This is the accessible text file for GAO report number GAO-03-1062 entitled 'Financial Management: Sustained Efforts Needed to Achieve FFMIA Accountability' which was released on September 30, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: September 2003: FINANCIAL MANAGEMENT: Sustained Efforts Needed to Achieve FFMIA Accountability: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1062] GAO-03- 1062: GAO Highlights: Highlights of GAO-03-1062, a report to the Senate Committee on Governmental Affairs and the House Committee on Government Reform Why GAO Did This Study: The ability to produce the data needed to efficiently and effectively manage the day-to-day operations of the federal government and provide accountability to taxpayers has been a long-standing challenge to most federal agencies. To help address this challenge, the Federal Financial Management Improvement Act of 1996 (FFMIA) requires the 24 Chief Financial Officers Act agencies to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) federal accounting standards, and (3) the U.S. Government Standard General Ledger (SGL). FFMIA also requires GAO to report annually on the implementation of the act. What GAO Found: Federal agencies are making progress to address financial management systems weaknesses. At the same time, for fiscal year 2002, 19 of the 24 CFO Act agency inspectors general or their contract auditors reported that these agencies’ financial management systems did not comply with FFMIA. The nature and seriousness of the reported problems indicate that, generally, agency management does not yet have the full range of reliable information needed for accountability, performance reporting, and decision making. As shown in the chart below, audit reports highlight six recurring problems that have been consistently reported for those agencies whose auditors reported noncompliant systems. Problems Reported by Auditors for Fiscal Years 2000 through 2002: [See PDF for image] [End of figure] Following OMB’s reporting guidance, auditors for 5 agencies provided negative assurance on agency systems’ FFMIA compliance for fiscal year 2002. This means that nothing came to their attention indicating that these agencies’ financial management systems did not meet FFMIA requirements. GAO does not believe that this type of reporting is sufficient for reporting under the act. FFMIA requires the auditor to state “whether” the agency systems are in substantial compliance, which in our view, requires the auditor to perform sufficient audit tests to be able to provide positive assurance. Agencies have recognized the seriousness of their financial systems weaknesses, and as of September 30, 2002, 17 of the 24 CFO Act agencies were planning to or were implementing a new core financial system. It is imperative that agencies adopt leading practices, such as top management commitment and business process reengineering, to ensure successful systems implementation. The JFMIP Principals, congressional oversight, and the President’s Management Agenda are driving governmentwide initiatives to transform federal financial management. Modernization of agency financial systems and continued attention is needed to sustain momentum on these initiatives. What GAO Recommends: GAO reaffirms its prior recommendations that OMB revise its FFMIA audit testing and reporting guidance to: (1) include a statement of positive assurance when reporting an agency’s systems to be in substantial compliance with FFMIA, and (2) clarify the definition of “substantial compliance” to promote consistent reporting of FFMIA compliance. As in the past, OMB did not agree with our view on the need for auditors to provide positive assurance on FFMIA, but agreed to consider clarifying the definition of “substantial compliance” in future policy and guidance updates. www.gao.gov/cgi-bin/getrpt?GAO-03-1062. To view the full product, including the scope and methodology, click on the link above. For more information, contact Sally Thompson (202) 512-9450 or thompsons@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Scope and Methodology: Continued Systems Weaknesses Impair Financial Management Accountability: Agency Efforts to Implement New Financial Systems: Successful Implementation of Financial Management Systems Is Key for Improved Financial Reporting: Status of Governmentwide Financial Management Improvement Efforts: Conclusions: Agency Comments and Our Evaluation: Appendixes: Appendix I: Requirements and Standards Supporting Federal Financial Management: Appendix II: Publications in the Federal Financial Management Systems Requirements Series: Appendix III: Statements of Federal Financial Accounting Concepts, Statements of Federal Financial Accounting Standards, and Interpretations: Appendix IV: AAPC Technical Releases: Appendix V: Checklists for Reviewing Systems under the Federal Financial Management Improvement Act: Appendix VI: Comments from the Office of Management and Budget: Appendix VII: GAO Contacts and Staff Acknowledgments: GAO Contacts: Acknowledgments: Table: Table 1: Agency Status and Progress Scores for the Improved Financial Performance Initiative: Figures: Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through 2002: Figure 2: Pyramid to Accountability and Useful Management Information: Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000, 2001, and 2002: Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through 2002: Figure 5: Agency Target Dates for Implementation of Core Financial Systems as of September 30, 2002: Figure 6: Agency Systems Architecture: Abbreviations: AAPC: Accounting and Auditing Policy Committee: AID: Agency for International Development: BPN: Business Partner Network: CAP: Commercial Activities Panel: CFO: chief financial officer: CIM: Corporate Information Management: COTS: commercial off-the-shelf: DAFIS: Departmental Accounting and Financial Information System: DHS: Department of Homeland Security: DOD: Department of Defense: DOL: Department of Labor: DOT: Department of Transportation: E-gov: Electronic Government Initiative: EPA: Environmental Protection Agency: FAA: Federal Aviation Administration: FAM: Financial Audit Manual: FASAB: Federal Accounting Standards Advisory Board: FEA: Federal Enterprise Architecture: FEAPMO: Federal Enterprise Architecture Program Management Office: FEMA: Federal Emergency Management Agency: FFMIA: Federal Financial Management Improvement Act: FFMSR: Federal Financial Management Systems Requirements: FHA: Federal Housing Administration: FIA: Federal Managers' Financial Integrity Act: FISMA: Federal Information Security Management Act: FMIS: Fiscal Management Information System: FTA: Federal Transit Administration: GAAP: generally accepted accounting principles: GISRA: Government Information Security Reform: GSA: General Services Administration: HHS: Department of Health and Human Services: HUD: Department of Housing and Urban Development: HUDCAPS: Department of Housing and Urban Development Central Accounting and Program System: IAE: Integrated Acquisition Environment: IFMP: Integrated Financial Management Program: IG: inspector general: IT: information technology: JFMIP: Joint Financial Management Improvement Program: NASA: National Aeronautics and Space Administration: NRC: Nuclear Regulatory Commission: NSF: National Science Foundation: OMB: Office of Management and Budget: OPM: Office of Personnel Management: PART: Program Assessment Rating Tool: PCIE: President's Council on Integrity and Efficiency: PMA: President's Management Agenda: PMO: Program Management Office: SBA: Small Business Administration: SFFAC: Statement of Federal Financial Accounting Concepts: SFFAS: Statement of Federal Financial Accounting Standards: SGL: U.S. Government Standard General Ledger: SSA: Social Security Administration: Letter September 30, 2003: The Honorable Susan M. Collins Chairman The Honorable Joseph I. Lieberman Ranking Minority Member Committee on Governmental Affairs United States Senate: The Honorable Tom Davis Chairman The Honorable Henry A. Waxman Ranking Minority Member Committee on Government Reform House of Representatives: The ability to produce the data needed to efficiently and effectively manage the day-to-day operations of the federal government and provide accountability to taxpayers and the Congress has been a long-standing challenge at most federal agencies. To address this challenge, the Chief Financial Officers (CFO) Act of 1990[Footnote 1] calls for the modernization of financial management systems, so that the systematic measurement of performance, the development of cost information, and the integration of program, budget, and financial information for management reporting can be achieved. The Federal Financial Management Improvement Act of 1996 (FFMIA)[Footnote 2] builds on the foundation laid by the CFO Act by emphasizing the need for agencies to have systems that can generate reliable, useful, and timely information with which to make fully informed decisions and to ensure accountability on an ongoing basis. FFMIA requires the major departments: and agencies covered by the CFO Act[Footnote 3] to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards,[Footnote 4] and (3) the U.S. Government Standard General Ledger (SGL)[Footnote 5] at the transaction level. FFMIA also requires auditors to report in their CFO Act financial statement audit reports whether the agencies' financial management systems substantially comply with FFMIA's systems requirements. We are required to report annually on the implementation of the act. This, our seventh annual report, discusses (1) auditors' FFMIA assessments for fiscal year 2002 and the problems, reported by the auditors, that continue to impair agency accountability, (2) agency efforts to implement financial systems, (3) key characteristics of successful systems implementation efforts and the challenges federal agencies face, and (4) the status of federal financial management improvement efforts. Results in Brief: Federal agencies are making progress to address financial management systems weaknesses. At the same time, the results of the fiscal year 2002 FFMIA assessments performed and reported by the 24 CFO Act agency inspectors general (IG) or their contract auditors show that most agencies' financial management systems continue to have shortcomings. While much more severe at some agencies than others, the nature and seriousness of the reported problems indicate that, generally, agency management does not yet have the full range of reliable information needed for accountability, performance reporting, and decision making. Auditors for 19 of the 24 CFO Act agencies reported that their agencies' financial management systems did not comply substantially with one or more of the three FFMIA requirements for fiscal year 2002. Auditors' assessments of financial systems' compliance with FFMIA for fiscal years 2001 and 2002 differed for three agencies. Auditors for the Environmental Protection Agency (EPA) and the National Science Foundation (NSF) reported that these agencies' systems were in substantial compliance[Footnote 6] for fiscal year 2002, a change from the fiscal year 2001 assessments. Auditors for the Department of Labor (DOL) concluded that the department's systems were not in substantial compliance with the managerial cost standard and thus not in compliance with FFMIA--also a changed assessment from fiscal year 2001. Based on our review of the fiscal year 2002 audit reports for the 19 agencies reported to have noncompliant systems, we identified six continuing, primary problems that affect FFMIA compliance. As a result of these reported problems, most agencies' financial management systems are not yet able to routinely produce reliable, useful, and timely financial information. For example, agency financial management systems are required to produce information on the full cost of programs and projects. Currently, some agencies are only able to provide cost accounting information at a high level, but not that needed to evaluate programs and activities on their full costs and merits as envisioned by FFMIA. Agencies are experimenting with methods of accumulating and assigning costs to obtain the managerial cost information needed to enhance programs, improve processes, establish fees, develop budgets, prepare financial reports, make competitive sourcing decisions, and report on performance. Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through 2002: [See PDF for image] [End of figure] Auditors for the remaining five agencies--the Department of Energy, EPA, the General Services Administration (GSA), NSF, and the Social Security Administration (SSA)--provided negative assurance in reporting on FFMIA compliance for fiscal year 2002. In their respective reports, they included language stating that while they did not opine as to FFMIA compliance, nothing came to their attention during the course of their planned procedures indicating that these agencies' financial management systems did not meet FFMIA requirements. If readers do not understand the concept of negative assurance, which is the type of reporting specified in the Office of Management and Budget's (OMB) auditing guidance, they may have gained an incorrect impression that these systems have been fully tested by the auditors and found to be substantially compliant. Because the act requires auditors to "report whether" agency systems are substantially compliant, we believe the auditor needs to provide positive assurance, which would be a definitive statement as to whether agency financial management systems substantially comply with FFMIA, as required under the statute. This is what we will do for the financial statement audits we perform when reporting that an entity's financial management systems were in substantial compliance. To provide positive assurance, auditors need to consider many other aspects of financial management systems than those applicable for the purposes of rendering an opinion on the financial statements. Across government, agencies have many efforts underway to implement or upgrade financial systems to alleviate long-standing problems in financial management. As of September 30, 2002, 17 agencies[Footnote 7] advised us that they were planning to or were in the process of implementing a new core financial system.[Footnote 8] Target implementation dates for 16 of these 17 agencies ranged from fiscal year 2003 to fiscal year 2008. The remaining agency, the Department of Defense (DOD), had not yet determined its target date for full implementation. Under OMB Circular A-127, agencies are required to purchase commercial off-the-shelf (COTS) packages sold by vendors whose core financial systems software have been certified.[Footnote 9] Some of the key factors that affect the FFMIA compliance of an implemented COTS package include how the software works in the agency's environment, whether any customizations or modifications[Footnote 10] have been made to the software, and the success of converting data from legacy systems to new systems. Successful implementation efforts of financial management systems are supported by the presence of several key characteristics, which apply to both the public and private sectors. These characteristics include, among others: (1) involvement by the users, (2) support of executive management, (3) leadership provided by experienced project managers, (4) clear definition and management of project requirements, (5) proper planning, and (6) realistic expectations. Conversely, financial systems implementation projects are often hindered by the lack of executive support, poor communication between managers and stakeholders, poor estimation and planning, and poor documentation and updating of user requirements. Agencies who have or are implementing new financial management systems have faced some of the challenges mentioned above. For example, the National Aeronautics and Space Administration (NASA) began its Integrated Financial Management Program (IFMP) in April 2000, its third attempt in recent years at modernizing financial management processes and systems. NASA's previous two efforts were eventually abandoned after a total of 12 years and a reported $180 million in spending. We recently reported[Footnote 11] that NASA is not following key best practices for acquiring and implementing the IFMP and therefore faces increased risk of a third unsuccessful attempt to transform its financial management and business operations. DOD has begun and suspended a number of departmentwide reform initiatives to improve its financial operations as well as other key business support processes. While these initiatives produced some incremental improvements, they did not result in the fundamental reform necessary to resolve these long-standing management challenges. Our recent reports[Footnote 12] highlight investment management and project weaknesses at DOD. As we recently reported,[Footnote 13] Secretary of Defense Rumsfeld has initiated a program to transform DOD's business processes, including establishing a new management structure to oversee reform efforts. While DOD has already taken a number of positive actions, it has not yet developed an overarching plan tying key reform efforts together in an integrated program. Modern financial management systems are needed to produce reliable data for competitive sourcing and congressional decisions on the budget, as well as managing day-to-day operations. The JFMIP Principals,[Footnote 14] congressional oversight, and the President's Management Agenda (PMA) are the driving forces behind several governmentwide efforts now underway to improve federal financial management. For example, in fiscal year 2002, the JFMIP Principals continued the series of regular, deliberative meetings that focused on key financial management reform issues. The Congress has demonstrated leadership in improving federal financial management by enacting laws and through oversight hearings. The PMA,being implemented by the administration as an agenda for improving the management and performance of the federal government, targets the most apparent deficiencies where the opportunity to improve performance is the greatest. The PMA includes five crosscutting initiatives, which are (1) improved financial performance, (2) strategic human capital management, (3) competitive sourcing, (4) expanded electronic government, and (5) budget and performance integration. Several current governmentwide financial management improvement efforts are directly related to the PMA's five crosscutting initiatives. For example, arising from the electronic government initiative (e-gov), OMB has established the Federal Enterprise Architecture Program Management Office (FEAPMO), which is developing a federal enterprise architecture to enable agencies to derive maximum benefit from applying information technology (IT) to their missions. These types of efforts, aside from systems enhancement, can also lead to positive cost reduction outcomes. Moreover, as part of the e-gov initiative, the number of government entities processing the federal civilian payroll is being reduced from 22 to 2 to standardize business processes and realize economies of scale. Related to PMA's crosscutting initiative to integrate budget and performance information, the administration has introduced a formal assessment tool in its deliberations, the Program Assessment Rating Tool (PART) to use performance information more explicitly in formulating the federal budget. OMB, for PMA's competitive sourcing initiative, recently released a revised Circular A-76, which is generally consistent with the principles and: recommendations made by the Commercial Activities Panel (CAP). As we recently testified,[Footnote 15] implementation of the competitive sourcing initiative will be challenging for many agencies. The modernization of agency financial management systems is critical to the success of all of these initiatives. We reaffirm our prior recommendations[Footnote 16] aimed at enhancing OMB's audit guidance related to FFMIA assessments. Specifically, we recommended that OMB (1) require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with FFMIA, and (2) further clarify the definition of "substantial compliance" to encourage consistent reporting. In commenting on a draft of this report, OMB agreed with our view that financial management success encompasses more than agencies receiving unqualified opinions on their financial statements. As in previous years, we and OMB have differing views on the level of audit assurance necessary for assessing compliance with FFMIA. We will continue to work with OMB on this issue. Our detailed evaluation of OMB's comments can be found at the end of this letter. Background: FFMIA and other financial management reform legislation have emphasized the importance of improving financial management across the federal government. The primary purpose of FFMIA is to ensure that agency financial management systems routinely generate timely, accurate, and useful information. With such information, government leaders will be better positioned to invest resources, reduce costs, oversee programs, and hold agency managers accountable for the way they run government programs. Financial management systems' compliance with federal financial management systems requirements, applicable accounting standards, and the SGL are building blocks to help achieve these goals. Beginning in 1990, the Congress has passed management reform legislation to improve the general and financial management of the federal government. As shown in figure 2, the combination of reforms ushered in by the (1) CFO Act of 1990, (2) Government Performance and Results Act of 1993, (3) Government Management Reform Act of 1994, (4) FFMIA, (5) Clinger-Cohen Act of 1996, and (6) Accountability of Tax Dollars Act of 2002,[Footnote 17] if successfully implemented, provides a basis for improving accountability of government programs and operations as well as routinely producing valuable cost and operating performance information. Figure 2 shows the three levels of the pyramid that result in the end goal, accountability and useful management information. The bottom level of the pyramid is the legislative framework that underpins the improvement of the general and financial management of the federal government. The second level shows the drivers that build on the legislative requirements and influence agency actions to meet these requirements. The three drivers are the (1) PMA, (2) congressional and other oversight, and (3) the activities of the JFMIP Principals. The third level of the pyramid represents the key success factors for accountability and meaningful management information--integrating core and feeder financial systems, producing reliable financial and performance data for reporting, and ensuring effective internal control. The result of these three levels, as shown at the top of the pyramid, is accountability and meaningful management information needed to assess and improve the government's effectiveness, financial condition, and operating performance. Figure 2: Pyramid to Accountability and Useful Management Information: [See PDF for image] [End of figure] FFMIA Guidance Issued by OMB: OMB sets governmentwide financial management policies and requirements and currently has two sources of guidance related to FFMIA. First, OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, dated October 16, 2000, prescribes specific language auditors should use when reporting on an agency system's substantial compliance with FFMIA. Specifically, this guidance calls for auditors to provide negative assurance when reporting on an agency system's FFMIA compliance. Second, in a January 4, 2001, Memorandum, Revised Implementation Guidance for the Federal Financial Management Improvement Act, OMB provided guidance for agencies and auditors to use in assessing substantial compliance. The guidance describes the factors that should be considered in determining an agency's systems compliance with FFMIA. In addition, examples are provided in the guidance as to the types of indicators that should be used as a basis in assessing whether an agency's systems are in substantial compliance with each of the three FFMIA requirements. The guidance also discusses the corrective action plans, to be developed by agency heads, for bringing their systems into compliance with FFMIA. Financial Audit Manual Section on FFMIA: Relating to our recommendation[Footnote 18] that OMB develop specific procedures auditors should perform when assessing FFMIA compliance, we worked with representatives from the President's Council on Integrity and Efficiency (PCIE) to develop a section for the joint [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/PCIE] GAO/PCIE Financial Audit Manual (FAM). This section, part of the FAM update issued in April 2003, includes detailed audit steps for testing agency systems' substantial compliance with FFMIA. The FAM guidance on FFMIA assessments recognizes that while financial statement audits offer some assurances regarding FFMIA compliance, auditors should design and implement additional testing to satisfy FFMIA criteria. For example, in performing financial statement audits, auditors generally focus on the capability of the financial management systems to process and summarize financial information that flows into agency financial statements. In contrast, FFMIA requires auditors to assess whether an agency's financial management systems comply with system requirements. To do this, auditors need to consider whether agency systems provide complete, accurate, and timely information for managing day-to-day operations so that agency managers would have the necessary information to measure performance on an ongoing basis rather than just at year- end. Scope and Methodology: We reviewed the fiscal year 2002 financial statement audit reports for the 24 CFO Act agencies to identify the (1) auditors' assessments of agency financial systems' compliance, (2) problems that affect FFMIA compliance, and (3) agency management's FFMIA assessments. While we did not independently verify or test the data in the agency audit reports or make efforts to validate auditor conclusions regarding agency systems' compliance with FFMIA's requirements, our prior experience with these auditors and our review of their reports provided the basis to determine the sufficiency and relevancy of evidence provided in these documents. Based on the audit reports, we identified problems reported by the auditors that affect agency systems' compliance with FFMIA. The problems identified in these reports are consistent with long-standing financial management weaknesses that we have reported based on our work at agencies such as DOD, NASA, and the Departments of Agriculture, Education, and Housing and Urban Development (HUD). However, we caution that the occurrence of problems in a particular category may be even greater than auditors' reports of FFMIA noncompliance would suggest because auditors may not have included all problems in their reports. To identify the status of agency efforts to modernize core financial management systems, we reviewed publicly available information that we then confirmed with agency officials. However, we did not validate the information provided by agency officials on efforts to modernize these core systems. Furthermore, we researched current literature on private sector and other financial management systems implementations to identify the key factors leading to success. We also reviewed reports issued by GAO and the IGs to identify the challenges federal agencies face when implementing new systems. Based on publicly available information, we summarized the status of governmentwide efforts to improve federal financial management. We also summarized the status and progress scores received by the agencies for PMA's five crosscutting initiatives. Furthermore, we reviewed documents pertaining to governmentwide efforts to implement PMA, including the efforts to develop a federal enterprise architecture and consolidate the number of federal civilian payroll providers. We also obtained information about OMB and its role in helping to integrate budget and performance data. Finally, we held discussions with OMB officials to obtain current information about its efforts to help agencies develop systems that will comply with FFMIA. We conducted our work from March through July 2003 in the Washington, D.C. area in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the Director of OMB or his designee. These comments are discussed in the "Agency Comments and Our Evaluation" section and reprinted in appendix VI. We also requested oral comments from agency officials whose financial management systems are discussed in the report. These comments, which are of an editorial or technical nature, have been incorporated as appropriate. Continued Systems Weaknesses Impair Financial Management Accountability: Most agencies still do not have reliable, useful, and timely financial information, including cost data, with which to make informed decisions and help ensure accountability on an ongoing basis. While agencies are making progress in producing auditable financial statements and addressing their financial management systems weaknesses, most agency systems are still not substantially compliant with FFMIA's requirements. Figure 3 summarizes auditors' assessments of FFMIA compliance for fiscal years 2000 through 2002 and suggests that the instances of noncompliance with FFMIA's three requirements remain fairly constant. For fiscal year 2002, IGs and their contract auditors reported that the systems of 19 of the 24 CFO Act agencies did not substantially comply with at least one of FFMIA's three requirements-- federal financial management systems requirements, applicable federal accounting standards, or the SGL.[Footnote 19] Auditors' assessments of financial systems' compliance with FFMIA for three agencies--DOL, EPA, and NSF--changed from fiscal years 2001 to 2002. For fiscal year 2002, the auditors for DOL concluded that its systems were not in substantial compliance with the managerial cost standard and thus were not in compliance with FFMIA. Auditors for EPA and NSF found the agencies' respective systems to be in substantial compliance, a change from the fiscal year 2001 assessments. Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000, 2001, and 2002: [See PDF for image] [End of figure] Agencies' inability to meet the federal financial management systems requirements continues to be the major barrier to achieving compliance with FFMIA. As shown in figure 3, auditors most frequently reported instances of noncompliance with federal financial management systems requirements. These instances of noncompliance identified by auditors affected not only the core financial systems, but also administrative and programmatic systems. The creation of DHS[Footnote 20] will affect future FFMIA reporting by the federal agencies and components it has absorbed. While DHS must prepare audited financial statements under the Accountability of Tax Dollars Act of 2002,[Footnote 21] DHS is not a CFO Act agency and therefore is not subject to FFMIA. However, for fiscal year 2003, DHS has agreed to have its auditors report on the FFMIA compliance of the department's systems, which we view as a key positive action by the department. One CFO Act agency, FEMA, was moved in its entirety to DHS, effective March 1, 2003. Accordingly, FEMA is no longer a CFO Act agency and will not be required to prepare audited stand-alone financial statements under the CFO Act and be subject to FFMIA. DHS is also being formed from components of other CFO Act agencies. For example, the Immigration and Naturalization Service, formerly part of the Department of Justice, is merging into DHS. The U.S. Coast Guard and the Transportation Security Administration are moving from the Department of Transportation (DOT) to DHS. Finally, the U.S. Customs Service is moving from the Department of the Treasury to DHS. As we reported,[Footnote 22] each of these components faces at least one management problem, such as strategic human capital risks, information technology management challenges, or financial management vulnerabilities. While more CFO Act agencies have obtained clean or unqualified audit opinions on their financial statements, there is little evidence of marked improvements in agencies' capacities to create the full range of information needed to manage day-to-day operations. The number of unqualified opinions has been increasing over the past 6 years, from 11 in fiscal year 1997 to 21 for fiscal year 2002; but the number of agencies reported to have substantially noncompliant systems has remained relatively steady. As stated in OMB's May 2002 report[Footnote 23] on the status of governmentwide financial management, many agencies have worked around systems problems for years to obtain unqualified opinions by expending significant resources and making extensive manual adjustments after the end of the fiscal year. The result is a 5-month- old[Footnote 24] snapshot of an agency's financial position as of September 30 of any given year, which is not useful for day-to-day decision making. While the increase in unqualified opinions is noteworthy, a more important barometer of financial systems' capability and reliability is that the number of agencies for which auditors provided negative assurance of FFMIA compliance has remained relatively constant throughout this same period. In our view, this has led to an expectation gap. When more agencies receive clean opinions, expectations are raised that the government has sound financial management and can produce reliable, useful, and timely information on demand throughout the year, whereas FFMIA assessments offer a different perspective. While all agencies met the February 1, 2003, deadline for fiscal year 2002 agency performance and accountability reports, the deadline for the fiscal year 2004 reports is November 15, 2004, just 45 days after the close of the fiscal year. Auditors have expressed concern that agencies will have difficulty meeting the accelerated reporting dates for audited financial statements generated from the agencies' existing financial management systems because of nonintegrated systems and manual processes. In their fiscal year 2002 reports, auditors for nine agencies--Agriculture, Commerce, Education, the Department of Health and Human Services (HHS), Justice, FEMA, GSA, NASA, and the Small Business Administration (SBA)--reported concerns about the agencies meeting these accelerated reporting deadlines. For example, Agriculture's IG cautioned that unless management implements a departmentwide quality control process,[Footnote 25] there is a high risk that the opinion on its financial statements could deteriorate. Auditors for Commerce reported that an integrated financial management system for Commerce will be key to achieving the accelerated reporting dates in future years. Similarly, auditors for HHS reported that they remain concerned that HHS's nonintegrated financial management systems will be an obstacle to meeting the accelerated reporting dates.[Footnote 26] Crosscutting Reasons for Noncompliance Indicate Serious Problems Remain: Based on our review of the fiscal year 2002 audit reports for the 19 agencies reported to have systems not in substantial compliance with one or more of FFMIA's three requirements, we identified several primary reasons related to FFMIA noncompliance. The weaknesses reported by the auditors, which we grouped into the following six categories, ranged from serious, pervasive systems problems to less serious problems that may affect one aspect of an agency's accounting operation: * nonintegrated financial management systems, * inadequate reconciliation procedures, * lack of accurate and timely recording of financial information, * noncompliance with the SGL, * lack of adherence to federal accounting standards, and: * weak security controls over information systems. Figure 4 shows the relative frequency of these problems at the 19 agencies reported to have noncompliant systems and the problems relevant to FFMIA that were reported by their auditors. The same six types of problems were cited by auditors in their fiscal years 2000 and 2001 audit reports, as highlighted in figure 4. However, the auditors may not have reported these problems as specific reasons for lack of substantial compliance with FFMIA. In addition, we caution that the occurrence of problems in a particular category may be even greater than auditors' reports of FFMIA noncompliance would suggest because auditors may not have included all problems in their reports. As we discuss later, the FFMIA testing may not be comprehensive and other problems may exist that were not identified and reported. For some agencies, the problems are so serious and well known that the auditor can readily determine that the systems are not substantially compliant without examining every facet of FFMIA compliance. Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through 2002: [See PDF for image] [End of figure] Nonintegrated Financial Management Systems: The CFO Act calls for agencies to develop and maintain an integrated accounting and financial management system[Footnote 27] that complies with federal systems requirements and provides for (1) complete, reliable, consistent, and timely information that is responsive to the financial information needs of the agency and facilitates the systematic measurement of performance, (2) the development and reporting of cost management information, and (3) the integration of accounting, budgeting, and program information. In this regard, OMB Circular A-127, Financial Management Systems, requires agencies to establish and maintain a single integrated financial management system that conforms with functional requirements published by JFMIP. An integrated financial system coordinates a number of functions to improve overall efficiency and control. For example, integrated financial management systems are designed to avoid unnecessary duplication of transaction entry and greatly lessen reconciliation issues. With integrated systems, transactions are entered only once and are available for multiple purposes or functions. Moreover, with an integrated financial management system, an agency is more likely to have reliable, useful, and timely financial information for day-to-day decision making as well as external reporting. Agencies that do not have integrated financial management systems typically must expend major effort and resources, including in some cases hiring external consultants, to develop information that their systems should be able to provide on a daily or recurring basis. In addition, opportunities for errors are increased when agencies' systems are not integrated. Agencies with nonintegrated financial systems are more likely to be required to devote more resources to collecting information than those with integrated systems. Auditors frequently mentioned the lack of modern, integrated financial management systems in their fiscal year 2002 audit reports. As shown in figure 4, auditors for 12 of the 19 agencies with noncompliant systems reported this as a problem. For example, auditors for DOT reported that its major agencies still use the Departmental Accounting and Financial Information System (DAFIS), the existing departmentwide accounting system[Footnote 28] and cannot produce auditable financial statements based on the information in DAFIS. For example, DOT's IG reported that DOT made about 860 adjustments outside of DAFIS totaling $51 billion in order to prepare the financial statements.[Footnote 29] DOT's IG also reported that there were problems linking some information between DAFIS and the Federal Highway Administration's Fiscal Management Information System (FMIS). DOT uses FMIS to record initial obligations for federal aid grants to states. However, due to problems resulting from upgrades and changes made to the FMIS system, all obligations are not electronically transferred from FMIS to DAFIS. As of September 30, 2002, valid obligations of about $388 million were understated. Moreover, problems linking information also existed between Delphi, DOT's new financial management system, and the Federal Transit Administration's (FTA) financial feeder systems that prevented FTA from electronically processing about $350 million in payments related to its Electronic Clearing House Operation. These transactions had to be manually processed into Delphi. What is important here is that the information developed to prepare auditable annual financial statements is not available on an ongoing basis for day-to-day management of DOT's programs and operations. As we have reported,[Footnote 30] cultural resistance to change, military service parochialism, and stovepiped operations have played a significant role in impeding previous attempts to implement broad-based reforms at DOD. The department's stovepiped approach is most evident in its current financial management systems environment, which DOD recently estimated to include approximately 2,300 systems and systems development projects--many of which were developed in piecemeal fashion and evolved to accommodate different organizations, each with its own policies and procedures. As DOD management has acknowledged,[Footnote 31] the department's current financial environment is comprised of many discrete systems characterized by poor integration and minimal data standardization and prevents managers from making more timely and cost- effective decisions. Inadequate Reconciliation Procedures: A reconciliation process, even if performed manually, is a valuable part of a sound financial management system. In fact, the less integrated the financial management system, the greater the need for adequate reconciliations because data are accumulated from various sources. For example, the HHS IG reported[Footnote 32] that the department's lack of an integrated financial management system continues to impair the ability of certain operating divisions to prepare timely information. Moreover, certain reconciliation processes were not adequately performed to ensure that differences are properly identified, researched, and resolved in a timely manner and that account balances were complete and accurate. Reconciliations are needed to ensure that data has been recorded properly between the various systems and manual records. The Comptroller General's Standards for Internal Control in the Federal Government highlights reconciliation as a key control activity. As shown in figure 4, auditors for 11 of the 19 agencies with noncompliant systems reported that the agencies had reconciliation problems, including difficulty reconciling their fund balance with Treasury accounts[Footnote 33] with Treasury's records. Treasury policy requires agencies to reconcile their accounting records with Treasury records monthly, which is comparable to individuals reconciling their checkbooks to their monthly bank statements. As we recently testified,[Footnote 34] DOD had at least $7.5 billion in unexplained differences between Treasury and DOD fund activity records. Many of these differences represent disbursements made and reported to Treasury that had not yet been properly matched to obligations and recorded in DOD accounting records. In addition to these unreconciled amounts, DOD identified and reported an additional $3.6 billion in payment recording errors. These include disbursements that DOD has specifically identified as containing erroneous or missing information and that cannot be properly recorded and charged against the correct, valid fund account. DOD records many of these payment problems in suspense accounts. While DOD made $1.6 billion in unsupported adjustments to its fund balances at the end of fiscal year 2002 to account for a portion of these payment recording errors, these adjustments did not resolve the related errors. Inadequate reconciliation procedures also complicate the identification and elimination of intragovernmental activity and balances, which is one of the principal reasons we continue to disclaim on the government's consolidated financial statements. As we testified in April 2003,[Footnote 35] agencies had not reconciled intragovernmental activity and balances with their trading partners[Footnote 36] and, as a result, information reported to Treasury is not reliable. For several years, OMB and Treasury have required CFO Act agencies to reconcile selected intragovernmental activity and balances with their trading partners. However, a substantial number of CFO Act agencies did not perform such reconciliations for fiscal years 2002 and 2001, citing such reasons as (1) trading partners not providing needed data, (2) limitations and incompatibility of agency and trading partner systems, and (3) human resource issues. For both of these years, amounts reported for federal trading partners for certain intragovernmental accounts were significantly out of balance. As discussed later in this report, actions are being taken governmentwide under OMB's leadership to address problems associated with intragovernmental activity and balances. Lack of Accurate and Timely Recording of Financial Information: Auditors for 17 agencies reported the lack of accurate and timely recording of financial information for fiscal year 2002 compared to the 14 agencies[Footnote 37] for which auditors noted similar problems last year. Accurate and timely recording of financial information is key to successful financial management. Timely recording of transactions can facilitate accurate reporting in agencies' financial reports and other management reports that are used to guide managerial decision making. The Comptroller General's Standards for Internal Control in the Federal Government states that transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. Untimely recording of transactions during the fiscal year can result in agencies making substantial efforts at fiscal year-end to perform extensive manual financial statement preparation efforts that are susceptible to error and increase the risk of misstatements. Gathering financial data only at year-end does not provide adequate time to analyze transactions or account balances. Further, it impedes management's ability throughout the year to have timely and useful information for decision making. For example, auditors reported[Footnote 38] that, for fiscal year 2002, Justice components did not adjust the status of obligations on a quarterly basis as required, and as a result, extensive manual efforts had to be performed at year-end to correct the status of obligation records. This process of reviewing the status of obligations only at the end of the year increases the risk that errors will go undetected, does not provide managers with accurate information during the year for decision making, and results in misstatements in the financial statements. Noncompliance with the SGL: Implementing the SGL at the transaction level is one of the specific requirements of FFMIA. However, as shown in figure 4, auditors for 9 of the 19 noncompliant agencies reported that the agencies' systems did not comply with SGL requirements. The SGL promotes consistency in financial transaction processing and reporting by providing a uniform chart of accounts and pro forma transactions. Use of the SGL also provides a basis for comparison at the agency and governmentwide levels. These defined accounts and pro forma transactions are used to standardize the accumulation of agency financial information, as well as enhance financial control and support financial statement preparation and other external reporting. By not implementing the SGL, agencies are challenged to provide consistent financial information across their components and functions. As in previous years, HUD's auditors reported that the Federal Housing Administration's (FHA) systems were noncompliant with the SGL for fiscal year 2002 because FHA must use several manual processing steps to convert its commercial accounts to SGL accounts.[Footnote 39] FHA's 19 legacy insurance systems, which fed transactions to its commercial general ledger system, lacked the capabilities to process transactions in the SGL format. Therefore, FHA provided only consolidated summary- level data to HUD's Central Accounting and Program System (HUDCAPS). As we reported,[Footnote 40] FHA used several manual processing steps to provide summary-level data, including the use of personal-computer- based software to convert the summary-level commercial accounts to government SGL, and transfer the balances to HUDCAPS. This process did not comply with JFMIP requirements that the core financial system provide for automated month-and year-end closing of SGL accounts and the roll-over of the SGL account balances. Lack of Adherence to Federal Accounting Standards: One of FFMIA's requirements is that agencies' financial management systems account for transactions in accordance with federal accounting standards. Agencies face significant challenges implementing these standards. As shown in figure 4, auditors for 13 of the 19 agencies with noncompliant systems reported that these agencies had problems complying with one or more federal accounting standards. Auditors reported that agencies are having problems implementing standards that have been in effect for some time, as well as standards that have been promulgated in the last few years. For example, auditors for three agencies--DOD, Justice, and FEMA--reported weaknesses in compliance with Statement of Federal Financial Accounting Standards (SFFAS) No. 6, Accounting for Property, Plant, and Equipment, which became effective for fiscal year 1998. Auditors for DOD reported that DOD did not capture the correct acquisition date and cost of its property, plant, and equipment, due to system limitations. Therefore, DOD could not provide reliable information for reporting account balances and computing depreciation. Auditors for 2 agencies-- HUD and Justice--reported weaknesses in compliance with SFFAS No. 7, Revenue and Other Financing Sources, which also became effective for fiscal year 1998. For example, auditors reported a material weakness for FHA's budget execution and fund control. According to the auditors, FHA's financial systems and processes are not capable of fully monitoring and controlling budgetary resources. Finally, auditors for 3 agencies--the Agency for International Development (AID), NASA, and NRC--reported trouble with implementing SFFAS No. 10, Accounting for Internal Use Software, which became effective at the beginning of fiscal year 2001. For example, auditors reported that NASA's policies and procedures do not specifically address purchasing software as part of a package of products and services. In their testing, NASA's auditors identified errors for costs that were originally recorded as expenses, but instead should have been capitalized as assets. The requirement for managerial cost information has been in place since 1990 under the CFO Act and since 1998 as a federal accounting standard. Auditors for five agencies reported problems implementing SFFAS No. 4, Managerial Cost Accounting Concepts and Standards. For example, auditors for DOL reported that the department has not developed the capability to routinely report the cost of outputs used to manage program operations at the operating program and activity levels. Moreover, DOL does not use managerial cost information for purposes of performance measurement, planning, budgeting, or forecasting. At DOT, auditors stated that its agencies, other than the Federal Aviation Administration (FAA) and the U.S. Coast Guard,[Footnote 41] have begun to identify requirements for implementing cost accounting systems. DOT's existing accounting system, DAFIS, does not have the capability to capture full costs, including direct and indirect costs assigned to DOT programs. The Secretary recently advised OMB that as the remaining DOT agencies migrate to Delphi, DOT's new core financial system, Delphi will provide them enhanced cost accounting capabilities. Managerial cost information is critical for implementing the PMA. According to the PMA, the accomplishment of the other four crosscutting initiatives[Footnote 42] will matter little without the integration of agency budgets with performance. Although the lack of a consistent information and reporting framework for performance, budgeting, and accounting may obscure how well government programs are performing as well as inhibit comparisons, no one presentation can meet all users' needs. Any framework should support an understanding of the links between performance, budgeting, and accounting information measured and reported for different purposes. However, even the most meaningful links between performance results and resources consumed are only as good as the underlying data. Moreover, this link between resources consumed and performance results is necessary to make public-private competition decisions as part of competitive sourcing. Therefore, agencies must address long-standing problems within their financial systems. As agencies implement and upgrade their financial management systems, opportunities exist for developing cost management information as an integral part of the system to provide important information that is timely, reliable, and useful. As we recently reported,[Footnote 43] DOD's continuing inability to capture and report the full cost of its programs represents one of the most significant impediments facing the department. DOD does not have the systems and processes in place to capture the required cost information from the hundreds of millions of transactions it processes each year. Lacking complete and accurate overall life-cycle cost information for weapons systems impairs DOD's and congressional decision makers' ability to make fully informed decisions about which weapons, or how many, to buy. DOD has acknowledged that the lack of a cost accounting system is its largest impediment to controlling and managing weapon systems costs. Weak Security Controls over Information Systems: Information security weaknesses are one of the frequently cited reasons for noncompliance with FFMIA and are a major concern for federal agencies and the general public. These weaknesses are placing enormous amounts of government assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. Auditors for all 19 of the agencies reported as noncompliant with FFMIA identified weaknesses in security controls over information systems. Unresolved information security weaknesses could adversely affect the ability of agencies to produce accurate data for decision making and financial reporting because such weaknesses could compromise the reliability and availability of data that are recorded in or transmitted by an agency's financial management system. General controls are the policies, procedures, and technical controls that apply to all or a large segment of an entity's information systems and help ensure their proper operation. The six major areas are (1) security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented, (2) access controls, which ensure that only authorized individuals can read, alter, or delete data, (3) software development and change controls, which ensure that only authorized software programs are implemented, (4) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection, (5) operating systems controls, which protect sensitive programs that support multiple applications from tampering and misuse, and (6) service continuity, which ensures that computer-dependent operations experience no significant disruption. As we discussed in our April 2003 testimony,[Footnote 44] our analyses of audit reports issued from October 2001 through October 2002 for 24 of the largest federal agencies continued to show significant weaknesses in federal computer systems that put critical operations and assets at risk. Weaknesses continued to be reported in each of the 24 agencies included in our review, and they covered all six major areas of general controls. Although our analyses showed the most agencies had significant weaknesses in these six control areas, weaknesses were most often cited for access controls and security program management. Since 1997, GAO has considered information security a governmentwide high-risk area.[Footnote 45] As shown by our work and work performed by the IGs, security program management continues to be a widespread problem. Concerned with reports of significant weaknesses in federal computer systems that make them vulnerable to attack, the Congress enacted Government Information Security Reform provisions[Footnote 46] (commonly known as GISRA) to reduce these risks and provide more effective oversight of federal information security. GISRA required agencies to implement an information security program that is founded on a continuing risk management cycle and largely incorporates existing security policies found in OMB Circular A-130, Management of Federal Information Resources, Appendix III. GISRA provided an overall framework for managing information security and established new annual review, independent evaluation, and reporting requirements to help ensure agency implementation and both OMB and congressional oversight. In its required fiscal year 2002 GISRA report to the Congress, OMB stated that the federal government had made significant strides in addressing serious and pervasive information technology security problems, but that more needed to be done, particularly to address both the governmentwide weaknesses identified in its fiscal year 2001 report to the Congress and new challenges.[Footnote 47] Also, OMB reported significant progress in agencies' information technology security performance, primarily as indicated by quantitative governmentwide performance measures that OMB required agencies to disclose beginning with their fiscal year 2002 reports. These include measures such as the number of systems that have been assessed for risk, have an up-to-date security plan, and for which security controls have been tested. As discussed in our June 2003 testimony,[Footnote 48] the governmentwide weaknesses identified by OMB, as well as the limited progress in implementing key information security requirements, continue to emphasize that, overall, agencies are not effectively implementing and managing their information security programs. For example, of the 24 large federal agencies we reviewed, 11 reported that they had assessed risk for 90 to 100 percent of their systems for fiscal year 2002, but 8 reported that they had assessed risk for less than half of their systems. The information security program, evaluation, and reporting requirements established by GISRA have been permanently authorized and strengthened through the recently enacted Federal Information Security Management Act of 2002 (FISMA).[Footnote 49] In addition, FISMA provisions establish additional requirements that can assist the agencies in implementing effective information security programs, help ensure that agency systems incorporate appropriate controls, and provide information for administration and congressional oversight. These requirements include the designation of and establishment of specific responsibilities for an agency senior information security officer, implementation of minimum information security requirements for agency information and information systems, and required agency reporting to the Congress. Agencies' fiscal year 2003 FISMA reports, due to OMB in September 2003, should provide additional information on the status of agencies' efforts to implement federal information security requirements. In addition, FISMA requires each agency to report any significant deficiency in an information security policy, procedure, or practice, if relating to financial management systems, as an instance of a lack of substantial compliance under FFMIA.[Footnote 50] Auditors Provided Negative Assurance of Substantial Compliance: Auditors for five agencies--the Department of Energy, EPA,[Footnote 51] GSA, NSF, and SSA--provided negative assurance in reporting on FFMIA compliance for fiscal year 2002. In their respective reports, they included language stating that while they did not opine as to compliance with FFMIA, nothing had come to their attention indicating that these agencies' financial management systems did not meet FFMIA requirements. While this form of reporting has useful applications, it is not relevant or appropriate for this particular type of engagement given the requirements of FFMIA. Our fundamental concern is that this type of reporting may provide a false impression that the systems have been found to be substantially compliant by the auditors, which is not what the auditors are saying. In fact, the provisions of FFMIA require auditors to "…report whether the agency financial management systems comply with the requirements of [the act]." In providing guidance on reporting on substantial compliance with FFMIA, OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, states that auditors should report that "the results of our tests disclosed no instances in which the agency's financial management systems did not substantially comply [with FFMIA]." If testing disclosed that the agencies' systems are not substantially compliant, auditors are required to report the instances of noncompliance identified. This is an important distinction because the term "disclosed no instances" carries a commonly accepted and well- known interpretation across the audit community that providing negative assurance requires only limited testing because the auditor is not giving an opinion on whether the systems are substantially compliant. While work performed in auditing financial statements would naturally offer some perspective regarding FFMIA compliance, the work needed to assess substantial compliance of systems with FFMIA would have to be more comprehensive than that performed for purposes of rendering an opinion on the financial statements. In performing financial statement audits, auditors generally focus on the capability of the financial management systems to process and summarize financial information that flows into the financial statements. In contrast, FFMIA is much broader, and auditors need to consider many other aspects of the financial management system including whether an agency's systems comply with systems requirements and provide reliable, useful, and timely financial-related information for managing day-to-day operations. FFMIA was designed to identify weaknesses and lead to system improvements that would result in agency managers being routinely provided with reliable, useful, and timely financial-related information to measure performance and increase accountability throughout the year, rather than just at year-end. One important consideration is that the law does not specify when FFMIA compliance testing must be done. Thus, auditors can perform FFMIA assessments at any time throughout the fiscal year, as long as the assessment is updated to the end of the reporting period. FFMIA assessments can be a separate review that could be staggered throughout the year when the auditors' workloads are not as burdensome or to spread out the work. Today, for some agencies, the auditor may have sufficient knowledge to conclude that an agency is not in substantial compliance with FFMIA without performing additional testing beyond that needed for the financial statement audit opinion, because systems deficiencies are well known and well documented. Because not all areas were tested, additional weaknesses might exist that were not identified and reported. However, as agencies' systems move toward substantial compliance with FFMIA, auditors will need to perform more comprehensive testing to assess agencies' systems compliance with FFMIA. In addition to recommending that OMB require agency auditors to provide a statement of positive assurance when reporting substantial compliance, we also previously recommended[Footnote 52] that OMB (1) explore further clarifications of the definition of "substantial compliance" to help ensure consistent application of the term, (2) reiterate that the indicators of compliance in its January 4, 2001, guidance are not meant to be all inclusive, (3) develop additional guidance, in accordance with the [Hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO/PCIE] GAO/PCIE FAM,[Footnote 53] to specify procedures that auditors should perform when assessing FFMIA compliance, and (4) emphasize the importance of cost accounting to managers by requesting that auditors pay special attention to agencies' ability to meet the requirements of SFFAS No. 4, Managerial Cost Accounting Concepts and Standards. As mentioned previously, PCIE, working with GAO, has issued a new section of its joint [Hyperlink, http://www.gao.gov/cgi-bin/ getrpt?GAO/PCIE] GAO/PCIE FAM that provided detailed audit steps for testing agency systems' substantial compliance with FFMIA. The new FAM guidance also emphasized the importance of assessing cost management and reiterated that OMB's indicators of compliance were examples and therefore are not all-inclusive. Appropriately implemented by agency auditors, this FAM guidance would provide a sufficient basis to conclude whether agencies' systems substantially comply with FFMIA. While the new FAM guidance addresses three of our prior recommendations, the other two recommendations have not yet been addressed. Accordingly, we reaffirm the remaining two prior recommendations,[Footnote 54] aimed at enhancing OMB's FFMIA audit guidance, relating to requiring agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with FFMIA, and further clarifying the definition of "substantial compliance" to encourage consistent reporting. As stated in its comments on a draft of this report, OMB disagreed with our recommendation that it require agency auditors to provide a statement of positive assurance when reporting that agency systems substantially comply with FFMIA. OMB stated that, in its view, positive assurance does not measure the quality or usefulness of the financial information. To the contrary, in our view, positive assurance can lead to improvements in both the quality and usefulness of the financial information by providing a higher standard for the auditors' FFMIA assessment. In response to our reaffirmation of our recommendation to clarify the meaning of substantial compliance so that agency auditors and management can consistently interpret the term, OMB commented that clear performance and results standards are better at promoting such consistency. OMB added that it will consider this recommendation in that context in any future policy and guidance updates. Agency Efforts to Implement New Financial Systems: Across government, agencies have many efforts underway to implement or upgrade financial systems to alleviate long-standing weaknesses in financial management. As we recently reported,[Footnote 55] as of September 30, 2002, 17 agencies advised us that they were planning to or were in the process of implementing a new core financial system.[Footnote 56] Of these 17 agencies, 11 had selected a software product certified by the Program Management Office (PMO).[Footnote 57] According to OMB Circular A-127, agencies are required to purchase COTS packages sold by vendors whose core financial systems software have been certified[Footnote 58] by the PMO. The other 6 agencies have not reached the software selection phase of their acquisition process. Implementing a core financial system that has been certified does not guarantee that these agencies will have financial systems that are compliant with FFMIA. One critical factor affecting FFMIA compliance is the integration of the core system with the agency's administrative[Footnote 59] and programmatic[Footnote 60] systems and the validity and completeness of data from systems. Another factor affecting the capability of agency systems to comply with FFMIA is whether modifications or customizations[Footnote 61] have been made to the certified core financial system software. As of September 30, 2002, target implementation dates for 16 of the 17 agencies planning to implement new core financial systems ranged from fiscal years 2003 to 2008. One agency--DOD--had not yet determined its target date for full implementation. As shown in figure 5, 3 of the 16 agencies--Agriculture, GSA, and NASA--planned to complete implementation in fiscal year 2003. Three other agencies--SSA, Commerce, and DOT--planned to complete their implementations in fiscal year 2004. The Department of Energy established fiscal year 2005 as its target implementation date and 3 agencies--the Departments of State and Veterans Affairs and AID--have targeted fiscal year 2006 for completion. Moreover, as shown in figure 5, 4 agencies--DOL, HHS, EPA, and HUD--have set fiscal year 2007 as their implementation target date. Finally, 2 agencies--the Departments of the Interior and Justice[Footnote 62]--projected fiscal year 2008 for completion of their core financial systems implementation. Figure 5: Agency Target Dates for Implementation of Core Financial Systems as of September 30, 2002: [See PDF for image] [End of figure] The remaining 7 of the 24 CFO Act agencies that advised us that they had no plans to implement a new system had either recently implemented a new core financial system in the last several years or were not planning to implement an agencywide core financial system. Five of the 7 agencies had fully implemented new core financial systems since the beginning of fiscal year 2001--including the Department of Education, NSF,[Footnote 63] the Nuclear Regulatory Commission (NRC), SBA, and OPM. FEMA had implemented a new system prior to fiscal year 2001. The remaining agency, Treasury,[Footnote 64] is not planning to implement an agencywide core financial system, but several of its subcomponent agencies--including the Internal Revenue Service and the Office of the Comptroller of the Currency--are in the process of implementing core financial system software packages. In their performance and accountability reports, management for some agencies stated that full implementation of these new systems will address their systems' substantial noncompliance with FFMIA. However, as we previously discussed, implementation of a new core financial system may not resolve all of an agency's financial management weaknesses because of the myriad of problems affecting agencies beyond their core financial systems. Nevertheless, it is imperative that agencies adopt leading practices to help ensure successful systems implementation. Successful Implementation of Financial Management Systems Is Key for Improved Financial Reporting: Implementing new financial management systems provides a foundation for improved financial management, including enhanced financial reporting capabilities that will help financial managers meet OMB's accelerated reporting deadlines and make better financial management decisions due to more timely information. Successful implementation of financial management systems has been a continuous challenge for both federal agencies and private sector entities. In the past, federal agencies have experienced setbacks and delays in their implementation processes. According to OMB's former Associate Director for Information Technology and e-Government, agencies have experienced lengthy or delayed deployment schedules and implementation cost overruns. These delays were caused by various factors, including a lack of executive level involvement, poor communication between managers and users, and inadequate project planning. Our work at NASA and DOD, for example, has also shown the need for consistent executive support, communication with all stakeholders, full identification of user requirements, and adequate planning. Federal agencies, such as NASA and DOD, have experienced many of these challenges in attempting to implement new financial management systems. For example, NASA began its IFMP in April 2000, its third attempt in recent years at modernizing financial processes and systems. NASA's previous two efforts were eventually abandoned after a total of 12 years and a reported $180 million in spending. As part of this effort, NASA recently implemented a new core financial module that was expected to provide financial and program managers with timely, consistent, and reliable cost and performance information for management decisions. However, earlier this year we reported[Footnote 65] that NASA's core financial module was not being implemented to accommodate the information needed by program managers, cost estimators, and the Congress. The need for ongoing communication between project managers and systems users is crucial to any successful systems implementation project. Project managers need to understand the basic requirements of users while users should be involved in the project's planning process. NASA's program officials chose to defer the development of some functions and related user requirements in order to expedite the systems implementation process. As a result, the new system will not meet the needs of some key users who will continue to rely on information from nonintegrated programs outside of the core financial module, or use other labor-intensive means, to capture the data they need to manage programs. NASA has also not followed certain other best practices for acquiring and implementing its new financial management system. NASA's implementation plan calls for the system to be constructed using commercial components; however, NASA has not analyzed the interdependencies of the various subsystems. When constructing a system from commercial components, it is essential to understand the features and characteristics of each component in order to select compatible systems that can be integrated without having to build and maintain expensive interfaces. By acquiring components without first understanding their relationships, NASA has increased its risks of implementing a system that will not optimize mission performance, will cost more, and take longer to implement than necessary. Past DOD initiatives to improve its financial operations and other key business support processes, such as the Corporate Information Management (CIM) initiative,[Footnote 66] failed in part because the department did not obtain and sustain departmentwide senior management leadership, commitment, and support. In recognition of the far-reaching nature of DOD's financial management problems, on September 10, 2001, Secretary Rumsfeld announced a broad, top-priority initiative intended to "transform the way the department works and what it works on." For its current business enterprise architecture, DOD established two executive committees to provide program guidance; however, these committees are not responsible for directing and overseeing the architecture effort, nor are they accountable for approving the architecture. Our recent reports[Footnote 67] highlight this and other investment management and project weaknesses at DOD. GAO recommended[Footnote 68] that DOD ensure that the executive committee members are singularly and collectively made accountable for the delivery and approval of the enterprise architecture. DOD agreed and has a proposed governance structure to implement the architecture. Private sector entities have also encountered a number of challenges and setbacks when implementing new systems. These challenges have included competition between internal organizational units, user resistance to the new systems, and frequent changes in management and to underlying corporate strategy. Entities are overcoming their challenges because better tools have been created to monitor and control progress and skilled project managers with better management processes are being used. The Standish Group International, Inc[Footnote 69] has reported that the number of successful systems implementation projects in the private sector is increasing. From 1994 to 2000, successful projects increased from 28,000 to 78,000. The Standish Group,[Footnote 70] through its research, has identified 10 project success factors. These factors include: * user involvement, * executive support, * experienced project managers, * firm basic requirements, * clear business objectives, * minimized scope, * standard software infrastructure, * formal methodology, * reliable estimates, and: * other, including small milestones, proper planning, competent staff, and ownership. Also, according to the Standish Group, although no project requires all 10 factors to be successful,[Footnote 71] the more factors that are present in the project strategy, the higher the chance of a successful implementation. As discussed above, many of these factors have been challenges for both private sector and federal entities. By its very nature, the implementation of a new financial management system is a risky proposition. Therefore, it is crucial that federal departments and agencies follow accepted best practices and embrace as many of the key characteristics for successful implementation projects as possible to help minimize the risk of failed projects and result in systems that provide the necessary data for management's needs. Our executive guide[Footnote 72] on creating value through world-class financial management describes 11 practices critical for establishing and maintaining sound financial operations. These practices include reengineering processes in conjunction with new technology. As a result, using commercial components such as COTS packages may require significant changes in the way federal departments conduct their business. According to the leading finance organizations that formed the basis for our executive guide, a key to successful implementation of COTS systems is reengineering business processes to fit the new software applications that are based on best practices. Moreover, OMB's former Associate Director for Information Technology and e-Government has stated that "IT will not solve management problems - re-engineering processes will.": The conversion of data from an old system to a new system is also critical. In December 2002, JFMIP issued its "White Paper: Financial Systems Data Conversion - Considerations." The purpose of this JFMIP document is to raise awareness of financial systems data conversion considerations to be addressed by financial management executives and project managers when planning or implementing a new financial management system. The JFMIP paper addresses (1) key considerations regarding data conversion and cutover to the new system, (2) best approaches for completing the data conversion and cutover, and (3) ways to reduce the risks associated with these approaches. Status of Governmentwide Financial Management Improvement Efforts: In addition to individual agency efforts as discussed in a prior section, the JFMIP Principals, congressional oversight, and the PMA are key drivers of governmentwide efforts now underway to improve federal financial management. In fiscal year 2002, the JFMIP Principals continued the series of regular, deliberative meetings that focused in key financial management reform issues. Legislation enacted by the Congress as well as its oversight of federal financial management also has had a significant impact on stimulating change. The PMA,being implemented by the administration as an agenda for improving the management and performance of the federal government, targets the most apparent deficiencies where the opportunity to improve performance is the greatest. The success of agency implementation of FFMIA impacts all five of the PMA's crosscutting initiatives[Footnote 73] to a greater or lesser extent. Furthermore, the modernization of agency financial management systems, as envisioned by FFMIA, is critical to the success of all of these initiatives. JFMIP Principals: Starting in August 2001, the JFMIP Principals[Footnote 74] have been meeting regularly to deliberate and reach agreements focused on financial management reform issues including (1) defining success measures for financial performance that go far beyond an unqualified audit opinion,[Footnote 75] (2) significantly accelerating financial statement reporting to improve timeliness for decision making, and (3) addressing difficult accounting and reporting issues, including impediments to an audit opinion on the federal government's consolidated financial statements. This forum has provided an opportunity to reach decisions on key issues and undertake strategic activities that reinforce the effectiveness of groups such as the CFO Council in making progress toward federal financial management. In fiscal year 2002, the JFMIP Principals continued the series of these deliberative meetings. Continued personal involvement of the JFMIP Principals is critical to the full and successful implementation of federal financial management reform and to providing greater transparency and accountability in managing federal programs and resources. One effort attributable to the JFMIP Principals is the ongoing governmentwide effort to resolve the problems accounting for intragovernmental activity and balances. As we have reported,[Footnote 76] the federal government's inability to properly account for intragovernmental activity and balances impedes achieving the goal of a clean opinion on the U.S. consolidated financial statements. OMB has identified the lack of standardization in processing and recording intragovernmental activity as a major contributing factor to the federal government's inability to properly account for intragovernmental activity and balances. As a step to resolve this weakness, OMB, which is providing important leadership for this effort, and the Integrated Acquisition Environment (IAE)[Footnote 77] steering committee have established basic requirements for processing and recording intragovernmental activity for all agencies. The vision for intragovernmental activity is that they will eventually be fed through a central portal system and tracked. The IAE has established the Business Partner Network (BPN)[Footnote 78] to provide information on all trading partners, including commercial, government, and grantees. Moreover, a Web-based portal, the Intragovernmental Transaction Portal, has been developed and a small group of agencies will be testing two types of transactions--space rental and information technology--as part of a pilot project. Congressional Oversight: The leadership demonstrated by the Congress has been an important catalyst to reforming financial management in the federal government. As previously discussed, the legislative framework provided by the CFO Act and FFMIA, among others, produces a solid foundation to stimulate needed change. For example, in November 2002, the Congress enacted the Accountability of Tax Dollars Act of 2002[Footnote 79] to extend the financial statements audit requirements of the CFO Act to additional federal agencies. In addition, there is value in sustained congressional interest in these issues, as demonstrated by hearings on federal financial management and reform held over the past several years. It will be key that the appropriations, budget, authorizing, and oversight committees hold agency top management accountable for resolving these problems and that they support improvement efforts. The continued attention by the Congress to these issues will be critical to sustaining momentum for financial management reform. President's Management Agenda: As stated in the PMA, there are few items more urgent than ensuring that the federal government operates efficiently and is results- oriented. Several of the governmentwide efforts underway to improve federal financial management support the implementation of the PMA's five crosscutting initiatives. While FFMIA implementation relates directly to the improved financial performance initiative, development and maintenance of FFMIA-compliant systems will also affect the implementation of the other four initiatives. Notably, OMB is developing a federal enterprise architecture that will impact the government's ability to make significant progress across the PMA. For example, as part of the e-gov initiative, the number of federal payroll providers is being consolidated. Numerous agencies had targeted their payroll operations for costly modernization efforts. According to OMB, millions of dollars will be saved through shared resources and processes and by modernizing on a cross-agency, governmentwide basis. The administration's implementation of its Program Assessment Rating Tool (PART) relates specifically to the PMA initiative of integration of budget and performance information. Reliable cost data, so crucial to effective FFMIA implementation, is critical not only for the improved financial performance and budget and performance integration initiatives, but also for competitive sourcing. For effective management, this cost information must not only be timely and reliable, but also both useful and used. The administration is using the Executive Branch Management Scorecard, based on governmentwide standards for success, to highlight agencies' progress in achieving the improvements embodied in the PMA. OMB uses a grading system of red, yellow, and green to indicate agencies' status in achieving the standards for success for each of the five crosscutting initiatives. It also assesses and reports progress using a similar "stoplight" system. Information about agencies' status scores and progress scores will be provided later in this report. Financial Performance Initiative: The PMA initiative to improve financial performance is aimed at ensuring that federal financial systems produce accurate and timely information to support operating, budget, and policy decisions. It focuses on key issues such as data reliability, clean financial statement audit opinions, and effective financial management systems and internal control. The standards for success used for scoring agency status and progress for the improved financial performance initiative not only recognize the importance of achieving an unqualified or "clean" opinion, but also focus on the fundamental and systemic issues that must be addressed to routinely generate timely, accurate, and useful financial information and provide a sound environment of internal control and effective systems. For example, the scorecard measures whether agencies have material internal control weaknesses or material noncompliance with laws and regulations, and whether agency systems meet FFMIA requirements. As stated in the PMA, without sound internal controls and accurate and timely financial information, it will not be possible to accomplish the President's agenda to secure the best performance and highest measure of accountability for the American people. FFMIA embodies the same things--systems that can generate reliable, useful, and timely information with which to make fully informed decisions and to ensure accountability on an ongoing basis. E-gov Initiative: To implement this PMA initiative, OMB has selected 25 presidential e- gov efforts that focus on a wide variety of services, aiming to simplify and unify agency work processes and information flows, provide one-stop services to citizens, and enable information to be collected online once and reused, rather than being collected many times. One of the 25 presidential e-gov efforts is "e-payroll," which is intended to consolidate the federal government's many incompatible payroll systems into just two that would service all government employees. GAO has long supported and called for such initiatives to standardize and streamline common systems, which can not only reduce costs, but if done correctly, can improve accountability. OMB and OPM, the managing partner for the e-payroll initiative, announced on January 10, 2003, the selection of two partnerships for federal civilian payroll processing--one partnership between DOD's Defense Finance and Accounting Service and GSA, and another between Agriculture's National Finance Center and Interior's National Business Center. According to the former Director of OMB, the e-payroll effort, by consolidating duplicative payroll modernization efforts, should save the federal government an estimated $1.2 billion over the next decade in future information technology investments given the economies of scale and cost avoidance. According to OMB, the need for a federal enterprise architecture[Footnote 80] has arisen from the e-gov effort. OMB has stated that the development of a Federal Enterprise Architecture (FEA) is a cornerstone to the federal government's success in managing its nearly $60 billion[Footnote 81] in IT spending. Among other things, the FEA, being developed by the Federal Enterprise Architecture Program Management Office (FEAPMO),[Footnote 82] has been described as a tool to enable the federal government to identify opportunities to leverage technology and alleviate redundancy, or to highlight where agency overlap limits the value of IT investments. OMB recently reported[Footnote 83] that by using the FEA Business Reference Model to evaluate agency IT budget requests for fiscal year 2004, it has been able to identify potential redundancies in six business lines. According to OMB, the Business Reference Model, one of five reference models, is the foundation of the FEA and is intended to describe the business operations of the federal government independent of the agencies that perform them. Budget and Performance Integration Initiative: The PMA recognized that improvements in the management of human capital, financial performance, expanding electronic government, and competitive sourcing matter little if they are not linked to program performance and resource allocation decisions. Although the lack of a consistent information and reporting framework for performance, budgeting, and accounting may obscure how well government programs are performing as well as inhibit comparisons, no one presentation can meet all users' needs. Any framework should support an understanding of the links between performance, budgeting, and accounting information measured and reported for different purposes. However, even the most meaningful links between performance results and resources consumed are only as good as the underlying data. Therefore, agencies must address long-standing problems within their financial systems. As agencies implement and upgrade their financial management systems, opportunities exist for developing cost management information as an integral part of the system to provide important information that is timely, reliable, and useful. The administration has set forth an ambitious agenda for performance budgeting, calling for agencies to better align their budgets with their performance goals and focus on capturing full budgetary cost and matching these costs with output and outcome goals. Performance-based budgeting can help shift the focus of debate from inputs to outcomes and results, enhancing the government's ability to gauge performance and assess competing claims for scarce resources. While budget reviews have always involved discussions of program performance, such discussions have not always been conducted in a common language or with transparency. Last year, the administration introduced a formal assessment tool into its deliberations, PART, that is the central element of the PMA's performance budgeting initiative. PART represents a step toward more structured involvement of program and performance analysis in the budget and includes general questions on (1) program purpose and design, (2) strategic planning, (3) program management, and (4) program results. It also includes a set of more specific questions that vary according to the type of delivery mechanism or approach the program uses, and calls for timely, reliable data to perform those assessments. PART was applied during the fiscal year 2004 budget cycle to 234 "programs."[Footnote 84] OMB's four-point scale rated programs as "effective," "moderately effective," "adequate," or "ineffective" based on program design, strategic planning, management, and results. Programs that do not have acceptable performance measures or have not yet collected performance data generally received a fifth rating of "results not demonstrated." In the fiscal year 2004 President's budget request, OMB rated 50 percent of PART-assessed programs as "results not demonstrated" because OMB found that the programs did not have adequate performance goals and/or data to gauge program performance were not available. The administration plans to review approximately one-fifth of all federal programs every year, so that every program will have been evaluated using PART by the fiscal year 2008 budget submission. PART could be useful in focusing discussions about progress toward planned performance; about what progress has been made toward achieving specific program goals and objectives; and about what tools and strategies may be used to bring about improvements. Furthermore, performance budgeting should not be expected to provide the answers to resource allocation questions in some automatic or formula-driven process. Because budgeting is the allocation of resources, it involves setting priorities--making choices among competing claims. Performance information is an important factor, but it cannot substitute for difficult political choices. It can, however, help move the debate to a more informed plane--one in which the focus is on competing claims and priorities. As OMB has stated, "The PART serves its purpose if it produces an honest starting point for spending decisions that take results seriously.": Competitive Sourcing Initiative: Among the factors that agencies must consider as they determine how best to meet their missions is whether the public or private sector would be the most appropriate provider of the services the government needs. As we recently testified,[Footnote 85] the government's competitive sourcing process--set forth in OMB Circular A-76--has been difficult to implement and has profoundly impacted the morale of the federal workforce. Due to these difficulties, the Congress enacted legislation mandating a study of the government's competitive sourcing process. In April 2002, following a yearlong study, the Commercial Activities Panel (CAP), chaired by the Comptroller General, reported its findings on competitive sourcing in the federal government. The report lays out 10 sourcing principles and several recommendations, which provide a road map for improving sourcing decisions across the federal government. On May 29, 2003, OMB issued a revised Circular A-76 to simplify and improve the procedures for evaluating public and private sources. Overall, the revised circular is generally consistent with the CAP principles and recommendations. Implementing the revised circular, however, will likely be challenging. Agencies will need to consider how competitive sourcing relates to the other four PMA crosscutting initiatives. For example, accurate cost information from financial management systems and other sources clearly will be needed to make reliable cost calculations in conducting public- private competitions. DOD has been at the forefront of federal agencies in using the A-76 process and, since the mid-to-late 1990s, we have tracked DOD's progress in implementing its A-76 program. While the revised circular includes a major section on calculating public-private competition costs, DOD's experiences with public-private competitions suggest important lessons on financial calculations that agencies should consider as they implement their competitive sourcing initiatives.[Footnote 86] Notably, we have found that costs and resources required for the competitions were underestimated, and determining and maintaining reliable estimates of savings were difficult. In addition, DOD's IG recently issued a report[Footnote 87] regarding errors in a public/private competition for the department's military retired and annuitant pay functions. Although DOD awarded the contract to a private contractor, more accurate cost estimates may have led to a different decision. The cost estimate for performing this function in- house included $33.7 million of overhead costs. In calculating this estimate, DOD followed OMB Circular A-76 guidance that required the department to use the standard 12 percent cost factor for overhead costs. This was because DOD had not developed and submitted for OMB approval a reliable overhead factor for the department. The DOD IG stated that using the mandatory overhead factor affected the results of the competition because a reduced overhead cost factor would have lowered the in-house cost estimate. According to the IG, two of the main premises of OMB Circular A-76 cost comparison studies are fairness of the competitions and achieving realistic cost savings. These premises can only be achieved when supportable cost data are used. Strategic Human Capital Management: People are an agency's most important organizational asset, and strategic human capital management should be the centerpiece of any serious change management initiative or any effort to transform the cultures of government agencies. One step in meeting the government's human capital challenges is for agency leaders to identify and make use of all the appropriate administrative authorities available to them to manage their people both effectively and equitably. As we reported,[Footnote 88] much of the authority agency leaders need to manage human capital strategically is already available under current laws and regulations, as recognized by PMA. Another step in meeting the government's human capital challenges is for policymakers to continue to pursue incremental legislative reforms to give agencies additional tools and flexibilities to hire, manage, and retain the human capital they need, particularly in critical operations. As more agency systems are automated and integrated, those working in the federal financial management community will require new skills. In its recent final report,[Footnote 89] JFMIP mentioned a skill imbalance as one of the challenges facing today's financial management workforce. Specifically, the federal financial management workforce will shift from primarily transaction processing support to performing multiskilled analysis for decision making. According to JFMIP, to meet this skill imbalance, agencies must not only acquire the right skills, but must develop them. One of several ways to do this is to design a broader financial management career concept to support the new culture. Proud To Be Initiative: Specific goals to be achieved by July 1, 2004, have been established for each of the five crosscutting initiatives under the "Proud To Be" initiative. According to an April 2003 memorandum from the OMB Deputy Director for Management-designate, progress on the PMA had reached a point where it is appropriate to think about where the administration would be proud to be a year or so from now, after 3 full years of implementing the PMA. To begin this effort, the owners[Footnote 90] of the five crosscutting initiatives assessed where he/she would be "proud to be" on July 1, 2004. For example, for the improved financial performance initiative, specific goals include (1) 50 percent of agencies completing their fiscal year 2003 financial statement audits by November 15, 2003, (2) all CFO Act agencies, except for DOD, having unqualified audit opinions on their fiscal year 2003 financial statements, and (3) financial audits for fiscal year 2003 achieving a 50 percent reduction in material weaknesses. Financial Performance Metrics: The CFO Council has developed a draft list of financial performance metrics to be reviewed monthly for all agencies. The financial performance metrics under consideration include (1) reconciled and unreconciled balances relating to fund balance with Treasury accounts, (2) delinquent accounts receivable from the public, (3) purchase and travel card delinquency trends, and (4) electronic payments. According to OMB officials, an online system has been developed to capture this information and the agency-level metrics reported will roll up into governmentwide metrics. Executive Branch Management Scorecard: As mentioned previously, the administration assesses agency status[Footnote 91] in achieving the standards for success for each of the five crosscutting initiatives using a grading system of red, yellow, and green.[Footnote 92] It also assesses progress[Footnote 93] using a similar "stoplight" system.[Footnote 94] Although we collaborated in some cases with OMB and the lead agencies regarding the broad standards for success, we have not had the opportunity to review the more specific criteria that OMB uses to assess each agency's progress on these initiatives nor have we examined the specific evidence that OMB used to assess the agency's accomplishments. Table 1 shows the Scorecard status and progress scores for the improved financial performance initiative at the CFO Act agencies starting with the December 2002 scorecard. Table 1: Agency Status and Progress Scores for the Improved Financial Performance Initiative: Score: Red; December 2002 scorecard: Status: 15; December 2002 scorecard: Progress: 2; March 2003 scorecard: Status: 15; March 2003 scorecard: Progress: 1; June 2003: scorecard: Status: 15; June 2003: Progress: 0. Score: Yellow; December 2002 scorecard: Status: 6; December 2002 scorecard: Progress: 2; March 2003 scorecard: Status: 6; March 2003 scorecard: Progress: 3; June 2003: scorecard: Status: 4; June 2003: Progress: 2. Score: Green; December 2002 scorecard: Status: 1; December 2002 scorecard: Progress: 18; March 2003 scorecard: Status: 1; March 2003 scorecard: Progress: 18; June 2003: scorecard: Status: 3; June 2003: Progress: 20. Score: Total; December 2002 scorecard: Status: 22; December 2002 scorecard: Progress: 22; March 2003 scorecard: Status: 22; March 2003 scorecard: Progress: 22; June 2003: scorecard: Status: 22; June 2003: Progress: 22. Source: GAO analysis of the OMB Executive Branch Management Scorecards for three quarters. Note: The Federal Emergency Management Agency, which was consolidated into DHS, and NRC were not scored. While DHS received red status scores in improving financial performance as of December 31, 2002, and March 31, 2003, the department was scored as green in progress for those two quarters. [End of table] The focus that the administration's scorecard approach brings to improving management and performance, including financial management performance, is certainly a step in the right direction. The value of the scorecard is not in the scoring per se, but the degree to which the scores lead to sustained focus and demonstrable improvements. This will depend on continued efforts to assess progress and maintain accountability to ensure that the agencies are able to, in fact, improve their performance. It will be important that there be continuous rigor in the scoring process for this approach to be credible and effective in providing incentives that produce lasting results. Also, it is important to recognize that many of the challenges the federal government faces, such as improving financial management, are long-standing and complex, and will require sustained attention. Conclusions: The ultimate objective of FFMIA is to ensure that agency financial management systems routinely provide reliable, useful, and timely financial information, not just at year-end or for financial statements, so that government leaders will be better positioned to invest resources, reduce costs, oversee programs, and hold agency managers accountable for the efficiency of their programs. To achieve the financial management improvements envisioned by the CFO Act, FFMIA, and more recently, the PMA, agencies need to modernize their financial management systems to generate reliable, useful, and timely financial information throughout the year and at year-end. Meeting the requirements of FFMIA presents long-standing, significant challenges that will be attained only through time, investment, and sustained emphasis on correcting deficiencies in federal financial management systems. To provide positive assurance when reporting on compliance with FFMIA, auditors need to perform detailed audit procedures that are more comprehensive than those necessary to render an opinion in a financial statement audit. Such an assessment of an agency's financial management system is essential to improving the performance, productivity, and efficiency of federal financial management and achieving the PMA. If auditors do more comprehensive testing for FFMIA compliance, as described in the [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/ PCIE] GAO/PCIE FAM, they will be able to provide positive assurance when reporting on substantial compliance with FFMIA, which is what we believe the law requires. Therefore, we reaffirm our prior recommendation that OMB require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with FFMIA. While the current language that auditors are using to report substantial compliance with FFMIA may have useful applications, it is not relevant or appropriate given the requirements of FFMIA. The term "disclosed no instances" carries a commonly accepted and well-known interpretation among the audit community that only limited testing is required because the auditor is not giving an opinion on whether the systems are substantially compliant. However, our concern is that this type of reporting may give the general public the false impression that the systems have been found to be substantially compliant. We also reaffirm our other prior recommendation for OMB to explore further clarification of the definition of "substantial compliance" in its FFMIA guidance to encourage consistent reporting among agency auditors. As we stated[Footnote 95] last year, auditors we interviewed had concerns about providing positive assurance in reporting on agency systems' FFMIA compliance because of a need for clarification regarding the meaning of substantial compliance. Agencies that do not have integrated financial systems typically must expend major efforts and resources to develop information that their systems should be able to provide on a daily and recurring basis. Across government, agencies have many efforts underway to implement or upgrade financial systems to alleviate long-standing weaknesses in financial management. However, the size and complexity of many federal agencies and the discipline needed to upgrade or replace their financial management systems present a significant challenge. While progress continues to be made to improve financial management systems, for some agencies there is a long way to go. To be successful, agencies need to identify the root causes as to why systems have these continuing financial management weaknesses. The widespread systems problems facing the federal government need sustained management commitment at the highest levels of government. Today, we are seeing a strong commitment from the President, the JFMIP Principals, and the secretaries of major departments, such as DOD-- which has taken positive steps to transform its business operations and systems--to ensuring that needed modernization efforts come to fruition. This commitment is critical to the success of these efforts underway, as well as those still in a formative stage, to achieve the goals of the CFO Act and FFMIA. Agency Comments and Our Evaluation: In written comments (reprinted in app. VI) on a draft of this report, OMB agreed with our view that financial management success encompasses more than agencies receiving unqualified opinions on their financial statements. However, as indicated by its comments, OMB and GAO continue to have a philosophical difference as to the breadth and nature of activities related to FFMIA compliance. In discussing FFMIA compliance, OMB focuses on the compliance requirements of FFMIA. We have a broader view when considering agency systems' FFMIA compliance. From our viewpoint, the primary purpose of FFMIA is to ensure that agency financial management systems routinely provide reliable, useful, and timely financial information for managerial decision making on a day- to-day basis. With such information, government leaders will be better positioned to invest resources, reduce costs, oversee programs, and hold agency managers accountable for the way they run government programs. By enacting FFMIA, Congress envisioned that agency managers would have necessary financial information to measure performance on an ongoing basis rather than just at year-end. Financial management systems' compliance with federal financial management systems requirements, applicable accounting standards, and the SGL at the transaction level are the building blocks to help achieve these goals. Specifically, OMB disagreed with our recommendation that OMB require agency auditors to provide a statement of positive assurance when reporting that agency systems substantially comply with FFMIA. OMB stated that, in its view, positive assurance does not measure the quality or usefulness of the financial information. To the contrary, positive assurance does provide a more meaningful measure of the quality and usefulness of the financial information by providing a higher standard for the auditors' FFMIA assessment. When providing negative assurance with FFMIA, auditors state that nothing came to their attention indicating that these agencies' financial management systems did not substantially meet FFMIA requirements. Providing positive assurance, as we believe the law requires, means that the auditors must report unequivocally whether the agency financial management systems substantially comply with the act's requirements. OMB also pointed out that preliminary data suggest such an additional reporting burden would raise audit costs without a commensurate improvement in financial information. As discussed in the FAM, there are a number of techniques auditors could use to minimize the burden and associated cost of providing positive assurance. For example, under 31 U.S.C. 3512(c),(d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982 (FIA)), agency management is responsible for systematically developing, assessing, and reporting on internal controls and financial management systems. Auditors can review the related FIA documentation to determine the degree of reliance that can be placed on management's FIA process. Depending on the thoroughness and completeness of the annual FIA assessment of agency financial management systems done by management, auditors may not need to significantly increase their workload to provide positive assurance. In its comments, OMB also stated that FFMIA compliance is determined by the agency head, after considering all relevant information, including the results of the independent audit. While we agree that the law requires agency heads to make an FFMIA determination, the auditor's FFMIA assessment is a key element of this FFMIA determination due to auditor independence. The act specifically states that the determination should be based on a review of the auditor's report on the applicable agencywide audited financial statements as well as other information the agency head considers relevant and appropriate. Moreover, as the legislative history shows, Congress intended to use the financial statement audit process to assure that FFMIA's requirements are implemented and maintained in agency financial management systems. As with financial statement audits, an auditor's FFMIA assessment provides an objective and independent view of an agency systems' compliance with FFMIA. OMB, in reference to our recommendation that it explore further clarifications of the definition of "substantial compliance" to help ensure the consistent application of this term, suggested that clear performance and results standards are better at promoting such consistency. OMB added that it will consider our recommendation in that context in any future policy and guidance updates. As we previously reported,[Footnote 96] auditors we interviewed that performed FFMIA assessments saw a need for clarification of the meaning of substantial compliance to help them perform the assessments. OMB also stated that the report overlooks progress agencies have made across all areas of IT security performance measures. Similarly, in its fiscal year 2002 report to the Congress, OMB reported that the federal government had made significant strides in addressing serious and pervasive IT security problems, but that much work remained. However, our analyses of governmentwide performance measures showed more limited progress. Further, our analyses of individual agency reports showed that significant challenges remained in implementing information security requirements. OMB also commented that this progress has been demonstrated in the federal government's general success in withstanding malicious code activity. As we recently testified,[Footnote 97] the federal government has taken several steps to address security vulnerabilities that affect federal agency systems, but we identified additional steps that can be taken to address software vulnerabilities. In its comments, OMB stated that we should limit the scope of this report to agencies' efforts to implement and maintain financial systems that comply with the act in fulfilling our statutory requirement to report annually on FFMIA compliance. We disagree with OMB's view that this report includes considerable information that is not germane to our statutory reporting requirements. To the contrary, the governmentwide financial management improvement efforts, discussed in our report, have a direct impact on agency systems' compliance with FFMIA and provide additional context on the importance of financial management systems in achieving certain initiatives. For example, the e-payroll effort, part of the e-gov initiative, if successful, should substantially reduce the number of individual agency payroll systems, which affects agencies' financial systems architecture and the flow of information through their financial management systems. Similarly, as we discuss in the report, PART represents a step toward more structured involvement of program and performance analysis in the budget. This initiative is dependent upon meaningful links between performance results and resources consumed that are supported by reliable, useful, and timely underlying information, including financial data. In our view, it will be difficult, if not impossible, to achieve success with these governmentwide financial management improvement efforts without the modernization of agency financial systems envisioned by the CFO Act and FFMIA. OMB and several agencies also provided other technical comments that we incorporated as appropriate. : We are sending copies of this report to the Chairman and Ranking Minority Member, Subcommittee on Financial Management, the Budget, and International Security, Senate Committee on Governmental Affairs; and to the Chairman and Ranking Minority Member, Subcommittee on Government Efficiency and Financial Management, House Committee on Government Reform. We are also sending copies to the Director of the Office of Management and Budget, the Secretary of the Department of Homeland Security, the heads of the 23 CFO Act agencies, and agency CFOs and IGs. Copies will also be made available to others upon request. This report was prepared under the direction of Sally E. Thompson, Director, Financial Management and Assurance, who may be reached at (202) 512-9450 or by e-mail at [Hyperlink, thompsons@gao.gov] thompsons@gao.gov if you have any questions. Staff contacts and other key contributors to this report are listed in appendix VII. David M. Walker Comptroller General of the United States: Signed by David M. Walker: [End of section] Appendixes: Appendix I: Requirements and Standards Supporting Federal Financial Management: Financial Management Systems Requirements: The policies and standards prescribed for executive agencies to follow in developing, operating, evaluating, and reporting on financial management systems are defined in OMB Circular A-127, Financial Management Systems. The components of an integrated financial management system include the core financial system,[Footnote 98] managerial cost accounting system, and administrative and programmatic systems. Administrative systems are those that are common to all federal agency operations[Footnote 99] and programmatic systems are those needed to fulfill an agency's mission. JFMIP has issued federal financial management systems requirements (FFMSR)[Footnote 100] for the core financial system and managerial cost accounting system, and is in the process of issuing these requirements for the administrative and programmatic systems. Appendix II lists the federal financial management systems requirements published to date. Figure 6 is the JFMIP model that illustrates how these systems interrelate in an agency's overall systems architecture. Figure 6: Agency Systems Architecture: [See PDF for image] [End of figure] OMB Circular A-127 requires agencies to purchase commercial off-the- shelf (COTS) software that has been tested and certified through the JFMIP software certification process when acquiring core financial systems. JFMIP's certification process, however, does not eliminate or significantly reduce the need for agencies to develop and conduct a comprehensive testing effort to ensure that the COTS software meets their requirements. Moreover, according to JFMIP, core financial systems certification does not mean that agencies that install these packages will have financial management systems that are compliant with FFMIA. Many other factors can affect the capability of the systems to comply with FFMIA, including modifications made to the JFMIP-certified core financial management systems software, and the validity and completeness of data from feeder systems. Federal Accounting Standards: The Federal Accounting Standards Advisory Board (FASAB)[Footnote 101] promulgates federal accounting standards that agency CFOs use in developing financial management systems and preparing financial statements. FASAB develops the appropriate accounting standards after considering the financial and budgetary information needs of the Congress, executive agencies, and other users of federal financial information and comments from the public. FASAB forwards the standards to the three Sponsors--the Comptroller General, the Secretary of the Treasury, and the Director of OMB--for a 90-day review. If there are no objections during the review period, the standards are considered final and FASAB publishes them on its Web site and in print. The American Institute of Certified Public Accountants has recognized the federal accounting standards promulgated by FASAB as being generally accepted accounting principles for the federal government. This recognition enhances the acceptability of the standards, which form the foundation for preparing consistent and meaningful financial statements both for individual agencies and the government as a whole. Currently, there are 25 statements of federal financial accounting standards (SFFAS) and 4 statements of federal financial accounting concepts (SFFAC).[Footnote 102] The concepts and standards are the basis for OMB's guidance to agencies on the form and content of their financial statements and for the government's consolidated financial statements. Appendix III lists the concepts, standards, and interpretations[Footnote 103] along with their respective effective dates. FASAB's Accounting and Auditing Policy Committee (AAPC)[Footnote 104] assists in resolving issues related to the implementation of accounting standards. AAPC's efforts result in guidance for preparers and auditors of federal financial statements in connection with implementation of accounting standards and the reporting and auditing requirements contained in OMB's Form and Content of Agency's Financial Statements Bulletin and Audit Requirements for Federal Financial Statements Bulletin. To date, AAPC has issued five technical releases, which are listed in appendix IV along with their release dates. Standard General Ledger: The SGL was established by an interagency task force under the direction of OMB and mandated for use by agencies in OMB and Treasury regulations in 1986. The SGL promotes consistency in financial transaction processing and reporting by providing a uniform chart of accounts and pro forma transactions used to standardize federal agencies' financial information accumulation and processing throughout the year, enhance financial control, and support budget and external reporting, including financial statement preparation. For example, agency use of the SGL accounts and OMB's new intragovernmental business rules for standardizing intragovernmental activity and balances are key to removing one of the material weaknesses that GAO has reported on the governmentwide consolidated statements since fiscal year 1997. The SGL is intended to improve data stewardship throughout the federal government, enabling consistent reporting at all levels within the agencies and providing comparable data and financial analysis at the governmentwide level.[Footnote 105] Internal Control Standards: The Congress enacted legislation, 31 U.S.C. 3512(c),(d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982 (FIA)), to strengthen internal controls and accounting systems throughout the federal government, among other purposes. Issued pursuant to FIA, the Comptroller General's Standards for Internal Control in the Federal Government[Footnote 106] provides the standards that are directed at helping agency managers implement effective internal control, an integral part of improving financial management systems. Internal control is a major part of managing an organization and comprises the plans, methods, and procedures used to meet missions, goals, and objectives. In summary, internal control, which under OMB's guidance for FIA is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources. Effective internal control also helps in managing change to cope with shifting environments and evolving demands and priorities. As programs change and agencies strive to improve operational processes and implement new technological developments, management must continually assess and evaluate its internal control to ensure that the control activities being used are effective and updated when necessary. [End of section] Appendix II: Publications in the Federal Financial Management Systems Requirements Series: FFMSR document: FFMSR-0 Framework for Federal Financial Management Systems; Issue date: January 1995. FFMSR document: FFMSR-7 Inventory System Requirements; Issue date: June 1995. FFMSR document: FFMSR-8 Managerial Cost Accounting System Requirements; Issue date: February 1998. FFMSR document: JFMIP-SR-01-02 Core Financial System Requirements; Issue date: November 2001. FFMSR document: JFMIP-SR-99-5 Human Resources & Payroll Systems Requirements; Issue date: April 1999. FFMSR document: JFMIP-SR-99-8 Direct Loan System Requirements; Issue date: June 1999. FFMSR document: JFMIP-SR-99-9 Travel System Requirements; Issue date: July 1999. FFMSR document: JFMIP-SR-99-14 Seized Property and Forfeited Asset Systems Requirements; Issue date: December 1999. FFMSR document: JFMIP-SR-00-01Guaranteed Loan System Requirements; Issue date: March 2000. FFMSR document: JFMIP-SR-00-3 Grant Financial System Requirements; Issue date: June 2000. FFMSR document: JFMIP-SR-00-4 Property Management Systems Requirements; Issue date: October 2000. FFMSR document: JFMIP-SR-01-01 Benefit System Requirements; Issue date: September 2001. FFMSR document: JFMIP-SR-02-02 Acquisition/Financial Systems Interface Requirements; Issue date: June 2002. FFMSR document: JFMIP-SR-03-01 Revenue System Requirements; Issue date: January 2003. FFMSR document: JFMIP-SR-03-02 Inventory, Supplies and Materials System Requirements; Issue date: August 2003. [End of table] [End of section] Appendix III: Statements of Federal Financial Accounting Concepts, Statements of Federal Financial Accounting Standards, and Interpretations: Concepts: Concepts: SFFAC No. 1 Objectives of Federal Financial Reporting. Concepts: SFFAC No. 2 Entity and Display. Concepts: SFFAC No. 3 Management's Discussion and Analysis. Concepts: SFFAC No. 4 Intended Audience and Qualitative Characteristics for the Consolidated Financial Report of the United States Government. [End of table] Standards: SFFAS No. 1 Accounting for Selected Assets and Liabilities; Effective for fiscal year[A]: 1994. Standards: SFFAS No. 2 Accounting for Direct Loans and Loan Guarantees; Effective for fiscal year[A]: 1994. Standards: SFFAS No. 3 Accounting for Inventory and Related Property; Effective for fiscal year[A]: 1994. Standards: SFFAS No. 4 Managerial Cost Accounting Concepts and Standards; Effective for fiscal year[A]: 1998. Standards: SFFAS No. 5 Accounting for Liabilities of the Federal Government; Effective for fiscal year[A]: 1997. Standards: SFFAS No. 6 Accounting for Property, Plant, and Equipment; Effective for fiscal year[A]: 1998. Standards: SFFAS No. 7 Accounting for Revenue and Other Financing Sources; Effective for fiscal year[A]: 1998. Standards: SFFAS No. 8 Supplementary Stewardship Reporting; Effective for fiscal year[A]: 1998. Standards: SFFAS No. 9 Deferral of the Effective Date of Managerial Cost Accounting Standards for the Federal Government in SFFAS No. 4; Effective for fiscal year[A]: 1998. Standards: SFFAS No. 10 Accounting for Internal Use Software; Effective for fiscal year[A]: 2001. Standards: SFFAS No. 11 Amendments to Accounting for Property, Plant, and Equipment--Definitional Changes; Effective for fiscal year[A]: 1999. Standards: SFFAS No. 12 Recognition of Contingent Liabilities Arising from Litigation: An Amendment of SFFAS No. 5, Accounting for Liabilities of the Federal Government; Effective for fiscal year[A]: 1998. Standards: SFFAS No. 13 Deferral of Paragraph 65-2--Material Revenue- Related Transactions Disclosures; Effective for fiscal year[A]: 1999. Standards: SFFAS No. 14 Amendments to Deferred Maintenance Reporting; Effective for fiscal year[A]: 1999. Standards: SFFAS No. 15 Management's Discussion and Analysis; Effective for fiscal year[A]: 2000. Standards: SFFAS No. 16 Amendments to Accounting for Property, Plant, and Equipment; Effective for fiscal year[A]: 2000. Standards: SFFAS No. 17 Accounting for Social Insurance; Effective for fiscal year[A]: 2000. Standards: SFFAS No. 18 Amendments to Accounting Standards for Direct Loans and Loan Guarantees in SFFAS No. 2; Effective for fiscal year[A]: 2001. Standards: SFFAS No. 19 Technical Amendments to Accounting Standards for Direct Loans and Loan Guarantees in SFFAS No. 2; Effective for fiscal year[A]: 2003. Standards: SFFAS No. 20 Elimination of Certain Disclosures Related to Tax Revenue Transactions by the Internal Revenue Service, Customs, and Others; Effective for fiscal year[A]: 2001. Standards: SFFAS No. 21 Reporting Corrections of Errors and Changes in Accounting Principles; Effective for fiscal year[A]: 2002. Standards: SFFAS No. 22 Change in Certain Requirements for Reconciling Obligations and Net Cost of Operations; Effective for fiscal year[A]: 2001. Standards: SFFAS No. 23 Eliminating the Category National Defense Property, Plant, and Equipment; Effective for fiscal year[A]: 2003. Standards: SFFAS No. 24 Selected Standards for the Consolidated Financial Report of the United States Government; Effective for fiscal year[A]: 2002. Standards: SFFAS No. 25 Reclassification of Stewardship Responsibilities and Eliminating the Current Services Assessment; Effective for fiscal year[A]: 2005. [A] Effective dates do not apply to Statements of Federal Financial Accounting Concepts and Interpretations. [End of table] Interpretations: No. 1 Reporting on Indian Trust Funds. Interpretations: No. 2 Accounting for Treasury Judgment Fund Transactions. Interpretations: No. 3 Measurement Date for Pension and Retirement Health Care Liabilities. Interpretations: No. 4 Accounting for Pension Payments in Excess of Pension Expense. Interpretations: No. 5 Recognition by Recipient Entities of Receivable Nonexchange Revenue. Interpretations: No. 6 Accounting for Imputed Intra-departmental Costs. [End of table] [End of section] Appendix IV: AAPC Technical Releases: Technical release: TR-1 Audit Legal Letter Guidance; AAPC release date: March 1, 1998. Technical release: TR-2 Environmental Liabilities Guidance; AAPC release date: March 15, 1998. Technical release: TR-3 Preparing and Auditing Direct Loan and Loan Guarantee Subsidies Under the Federal Credit Reform Act; AAPC release date: July 31, 1999. Technical release: TR-4 Reporting on Non-Valued Seized and Forfeited Property; AAPC release date: July 31, 1999. Technical release: TR-5 Implementation Guidance on SFFAS No. 10: Accounting for Internal Use Software; AAPC release date: May 14, 2001. [End of table] [End of section] Appendix V: Checklists for Reviewing Systems under the Federal Financial Management Improvement Act: Checklist: GAO/AIMD-98-21.2.1 Framework for Federal Financial Management System Checklist; Issue date: May 1998. Checklist: GAO/AIMD-00-21.2.2 Core Financial System Requirements Checklist; Issue date: February 2000. Checklist: GAO/AIMD-00-21.2.3 Human Resources and Payroll Systems Requirements Checklist; Issue date: March 2000. Checklist: GAO/AIMD-98-21.2.4 Inventory System Checklist; Issue date: May 1998. Checklist: GAO/01-99G Seized Property and Forfeited Assets Systems Requirements Checklist; Issue date: October 2000. Checklist: GAO/AIMD-21-2.6 Direct Loan System Requirements Checklist; Issue date: April 2000. Checklist: GAO/AIMD-21.2.8 Travel System Requirements Checklist; Issue date: May 2000. Checklist: GAO/AIMD-99-21.2.9 System Requirements for Managerial Cost Accounting Checklist; Issue date: January 1999. Checklist: GAO-01-371G Guaranteed Loan System Requirements Checklist; Issue date: March 2001. Checklist: GAO-01-911G Grant Financial System Requirements Checklist; Issue date: September 2001. Checklist: GAO-02-171G Property Management Systems Requirements Checklist; Issue date: December 2001. Checklist: GAO-02-762G Benefit System Requirements (Exposure Draft); Issue date: September 2002. [End of table] [End of section] Appendix VI: Comments from the Office of Management and Budget: EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D. C. 20503: OFFICE OF FEDERAL FINANCIAL MANAGEMENT: September 26, 2003: Ms. Sally E. Thompson: Director, Financial Management and Assurance United States General Accountinq Office Washington, DC 20548: Thank you for the opportunity to comment on the draft report entitled "Financial Management: Sustained Efforts Are Needed to Achieve FFMIA Accountability." We have included substantive comments below and will be providing more detailed, editing remarks under separate cover. Overall, OMB agrees with your assessment that many Federal agencies are continuing to make progress on implementing the Federal Financial Management Improvement Act (FFMIA). In fact there is considerable evidence to show significantly improved performance: agencies are filing quarterly and annual financial statements on an almost constantly accelerating basis; quality is improving as more and more agencies receive unqualified opinions from their auditors; long- standing material weaknesses are being resolved; and monthly financial performance metrics for managing activities are becoming the norm. We believe a major factor in the agencies' improvements has been the performance standards we established under the President's Management Agenda. As you may recall, these standards, agreed to by the Joint Financial Management Improvement Program (JFMTP) principals, include the key components of the FFMIA. Thus, as agencies upgrade their financial management performance they must and indeed will surpass the compliance requirements in FFMIA. Accordingly, we do not agree with the draft recommendation for OMB to require auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with FFMIA. Such an assurance measures neither the quality nor usefulness of the financial information. Moreover, preliminary data suggest such an additional reporting burden could raise audit costs by as much as 20- 508, without a commensurate improvement in financial information. We also suggest your report be clear about the requirements of the Act, and that under FFMIA, compliance is determined by the agency head, after taking into consideration all relevant information, including that which is provided by the Inspector General (IG). We agree with the FFMIA that it is rightfully management's prerogative to determine if in fact management has the requisite, reliable and timely financial information it needs to manage the agency on a day-to-day basis. The draft report suggests that OMB clarify the definition of "substantial compliance" to promote consistent reporting by auditors on FFMIA. Here again, we believe that clear performance and results standards are better at promoting such consistency, and will consider this recommendation in that context in any future policy and guidance updates. The draft report overlooks progress agencies have made across all areas of IT security performance measures as reported in agency FY02 Federal Information Security Management Act (FISMA) reports. While many IT security weaknesses remain, agencies and IGs are able to quantify real advancement in closing IT security performance gaps and have strengthened management, operational, and technical controls. Recently, this progress has been demonstrated in the Federal government's general success in withstanding recent malicious code activity. OMB works with agencies and the Congress to ensure that appropriate countermeasures are in place to reduce the impact o^ viruses and worms, and in partnership.with the CIO Council has developed and deployed processes to rapidly counteract identified threats and vulnerabilities. Finally, we believe that the report should focus on GAO's statutory FFMIA reporting requirement, which is the agencies' efforts to implement and maintain financial systems that comply with the Act. The current draft report includes considerable information unrelated to these statutory reporting requirements. We appreciate the opportunity to comment on the draft report and to continue working with GAO to improve Federal financial management systems. Respectfully, Signed by: Joseph L. Kull Deputy Controller: [End of section] Appendix VII: GAO Contacts and Staff Acknowledgments: GAO Contacts: Sally E. Thompson, (202) 512-9450 Kay L. Daly, (202) 512-9312: Acknowledgments: In addition to those named above, Debra S. David, Rosa R. Harris, Kristen A. Kociolek, Kelly A. Lehr, William S. Lowrey, Sandra S. Silzer, and Bridget A. Skjoldal made key contributions to this report. (193048): FOOTNOTES [1] Pub. L. No. 101-576, 104 Stat. 2838 (1990). [2] Title VIII of Public Law 104-208 is entitled the Federal Financial Management Improvement Act of 1996. [3] There were initially 24 CFO Act agencies (see footnote 1 above). The Federal Emergency Management Agency (FEMA), one of the 24 CFO Act agencies, was subsequently transferred to the new Department of Homeland Security (DHS) effective March 1, 2003. With this transfer, FEMA will no longer be required to prepare audited stand-alone financial statements under the CFO Act. We included FEMA in our review because FEMA was a CFO Act agency as of September 30, 2002. DHS must prepare audited financial statements under the Accountability of Tax Dollars Act of 2002, because it is a "covered executive agency" for purposes of 31 U.S.C. 3515. However, DHS was not established as a CFO Act agency and therefore is not subject to FFMIA. [4] The American Institute of Certified Public Accountants recognizes the federal accounting standards promulgated by the Federal Accounting Standards Advisory Board (FASAB) as generally accepted accounting principles (GAAP). [5] The SGL provides a standard chart of accounts and standardized transactions that agencies are to use in all their financial systems. [6] Auditors for these two agencies provided negative assurance of FFMIA compliance, meaning that nothing came to their attention indicating that the financial management systems did not meet FFMIA requirements. [7] U.S. General Accounting Office, Core Financial Systems at the 24 Chief Financial Officers Act Agencies, GAO-03-903R (Washington, D.C.: June 27, 2003). [8] Core financial systems, as defined by the Joint Financial Management Improvement Program (JFMIP), include managing general ledger, funding, payments, receivables, and certain basic cost functions. Core financial systems receive data from other financial and feeder systems--such as acquisition, grant, and human resource and payroll systems--as well as from direct user input, and provide data for financial performance measurement and analysis and for financial statement preparation. [9] The Program Management Office, managed by the Executive Director of the JFMIP, with funds provided by the CFO Council agencies, tests vendor COTS packages and certifies that they meet certain federal financial management system requirements for core financial systems. [10] Customization is the process of setting parameters within an application to make it operate in accordance with the entity's business rules. Customizations are normally supported by vendors in subsequent upgrades. Modification is the process of writing or changing code and modifications are not supported by vendors in subsequent upgrades. [11] U.S. General Accounting Office, Business Modernization: Improvements Needed in Management of NASA's Integrated Financial Management Program, GAO-03-507 (Washington, D.C.: Apr. 30, 2003). [12] U.S. General Accounting Office, DOD Business Systems Modernization: Continued Investment in Key Accounting Systems Needs to Be Justified, GAO-03-465 (Washington, D.C.: Mar. 28, 2003), and DOD Business Systems Modernization: Improvements to Enterprise Architecture Development and Implementation Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003). [13] U.S. General Accounting Office, Department of Defense: Status of Financial Management Weaknesses and Progress Toward Reform, GAO-03-931T (Washington, D.C.: June 2003). [14] The JFMIP Principals are the Secretary of the Treasury, the Directors of OMB and the Office of Personnel Management (OPM), and the Comptroller General of the United States. [15] U.S. General Accounting Office, Competitive Sourcing: Implementation Will Be Challenging for Federal Agencies, GAO-03-1022T (Washington, D.C.: July 24, 2003). [16] U.S. General Accounting Office, Financial Management: FFMIA Implementation Critical for Federal Accountability, GAO-02-29 (Washington, D.C.: Oct. 1, 2001). [17] The Accountability of Tax Dollars Act of 2002 extends the requirement to prepare and submit audited financial statements to most executive agencies not subject to the CFO Act unless exempted by OMB. However, these agencies are not required to have systems that are compliant with FFMIA. [18] GAO-02-29. [19] Of these 19 agencies, systems for 8 agencies were reported not to be in substantial compliance with all three FFMIA requirements. [20] Pub. L. No. 107-296, 116 Stat. 2135 (2002). [21] Pub. L. No. 107-289, 116 Stat. 2049 (2002). [22] U.S. General Accounting Office, Major Management Challenges and Program Risks: Department of Homeland Security, GAO-03-102 (Washington, D.C.: January 2003). [23] Office of Management and Budget, Financial Management Status Report and Government-wide 5-Year Financial Management Plan (May 1, 2002). [24] Agency audited financial statements for fiscal year 2001 were due to OMB by February 27, 2002. The cited OMB report gives the results of the fiscal year 2001 audits. [25] The offices of the IG and CFO are working to address audit concerns related to the fiscal year 2003 audit. [26] In its performance and accountability report for fiscal year 2002, HHS management stated that timeliness in preparing financial statements will become a greater focus for the department as it strives to comply with the accelerated reporting requirements and deadlines. [27] Federal financial system requirements define an integrated financial system as one that coordinates a number of previously unconnected functions to improve overall efficiency and control. Characteristics of such a system include (1) standard data classifications for recording financial events, (2) common processes for processing similar transactions, (3) consistent control over data entry, transaction processing, and reporting, and (4) a system design that eliminates unnecessary duplication of transaction entry. [28] DOT is implementing a COTS-based core financial system called Delphi. DOT management projects that the implementation will be complete in fiscal year 2004. [29] Office of Inspector General, Department of Transportation, Consolidated Financial Statements for Fiscal Years 2002 and 2001, FI- 2003-018 (Jan. 27, 2003). [30] U.S. General Accounting Office, Department of Defense: Status of Financial Management Weaknesses and Progress Toward Reform, GAO-03-931T (Washington, D.C.: June 25, 2003). [31] Department of Defense, Performance and Accountability Report, Fiscal Year 2002 (Jan. 31, 2003). [32] Office of Inspector General, Independent Auditor's Report on Financial Statements, A-17-02-0001, Fiscal Year 2002 Performance and Accountability Report, U.S. Department of Health and Human Services. [33] Agencies record their budget spending authorizations in their fund balance with Treasury accounts. Agencies increase or decrease these accounts as they collect or disburse funds. [34] GAO-03-931T. [35] U.S. General Accounting Office, Fiscal Year 2002 U.S. Government Financial Statements: Sustained Leadership and Oversight Needed for Effective Implementation of Financial Management Reform, GAO-03-572T (Washington, D.C.: Apr. 8, 2003). [36] Trading partners are U.S. government agencies, departments, or other components that do business with each other. [37] In our October 2002 FFMIA report, we stated that auditors had discussed the lack of accurate and timely recording of transactions at 12 agencies. As part of our analysis of most recent agency audit reports, it became apparent that these problems were reported in prior years for 2 additional agencies, but the earlier audit reports did not include sufficient detail to make these assessments. [38] PricewaterhouseCoopers, Report of Independent Accountants, January 15, 2003, FY 2002 Performance & Accountability Report, U.S. Department of Justice. [39] To help address deficiencies with its legacy general ledger system, as a first step in upgrading its overall financial management system, FHA implemented the general ledger module of a COTS software package on October 1, 2002. This module automates the monthly interface of summary-level balances with HUDCAPS. [40] U.S. General Accounting Office, Department of Housing and Urban Development: Status of Efforts to Implement an Integrated Financial Management System, GAO-03-447R (Washington, D.C.: Apr. 9, 2003). [41] FAA has efforts underway to implement a cost accounting system as required by the Federal Aviation Reauthorization Act of 1996 (Pub. L. No. 104-264, 110 Stat. 3213, 3248 (1996)). The U.S. Coast Guard has a cost accounting system used for determining vessel documentation user fees. [42] The other four crosscutting initiatives are improved financial performance, strategic human capital management, competitive sourcing, and expanded electronic government. [43] GAO-03-931T. [44] U.S. General Accounting Office, Information Security: Progress Made, But Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructures, GAO-03-564T (Washington, D.C.: Apr. 8, 2003). [45] U.S. General Accounting Office, High-Risk Series: An Update, GAO- 01-263 (Washington, D.C.: January 2001). [46] These provisions are part of the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001, Pub. L. No. 106-398, 114 Stat. 1654, 1654A-266 (2000). [47] Office of Management and Budget, FY 2002 Report to Congress on Federal Government Information Security Reform (May 16, 2003). [48] U.S. General Accounting Office, Information Security: Continued Efforts Needed to Fully Implement Statutory Requirements, GAO-03-852T (Washington, D.C.: June 24, 2003). [49] Pub. L. No. 107-347, title III, 116 Stat. 2899, 2946 (2002). [50] 44 U.S.C. 3544(c)(3). [51] EPA's systems were found by its auditors to be in substantial compliance with the managerial cost accounting standard. [52] GAO-02-29. [53] The Financial Audit Manual, jointly issued by GAO and the PCIE, provides the methodology for performing financial statement audits of federal entities. [54] GAO-02-29. [55] GAO-03-903R. [56] Core financial systems, as defined by JFMIP, include managing general ledger, funding, payments, receivables, and certain basic cost functions. Core financial systems receive data from other financial and feeder systems--such as acquisition, grant, and human resource and payroll systems--as well as from direct user input, and provide data for financial performance measurement and analysis and for financial statement preparation. [57] The PMO, which is managed by JFMIP's Executive Director with funds provided by the CFO Council agencies, tests vendor COTS packages and certifies that they meet certain financial management system requirements for core financial systems. [58] The certification of a new core financial system software by the PMO is applicable at the time of purchase. Agency management is responsible for implementing and maintaining the software in accordance with JFMIP's core financial system requirements. See app. I for a further discussion of systems requirements. [59] Examples of administrative systems are those common to all agencies such as budget, acquisition, travel, property, and payroll. [60] Programmatic systems are those needed to carry out an agency's mission. For example, HHS needs a grants management system to carry out its mission. [61] Customization is the process of setting parameters within an application to make it operate in accordance with the entity's business rules. Customizations are normally supported by vendors in subsequent upgrades. Modification is the process of writing or changing code and modifications are not supported by vendors in subsequent upgrades. [62] Justice plans a staggered implementation approach of its new core financial system in its component agencies with target completion dates ranging from October 2004 to October 2007. [63] NSF's core financial system was implemented in 1992. The maintenance needed to migrate the system to a client-server platform was completed in April 2001. [64] Although Treasury does not have an agencywide core financial system, it does utilize automated tools and a central data warehouse for analysis and reporting. [65] GAO-03-507. [66] DOD intended CIM to reform all of its functional areas--including finance, procurement, materials management, and human resources-- through the consolidation, standardization, and integration of its numerous, duplicative information systems. After 8 years and about $20 billion in expenditures, DOD abandoned the initiative. [67] GAO-03-465 and GAO-03-458. [68] GAO-03-458. [69] The Standish Group is a well-known research advisory firm that focuses on mission-critical software applications, management techniques, and technologies. [70] The Standish Group's research is done through focus groups, in- depth surveys, and extensive interviews with Fortune 500 Companies. [71] Successful implementation is defined as a project that is completed on time, on budget, and with all the features and functions originally specified. [72] U.S. General Accounting Office, Executive Guide: Creating Value Through World-class Financial Management, GAO/AIMD-00-134 (Washington, D.C.: April 2000). [73] These five crosscutting initiatives are (1) improved financial performance, (2) strategic human capital management, (3) competitive sourcing, (4) expanded electronic government, and (5) budget and performance integration. [74] The JFMIP Principals are the Secretary of the Treasury, the Directors of OMB and OPM, and the Comptroller General of the United States. [75] These success measures include financial management systems that routinely provide timely, reliable, and useful financial information and no material control weaknesses or material noncompliance with laws and regulations as well as FFMIA. [76] GAO-03-572T. [77] The Integrated Acquisition Environment is one of the 25 projects of the e-gov initiative. [78] The BPN is the single point of registration and validation of vendor data for all agencies. [79] Pub. L. No. 107-289, 116 Stat. 2049 (2002). [80] An enterprise architecture provides a clear and comprehensive picture of an entity, whether it is an organization (e.g., federal department or agency) or a functional or mission area that cuts across more than one organization (e.g., financial management). This picture consists of snapshots of both the enterprise's current or "As Is" operational and technological environment and its target or "To Be" environment, as well as a capital investment road map for transitioning from the current to the target environment. These snapshots further consist of "views," which are basically one or more architecture products that provide conceptual or logical representations of the enterprise. [81] The President's budget request for IT spending was $59.4 billion for fiscal year 2004. [82] OMB has established the FEAPMO to develop a comprehensive, business-driven blueprint for modernizing the federal government. [83] Office of Management and Budget, Implementing the President's Management Agenda for E-Government, E-Government Strategy (April 2003). [84] There is no consistent definition for the term "program." For purposes of PART, the unit of analysis (program) should have a discrete level of funding clearly associated with it. [85] GAO-03-1022T. [86] U.S. General Accounting Office, Competitive Sourcing: Challenges in Expanding A-76 Governmentwide, GAO-02-498T (Washington, D.C.: Mar. 6, 2002). [87] Office of the Inspector General, Department of Defense, Infrastructure and Environment: Public/Private Competition for the Defense Finance and Accounting Service Military Retired and Annuitant Pay Functions, D-2003-056 (Mar. 21, 2003). [88] U.S. General Accounting Office, Management Reform: Continuing Progress in Implementing Initiatives in the President's Management Agenda, GAO-03-556T (Washington, D.C.: Mar. 26, 2003). [89] Joint Financial Management Improvement Program, The Federal Financial Management Workforce Of the Future--Building a World Class Financial Workforce (September 2003). [90] The owner of the improved financial performance initiative is Linda M. Springer, Controller, Office of Federal Financial Management, Office of Management and Budget. [91] The "status" is assessed against the standards of success developed for each initiative and published in the fiscal year 2003 budget. [92] As defined by OMB, green is the appropriate score when all of the standards for success are met. Yellow is the score given when some, but not all, of the criteria have been achieved. Red is given when there are any one of a number of serious flaws. [93] The administration assesses "progress" on a case-by-case basis against the deliverables and timelines, established for the five initiatives, agreed upon with each agency. [94] As defined by OMB, green is the appropriate score when implementation is occurring according to plans. Yellow is given when some slippage or other issues requiring adjustment by the agency is needed to achieve the initiative objectives on a timely basis. The red score is given when the initiative is in serious jeopardy and the objectives are unlikely to be realized unless there is significant management intervention. [95] GAO-03-31. [96] GAO-03-31. [97] U.S. General Accounting Office, Information Security: Effective Patch Management Is Critical to Mitigating Software Vulnerabilities, GAO-03-1138T (Washington, D.C.: Sept. 10, 2003). [98] Core financial systems, as defined by JFMIP, include managing general ledger, funding, payments, receivables, and certain basic cost functions. JFMIP's most recent update of its core financial system requirements publication was issued in November 2001. [99] Examples of administrative systems include budget, acquisition, travel, property, and human resources and payroll. [100] Circular A-127 references the series of publications entitled Federal Financial Management Systems Requirements, issued by JFMIP, as the primary source of governmentwide requirements for financial management systems. [101] In October 1990, the Secretary of the Treasury, the Director of OMB, and the Comptroller General established FASAB to develop a set of generally accepted accounting standards for the federal government. Effective July 1, 2002, FASAB is comprised of six nonfederal or public members and the three Sponsors. Moreover, effective October 1, 2003, FASAB will also include one member from the Congressional Budget Office. [102] Accounting standards are authoritative statements of how particular types of transactions and other events should be reflected in financial statements. SFFACs explain the objectives and ideas upon which FASAB develops the standards. [103] An interpretation is a document of narrow scope that provides clarifications of original meaning, additional definitions, or other guidance pertaining to an existing federal accounting standard. [104] In 1997, FASAB, in conjunction with OMB, Treasury, GAO, the CFO Council, and the President's Council on Integrity and Efficiency, established AAPC to assist the federal government in improving financial reporting. [105] SGL guidance is published in the Treasury Financial Manual. Treasury's Financial Management Service is responsible for maintaining the SGL and answering agency inquiries. [106] U.S. General Accounting Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3 (Washington, D.C.: November 1999). GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: