agencies increase or decrease these 
accounts as they collect or disburse funds. 

[33] PSC is an administrative office that provides program support 
services to HHS components and other federal agencies through fee-for-
service. PSC's major business lines include financial management and 
administrative operations. 

[34] The PSC CORE Accounting system is the nucleus of PSC's accounting 
operations and accepts and processes data supplied by 8 of the 12 HHS 
agencies as well as from Payroll, Travel, and Payment Management 
Systems.

[35] USAID's ARS obtains obligation and contract data and uses this 
information to calculate estimated quarterly expenses against 
individual contracts, grants, or obligation line items.

[36] GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: 
January 2003).

[37] Pub. L. 107-347, title III, §301, 116 Stat. 2899, 2946-2961 
(December 17, 2002).

[38] GAO, Information Security: Continued Efforts Needed to Sustain 
Progress in Implementing Statutory Requirements, GAO-04-483T 
(Washington, D.C.: Mar. 16, 2004). 

[39] GAO-03-1062.

[40] The PMO, which is managed by JFMIP's Executive Director, with 
funds provided by the CFO Council agencies, tests vendor COTS packages 
and certifies that they meet certain financial management system 
requirements for core financial systems.

[41] GAO-03-1062.

[42] SEI is a federally funded research and development center operated 
by Carnegie Mellon University and sponsored by DOD. The SEI objective 
is to provide leadership in software engineering and in the transition 
of new software engineering technology into practice.

[43] IEEE develops standards for a broad range of global industries, 
including the information technology and information assurance 
industries.

[44] Steve McConnell, Rapid Development: Taming Wild Software Schedules 
(Redmond, Wash.: Microsoft Press, 1996).

[45] GAO-04-615. 

[46] Business systems include those that are used to support civilian 
and military personnel, finance, logistics, procurement, and 
transportation.

[47] GAO-04-1008.

[48] GAO-03-507, GAO-04-43, GAO-04-118, GAO-04-151, GAO-04-255, and 
GAO-04-754T. 

[49] GAO-04-615.

[50] See GAO, Department of Defense: Long-standing Problems Continue to 
Impede Financial and Business Management Transformation, GAO-04-907T 
(Washington, D.C.: July 7, 2004).

[51] NIH and CMS have efforts under way to replace their financial 
systems that are expected to be fully implemented in 2006 and 2007, 
respectively.

[52] GAO-04-1008.

[53] GAO-03-507, GAO-04-43, GAO-04-118, GAO-04-151, GAO-04-255, and 
GAO-04-754T.

[54] GAO, Fiscal Year 2003 U.S. Government Financial Statements: 
Sustained Improvement in Federal Financial Management Is Crucial to 
Addressing Our Nation's Future Fiscal Challenges, GAO-04-477T 
(Washington, D.C.: Mar. 3, 2004).

[55] E-gov is a PMA initiative. OMB has selected 25 presidential e-gov 
efforts that focus on a wide variety of services, aiming to simplify 
and unify agency work processes and information flows, provide one-stop 
services to citizens, and enable information to be collected online 
once and reused rather than being collected many times.

[56] GAO, Human Capital: Key Principles for Effective Strategic 
Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 2003).

[57] GAO, Executive Guide: Creating Value Through World-class Financial 
Management, GAO/AIMD-00-134 (Washington, D.C.: April 2000). 

[58] GAO-02-29 and GAO-03-31.

[59] GAO-02-29 and GAO-03-31.

[60] Core financial systems, as defined by the Program Management 
Office, include those systems for managing general ledger, funding, 
payments, receivables, and certain basic cost functions. 

[61] Examples of administrative systems include budget, acquisition, 
travel, property, and human resources and payroll. 

[62] OMB Circular No. A-127 references the series of publications 
called FFMSRs, issued by PMO, as the primary source of governmentwide 
requirements for financial management systems. 

[63] In October 1990, the Secretary of the Treasury, the Director of 
OMB, and the Comptroller General established FASAB to develop a set of 
generally accepted accounting standards for the federal government. 
Effective October 1, 2003, FASAB consists of six nonfederal or public 
members, one member from the Congressional Budget Office, and the three 
Sponsors. 

[64] Accounting standards are authoritative statements of how 
particular types of transactions and other events should be reflected 
in financial statements. SFFACs explain the objectives and ideas upon 
which FASAB develops the standards.

[65] An interpretation is a document of narrow scope that provides 
clarifications of original meaning, additional definitions, or other 
guidance pertaining to an existing federal accounting standard.

[66] In 1997, FASAB, in conjunction with OMB, Treasury, GAO, the CFO 
Council, and the President's Council on Integrity and Efficiency, 
established AAPC to assist the federal government in improving 
financial reporting.

[67] SGL guidance is published in the Treasury Financial Manual. 
Treasury's Financial Management Service is responsible for maintaining 
the SGL and answering agency inquiries.

[68] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3 (Washington, D.C.: November 1999).

GAO's Mission:

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548:

To order by Phone:

 

Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: