This is the accessible text file for GAO report number GAO-05-20
entitled 'Financial Management: Improved Financial Systems Are Key to
FFMIA Compliance' which was released on October 01, 2004.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
October 2004:
FINANCIAL MANAGEMENT:
Improved Financial Systems Are Key to FFMIA Compliance:
GAO-05-20:
GAO Highlights:
Highlights of GAO-05-20, a report to the Senate Committee on
Governmental Affairs and the House Committee on Government Reform.
Why GAO Did This Study:
The ability to produce the data needed to efficiently and effectively
manage the day-to-day operations of the federal government and provide
accountability to taxpayers has been a long-standing challenge to most
federal agencies. To help address this challenge, the Federal Financial
Management Improvement Act of 1996 (FFMIA) requires the 23 Chief
Financial Officers Act agencies to implement and maintain financial
management systems that comply substantially with (1) federal
financial management systems requirements, (2) applicable federal
accounting standards, and (3) the U.S. Government Standard General
Ledger (SGL) at the transaction level. FFMIA also requires GAO to
report annually on the implementation of the act.
What GAO Found:
Federal agencies continue to make progress in addressing their
financial management weaknesses; however, for fiscal year 2003,
auditors for 17 of the 23 CFO Act agencies still reported that
agencies’ financial management systems failed to comply with FFMIA.
The nature and severity of the reported problems indicate that
generally agency management lacked the full range of reliable, useful,
and timely information needed for accountability, performance
reporting, and decision making. As shown in the figure below, six main
types of problems related to agencies’ systems were consistently
identified.
Problems Reported by Auditors for Fiscal Years 2000 through 2003:
[See PDF for image]
Note: Based on independent auditors’ reports for fiscal years 2000 –
2003, prepared by agency inspectors general and contract auditors.
[End of table]
As prescribed in OMB’s reporting guidance, auditors for six agencies
provided negative assurance on agency systems’ FFMIA compliance for
fiscal year 2003. This means that nothing came to their attention to
indicate that financial management systems did not meet FFMIA
requirements. GAO continues to believe that this type of reporting is
not sufficient under the act and that report users may have the false
impression that auditors have reported agency systems to be compliant.
To address problems such as nonintegrated systems, inadequate
reconciliations, and lack of SGL compliance, agencies are implementing
or upgrading financial management systems. Agencies anticipate the new
systems will provide reliable, useful, and timely data to support
managerial decision making. However, our work at DOD, HHS, and NASA
has shown significant problems exist in implementing financial
management systems and that agencies are not following the necessary
disciplined processes for efficient and effective implementation of
these systems. Disciplined processes have been shown to reduce the
risks associated with software development and acquisition efforts to
acceptable levels and are fundamental to successful system acquisition
and implementation. Moreover, governmentwide initiatives to improve
financial management systems can help enhance the government’s
performance and services for citizens.
What GAO Recommends:
GAO reaffirms its prior recommendations that OMB revise its FFMIA
audit guidance to:
(1) include a statement of positive assurance when reporting an
agency’s systems to be in substantial compliance with FFMIA, and
(2) clarify the definition of “substantial compliance” to promote
consistent reporting of FFMIA compliance.
As in the past, OMB did not agree with our view on the need for
auditors to provide positive assurance on FFMIA, but agreed to
consider clarifying the definition of “substantial compliance” in
future policy and guidance updates.
www.gao.gov/cgi-bin/getrpt?GAO-05-20.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Sally Thompson at (202)
512-2600 or thompsons@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Scope and Methodology:
Continued Systems Weaknesses Impede Financial Management
Accountability:
Agencies Struggle to Implement New Financial Systems:
Conclusions:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Requirements and Standards Supporting Federal Financial
Management:
Appendix II: Publications in the Federal Financial Management Systems
Requirements Series:
Appendix III: Statements of Federal Financial Accounting Concepts,
Statements of Federal Financial Accounting Standards, and
Interpretations:
Appendix IV: AAPC Technical Releases:
Appendix V: Checklists for Reviewing Systems under the Federal
Financial Management Improvement Act:
Appendix VI: Comments from the Office of Management and Budget:
Appendix VII: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Acknowledgments:
Table:
Table 1: PMO-Certified Core Financial Systems:
Figures:
Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through
2003:
Figure 2: Pyramid to Accountability and Useful Management Information:
Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000 through
2003:
Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through
2003:
Figure 5: Agency Systems Architecture:
Abbreviations:
AAPC: Accounting and Auditing Policy Committee:
AID: Agency for International Development:
ARS: Accrual Reporting System:
BSM: Business Systems Modernization:
CDC: Centers for Disease Control and Prevention:
CFO: chief financial officer:
CMS: Centers for Medicare and Medicaid Services:
CoreFLS: Core Financial and Logistics System:
COTS: commercial off-the-shelf:
DHS: Department of Homeland Security:
DLA: Defense Logistics Agency:
DOD: Department of Defense:
EPA: Environmental Protection Agency:
FAM: GAO/PCIE Financial Audit Manual:
FASAB: Federal Accounting Standards Advisory Board:
FFMIA: Federal Financial Management Improvement Act:
FFMSR: Federal Financial Management System Requirements:
FIA: Federal Managers' Financial Integrity Act:
FISMA: Federal Information Security Management Act:
GSA: General Services Administration:
HHS: Department of Health and Human Services:
IEEE: Institute of Electrical and Electronic Engineers:
IFMP: Integrated Financial Management Program:
IRS: Internal Revenue Service:
JFMIP: Joint Financial Management Improvement Program:
LOB: Line of Business:
LMP: Logistics Modernization Program:
NASA: National Aeronautics and Space Administration:
NBRSS: NIH Business and Research Support System:
NIH: National Institutes of Health:
NRC: Nuclear Regulatory Commission:
NSF: National Science Foundation:
OIG: Office of Inspector General:
OMB: Office of Management and Budget:
OPM: Office of Personnel Management:
PART: Performance and Assessment Rating Tool:
PCIE: President's Council on Integrity and Efficiency:
PMA: President's Management Agenda:
PMO: Program Management Office:
SEI: Software Engineering Institute:
SFFAC: Statements of Federal Financial Accounting Concepts:
SFFAS: Statement of Federal Financial Accounting Standards:
SGL: U.S. Government Standard General Ledger:
SSA: Social Security Administration:
UFMS: Unified Financial Management System:
VA: Department of Veterans Affairs:
Letter October 1, 2004:
The Honorable Susan M. Collins:
Chairman:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Governmental Affairs:
United States Senate:
The Honorable Tom Davis:
Chairman:
The Honorable Henry A. Waxman:
Ranking Minority Member:
Committee on Government Reform:
House of Representatives:
Many federal agencies still lack the ability to produce the data needed
to efficiently and effectively manage day-to-day operations and provide
an acceptable level of accountability to taxpayers. To address this
long-standing weakness of the federal government, the Chief Financial
Officers (CFO) Act of 1990[Footnote 1] designates executive branch
officials with responsibility for the modernization of financial
management systems, so that the systematic measurement of performance;
the development of cost information; and the integration of program,
budget, and financial information for management reporting can be
achieved.
The Federal Financial Management Improvement Act of 1996[Footnote 2]
(FFMIA) builds on the foundation laid by the CFO Act by reflecting the
need for agencies to have systems that can generate reliable, useful,
and timely information with which to make fully informed decisions and
to ensure accountability on an ongoing basis. FFMIA requires the CFO
Act agencies[Footnote 3] to implement and maintain financial management
systems that comply substantially with (1) federal financial management
systems requirements, (2) applicable federal accounting standards, and
(3) the U.S. Government Standard General Ledger (SGL) at the
transaction level. The act also requires auditors to state in their
audit reports whether the agencies' financial management systems
substantially comply with the act's requirements. Furthermore, we are
required to report annually on the implementation of the act. This
report, our eighth, discusses (1) the auditors' assessments of agency
systems' compliance with FFMIA for fiscal year 2003 and the financial
management systems problems that continue to affect systems' FFMIA
compliance and (2) the challenges agencies have faced when implementing
financial systems to help move toward FFMIA compliance.
We conducted our work from April through August 2004 in the Washington,
D.C., area in accordance with U.S. generally accepted government
auditing standards.
Results in Brief:
Although agencies continue to make some progress in addressing their
financial management systems weaknesses, the fiscal year 2003 audit
reports disclose that agencies' financial management systems continue
to have serious deficiencies. As a result of these deficiencies, most
agencies' financial management systems are still unable to routinely
produce reliable, useful, and timely financial information. This
weakness manifests itself by limiting the federal government's capacity
to manage with timely and objective data, and thereby hampers its
ability to effectively manage and oversee its major programs.
Auditors for 17 of the 23 CFO Act agencies reported that their
agencies' financial management systems did not comply substantially
with one or more of the three FFMIA requirements. Auditors' assessments
for three agencies changed from fiscal year 2002 to 2003. For fiscal
year 2003, auditors for the Department of Commerce were able to provide
negative assurance due to the implementation of a new integrated
financial management system and improvements in general information
technology controls. Auditors at the Nuclear Regulatory Commission
(NRC) were also able to provide negative assurance due to a redesign of
the agency's cost accounting system and enhancement of the internal
controls and operating procedures documentation. Systems of both
agencies had been reported as lacking substantial compliance with FFMIA
for fiscal year 2002. Conversely, auditors for the General Services
Administration (GSA), which implemented a new financial management
system in fiscal year 2002, reported that GSA's systems lacked
substantial compliance for fiscal year 2003 because they did not
substantially comply with federal financial management systems
requirements. Specifically, the auditors found that GSA lacked adequate
policies and procedures for reconciliations and that the
reconciliations performed were not completed in a timely manner, a
downgrade from the fiscal year 2002 assessment.
The Department of Homeland Security (DHS) is currently not subject to
the CFO Act and, consequently, is not required to comply with FFMIA.
Accordingly, DHS' auditors did not report on the department's
compliance with FFMIA. However, the auditors did identify and report
certain deficiencies that relate to the three FFMIA requirements. Based
on its budget, DHS is the largest entity in the federal government that
is neither subject to the CFO Act nor required to comply with FFMIA
system requirements. Given the need for strong financial management,
consideration is now being given by each house of Congress to adding
DHS to the list of CFO Act agencies.
Auditors for six agencies[Footnote 4] reported that the results of
their tests disclosed no instances in which the agencies' systems did
not substantially comply with FFMIA. The auditors did not provide
positive assurance by definitively stating whether the agencies'
financial management systems substantially complied with FFMIA.
Instead, the auditors provided negative assurance of FFMIA compliance
as permitted by the Office of Management and Budget's (OMB) audit
guidance. To provide positive assurance as required by the act, more
testing is necessary than that performed for the purposes of rendering
an opinion on the financial statements.
Based on our review of the fiscal year 2003 audit reports for the 17
agencies reported to have noncompliant systems, we identified six
continuing, primary problems that affect FFMIA compliance. (See fig.
1.) While more severe at some agencies than others, the nature and
seriousness of the reported problems indicate that generally most
agencies' financial management systems are not yet able to routinely
produce reliable, useful, and timely financial information.
Figure 1: Problems Reported by Auditors for Fiscal Years 2000 through
2003:
[See PDF for image]
Note: Based on independent auditors' reports for fiscal years 2000-
2003, prepared by agency inspectors general and contract auditors.
[End of figure]
Many agencies are in the process of updating or replacing their core
financial systems as part of their financial management system
improvement efforts. However, our work at the Department of Defense
(DOD), the Department of Health and Human Services (HHS), and the
National Aeronautics and Space Administration (NASA) and the work of
the Department of Veterans Affairs (VA) Office of Inspector General
(OIG) have shown that agencies face significant risk in implementing
financial management systems and have not always followed accepted best
practices for systems development and implementation, commonly referred
to as disciplined processes, for efficient and effective system
development and implementation of financial management systems.
Disciplined processes have been shown to reduce the risks associated
with software development and acquisition efforts to acceptable levels
and are fundamental to successful system acquisition and
implementation. A disciplined software development and acquisition
process can maximize the likelihood of achieving the intended results
within established costs and on schedule. The key to having a
disciplined system acquisition and implementation effort is to have
disciplined processes in multiple areas, including requirements
management, testing, project planning and oversight, risk management,
and quality assurance.
We found in our review of agencies' implementation of new financial
management systems and a review by the VA OIG[Footnote 5] also reported
that disciplined processes are not being followed. For example:
* In May 2004, we reported[Footnote 6] that for two major DOD financial
management systems, the initial deployments did not operate as intended
and, therefore, did not meet component-level needs. In large part,
these operational problems were due to DOD not effectively implementing
the disciplined processes that are necessary to manage the development
and implementation of the systems in the areas of requirements
management and testing. DOD program officials have acknowledged that
the initial deployments of these systems experienced problems that
could be attributed to requirements and testing.
* In September 2004, we reported[Footnote 7] that the lack of
disciplined processes puts implementation of HHS' financial system at
risk. HHS had not developed sufficient quantitative measures for
determining the impact of process weaknesses, cannot be assured that
the system will provide all of the functionality needed, and had not
developed the necessary framework for testing requirements. Further,
its schedule left little time for correcting process weaknesses and
identified defects. As a result, HHS has decided to delay the
implementation of a significant amount of functionality associated with
the initial full deployment from October 2004 until April 2005 in order
to address the issues that had been identified with the project.
* As we have reported[Footnote 8] numerous times in 2003 and 2004, NASA
faces considerable challenges in implementing a financial management
system--the Integrated Financial Management Program (IFMP). NASA is on
its third attempt in 12 years to modernize its financial management
process and systems, and has spent about $180 million on its two prior
failed efforts. NASA was not following key best practices for acquiring
and implementing the system. For example, NASA lacked disciplined
requirements management and testing processes. As a result, NASA
increased its risk that IFMP would cost more and do less than planned.
The core financial module, which was fully deployed in June 2003 as
called for in the project schedule, still did not address many of the
agency's most challenging external reporting issues, such as external
reporting problems related to property accounting and budgetary
accounting. Additionally, NASA deferred the configuration and testing
of several essential capabilities of the financial module and is not
FFMIA compliant.
* VA recently halted implementation of its new core financial system in
July 2004 that had cost about $249 million. The VA OIG reported that
contracting and monitoring of the VA project were not adequate and the
pilot deployment of the system encountered multiple problems.
As the federal government moves forward on new initiatives to enhance
financial management and provide results-oriented information, it is
crucial that disciplined processes are effectively used to reduce risks
related to implementing governmentwide solutions. Moreover, ensuring
that staff with the requisite skills are in place to implement and
operate new financial management systems is critical to success.
While we are not making any new recommendations in this report, we
reaffirm our prior recommendations[Footnote 9] aimed at enhancing OMB's
audit guidance related to FFMIA assessments. Specifically, we
recommended that OMB (1) require agency auditors to provide a statement
of positive assurance when reporting an agency's systems to be in
substantial compliance with FFMIA and (2) further clarify the
definition of "substantial compliance" to encourage consistent
reporting.
In commenting on a draft of this report, OMB agreed with our assessment
that agencies have a long way to go before federal managers receive the
data needed to efficiently and effectively manage the day-to-day
operations of the federal government. Moreover, OMB agreed with us that
financial management success encompasses more than agencies receiving
unqualified opinions on their financial statements. As in previous
years, we and OMB have differing views on the level of audit assurance
necessary for assessing substantial compliance with FFMIA. We will
continue to work with OMB on this issue. Our detailed evaluation of
OMB's comments can be found at the end of this letter.
Background:
FFMIA and other financial management reform legislation have emphasized
the importance of improving financial management across the federal
government. Beginning in 1990, the Congress has passed a series of
management reform legislation to improve the general and financial
management of the federal government. As shown in figure 2, the
combination of reforms ushered in by the (1) CFO Act of 1990, (2)
Government Performance and Results Act of 1993,[Footnote 10] (3)
Government Management Reform Act of 1994,[Footnote 11] (4) FFMIA, (5)
Clinger-Cohen Act of 1996,[Footnote 12] and (6) Accountability of Tax
Dollars Act of 2002,[Footnote 13] if successfully implemented, provides
a solid basis for improving accountability of government programs and
operations as well as routinely producing valuable cost and operating
performance information.
Figure 2 shows the three levels of the pyramid that result in the end
goal, accountability and useful management information. The bottom
level of the pyramid is the legislative framework that underpins the
improvement of the general and financial management of the federal
government. The second level shows the drivers that build on the
legislative requirements and influence agency actions to meet these
requirements. The three drivers are the (1) President's Management
Agenda (PMA), (2) congressional and other oversight, and (3) the Joint
Financial Management Improvement Program (JFMIP). The third level of
the pyramid represents the key success factors for accountability and
meaningful management information--integrating core and feeder
financial systems, producing reliable financial and performance data
for reporting, and ensuring effective internal control. The result of
these three levels, as shown at the top of the pyramid, is
accountability and meaningful management information needed to assess
and improve the government's effectiveness, financial condition, and
operating performance.
Figure 2: Pyramid to Accountability and Useful Management Information:
[See PDF for image]
[End of figure]
Building on the foundation laid by the CFO Act, FFMIA reflects the need
for agencies to have systems that can generate reliable, useful, and
timely information with which to make fully informed decisions and to
ensure accountability on an ongoing basis. FFMIA requires the
departments and agencies covered by the CFO Act to implement and
maintain financial management systems that comply substantially with
(1) federal financial management systems requirements, (2) applicable
federal accounting standards,[Footnote 14] and (3) the SGL[Footnote 15]
at the transaction level. FFMIA also requires auditors to state in
their CFO Act financial statement audit reports whether the agencies'
financial management systems substantially comply with FFMIA's systems
requirements.
President's Management Agenda Supported by FFMIA Initiatives:
The PMA, announced in the summer of 2001, is a plan for improving the
management and performance of the federal government. It targets the
most apparent deficiencies, where the opportunity to improve
performance is the greatest. The modernization of agency financial
management systems, as reflected in FFMIA, is critical to the success
of all five PMA initiatives.[Footnote 16] Although FFMIA implementation
relates directly to the improved financial performance initiative,
development and maintenance of FFMIA-compliant systems will also affect
the implementation of the other initiatives.
A key element of PMA's performance budgeting initiative is the
Performance and Assessment Rating Tool (PART). The development of PART
represents a step toward a more structured involvement of program and
performance analysis in the budget. It is a systematic method of
assessing the performance of program activities across the federal
government, consisting of a set of general questions on (1) program
purpose and design, (2) strategic planning, (3) program management, and
(4) program results. It also includes a set of more specific questions,
which vary according to the type of delivery mechanism or approach an
individual program uses, and calls for timely, reliable data to perform
those assessments.
Congressional Oversight Helps Provide Accountability:
The leadership demonstrated by the Congress has been an important
catalyst to reforming financial management in the federal government.
As previously discussed, the legislative framework provided by the CFO
Act and FFMIA, among others, produces a solid foundation to stimulate
change needed to achieve sound financial systems management. For
example, in November 2002, the Congress enacted the Accountability of
Tax Dollars Act to extend the financial statements audit requirements
of the CFO Act to additional federal agencies. Further, the Congress is
currently contemplating adding DHS to the list of CFO Act agencies and
requiring DHS to obtain an audit opinion on its internal controls.
There is value in sustained congressional interest in these issues, as
demonstrated by hearings on federal financial management and reform
held over the past several years. It will be key that the
appropriations, budget, authorizing, and oversight committees hold
agency top management accountable for resolving these problems and that
they support improvement efforts. The continued attention by the
Congress to these issues will be critical to sustaining momentum for
financial management reform.
JFMIP Works to Improve Federal Financial Management:
JFMIP is a joint and cooperative undertaking of the U.S. Department of
the Treasury, GAO, OMB, and the Office of Personnel Management (OPM),
working in cooperation to improve financial management practices in the
federal government.[Footnote 17] Leadership is provided by the four
principals of JFMIP--the Comptroller General of the United States, the
Secretary of the Treasury, and the Directors of OMB and OPM. Since
August 2001, the JFMIP principals have met regularly to discuss
financial management issues, such as the acceleration of financial
statement reporting. The Program Management Office (PMO), managed by
the Executive Director of the JFMIP using funds provided by the CFO
Council agencies, is responsible for the testing and certification of
commercial off-the-shelf (COTS) core financial systems for use by
federal agencies and coordinating the development and publication of
functional requirements for financial management systems.[Footnote 18]
OMB Circular No. A-127, Financial Management Systems, requires agencies
to purchase only COTS packages sold by vendors whose core financial
systems software has been certified by PMO. As shown in table 1, in
2003 and 2004, PMO certified that six core financial software packages
met the core financial systems requirements.
Table 1: PMO-Certified Core Financial Systems:
Vendor name: SAP Public Services, Inc. (SAP);
Product: mySAP ERP with Enterprise Add-on for Public Sector and
Extension Set;
Version: v4.7;
Effective Date: 6/10/2003.
Vendor name: American Management Systems, Inc. (AMS);
Product: Momentum Financials;
Version: v5.0;
Effective Date: 6/12/2003.
Vendor name: Digital Systems Group, Inc;
Product: Integrated Financial Management Information Systems (IFMIS);
Version: v6.0;
Effective Date: 6/25/2003.
Vendor name: Oracle Corporation;
Product: Oracle E-Business Suite 11i;
Version: v11i.9;
Effective Date: 9/10/2003.
Vendor name: PeopleSoft, Inc;
Product: PeopleSoft Financial Management Solutions (FMS);
Version: v8.8;
Effective Date: 2/10/2004.
Vendor name: Savantage Solutions, Inc;
Product: Altimate;
Version: v3.0;
Effective Date: 3/16/2004.
Source: PMO.
[End of table]
PMO assesses COTS packages for conformity with the minimum level or
"floor" of system requirements. Therefore agencies should be aware that
simply implementing a core financial system that has been certified by
PMO does not ensure that these agencies will have financial systems
that are compliant with FFMIA or provide reliable, useful, and timely
data for day-to-day management. Factors that affect the FFMIA
compliance and the effectiveness of an implemented COTS core financial
system include how the software package has been configured to work in
the agency's environment, whether any customization is made to the
software, the success of converting data from legacy systems to new
systems, and the quality of transaction data in the feeder systems.
Guidance for FFMIA Issued by OMB:
OMB sets governmentwide financial management policies and requirements
and has issued two sources of guidance related to FFMIA. First, OMB
Bulletin No. 01-02, Audit Requirements for Federal Financial
Statements, dated October 16, 2000, prescribes specific language
auditors should use when reporting on an agency system's substantial
compliance with FFMIA. Specifically, this guidance calls for auditors
to provide negative assurance when reporting on an agency system's
FFMIA compliance. Second, in OMB Memorandum, Revised Implementation
Guidance for the Federal Financial Management Improvement Act (Jan. 4,
2001), OMB provides guidance for agencies and auditors to use in
assessing substantial compliance. The guidance describes the factors
that should be considered in determining whether an agency's systems
substantially comply with FFMIA's requirements. Further, the guidance
provides examples of the types of indicators that should be used as a
basis in assessing whether an agency's systems are in substantial
compliance with each of the three FFMIA requirements. Finally, the
guidance discusses the corrective action plans, to be developed by
agency heads, for bringing their systems into compliance with FFMIA.
Financial Audit Manual Section on FFMIA Developed by PCIE and GAO:
We worked with representatives from the President's Council on
Integrity and Efficiency (PCIE) to revise the joint GAO/PCIE Financial
Audit Manual[Footnote 19] (FAM) to include sections[Footnote 20] that
provide specific procedures auditors should perform when assessing
FFMIA compliance. These sections include detailed audit steps for
testing agency systems' substantial compliance with FFMIA. The FAM
guidance on FFMIA assessments recognizes that while financial statement
audits offer some assurance regarding FFMIA compliance, auditors should
design and implement additional testing to satisfy FFMIA criteria. For
example, in performing financial statement audits, auditors generally
focus on the ability of the financial management systems to process and
summarize financial information that flows into annual agency financial
statements. In contrast, FFMIA requires auditors to assess whether an
agency's financial management systems comply with system requirements.
To do this, auditors need to consider whether agency systems provide
reliable, useful, and timely information for managing day-to-day
operations so that agency managers would have the necessary information
to measure performance on an ongoing basis rather than just at year-
end.
Scope and Methodology:
We reviewed the fiscal year 2003 financial statement audit reports for
the 23 CFO Act agencies to identify the auditors' assessments of agency
financial systems' compliance and the problems that affect FFMIA
compliance. We also reviewed the fiscal year 2003 financial statement
audit report for DHS to identify any FFMIA-related issues. Our prior
experience with these auditors and our review of their reports provided
the basis to determine the sufficiency and relevancy of evidence
provided in these documents. Based on the audit reports, we identified
problems reported by the auditors that affect agency systems'
compliance with FFMIA. The problems identified in these reports are
consistent with long-standing financial management weaknesses that we
have reported based on our work at the Department of Agriculture, NASA,
Treasury, and other agencies. However, we caution that the occurrence
of problems in a particular category may be even greater than auditors'
reports of FFMIA noncompliance would suggest because auditors may not
have included all problems in their reports.
We also reviewed our previously issued reports and those by the
inspectors general to identify the challenges federal agencies face
when implementing new systems. Finally, we held discussions with OMB
officials to obtain information about its current efforts to help
agencies develop systems that will comply with FFMIA.
We conducted our work from April through August 2004 in the Washington,
D.C., area in accordance with U.S. generally accepted government
auditing standards. We requested comments on a draft of this report
from the Director of OMB or his designee. Comments from OMB are
discussed in the "Agency Comments and Our Evaluation" section and
reprinted in appendix VI.
Continued Systems Weaknesses Impede Financial Management
Accountability:
While agencies are making some progress in producing auditable
financial statements and addressing their financial management systems
weaknesses, the vast majority of agency systems are still not
substantially compliant with FFMIA's requirements. Figure 3 summarizes
auditors' assessments of FFMIA compliance for fiscal years 2000 through
2003 and suggests that the instances of noncompliance with FFMIA's
three requirements have remained fairly constant. For fiscal year 2003,
OIGs and their contract auditors reported that the systems of 17 of the
23 CFO Act agencies did not substantially comply with at least one of
FFMIA's three requirements--federal financial management systems
requirements, applicable federal accounting standards, or the SGL at
the transaction level.[Footnote 21]
In fiscal year 2002, auditors for five agencies (SSA, Energy, NSF, EPA,
and GSA) provided negative assurance that the agencies' financial
systems were in compliance with FFMIA. In fiscal year 2003, the
auditors at two additional agencies, Commerce and NRC, provided
negative assurance that the systems at those agencies were in
compliance with FFMIA, while auditors reported GSA's systems to be
noncompliant.
At Commerce, the auditors were able to provide negative assurance due
to the implementation of a new integrated financial management system,
combined with improvements in general information technology controls.
Auditors at NRC provided negative assurance due to a redesign of the
agency's cost accounting system and enhancement of the internal
controls and operating procedures documentation. In contrast, for
fiscal year 2003, GSA's systems were found to be noncompliant by its
auditors due to reconciliation issues related to a newly implemented
system. Specifically, the auditors concluded that the systems GSA
relied on during fiscal year 2003 failed to perform timely
reconciliations of accounts payable and undelivered orders, Fund
Balance with Treasury, and accounts receivable, which represented a
lack of substantial compliance with FFMIA. In total, for 6 of the 23
CFO Act agencies, the auditors provided negative assurance by stating
that nothing came to their attention that would indicate the systems
did not comply with FFMIA for fiscal year 2003.
Figure 3: Auditors' FFMIA Assessments for Fiscal Years 2000 through
2003:
[See PDF for image]
Note: Based on independent auditors' reports for fiscal years 2000-
2003, prepared by agency inspectors general and contract auditors.
[End of figure]
While more CFO Act agencies have obtained clean or unqualified audit
opinions on their financial statements, there is little evidence of
marked improvements in agencies' capacities to create the full range of
information needed to manage day-to-day operations. The number of
unqualified opinions has been increasing over the past 7 years, from 11
in fiscal year 1997 to 20 for fiscal year 2003; but the number of
agencies reported to have substantially noncompliant systems has
remained relatively steady. While the increase in unqualified opinions
is noteworthy, a more important measure of financial systems'
capability and reliability is that the number of agencies for which
auditors provided negative assurance of FFMIA compliance has remained
relatively constant throughout this same period. In our view, this has
led to an expectation gap since, as more agencies receive clean
opinions, expectations are raised that the government has sound
financial management and can produce reliable, useful, and timely
information on demand throughout the year, whereas FFMIA assessments
offer a different perspective.
All CFO Act agencies issued their audited financial statements by the
accelerated reporting deadline of February 1, 2004, for agency fiscal
year 2003 financial statements. However, the deadline for issuance of
fiscal year 2004 audited financial statements is November 15, 2004,
just 45 days after the close of the fiscal year. Auditors at several of
the CFO Act agencies reported that the agencies may not be able to
produce auditable financial statements within the accelerated time
frame for fiscal year 2004 without making fundamental changes to
improve a number of their financial management practices.
DHS Is Not Required To Comply with FFMIA:
DHS is not subject to the CFO Act and, consequently, is not required to
comply with FFMIA. Accordingly, DHS' auditors did not report on the
department's compliance with FFMIA in fiscal year 2003. However, the
auditors identified and reported deficiencies that relate to the three
FFMIA requirements.
Based on its budget, DHS is the largest entity in the federal
government that is not subject to the CFO Act nor required to comply
with FFMIA system requirements. Creating strong financial management at
DHS is particularly challenging because most of the 22 entities brought
together to form the department have their own financial management
systems; processes; and in some cases, deficiencies. For example, five
of the seven major agencies that transferred to DHS had 30 reportable
conditions, 18 of which were considered material internal control
weaknesses for fiscal year 2002 and four of the major agencies--that
had previously been subject to stand-alone audits--had financial
management systems that were not in substantial compliance with FFMIA.
Some progress has been made in addressing the internal control
weaknesses it inherited from component agencies. Nine of the 30
inherited internal control weaknesses have been closed as of September
30, 2003. For DHS to develop a strong financial management
infrastructure, it will need to address these and many other financial
management issues.
We fully support the objectives of the CFO Act to provide reliable
financial information and improve financial management systems and
controls and, as recently reported,[Footnote 22] we believe that it is
critical that DHS be statutorily required to comply with important
financial management reforms legislated in the CFO Act and FFMIA.
Consideration is now being given by each house of Congress to adding
DHS to the list of CFO Act agencies in the Department of Homeland
Security Financial Accountability Act, H.R. 4259 and S. 1567, 108th
Congress.
FFMIA Compliance Findings Based on Negative Assurance:
Auditors for six agencies (Commerce, Energy, EPA, NRC, NSF, and SSA)
provided negative assurance that the agencies' systems were in
compliance with FFMIA in fiscal year 2003, and five agencies did so in
fiscal year 2002. Auditors provide negative assurance when they include
language stating that nothing came to their attention during the course
of their planned procedures to indicate that these agencies' financial
management systems did not meet FFMIA requirements. If readers are not
familiar with the concept of negative assurance, they may incorrectly
assume that these systems have been fully tested by the auditors and
that the agencies have achieved compliance.
OMB's current audit guidance[Footnote 23]calls for auditors to provide
negative assurance when reporting whether an agency's systems are in
substantial compliance with FFMIA. To provide positive assurance of
FFMIA compliance, auditors would need to perform more comprehensive
audit procedures than those necessary to render an opinion for a
financial statement audit. In performing financial statement audits,
auditors generally focus on the capability of the financial management
systems to process and summarize financial information that flows into
financial statements. In contrast, FFMIA is much broader and requires
auditors to assess whether an agency's financial management systems
substantially comply with systems requirements. To do this, auditors
need to consider whether agency systems provide complete, accurate, and
timely information for managing day-to-day operations. We believe that
providing positive assurance of an agency's financial management system
would identify weaknesses and lead to systems improvements that result
in enhancing the performance, productivity, and efficiency of federal
financial management, which is a goal of the PMA. Therefore, as we
discussed in prior reports,[Footnote 24] we reaffirm our prior
recommendation that OMB require agency auditors to provide a statement
of positive assurance when reporting an agency's systems to be in
substantial compliance with FFMIA.
OMB continues to support the requirement for negative assurance of
FFMIA compliance due to cost-benefit concerns. While OMB agrees that
testing should occur, and its guidance on FFMIA calls for it, OMB
officials are concerned that the level of testing needed for positive
assurance may be too time-consuming and costly. OMB officials stated
that different, more coordinated approaches toward assessing an
agency's internal controls and FFMIA compliance might provide
sufficient assurance on an agency's systems. For example, in preparing
the PMA scorecard assessments, OMB officials meet with agencies to
discuss a number of financial management issues and have systems
demonstrations. Agencies are asked to identify key business questions
and related cost drivers. Then, the agencies must develop systems that
can produce the information needed on those cost drivers to help
management at all levels focus on results. OMB officials stated they
believed the PMA scorecard framework offers an alternative route toward
substantial compliance that is similar to that offered by positive
assurance. In its written comments on a draft of this report (see app.
VI) OMB stated that the processes used in evaluating agencies against
the PMA standards can provide a corroborative mechanism in evaluating
compliance with FFMIA. Our concern is that the information provided by
this approach does not come under audit scrutiny and may not be
reliable. For example, the PMA scorecard does not examine the nature
and extent of adjustments that agencies make to their year-end
financial statements. As long as extensive year-end adjustments are
needed, there is no assurance that the financial information being
provided by the systems is complete and accurate for day-to-day
operations.
A joint CFO Council/PCIE group is also currently investigating how
internal control reporting similar to that required by the Sarbanes-
Oxley Act of 2002[Footnote 25] might be useful in the federal
government. OMB officials told us that the results of this CFO Council/
PCIE study might provide another method of assessing and reporting on
internal control and FFMIA compliance. Auditor reporting on internal
control is a critical component of monitoring the effectiveness of an
organization's accountability, especially for large, complex, or
challenged entities that use taxpayers' dollars. Auditors can better
serve their clients and other financial statement users and better
protect the public interest by having a greater role in providing
assurances of the effectiveness of internal control in deterring
fraudulent financial reporting and protecting assets. Financial systems
are an important element of an entity's internal control over financial
reporting. Although enhanced internal control reporting would not
necessarily address the full capability of the financial management
systems in place, such reporting would include reportable internal
control weaknesses caused by financial systems problems. However, the
full value of independent auditors' assessments of FFMIA compliance
will not be fully realized until auditors perform a sufficient level of
audit work to be able to provide positive assurance that agencies are
in compliance with FFMIA. When reporting an agency's financial
management systems to be in substantial compliance, positive assurance
will provide users with confidence that the agency systems provide the
reliable, useful, and timely information envisioned by the act.
In addition, we also previously recommended[Footnote 26] that OMB
explore clarifying the definition of "substantial compliance" to help
ensure consistent application of the term. As we noted[Footnote 27] in
our prior reports, auditors we interviewed had concerns about providing
positive assurance in reporting on agency systems' FFMIA compliance
because of a need for clarification regarding the meaning of
substantial compliance. Therefore, we also reaffirm this
recommendation. In its comments, OMB stated that its growing experience
assisting agencies in implementing the PMA performance standards will
enable it to refine the existing FFMIA indicators associated with
substantial compliance. Accordingly, OMB officials stated that they
will consider our recommendation in any future policy and guidance
updates.
Reasons for Noncompliance:
Based on our review of the fiscal year 2003 audit reports for the 17
agencies reported to have systems not in substantial compliance with
one or more of FFMIA's three requirements, we identified six primary
reasons cited by the auditors for agency systems not being compliant.
The weaknesses reported by the auditors ranged from serious, pervasive
systems problems to less serious problems that may affect one aspect of
an agency's accounting operation:
* nonintegrated financial management systems,
* inadequate reconciliation procedures,
* lack of accurate and timely recording of financial information,
* noncompliance with the SGL,
* lack of adherence to federal accounting standards, and:
* weak security controls over information systems.
Figure 4 shows the relative frequency of these problems at the 17
agencies reported to have noncompliant systems and the problems
relevant to FFMIA that were reported by their auditors. The same six
types of problems were cited by auditors in their fiscal years 2000,
2001, and 2002 audit reports, although the auditors may not have
reported these problems as specific reasons for their systems' lack of
substantial compliance with FFMIA. In addition, we caution that the
occurrence of problems in a particular category may be even greater
than auditors' reports of FFMIA noncompliance would suggest because
auditors may not have identified all problems in their reviews.
Figure 4: Problems Reported by Auditors for Fiscal Years 2000 through
2003:
[See PDF for image]
Note: Based on independent auditors' reports for fiscal years 2000-
2003, prepared by agency inspectors general and contract auditors.
[End of figure]
Nonintegrated Financial Management Systems:
The CFO Act calls for agencies to develop and maintain an integrated
accounting and financial management system[Footnote 28] that complies
with federal systems requirements and provides for (1) complete,
reliable, consistent, and timely information that is responsive to the
financial information needs of the agency and facilitates the
systematic measurement of performance; (2) the development and
reporting of cost management information; and (3) the integration of
accounting, budgeting, and program information. OMB Circular No. A-127,
Financial Management Systems, requires each agency to establish and
maintain a single integrated financial management system that conforms
to functional requirements published by PMO.
Agencies that do not have integrated financial management systems
typically must expend major effort and resources, including in some
cases hiring external consultants, to develop information that their
systems should be able to provide on a daily or recurring basis.
Agencies with nonintegrated financial systems are also more likely to
be required to devote more resources to collecting information than
those with integrated systems. In addition, opportunities for errors
are increased when agencies' systems are not integrated.
Auditors frequently mentioned the lack of modern, integrated financial
management systems in their fiscal year 2003 audit reports. As shown in
figure 4, auditors for 11 of the 17 agencies with noncompliant systems
reported this to be a problem, compared with 13 of the 19 agencies
reported with noncompliant systems in fiscal year 2002.[Footnote 29]
For example, auditors determined that the Department of State's
financial and accounting system, as of September 30, 2003, was
inadequate, preventing the department from routinely issuing timely
financial statements and increasing the risk of materially misstating
financial information. The principal areas of weakness included (1)
certain elements, including, but not limited to, personal property,
capital leases, and certain accounts payable, were developed from
sources outside the general ledger and (2) several different systems
were used for the management of grants and other types of federal
awards. These systems for grants management and other federal awards
lacked standard data classifications and were not integrated with the
department's centralized financial management system.
In another case, as auditor for Treasury's Internal Revenue Service
(IRS),[Footnote 30] we reported that IRS' general ledger system
consists of two independent general ledgers that are not integrated
with each other or with their supporting records for material balances.
Further, the information contained in the general ledgers was not
supported by adequate audit trails for federal tax revenue, federal tax
refunds, taxes receivable, or property and equipment. IRS' use of two
separate general ledgers to account for its tax collection activities
and the costs of conducting those activities, respectively, greatly
complicates efforts to measure the cost of IRS' tax collection efforts.
The use of multiple ledgers also causes difficulties in the production
of the reliable, useful, and timely financial and performance
information that IRS needs for decision making on an ongoing basis.
Inadequate Reconciliation Procedures:
A reconciliation process, whether manual or automated, is a necessary
and valuable part of a sound financial management system. The less
integrated the financial management system, the greater the need for
adequate reconciliations because data may be accumulated from a number
of different sources. Reconciliations are needed to ensure that data
have been recorded properly between the various systems and manual
records. The Comptroller General's Standards for Internal Control in
the Federal Government[Footnote 31] highlights reconciliation as a key
control activity.
As shown in figure 4, auditors for 11 of the 17 agencies with
noncompliant systems in fiscal year 2003 reported that the agencies had
reconciliation problems, compared with 11 of the 19 agencies reported
with noncompliant systems in fiscal year 2002. These reconciliation
problems included difficulty in reconciling their fund balance with
Treasury accounts[Footnote 32] with Treasury's records. Treasury policy
requires agencies to reconcile their accounting records with Treasury
records on a monthly basis (comparable to individuals reconciling their
personal checkbooks to their monthly bank statements).
For fiscal year 2003, NASA's auditors reported a lack of effective
internal controls surrounding its fund balance with Treasury
reconciliations. Based on a review of NASA headquarters' fund balance
with Treasury reconciliations as of September 30, 2003, auditors
reported an agencywide difference of approximately $43 million, net,
between NASA's general ledger and Treasury's reported balance. NASA did
not provide sufficient documentary evidence to explain these
differences. Further, NASA made approximately 20 additional adjustments
outside of its financial management system, which indicated the
difference between its fund balance with Treasury balance and
Treasury's reported balance was significantly greater than disclosed in
its year-end reconciliations. In total, NASA recorded adjustments of
approximately $2 billion, net, to decrease its fund balance with
Treasury balance in order to agree to Treasury's reported balance as of
September 30, 2003. NASA was unable to provide the auditor
documentation to explain the reasons for such a large dollar amount of
reconciliations.
Lack of Accurate and Timely Recording of Financial Information:
As shown in figure 4, auditors for 15 of the 17 agencies with
noncompliant systems reported the lack of accurate and timely recording
of financial information as a problem for fiscal year 2003, compared
with 17 of the 19 agencies reported with noncompliant systems in fiscal
year 2002. Accurate and timely recording of financial information is
essential for successful financial management. Timely recording of
transactions facilitates accurate reporting in agencies' financial
reports and other management reports used to guide managerial decision
making. In addition, having systems that record information in a timely
and accurate manner is critical for key governmentwide initiatives,
such as integrating budget and performance information.
In contrast, untimely recording of transactions during the fiscal year
can result in agencies making substantial efforts at fiscal year-end to
perform extensive manual financial statement preparation efforts that
are susceptible to error and increase the risk of misstatements. For
example, auditors at the Department of the Interior reported in fiscal
year 2003 that the department (1) needed to improve controls over
property, plant, and equipment in order to prepare financial reports in
a timely and reliable manner; (2) capitalized assets that were
transferred from other agencies at incorrect amounts and also
capitalized assets in the current year that had been accidentally
expensed in prior years; and (3) did not ensure that journal vouchers
were properly recorded by failing to include proper general ledger
accounts. As a result, the department recorded over 180 adjustments
after issuing the final year-end trial balance, requiring that
significant time and resources be dedicated to making manual
adjustments.
Noncompliance with the SGL:
As shown in figure 4, auditors for 10 of the 17 agencies reported to
have noncompliant systems for fiscal year 2003 stated that the
agencies' systems did not comply with SGL requirements for fiscal year
2003, as compared with 9 of the 19 agencies reported with noncompliant
systems in fiscal year 2002. Implementing the SGL at the transaction
level is one of the specific requirements of FFMIA. Using the SGL
promotes consistency in financial transaction processing and reporting
by providing a uniform chart of accounts and pro forma transactions.
The SGL also provides a basis for comparison at the agency and
governmentwide levels. The defined accounts and pro forma transactions
standardize the accumulation of agency financial information as well as
enhance financial control and support financial statement preparation
and other external reporting. By not implementing the SGL, agencies may
experience difficulties in providing consistent financial information
across their components and functions.
Auditors for HHS reported that some of its systems were not designed to
apply the SGL at the transaction level. For example, the auditors
stated that the National Institutes of Health (NIH) recorded 1,900
nonstandard accounting entries totaling $14.2 billion during the year.
According to the auditors, these nonstandard entries were needed to
properly adjust account balances, including inventory, accrued leave,
personal property, receipt of donations, and other revenues. Moreover,
NIH developed a process to record at year-end the effect of current-
year, day-to-day entries in its budgetary and expended appropriations
accounts. In their report, the auditors stated that the use of
nonstandard accounting entries increased the risks of (1) bypassing
accounting controls and (2) errors. To address these issues, during
fiscal year 2003, NIH reconfigured its transaction codes to be SGL
compliant and on October 1, 2003, implemented a new general ledger
system as part of the NIH Business and Research Support System (NBRSS)
initiative. NBRSS is expected to be fully implemented in 2006.
Furthermore, approximately 2,300 nonstandard accounting entries with an
absolute value of about $41 billion were recorded in HHS' Program
Support Center's (PSC)[Footnote 33] CORE Accounting system[Footnote 34]
to compensate for noncompliance with the SGL. These nonstandard
accounting entries were recorded to correct for misstatements and
recorded balances, and to record reclassifications.
Lack of Adherence to Federal Accounting Standards:
One of FFMIA's requirements is that agencies' financial management
systems account for transactions in accordance with federal accounting
standards. Agencies face significant challenges implementing these
standards. As shown in figure 4, auditors for 11 of the 17 agencies
with noncompliant systems for fiscal year 2003 reported that these
agencies had problems complying with one or more federal accounting
standards, compared with 13 of the 19 agencies with noncompliant
systems in fiscal year 2002.
Auditors reported that agencies are having problems implementing
standards that have been in effect for some time--such as Statement of
Federal Financial Accounting Standards (SFFAS) No. 1, Accounting for
Selected Assets and Liabilities--as well as standards that have been
promulgated in the last few years--such as SFFAS No. 21, Reporting
Corrections of Errors and Changes in Accounting Principles. For
example, in fiscal year 2003, auditors for the U.S. Agency for
International Development (USAID) found that the agency's Accrual
Reporting System (ARS)[Footnote 35] was not in compliance with SFFAS
No. 1, paragraph 77. That standard requires that when an entity accepts
goods (or services), it should recognize a liability for the unpaid
amount of these goods or services. If related invoices are not
available when the financial statements are prepared, amounts owed
should be estimated. USAID uses ARS to develop quarterly estimates of
accrued expenses recorded against individual contract and grant awards.
However, auditors discovered that ARS' financial information was not
reliable and, since the system-generated estimates were based on the
financial information contained in the system, USAID had no assurance
that the resulting estimates were reliable or supported by adequate
accrual methodology. Further, simply eliminating the system-generated
estimates might cause the agency to materially understate its accounts
payable. Consequently, as a result of revised ARS estimates proposed by
the OIG, USAID reduced its year-end accrued expenses and accounts
payable by $244 million to more accurately reflect the activity in
accounts affected by accruals.
Weak Security Controls over Information Systems:
Information security weaknesses are a major concern for federal
agencies and the general public and are one of the frequently cited
reasons for noncompliance with FFMIA. These control weaknesses place
vast amounts of government assets at risk of inadvertent or deliberate
misuse, financial information at risk of unauthorized modification or
destruction, sensitive information at risk of inappropriate disclosure,
and critical operations at risk of disruption. Accordingly, we have
considered information security to be a governmentwide high-risk area
since 1997.[Footnote 36]
The Congress and the executive branch have taken action to address the
risks associated with persistent information security weaknesses. The
Federal Information Security Management Act of 2002 (FISMA)[Footnote
37] provides the overall framework for ensuring the effectiveness of
information security controls that support federal operations and
assets and requires agencies and OMB to report annually to the Congress
on their information security programs. As we testified in March
2004,[Footnote 38] fiscal year 2003 agency reporting required by FISMA
showed apparent progress in implementing FISMA's information security
requirements, but most agencies still had not reached the level of
performance that demonstrates they have implemented the agencywide
information security program mandated by the act. Only 6 agencies
reported that they had authorized 90 to 100 percent of their systems,
and 11 agencies reported that they had authorized less than half of
their systems. While OMB monitors agency performance by requiring
agencies to provide quarterly updates on this and other key performance
measures, the fiscal year 2004 annual reports that agencies must submit
to the Congress are due to OMB by October 6, 2004, and should provide
updated information on agency progress in implementing FISMA's
information security requirements.
As shown in figure 4, auditors for all 17 of the 17 agencies with
noncompliant systems reported security weaknesses in information
systems to be a problem, compared with 19 of the 19 agencies reported
with noncompliant systems in fiscal year 2002. Unresolved information
security weaknesses could adversely affect the ability of agencies to
produce accurate data for decision making and financial reporting
because such weaknesses could compromise the reliability and
availability of data that are recorded in or transmitted by an agency's
financial management system.
As a case in point, in fiscal year 2003, the auditors for the
Department of Education noted that the department needs improvement in
seven key security control areas. These seven areas are (1)
consistently updating application versions, virus/data protection
packages, and security packages; (2) testing mission-critical systems
for platform and database level vulnerabilities; (3) enforcing the rule
requiring complex passwords across the enterprise; (4) deploying
network and host based intrusion detection systems to provide alerts of
intrusions and malicious internal activity; (5) implementing firewall
rules to logically segregate database servers containing sensitive data
from servers within the Web-hosting environment; (6) implementing
access controls to protect mission-critical systems from certain
internal networks; and (7) correcting security weaknesses previously
identified at contractor facilities.
Agencies Struggle to Implement New Financial Systems:
In an effort to address problems such as nonintegrated systems,
inadequate reconciliations, and lack of compliance with the SGL, a
number of agencies have efforts under way to implement new financial
management systems or to upgrade existing systems. Agencies anticipate
that the new systems will provide reliable, useful, and timely data to
support managerial decision making and assist taxpayer and
congressional oversight. However, implementing and upgrading systems
bring new risks. Organizations that follow and effectively implement
accepted best practices in systems development and implementation
(commonly referred to as disciplined processes) can reduce these risks
to acceptable levels. However, our work at DOD, HHS, and NASA has shown
that agencies face significant problems in implementing financial
management systems and are not following the necessary disciplined
processes for efficient and effective implementation of such systems.
Further, VA recently halted its pilot implementation of its new core
financial system for which $249 million had been invested. The VA OIG
reported that the contracting and monitoring of the VA project was not
adequate, and the pilot deployment of the system encountered multiple
problems. The problems the VA OIG cited were similar to those we noted
at DOD, HHS, and NASA. As the federal government moves forward with
ambitious modernization efforts to identify opportunities to eliminate
redundant systems and enhance information accuracy and availability,
adherence to these disciplined processes will be a crucial element to
reduce risks to acceptable levels.
Most Agencies Are Implementing New Financial Systems:
Throughout the government, agencies have worked diligently to minimize
financial management weaknesses by implementing or upgrading current
financial systems. As we previously reported,[Footnote 39] 17 CFO Act
agencies advised us that as of September 2002 they were planning to or
were in the process of implementing new core financial systems. Eleven
of these 17 CFO Act agencies had chosen software packages certified by
PMO,[Footnote 40] while the remaining 6 agencies had at that time yet
to arrive at the software selection phase of their acquisition
processes. Target implementation dates ranged from fiscal years 2003 to
2008 for 16 of the 17 agencies. DOD had not yet determined its
implementation date. Moreover, JFMIP recently surveyed federal agencies
about their plans to purchase core financial system and feeder system
software between fiscal years 2005 and 2009. Survey responses indicated
that 7 of the 23 CFO Act agencies and DHS plan to purchase core
financial software. Additionally, 13 agencies and DHS have plans to
purchase feeder system software between fiscal years 2005 and 2009.
Thus, the majority of the CFO Act agencies and DHS were either
implementing or planning to purchase core financial or feeder system
software.
An agency's implementation of a certified core financial system does
not guarantee that the financial system is FFMIA compliant. Two major
factors affecting FFMIA compliance that agencies must consider are (1)
the integration of the core financial system with the agency's
administrative and programmatic systems, especially with regard to the
completeness and validity of system data, and (2) the existence of
modifications or customizations to the certified core financial system
software.
As indicated in our prior report,[Footnote 41] some agencies stated in
their performance and accountability assessments that complete
implementation of new core financial systems will also address their
systems' substantial noncompliance with FFMIA. However, as we
previously discussed, implementing a new core financial system may not
eliminate all of an agency's financial management weaknesses. Agencies
must consider various problems that extend beyond their core financial
systems. Despite this realization, the implementation of agencywide
core financial systems is a solid step toward successful systems
performance.
Agencies Are Not Following Disciplined Processes:
Implementing new financial management systems provides the groundwork
for improved financial management, including providing financial
managers with more timely information for better informed financial
management decisions, and will help meet OMB's accelerated financial
reporting deadline. However, with implementation comes risk.
Organizations that follow and effectively implement accepted best
practices in systems development and implementation (commonly referred
to as disciplined processes) can reduce these risks to acceptable
levels. Our work at DOD, HHS, and NASA has shown that agencies face
significant problems in implementing financial management systems and
are not following the necessary disciplined processes for efficient and
effective implementation of financial management systems. VA recently
halted implementation of its new core financial system, due in part to
reported concerns about the inadequate contracting and monitoring of
the project and multiple problems with the pilot deployment of the
system.
Disciplined processes have been shown to mitigate some of the risks
associated with software development and acquisition efforts to
acceptable levels. The term "acceptable levels" acknowledges that any
systems acquisition effort has risks and will suffer the risk of not
achieving the intended results (performance) within the established
resources (costs) on schedule. However, effective implementation of the
disciplined processes reduces these risks and helps prevent any actual
problems from having any significant adverse impact on achieving the
performance, cost, and schedule of the project.
Although a standard set of practices that will guarantee success does
not exist, several organizations, such as the Software Engineering
Institute (SEI)[Footnote 42] and the Institute of Electrical and
Electronic Engineers (IEEE),[Footnote 43] as well as individual experts
have identified and developed the types of policies, procedures, and
practices that have been demonstrated to reduce development time and
enhance effectiveness. The key to having a disciplined system
development effort is to have disciplined processes in several areas,
including the following:
* Requirements management. Requirements are the specifications that
system developers and program managers use to design, develop, and
acquire a system.
* Testing. Testing is the process of executing a program with the
intent of finding errors. Testing is a critical process that improves
an entity's confidence that the system will satisfy the requirements of
the end user and operate as intended.
* Project planning and oversight. Project planning is the process used
to establish reasonable plans for carrying out and managing the
software project. It includes estimating resources needed for the work
to be performed, establishing commitments, and defining the work plan.
* Risk management. Risk management is a set of activities for
identifying, analyzing, planning, tracking, and controlling risks. Risk
management starts with identifying the risks before they can become
problems.
Organizations that do not effectively implement the disciplined
processes lose the productive benefits of these processes as a project
moves through its development and implementation and are forced to
implement them later when it takes more time and they are less
effective. A major consumer of project resources in undisciplined
efforts is rework. Rework occurs when the original work has defects or
is no longer needed because of changes in project direction.
Disciplined organizations focus their efforts on reducing the amount of
rework because it is expensive. Studies have shown that correcting a
defect during the testing phase costs anywhere from 10 to 100 times the
cost of correcting it during the design or requirements phase.[Footnote
44] Projects that are unable to adopt disciplined processes
successfully will eventually only be spending their efforts on rework
and the associated processes that are needed rather than productive
work. In other words, the project may find itself continually reworking
items.
We found in our review of three agencies' implementation of new
financial management systems that these agencies are not following the
disciplined processes that are necessary to reduce the risks to
acceptable levels. In our May 2004 report,[Footnote 45] we reported
that long-standing problems continue at DOD despite the significant
investments made in DOD business systems[Footnote 46] each year. GAO's
two case study examples of logistics systems modernization efforts,
Business Systems Modernization (BSM) at the Defense Logistics Agency
(DLA) and the Army's Logistics Modernization Program (LMP), found that
disciplined processes were not implemented. We also reported in
September 2004[Footnote 47] that HHS had not followed key disciplined
processes and is at risk of implementing a new financial management
system that will not fully meet the needs of its users. Further, in
2003 and 2004 we issued five reports and testified[Footnote 48] about
the considerable challenges facing NASA's implementation of a new
financial management program. NASA is on its third attempt in 12 years
to modernize its financial management process and systems and has spent
about $180 million on its two prior failed efforts.
Department of Defense:
DOD reported in April 2003 that its business systems environment
consisted of 2,274 systems. DOD requested approximately $19 billion for
fiscal year 2004 to operate, maintain, and modernize its reported 2,274
business systems. More recently, DOD stated that its inventory of
business systems was over 4,000 and more systems are expected to be
identified. Despite its substantial investment over many years, DOD's
business systems remain fundamentally flawed; unable to provide timely,
reliable information; and leave DOD vulnerable to fraud, waste, and
abuse. The duplication and stovepiped nature of DOD's systems
environment is illustrated by the numerous systems it has in the same
functional areas, such as over 450 personnel systems and 200 inventory
systems. These systems are not integrated and thus have multiple points
of data entry, which can result in data integrity problems.
Two of the business system modernization efforts DOD has undertaken to
address some of its inventory problems are DLA's BSM and the Army's
LMP. BSM and LMP incorporate part of the inventory management portion
of the COTS software package used by both DLA and the Army. In November
1999, DLA initiated an effort to replace two of its materiel management
systems with BSM. BSM is intended to transform how DLA conducts its
operations in five core business processes: order fulfillment, demand
and supply planning, procurement, technical/quality assurance, and
financial management. In February 1998, the Army began its effort to
replace its two material management systems with LMP. LMP is intended
to transform the U.S. Army Materiel Command's logistic operations in
six core processes: order fulfillment, demand and supply planning,
procurement, asset management, materiel maintenance, and financial
management.
Our May 2004 report[Footnote 49] of DOD's business system modernization
found numerous problems with both projects, BSM and LMP, including such
issues as failure to follow necessary disciplined processes, lack of
financial system integration, and system deployment schedule slippage.
We found that DLA's and Army's program officials did not effectively
implement the disciplined processes associated with requirements
management and testing in developing and implementing their systems.
For almost all of the requirements we analyzed, we found that the
forward and backward traceability was not maintained. Traceability
allows the user to follow the life of the requirement both forward and
backward through the DLA and Army approaches and management plans and
is critical to understanding the parentage, interconnections, and
dependencies among the individual requirements. Testing, the process of
executing the program with the intent of finding errors, was not
effectively implemented for BSM or LMP. DLA and the Army, therefore,
did not achieve the important goal of reducing the risk that BSM and
LMP would not operate as intended. Although DLA and the Army have
asserted that BSM and LMP, respectively, are compliant with the
requirements of FFMIA, we have concerns.
In the case of LMP, we found that the Army relied upon PMO testing for
147 requirements because PMO had validated these requirements when it
tested the vendor's commercial software used for LMP during fiscal year
1999. PMO testing should not be considered a substitute for individual
system testing of the actual data that will be used by the entity.
Further, PMO's tests of software do not address entity-specific
integrated tests of end-to-end transactions or systems interfaces.
Because the Army had to make modifications to the basic commercial
software package to accommodate some of its business operations, the
Army cannot be assured, without retesting, that these 147 requirements
will produce the intended results. In the case of BSM, for one
requirement the contractor stated that "a sample of transactions were
reviewed, [and] it appears that BSM properly records transactions
consistent with the SGL posting rules." However, we found no indication
that this requirement was tested, and therefore, we cannot conclude
whether BSM has the capability to meet this requirement. Without
adequate documentation to support testing of the FFMIA requirements, it
is questionable whether either system is substantially compliant with
FFMIA.
Additionally, we found that the system interfaces were not fully tested
for BSM and LMP and when they became operational, it became clear that
the system interfaces were not working as intended. Costly manual
reentry of inventory transactions was necessary. Further, both BSM and
LMP have experienced cost increase and schedule slippage. BSM was
originally scheduled to be fully operational in September of 2005.
However, the date has shifted to midyear 2006 and the cost has
increased from $764 million to $850 million. LMP has a current
estimated cost of over $1 billion. As of March 2004, the Army had not
determined when LMP would be fully operational at all locations. In
1999, we reported that the Army's estimated cost was $421 million over
a 10-year period. DOD cannot be assured that the two systems in our
case study will provide the functionality needed and fully meet DLA and
Army objectives.
Successful reform of DOD's fundamentally flawed financial and business
management operations must simultaneously focus on its systems,
processes, and people. While DOD has made some encouraging progress in
addressing specific challenges, it is still in the very early stages of
a departmentwide reform that will take many years to accomplish.
Secretary Rumsfeld has made business transformation a priority. For
example, through its Business Management Modernization Program, DOD is
continuing its efforts to develop and implement a business enterprise
architecture and establish effective management oversight and control
over its business systems modernization investments. However, after
about 3 years of effort and over $203 million in reported obligations,
we have not seen significant change in the content of DOD's
architecture or in its approach to investing billions of dollars
annually in existing and new systems. We have made numerous
recommendations aimed at improving DOD's plans for developing the next
version of the architecture and implementing controls for selecting and
managing business systems investments. To date, DOD has not addressed
22 of our 24 recommendations.[Footnote 50]
Department of Health and Human Services:
HHS is currently implementing a new financial management system, the
Unified Financial Management System (UFMS), to replace five outdated
accounting systems. This project is expected to be phased in at the
component agencies and fully implemented in fiscal year 2007. Our 2004
analysis and evaluation focused on the system implementation efforts
associated with all the HHS entities except for the Centers for
Medicare and Medicaid Services (CMS) and NIH.[Footnote 51] We found
that the lack of disciplined processes puts the implementation of HHS'
new financial management system at risk.
We reported[Footnote 52] that HHS had not followed key disciplined
processes and was at risk of implementing a new financial management
system that would not fully meet the needs of its users. While HHS had
executive sponsorship for the development of UFMS, it had focused on
meeting its implementation schedule to deploy the system at its
component agency, the Centers for Disease Control and Prevention (CDC)
in October 2004 to the detriment of disciplined processes. HHS had not
implemented effective disciplined processes in such areas as
requirements management, testing, project management and oversight, and
risk management.
We found significant problems with HHS' requirements management and
testing process. Problems with requirements management practices
include the lack of (1) a concept of operations to guide the
development of requirements, (2) traceability of a requirement from the
concept of operations through testing to ensure requirements were
adequately addressed in the system, and (3) specificity in the
requirements to minimize confusion in the implementation. These
problems with requirements have resulted in a questionable foundation
for the system testing process.
Additionally, testing activities were scheduled too late in the
implementation cycle, leaving little time to ensure that the defects
found were addressed before the system was implemented at CDC. While
adherence to schedule goals is generally desirable, it is key that
project decisions are based on objective data and demonstrated project
accomplishments, and are not schedule-driven. Otherwise, the risk of
costly rework or failure appreciably increases.
We further found that HHS had not developed the quantitative data
necessary to assess whether UFMS will provide the needed functionality.
HHS did not have a metrics measurement process to understand its
capability to help manage the entire UFMS effort; or how its process
will affect the UFMS cost, schedule, and performance objectives; or
what corrective action is needed to reduce the risks associated with
the problems identified. We also reported problems with HHS' initial
data conversion and system interfaces.
In addition to the disciplined processes weaknesses, we noted that HHS
had weaknesses in its information technology investment management,
enterprise architecture, and information security. Serious
understaffing and incomplete workforce planning have also plagued the
UFMS project. The cumulative effects of these weaknesses increase the
risk that UFMS will not fully serve the needs of its users nor achieve
its budget and schedule goals.
In September 2004, HHS decided to delay the implementation of a
significant amount of functionality associated with the CDC deployment
from October 2004 until April 2005 in order to address the issues that
had been identified with the project.
National Aeronautics and Space Administration:
In April 2000, NASA began its third attempt to modernize its financial
management system. This effort, IFMP, is expected to produce an
integrated, NASA-wide financial management system through the
acquisition and incremental implementation of COTS and related hardware
and software components. As of June 30, 2003, NASA reported that it had
fully implemented the core financial module, which NASA considers the
backbone of IFMP, at all of its 10 operating locations.
As we have reported numerous times,[Footnote 53] NASA faces
considerable challenges in meeting its IFMP commitments and providing
the necessary tools to oversee its contracts and manage its programs.
In April 2003, we reported that the core financial module does not
provide agency managers or the Congress with useful cost and related
information with which to make informed decisions, manage daily
operations, and ensure accountability on an ongoing basis, and NASA was
not following key best practices for acquiring and implementing the
system. As we reported, key users, such as program managers, cost
estimators, and congressional staffs, were not included in defining the
system requirements. According to IFMP officials, NASA chose to forgo
certain system capabilities to expedite implementation of the core
financial model. As a result, managers and cost estimators continued to
rely on means outside IFMP to capture data needed to manage programs.
We have also reported that NASA's approach to implementing its new
system did not optimize the system's performance and would likely cost
more and take longer to implement than necessary. Specifically, NASA
was not following key best practices for acquiring and implementing the
system, which may affect the agency's ability to fully benefit from the
new system's capabilities. First, NASA did not analyze the
relationships among selected and proposed IFMP components to understand
the logical and physical relationships among the components it
acquired. By acquiring these IFMP components without first
understanding system component relationships, NASA increased its risks
of implementing a system that will not optimize mission performance and
will cost more and take longer to implement than necessary. Second,
although industry best practices and NASA's own system planning
documents indicate that detailed requirements are needed as the basis
for effective system testing, NASA did not require documentation of
detailed system requirements prior to system implementation and
testing. NASA's approach instead relied on certain subject matter
experts' knowledge of the detailed requirements necessary to evaluate
the functionality actually provided. As a result, NASA increased its
risk that IFMP would cost more and do less than planned.
Further, we reported that NASA's new financial management system did
not provide key external reporting capabilities, such as the generation
of complete and accurate information necessary for external reporting
of NASA property and budgetary data, and the new system did not comply
substantially with the requirements of FFMIA.
Department of Veterans Affairs:
VA recently halted implementation of its new core financial system,
Core Financial and Logistics System (CoreFLS), at a potential loss of
almost $250 million. VA provides federal benefits, including disability
compensation, pensions, education, life insurance, home loan
assistance, and medical care, to the 26 million living veterans and
veterans' survivors and dependents. VA began the detailed planning and
acquisition of CoreFLS in June 1999 and was planning to have it fully
implemented throughout VA by March 2006. The VA OIG reported that the
contracting and monitoring of the CoreFLS project was not adequate and
the pilot deployment of CoreFLS at a VA medical center encountered
multiple problems. These problems are similar to the concerns we noted
at DOD, HHS, and NASA.
The VA OIG noted that the success of CoreFLS greatly depends on the
ability of the software to integrate with existing legacy systems,
which in turn requires that existing legacy systems are properly
implemented and maintained. The VA OIG found that most of the VA legacy
systems at the pilot location contained inaccurate data because they
had not been used properly and that this may be a systemic problem
throughout VA. The effect of transferring inaccurate data to CoreFLS at
this pilot location interrupted patient care and medical center
operations. This was compounded by VA inadequately training employees
on how to use the system, unreliable test procedures and results, and
unsubstantiated performance results. Problems were also identified with
reconciling accounts payable, accounts receivable, undelivered orders,
and real property.
When CoreFLS was deployed at the pilot location in October 2003, it did
not function as project managers expected because of inaccurate or
incomplete vendor and inventory system data. Because of these problems
with vendor and inventory systems, the VA pilot location made excessive
purchases of medical supplies. For example, on February 23, 2004, the
pilot location purchased 100 cup biopsy forceps with a total value of
$30,700, which were shipped overnight to the medical center, but
returned to the vendor less than a month later. In addition, late
payment penalties by the medical center for the first two quarters of
fiscal year 2004 totaled $10,800, compared to $600 for the entire
fiscal year 2003. The VA OIG's review also found that the inventory was
overstated by approximately $2.3 million out of $3.6 million recorded,
because an item valued at $23 showed a quantity on-hand of 100,000
when, in fact, the on-hand quantity was only one.
As a result of these problems, patient care was interrupted by supply
outages and other problems. The inability to provide sterile equipment
and needed supplies to the operating room resulted in the cancellation
of 81 elective surgeries for a week in both November 2003 and February
2004. In addition, the operating room was forced to operate at two-
thirds of its prior capacity. Because of the serious nature of the
problems raised with CoreFLS, VA management decided to focus on
transitioning back to the previous financial management software and
pull together a senior leadership team to examine the results of the
pilot and make recommendations to the VA Secretary regarding the future
of CoreFLS.
Governmentwide Initiatives to Improve Financial Management Systems Spur
Needed Change:
As agencies move forward with initiatives to address FFMIA-related
problems, it is important that consideration be given to the numerous
governmentwide initiatives under way to address long-standing financial
management weaknesses. As stated in the PMA, there are few items more
urgent than ensuring that the federal government operates efficiently
and is results-oriented. While FFMIA implementation relates directly to
the improved financial performance initiative, development and
maintenance of FFMIA-compliant systems will also affect the
implementation of the other four PMA initiatives. Notably, OMB is
developing a federal enterprise architecture that is intended to
facilitate the government's ability to make significant progress across
the PMA. For example, as part of the e-gov PMA initiative, the number
of federal payroll providers is being consolidated. Numerous agencies
had targeted their payroll operations for costly modernization, and
according to OMB, millions of dollars will be saved through shared
resources and processes and by modernizing on a cross-agency,
governmentwide basis.
The Clinger-Cohen Act sets forth a variety of initiatives to support
better decision making for capital investments in information
technology, which has led to the development of the Federal Enterprise
Architecture and better-informed capital investment and control
processes within agencies and across government. This has produced
another broad shift in the financial systems environment--one that
acknowledges that financial systems planning can no longer take place
within an isolated environment or "stovepipe," but must now be
integrated with enterprise goals. Managed properly, an enterprise
architecture can clarify and help optimize the interdependencies and
relationships among an organization's business operations and the
underlying information technology infrastructure and applications that
support those operations.
Moreover, developing such an architecture will help address the
government's inability to properly reconcile and report on
intragovernmental transactions. We have reported[Footnote 54] for years
that the heart of the intragovernmental transactions issue was that the
federal government lacked clearly articulated business rules for these
transactions so that they would be handled consistently by agencies.
This is compounded by limitations and incompatibility of agency and
trading partner systems, among other issues. OMB and Treasury have
taken steps to help transform and standardize intragovernmental
transactions, including instituting an e-gov project[Footnote 55] to
define a governmentwide data architecture and provide a single source
of detailed trading partner data. The Intragovernmental Transaction
Exchange was piloted from October 2003 to April 2004, and provided
information about the business processes and technologies used to
interact with it. After evaluating the results of the pilot, OMB
expects to phase it into use at all agencies.
Building upon the efforts of the Federal Enterprise Architecture
program to support the PMA for e-gov, OMB and designated agency task
forces have launched the line of business (LOB) initiative. This
initiative seeks to develop business-driven, common solutions for five
lines of business that span across the federal government. The five
initiatives are financial management, human resources management,
grants management, federal health architecture, and case management.
Each of the lines of business shares similar business requirements and
business processes. OMB and the LOB task forces plan to use either
enterprise architecture-based principles and best practices to identify
common solutions for business processes, technology-based shared
services to be made available to government agencies, or both. Driven
from a business perspective rather than a technology focus, the
solutions are expected to address distinct business improvements to
enhance government's performance and services for citizens. The results
of LOB efforts are expected to save taxpayer dollars, reduce
administrative burden, and significantly improve service delivery.
The financial management LOB goals are to (1) achieve or enhance
process improvements and cost savings in the acquisition, development,
implementation, and operation of financial management systems through
shared services, joint procurements, consolidation, and other means;
(2) promote seamless data exchange between and among federal agencies;
(3) provide for the standardization of business processes and data
elements; and (4) strengthen internal controls through real-time
integration of core financial and subsidiary systems. OMB has an
ambitious time frame, September 2004, for identifying a common solution
and developing a target architecture and a joint business case. At the
time of our review, OMB had not completed this effort. Agency business
cases submitted as part of the budget cycle are expected to reflect the
proposed common solutions. GAO has long supported and called for such
initiatives to standardize and streamline common systems, which cannot
only reduce costs but, if done correctly, can improve accountability.
The problems we have seen related to requirements, testing, interfaces,
and data conversion at the agency level indicate that attention to
these disciplined processes will continue to be important as OMB and
the LOB task forces move forward. These initiatives and the
intragovernmental transaction exchange will be required to address
broader sets of requirements, interfaces, and data conversion issues
than those at an individual agency level, thus amplifying the
complexity of the task. Disciplined process can play an important role
in helping governmentwide systems initiatives reduce the risk of these
projects to acceptable levels.
In addition, with many new financial management systems being
implemented in the federal government, it is crucial that the federal
government have a qualified workforce with the right mix of skills to
implement financial systems successfully. Our report[Footnote 56] on
effective strategic workforce planning highlighted five principles that
such a process should address irrespective of the context in which
planning is done. Among the principles are determining the critical
skills and competencies that will be needed to achieve current and
future results, and developing strategies tailored to address gaps in
the number, deployment, and alignment of human capital approaches. At a
JFMIP-sponsored forum on successful integration and interoperability of
business management systems held in May 2004, the participants noted
that agencies are losing experienced people for a variety of reasons
and relying excessively on outside contractors because they have no
other choice. Participants expressed concern that internally, staff
lack the technical expertise needed. Agency officials overseeing
implementations have expertise on the functional requirements, such as
government accounting standards, but vendors and integrators have
little expertise in these areas. This is extremely high risk and
costly, and greater oversight and close monitoring of contractors is
needed. Further, our executive guide[Footnote 57] emphasizes the need
for developing a financial management team with the right mix of skills
and competencies. A changing financial management business vision
requires shifting workforce capacities and providing a financial
management workforce that is more analytic and capable of providing
decision support.
Conclusions:
Long-standing problems with agencies' financial systems continue to
make it difficult for agencies to routinely produce reliable, useful,
and timely financial information. While a number of agencies are
receiving unqualified ("clean") opinions on their financial statements,
the continued widespread noncompliance with FFMIA shows that agencies
still have a long way to go to having systems, processes, and controls
that routinely generate reliable, useful, and timely information.
The FFMIA-related problems reported in agency audit reports indicate
that federal financial management systems are not currently providing
federal managers the financial data needed for day-to-day management of
their programs or for external reporting in an efficient or timely
manner. Yet we remain concerned that the full nature and scope of the
problems have not been identified because auditors have only provided
negative assurance in their FFMIA reports. We believe the law requires
auditors to provide positive assurance on FFMIA compliance. Therefore,
we reaffirm our recommendation made in prior reports that OMB revise
its current FFMIA guidance to require agency auditors to provide a
statement of positive assurance when reporting an agency's systems to
be in substantial compliance, which entails a more thorough examination
of the agency's systems. We also reaffirm our other prior
recommendation for OMB to explore further clarification of the
definition of "substantial compliance" in its FFMIA guidance to
encourage consistent reporting among agency auditors. As we
stated[Footnote 58] in our prior reports, auditors we interviewed had
concerns about providing positive assurance in reporting on agency
systems' FFMIA compliance because of a need for clarification regarding
the meaning of substantial compliance.
Implementing new COTS core financial systems is a formidable challenge
since financial management systems are not only needed for external
reporting but, most importantly, are needed to provide the financial
information program managers need to manage operations on a day-to-day
basis. Reliable, useful, and timely financial management information is
key to achieving the goals of the PMA and its related initiatives, such
as PART. As the federal government moves forward with agency
implementations of new financial management systems and for systems
implemented to satisfy governmentwide initiatives, adherence to proven
disciplined processes to minimize risks and improve management of these
implementations is critical. Moreover, people with the right skill sets
in the right places at the right times are critical to efficiently and
effectively implementing a financial management system and operating it
once it is in place. Improvements in federal financial management
systems are in some cases a long-term goal, but with sustained
attention from important decision makers, including the Congress and
OMB, the goals of the CFO Act and FFMIA can be achieved.
Agency Comments and Our Evaluation:
In written comments (reprinted in app. VI) on a draft of this report,
OMB agreed with our assessment that while federal agencies continue to
make progress in addressing financial management systems weaknesses,
many agencies still lack the ability to produce the data needed to
efficiently and effectively manage day-to-day operations. As in
previous years, OMB disagreed with our recommendation that agency
auditors be required to provide a statement of positive assurance when
reporting agency systems to be in substantial compliance with FFMIA.
OMB said that the PMA and FFMIA should be viewed as complementary
methods for achieving improvements in financial management systems. OMB
stated that the framework of performance standards established under
the PMA provides a corroborative mechanism for evaluating FFMIA
compliance, which together with existing audit processes can provide an
accurate assessment of substantial compliance. Therefore, OMB does not
believe that the addition of a statement of positive assurance on FFMIA
compliance would be beneficial. While we agree that the initiatives of
the PMA are stimulating improvements, auditors need to consider other
aspects of financial management systems when assessing FFMIA compliance
that are not fully addressed through the current reporting structure.
Our concern is that some of the information provided by this approach,
such as monthly financial performance metrics for managing activities,
does not come under audit scrutiny and may not be reliable. In
contrast, an opinion by an independent auditor of FFMIA compliance
would confirm that an agency's systems substantially met the
requirements of FFMIA and provide additional confidence in the
information provided by the PMA. Finally, as we have stated in previous
reports, a statement of positive assurance is a statutory requirement
under the act.
With regard to our prior recommendation, which we reaffirmed in this
report, for revised guidance that clarifies the definition of
substantial compliance, OMB said that the performance results obtained
from the PMA initiatives will allow a further refinement of the
existing substantial compliance indicators. OMB agreed to consider
clarifying the definition of "substantial compliance" in future policy
and guidance updates. As we noted in our prior reports,[Footnote 59]
auditors we interviewed expressed a need for clarification regarding
the meaning of substantial compliance.
OMB also provided additional oral comments, which we incorporated as
appropriate.
We are sending copies of this report to the Chairman and Ranking
Minority Member, Subcommittee on Financial Management, the Budget, and
International Security, Senate Committee on Governmental Affairs, and
to the Chairman and Ranking Minority Member, Subcommittee on Government
Efficiency and Financial Management, House Committee on Government
Reform. We are also sending copies to the Director of the Office of
Management and Budget, the Secretary of Homeland Security, the heads of
the 23 CFO Act agencies, and agency CFOs and IGs. Copies will be made
available to others upon request. In addition, this report will be
available at no charge on the GAO Web site at
[Hyperlink, http://www.gao.gov].
This report was prepared under the direction of Sally E. Thompson,
Director, Financial Management and Assurance, who may be reached at
(202) 512-2600 or by e-mail at [Hyperlink, thompsons@gao.gov] if you
have any questions. Staff contacts and other key contributors to this
report are listed in appendix VII.
Signed by:
David M. Walker:
Comptroller General of the United States:
[End of section]
Appendixes:
Appendix I: Requirements and Standards Supporting Federal Financial
Management:
Financial Management Systems Requirements:
The policies and standards prescribed for executive agencies to follow
in developing, operating, evaluating, and reporting on financial
management systems are defined in Office of Management and Budget (OMB)
Circular No. A-127, Financial Management Systems. The components of an
integrated financial management system include the core financial
system,[Footnote 60] managerial cost accounting system, and
administrative and programmatic systems. Administrative systems are
those that are common to all federal agency operations,[Footnote 61]
and programmatic systems are those needed to fulfill an agency's
mission. The Program Management Office (PMO), managed by the Executive
Director of the Joint Financial Management Improvement Program (JFMIP)
and funded by the Chief Financial Officers (CFO) Council, has issued
federal financial management systems requirements (FFMSR)[Footnote 62]
for the core financial system and managerial cost accounting system,
and is in the process of issuing these requirements for the
administrative and programmatic systems. Appendix II lists the federal
financial management systems requirements published to date. Figure 5
is the PMO model that illustrates how these systems interrelate in an
agency's overall systems architecture.
Figure 5: Agency Systems Architecture:
[See PDF for image]
[End of figure]
OMB Circular No. A-127 requires agencies to purchase commercial off-
the-shelf (COTS) software that has been tested and certified through
the PMO software certification process when acquiring core financial
systems. PMO's certification process, however, does not eliminate or
significantly reduce the need for agencies to develop and conduct
comprehensive testing efforts to ensure that the COTS software meets
their requirements. Moreover, according to PMO, core financial systems
certification does not mean that agencies that install these packages
will have financial management systems that are compliant with the
Federal Financial Management Improvement Act (FFMIA) of 1996. Many
other factors can affect the capability of the systems to comply with
FFMIA, including modifications made to the PMO-certified core financial
management systems software and the validity and completeness of data
from feeder systems.
Federal Accounting Standards:
The Federal Accounting Standards Advisory Board (FASAB)[Footnote 63]
promulgates federal accounting standards that agency CFOs use in
developing financial management systems and preparing financial
statements. FASAB develops the appropriate accounting standards after
considering the financial and budgetary information needs of the
Congress, executive agencies, and other users of federal financial
information and comments from the public. FASAB forwards the standards
to the three Sponsors--the Comptroller General, the Secretary of the
Treasury, and the Director of OMB--for a 90-day review. If there are no
objections during the review period, the standards are considered final
and FASAB publishes them on its Web site and in print.
The American Institute of Certified Public Accountants has recognized
the federal accounting standards promulgated by FASAB as generally
accepted accounting principles for the federal government. This
recognition enhances the acceptability of the standards, which form the
foundation for preparing consistent and meaningful financial statements
both for individual agencies and the government as a whole. Currently,
there are 25 Statements of Federal Financial Accounting Standards
(SFFAS) and 4 Statements of Federal Financial Accounting Concepts
(SFFAC).[Footnote 64] The concepts and standards are the basis for
OMB's guidance to agencies on the form and content of their financial
statements and for the government's consolidated financial statements.
Appendix III lists the concepts, standards, and
interpretations[Footnote 65] along with their respective effective
dates.
FASAB's Accounting and Auditing Policy Committee (AAPC)[Footnote 66]
assists in resolving issues related to the implementation of accounting
standards. AAPC's efforts result in guidance for preparers and auditors
of federal financial statements in connection with implementation of
accounting standards and the reporting and auditing requirements
contained in OMB's Form and Content of Agency's Financial Statements
Bulletin and Audit Requirements for Federal Financial Statements
Bulletin. To date, AAPC has issued six technical releases, which are
listed in appendix IV along with their release dates.
U.S. Government Standard General Ledger:
The U.S. Government Standard General Ledger (SGL) was established by an
interagency task force under the direction of OMB and mandated for use
by agencies in OMB and Department of the Treasury regulations in 1986.
The SGL promotes consistency in financial transaction processing and
reporting by providing a uniform chart of accounts and pro forma
transactions used to standardize federal agencies' financial
information accumulation and processing throughout the year; enhance
financial control; and support budget and external reporting, including
financial statement preparation. For example, agency use of the SGL
accounts and OMB's new intergovernmental business rules for
standardizing intragovernmental activity and balances are key to
removing one of the material weaknesses that GAO has reported on the
governmentwide consolidated statements since fiscal year 1997. The SGL
is intended to improve data stewardship throughout the federal
government, enabling consistent reporting at all levels within the
agencies and providing comparable data and financial analysis
governmentwide.[Footnote 67]
Internal Control Standards:
The Congress enacted legislation, 31 U.S.C. 3512(c),(d) (commonly
referred to as the Federal Managers' Financial Integrity Act of 1982
(FIA)), to strengthen internal controls and accounting systems
throughout the federal government, among other purposes. Issued
pursuant to FIA, the Comptroller General's Standards for Internal
Control in the Federal Government[Footnote 68] provides standards
directed at helping agency managers implement effective internal
control, an integral part of improving financial management systems.
Internal control is a major part of managing an organization and
comprises the plans, methods, and procedures used to meet missions,
goals, and objectives. In summary, internal control, which under OMB's
guidance for FIA is synonymous with management control, helps
government program managers achieve desired results through effective
stewardship of public resources.
Effective internal control also helps in managing change to cope with
shifting environments and evolving demands and priorities. As programs
change and agencies strive to improve operational processes and
implement new technological developments, management must continually
assess and evaluate its internal control to ensure that the control
objectives are being achieved.
[End of section]
Appendix II: Publications in the Federal Financial Management Systems
Requirements Series:
FFMSR document: FFMSR-8 Systems Requirements for Managerial Cost
Accounting;
Issue date: February 1998.
FFMSR document: JFMIP-SR-99-5 Human Resources & Payroll Systems
Requirements;
Issue date: April 1999.
FFMSR document: JFMIP-SR-99-8 Direct Loan System Requirements;
Issue date: June 1999.
FFMSR document: JFMIP-SR-99-9 Travel System Requirements;
Issue date: July 1999.
FFMSR document: JFMIP-SR-99-14 Seized Property and Forfeited Asset
Systems Requirements;
Issue date: December 1999.
FFMSR document: JFMIP-SR-00-01 Guaranteed Loan System Requirements;
Issue date: March 2000.
FFMSR document: JFMIP-SR-00-3 Grant Financial System Requirements;
Issue date: June 2000.
FFMSR document: JFMIP-SR-00-4 Property Management Systems Requirements;
Issue date: October 2000.
FFMSR document: JFMIP-SR-01-01 Benefit System Requirements;
Issue date: September 2001.
FFMSR document: JFMIP-SR-02-01 Core Financial System Requirements;
Issue date: November 2001.
FFMSR document: JFMIP-SR-02-02 Acquisition/Financial Systems Interface
Requirements;
Issue date: June 2002.
FFMSR document: JFMIP-SR-03-01 Revenue System Requirements;
Issue date: January 2003.
FFMSR document: JFMIP-SR-03-02 Inventory, Supplies and Materials System
Requirements;
Issue date: August 2003.
FFMSR document: JFMIP-SR-02-01 Addendum to Core Financial System
Requirements;
Issue date: March 2004.
FFMSR document: JFMIP-SR-01-04 Framework for Federal Financial
Management Systems;
Issue date: April 2004.
Source: JFMIP.
[End of table]
[End of section]
Appendix III: Statements of Federal Financial Accounting Concepts,
Statements of Federal Financial Accounting Standards, and
Interpretations:
Concepts: SFFAC No. 1 Objectives of Federal Financial Reporting.
Concepts: SFFAC No. 2 Entity and Display.
Concepts: SFFAC No. 3 Management's Discussion and Analysis.
Concepts: SFFAC No. 4 Intended Audience and Qualitative Characteristics
for the Consolidated Financial Report of the United States Government;
Standards: SFFAS No. 1 Accounting for Selected Assets and Liabilities;
Effective for fiscal year[A]: 1994.
Standards: SFFAS No. 2 Accounting for Direct Loans and Loan Guarantees;
Effective for fiscal year[A]: 1994.
Standards: SFFAS No. 3 Accounting for Inventory and Related Property;
Effective for fiscal year[A]: 1994.
Standards: SFFAS No. 4 Managerial Cost Accounting Concepts and
Standards;
Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 5 Accounting for Liabilities of the Federal
Government;
Effective for fiscal year[A]: 1997.
Standards: SFFAS No. 6 Accounting for Property, Plant, and Equipment;
Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 7 Accounting for Revenue and Other Financing
Sources;
Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 8 Supplementary Stewardship Reporting;
Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 9 Deferral of the Effective Date of Managerial
Cost Accounting Standards for the Federal Government in SFFAS No. 4;
Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 10 Accounting for Internal Use Software;
Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 11 Amendments to Accounting for Property, Plant,
and Equipment--Definitional Changes;
Effective for fiscal year[A]: 1999.
Standards: SFFAS No. 12 Recognition of Contingent Liabilities Arising
from Litigation: An Amendment of SFFAS No. 5, Accounting for
Liabilities of the Federal Government;
Effective for fiscal year[A]: 1998.
Standards: SFFAS No. 13 Deferral of Paragraph 65-2--Material Revenue-
Related Transactions Disclosures;
Effective for fiscal year[A]: 1999.
Standards: SFFAS No. 14 Amendments to Deferred Maintenance Reporting;
Effective for fiscal year[A]: 1999.
Standards: SFFAS No. 15 Management's Discussion and Analysis;
Effective for fiscal year[A]: 2000.
Standards: SFFAS No. 16 Amendments to Accounting for Property, Plant,
and Equipment;
Effective for fiscal year[A]: 2000.
Standards: SFFAS No. 17 Accounting for Social Insurance;
Effective for fiscal year[A]: 2000.
Standards: SFFAS No. 18 Amendments to Accounting Standards for Direct
Loans and Loan Guarantees in SFFAS No. 2;
Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 19 Technical Amendments to Accounting Standards
for Direct Loans and Loan Guarantees in SFFAS No. 2;
Effective for fiscal year[A]: 2003.
Standards: SFFAS No. 20 Elimination of Certain Disclosures Related to
Tax Revenue Transactions by the Internal Revenue Service, Customs, and
Others;
Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 21 Reporting Corrections of Errors and Changes in
Accounting Principles;
Effective for fiscal year[A]: 2002.
Standards: SFFAS No. 22 Change in Certain Requirements for Reconciling
Obligations and Net Cost of Operations;
Effective for fiscal year[A]: 2001.
Standards: SFFAS No. 23 Eliminating the Category National Defense
Property, Plant, and Equipment;
Effective for fiscal year[A]: 2003.
Standards: SFFAS No. 24 Selected Standards for the Consolidated
Financial Report of the United States Government;
Effective for fiscal year[A]: 2002.
Standards: SFFAS No. 25 Reclassification of Stewardship
Responsibilities and Eliminating the Current Services Assessment;
Effective for fiscal year[A]: 2005.
Interpretations: No. 1 Reporting on Indian Trust Funds.
Interpretations: No. 2 Accounting for Treasury Judgment Fund
Transactions;
Interpretations: No. 3 Measurement Date for Pension and Retirement
Health Care Liabilities;
Interpretations: No. 4 Accounting for Pension Payments in Excess of
Pension Expense;
Interpretations: No. 5 Recognition by Recipient Entities of Receivable
Nonexchange Revenue;
Interpretations: No. 6 Accounting for Imputed Intra-departmental Costs;
Source: FASAB.
[A] Effective dates do not apply to Statements of Federal Financial
Accounting Concepts and Interpretations.
[End of table]
[End of section]
Appendix IV: AAPC Technical Releases:
Technical release: TR-1 Audit Legal Letter Guidance;
AAPC release date: March 1, 1998.
Technical release: TR-2 Environmental Liabilities Guidance;
AAPC release date: March 15, 1998.
Technical release: TR-3 Preparing and Auditing Direct Loan and Loan
Guarantee Subsidies Under the Federal Credit Reform Act;
AAPC release date: July 31, 1999.
Technical release: TR-4 Reporting on Non-Valued Seized and Forfeited
Property;
AAPC release date: July 31, 1999.
Technical release: TR-5 Implementation Guidance on SFFAS No. 10:
Accounting for Internal Use Software;
AAPC release date: May 14, 2001.
Technical release: TR-6 Preparing Estimates for Direct Loan and Loan
Guarantee Subsidies Under the Federal Credit Reform Act (Amendments to
TR-3);
AAPC release date: January 2004.
Source: FASAB.
[End of table]
[End of section]
Appendix V: Checklists for Reviewing Systems under the Federal
Financial Management Improvement Act:
Checklist: GAO/AIMD-00-21.2.3 Human Resources and Payroll Systems
Requirements;
Issue date: March 2000.
Checklist: GAO-01-99G Seized Property and Forfeited Assets Systems
Requirements;
Issue date: October 2000.
Checklist: GAO/AIMD-21.2.6 Direct Loan System Requirements;
Issue date: April 2000.
Checklist: GAO/AIMD-21.2.8 Travel System Requirements;
Issue date: May 2000.
Checklist: GAO/AIMD-99-21.2.9 System Requirements for Managerial Cost
Accounting;
Issue date: January 1999.
Checklist: GAO-01-371G Guaranteed Loan System Requirements;
Issue date: March 2001.
Checklist: GAO-01-911G Grant Financial System Requirements;
Issue date: September 2001.
Checklist: GAO-02-171G Property Management Systems Requirements;
Issue date: December 2001.
Checklist: GAO-04-22G Benefit System Requirements;
Issue date: October 2003.
Checklist: GAO-04-650G Acquisition/Financial Systems Interface
Requirements;
Issue date: June 2004.
Checklist: GAO-04-763G Core Financial System Requirements (Exposure
Draft);
Issue date: July 2004.
Source: GAO.
[End of table]
[End of section]
Appendix VI: Comments from the Office of Management and Budget:
EXECUTIVE OFFICE OF THE PRESIDENT:
OFFICE OF MANAGEMENT AND BUDGET:
WASHINGTON, D: C. 20503:
THE CONTROLLER:
SEP 24 2004:
Ms. Sally E. Thompson:
Director, Financial Management and Assurance:
United States Government Accountability Office:
Washington, DC 20548:
Dear Ms. Thompson:
Thank you for the opportunity to comment on the GAO draft report
entitled "Financial Management: Improved Financial Systems are Key to
FFMIA Compliance."
Overall, OMB: agrees with your assessment that many Federal agencies
continue to make progress implementing the Federal Financial Management
Improvement Act (FFMIA). We also agree that agencies have a long way to
go before Federal managers begin receiving the financial information
they need to efficiently and effectively-manage day-to-day operations.
Indeed, our common goal goes far beyond attaining unqualified opinions
on agency financial statements. We are both striving for the creation
and use - for both government managers and the. taxpayer - of reliable,
useful and timely management information.
Nevertheless, Federal agencies have continued to show significantly
improved financial performance: most agencies are filing quarterly and
annual financial statements on a timely basis; financial statement
quality is improving as most agencies receive unqualified audit
opinions; long-standing material weaknesses are being resolved; and
monthly financial performance metrics for managing activities are in
widespread use.
We believe a major factor in bringing about the financial improvements
at Federal agencies has been the homework of performance standards we
established under the President's Management Agenda. The processes used
in evaluating agencies against these standards can also provide a
robust corroborative mechanism in evaluating compliance with the FFMIA.
They are more than an alternate route to substantial compliance - they
greatly buttress the already thorough audit processes currently in use.
When used in combination with information provided by an agency's
auditors, an accurate assessment of substantial compliance can be
attained.
Accordingly, as we indicated in our comments on last year's draft.
report, OMB believes that the addition of a statement of positive
assurance on FFMIA compliance would not be beneficial.
The draft report also recommends that OMB explore clarifying the
definition of "substantial compliance." We believe that our growing
experience helping agencies implement the high standards incorporated
in the President's Management Agenda will enable us to further refine
the existing FFMIA indicators associated with substantial compliance.
As such, we will consider this recommendation, as appropriate; in any
future policy and guidance updates.
We appreciate the opportunity to comment on the draft report and look
forward to continue working with GAO in improving Federal financial
management systems. If you have any questions please feel free to
contact David Alekson, Financial Systems Branch at 202.395.5642.
Sincerely,
Signed by:
Linda M. Springer:
Controller:
[End of section]
Appendix VII: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Sally E. Thompson, (202) 512-2600 Kay L. Daly, (202) 512-9312:
Acknowledgments:
In addition to those named above, Alberto Garza, Lisa M. Knight,
Michael S. LaForge, W. Stephen Lowrey, Gina K. Ross, Sandra S. Silzer,
and Bryan D. Weisbard made key contributions to this report.
(193054):
FOOTNOTES
[1] Pub. L. No. 101-576, 104 Stat. 2838 (1990).
[2] Federal Financial Management Improvement Act of 1996, Pub. L. No.
104-208, div. A., § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept.
30, 1996).
[3] There were initially 24 CFO Act agencies. (See Pub. L. No. 101-576,
§205, 104 Stat. 2838, 2842-43 (1990)). The Federal Emergency Management
Agency, one of the 24 CFO Act agencies, was subsequently transferred to
the new Department of Homeland Security (DHS) created effective March
1, 2003. DHS must prepare audited financial statements under the
Accountability of Tax Dollars Act of 2002 (Pub. L. No. 107-289, 116
Stat. 2049 (Nov. 7, 2002)). However, DHS was not established as a CFO
Act agency and therefore is not subject to FFMIA. Consideration is now
being given by each house of Congress to adding DHS to the list of CFO
Act agencies in the Department of Homeland Security Financial
Accountability Act, H.R. 4259 and S. 1567, 108th Congress.
[4] The Department of Commerce (Commerce), the Department of Energy
(Energy), the Environmental Protection Agency (EPA), the National
Science Foundation (NSF), the Nuclear Regulatory Commission (NRC), and
the Social Security Administration (SSA).
[5] U.S. Department of Veterans Affairs, Office of Inspector General,
Issues at VA Medical Center Bay Pines, Florida and Procurement and
Deployment of the Core Financial and Logistics System (CoreFLS), 04-
01371-177 (Washington, D.C.: August 2004).
[6] GAO, DOD Business Systems Modernization: Billions Continue to Be
Invested with Inadequate Management Oversight and Accountability, GAO-
04-615 (Washington, D.C.: May 27, 2004).
[7] GAO, Financial Management Systems: Lack of Disciplined Processes
Puts Implementation of HHS' Financial System at Risk, GAO-04-1008
(Washington, D.C.: Sept. 23, 2004).
[8] GAO, Business Modernization: Improvements Needed in Management of
NASA's Integrated Financial Management Program, GAO-03-507
(Washington, D.C.: Apr. 30, 2003); Information Technology: Architecture
Needed to Guide NASA's Financial Management Modernization, GAO-04-43
(Washington, D.C.: Nov. 21, 2003); Business Modernization: Disciplined
Processes Needed to Better Manage NASA's Integrated Financial
Management Program, GAO-04-118 (Washington, D.C.: Nov. 21, 2003);
Business Modernization: NASA's Integrated Financial Management Program
Does Not Fully Address Agency's External Report Issues, GAO-04-151
(Washington, D.C.: Nov. 21, 2003); Business Modernization: NASA's
Challenges in Managing Its Integrated Financial Management Program,
GAO-04-255 (Washington, D.C.: Nov. 21, 2003); and National Aeronautics
and Space Administration: Significant Actions Needed to Address Long-
standing Financial Management Problems, GAO-04-754T (Washington, D.C.:
May 19, 2004).
[9] GAO, Financial Management: FFMIA Implementation Critical for
Federal Accountability, GAO-02-29 (Washington, D.C.: Oct. 1, 2001);
Financial Management: FFMIA Implementation Necessary to Achieve
Accountability, GAO-03-31 (Washington, D.C.: Oct. 1, 2002); and
Financial Management: Sustained Efforts Needed to Achieve FFMIA
Accountability, GAO-03-1062 (Washington, D.C.: Sept. 30, 2003).
[10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993).
[11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994).
[12] Pub. L. No. 104-106, div. E, 110 Stat. 186, 679 (Feb. 10, 1996).
[13] The Accountability of Tax Dollars Act of 2002 extends the
requirement to prepare and submit audited financial statements to most
executive agencies not subject to the CFO Act unless they are exempted
by OMB. However, these agencies are not required to have systems that
are compliant with FFMIA.
[14] The American Institute of Certified Public Accountants recognizes
the federal accounting standards promulgated by the Federal Accounting
Standards Advisory Board as generally accepted accounting principles.
For a further description of federal accounting standards, see app. I.
[15] The SGL provides a standard chart of accounts and standardized
transactions that agencies are to use in all their financial systems.
[16] These five crosscutting initiatives are (1) improved financial
performance, (2) strategic human capital management, (3) competitive
sourcing, (4) expanded electronic government, and (5) budget and
performance integration.
[17] The authority for the creation of JFMIP is statutorily based. See
the Budget and Accounting Procedures Act of 1950, now codified at 31
U.S.C. 3511(d).
[18] See app. III for the systems requirements documents issued to
date.
[19] GAO/PCIE, Financial Audit Manual, GAO-01-765G (Washington, D.C.:
July 2004).
[20] GAO-01-765G, sections 701, 701A, 701B, and 260.58-.60.
[21] Of these 17 agencies, systems for 8 agencies were reported not to
be in substantial compliance with all three FFMIA requirements.
[22] GAO, Financial Management: Department of Homeland Security Faces
Significant Financial Management Challenges, GAO-04-774 (Washington,
D.C.: July 19, 2004).
[23] OMB Bulletin No. 01-02, Audit Requirements for Federal Financial
Statements (Oct. 16, 2000).
[24] GAO-02-29, GAO-03-31, and GAO-03-1062.
[25] A final rule issued by the Securities and Exchange Commission that
took effect in August 2003 provides guidance for implementations of
Sections 302, 404, and 906 of the Sarbanes-Oxley Act of 2002 (Pub. L.
No. 107-204, §§302, 404, 906 116 Stat. 745, 777, 789, 806 (July 30,
2002)), which requires publicly traded companies to establish and
maintain an adequate internal control structure and procedures for
financial reporting and include in the annual report a statement of
management's responsibility for and assessment of the effectiveness of
those controls and procedures in accordance with standards adopted by
the Securities and Exchange Commission.
[26] GAO-02-29.
[27] GAO-02-29 and GAO-03-31.
[28] Federal financial system requirements define an integrated
financial system as one that coordinates a number of previously
unconnected functions to improve overall efficiency and control.
Characteristics of such a system include (1) standard data
classifications for recording financial events, (2) common processes
for processing similar transactions, (3) consistent control over data
entry, transaction processing, and reporting, and (4) a system design
that eliminates unnecessary duplication of transaction entry.
[29] In our October 2003 FFMIA report, we stated that auditors had
discussed problems relating to nonintegrated financial management
systems at 12 agencies. As part of our analysis of the most recent
reports, it became apparent that the auditors for 1 additional agency
concluded that nonintegrated systems were a factor contributing to its
financial reporting difficulties for fiscal year 2002. Therefore, the
revised number of agencies with nonintegrated systems for fiscal year
2002 is 13.
[30] GAO, Financial Audit: IRS's Fiscal Years 2003 and 2002 Financial
Statements, GAO-04-126 (Washington, D.C.: Nov. 13, 2003).
[31] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[32] Agencies record their budget spending authorizations in their fund
balance with Treasury accounts. Agencies increase or decrease these
accounts as they collect or disburse funds.
[33] PSC is an administrative office that provides program support
services to HHS components and other federal agencies through fee-for-
service. PSC's major business lines include financial management and
administrative operations.
[34] The PSC CORE Accounting system is the nucleus of PSC's accounting
operations and accepts and processes data supplied by 8 of the 12 HHS
agencies as well as from Payroll, Travel, and Payment Management
Systems.
[35] USAID's ARS obtains obligation and contract data and uses this
information to calculate estimated quarterly expenses against
individual contracts, grants, or obligation line items.
[36] GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.:
January 2003).
[37] Pub. L. 107-347, title III, §301, 116 Stat. 2899, 2946-2961
(December 17, 2002).
[38] GAO, Information Security: Continued Efforts Needed to Sustain
Progress in Implementing Statutory Requirements, GAO-04-483T
(Washington, D.C.: Mar. 16, 2004).
[39] GAO-03-1062.
[40] The PMO, which is managed by JFMIP's Executive Director, with
funds provided by the CFO Council agencies, tests vendor COTS packages
and certifies that they meet certain financial management system
requirements for core financial systems.
[41] GAO-03-1062.
[42] SEI is a federally funded research and development center operated
by Carnegie Mellon University and sponsored by DOD. The SEI objective
is to provide leadership in software engineering and in the transition
of new software engineering technology into practice.
[43] IEEE develops standards for a broad range of global industries,
including the information technology and information assurance
industries.
[44] Steve McConnell, Rapid Development: Taming Wild Software Schedules
(Redmond, Wash.: Microsoft Press, 1996).
[45] GAO-04-615.
[46] Business systems include those that are used to support civilian
and military personnel, finance, logistics, procurement, and
transportation.
[47] GAO-04-1008.
[48] GAO-03-507, GAO-04-43, GAO-04-118, GAO-04-151, GAO-04-255, and
GAO-04-754T.
[49] GAO-04-615.
[50] See GAO, Department of Defense: Long-standing Problems Continue to
Impede Financial and Business Management Transformation, GAO-04-907T
(Washington, D.C.: July 7, 2004).
[51] NIH and CMS have efforts under way to replace their financial
systems that are expected to be fully implemented in 2006 and 2007,
respectively.
[52] GAO-04-1008.
[53] GAO-03-507, GAO-04-43, GAO-04-118, GAO-04-151, GAO-04-255, and
GAO-04-754T.
[54] GAO, Fiscal Year 2003 U.S. Government Financial Statements:
Sustained Improvement in Federal Financial Management Is Crucial to
Addressing Our Nation's Future Fiscal Challenges, GAO-04-477T
(Washington, D.C.: Mar. 3, 2004).
[55] E-gov is a PMA initiative. OMB has selected 25 presidential e-gov
efforts that focus on a wide variety of services, aiming to simplify
and unify agency work processes and information flows, provide one-stop
services to citizens, and enable information to be collected online
once and reused rather than being collected many times.
[56] GAO, Human Capital: Key Principles for Effective Strategic
Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 2003).
[57] GAO, Executive Guide: Creating Value Through World-class Financial
Management, GAO/AIMD-00-134 (Washington, D.C.: April 2000).
[58] GAO-02-29 and GAO-03-31.
[59] GAO-02-29 and GAO-03-31.
[60] Core financial systems, as defined by the Program Management
Office, include those systems for managing general ledger, funding,
payments, receivables, and certain basic cost functions.
[61] Examples of administrative systems include budget, acquisition,
travel, property, and human resources and payroll.
[62] OMB Circular No. A-127 references the series of publications
called FFMSRs, issued by PMO, as the primary source of governmentwide
requirements for financial management systems.
[63] In October 1990, the Secretary of the Treasury, the Director of
OMB, and the Comptroller General established FASAB to develop a set of
generally accepted accounting standards for the federal government.
Effective October 1, 2003, FASAB consists of six nonfederal or public
members, one member from the Congressional Budget Office, and the three
Sponsors.
[64] Accounting standards are authoritative statements of how
particular types of transactions and other events should be reflected
in financial statements. SFFACs explain the objectives and ideas upon
which FASAB develops the standards.
[65] An interpretation is a document of narrow scope that provides
clarifications of original meaning, additional definitions, or other
guidance pertaining to an existing federal accounting standard.
[66] In 1997, FASAB, in conjunction with OMB, Treasury, GAO, the CFO
Council, and the President's Council on Integrity and Efficiency,
established AAPC to assist the federal government in improving
financial reporting.
[67] SGL guidance is published in the Treasury Financial Manual.
Treasury's Financial Management Service is responsible for maintaining
the SGL and answering agency inquiries.
[68] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3 (Washington, D.C.: November 1999).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: