This is the accessible text file for GAO report number GAO-06-970 entitled 'Financial Management: Improvement Under Way but Serious Financial Systems Problems Persist' which was released on September 27, 2006.

GAO: September 2006: Financial Management: Improvements Under Way but Serious Financial Systems Problems Persist: FFMIA Fiscal Year 2005 Results: GAO-06-970:

GAO Highlights: Highlights of GAO-06-970, a report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate and the Committee on Government Reform, House of Representatives

Why GAO Did This Study: The ability to produce the financial information needed to efficiently and effectively manage the day-to-day operations of the federal government and provide accountability to taxpayers continues to be a challenge for most federal agencies. 
To help address this challenge, the Federal Financial Management Improvement Act of 1996 (FFMIA) requires the Chief Financial Officers (CFO) Act agencies to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) federal accounting standards, and (3) the U.S. Government Standard General Ledger at the transaction level. FFMIA also requires GAO to report annually on the implementation of the act.

What GAO Found: While the number of CFO Act agencies receiving unqualified opinions on their financial statements has increased significantly since 1997, the number of CFO Act agencies that did not substantially comply with FFMIA has remained fairly constant as shown below. Although agencies have made improvements and have other enhancements under way, the systems deficiencies that have prompted unfavorable FFMIA assessments indicate that the financial management systems of many agencies are still not able to routinely produce reliable, useful, and timely financial information. GAO views the continuing lack of compliance with FFMIA and the associated problems with agency financial systems to be significant challenges to improving the management of the federal government.

Figure: CFO Act agencies not in compliance: [See PDF for Image] Source: GAO analysis, based on independent auditors' financial statement audit reports prepared by agency inspectors general and contract auditors for fiscal years 1997 through 2005. [End of Figure]

For fiscal year 2005, auditors for five agencies provided negative assurance that agency systems substantially complied with FFMIA as allowed by the Office of Management and Budget's (OMB) current audit guidance. This means that nothing came to their attention to indicate that agency financial management systems did not substantially comply with FFMIA requirements. GAO continues to believe that this type of reporting is not sufficient for reporting under the act. 
In addition, negative assurance may provide the false impression that the auditors are reporting that the agencies’ systems are compliant. In contrast, auditors for the Department of Labor (Labor) provided positive assurance, which is an opinion, by reporting that Labor’s financial management systems substantially complied with FFMIA requirements—a reporting practice that adds more value. Auditors have expressed concern about providing positive assurance because of the need to clarify the meaning of substantial compliance. In addition, some auditors stated that a change in OMB’s guidance that permits negative assurance would be necessary for them to provide an opinion on FFMIA compliance. To help address financial management systems deficiencies, OMB continues to move ahead on initiatives to enhance financial management in the federal government. Moreover, the continuing leadership and support of Congress will be crucial in reforming financial management in the federal government.

What GAO Recommends: GAO reaffirms its prior recommendations that OMB revise its guidance to require positive assurance regarding substantial compliance with FFMIA, and clarify the meaning of substantial compliance. As in the past, OMB did not agree with GAO's view on auditors providing positive assurance on FFMIA, but agreed to consider clarifying the definition of substantial compliance in future policy and guidance updates. GAO believes positive assurance is required by FFMIA and will continue to work with OMB on this issue.

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-970]. To view the full product, including the scope and methodology, click on the link above. For more information, contact McCoy Williams at (202) 512-9095 or williamsm1@gao.gov. 
[End of Section]

Report to Congressional Committees:

Contents:

Letter:
Results In Brief:
Background:
Scope and Methodology:
FFMIA Assessments Identify Continuing Systems Weaknesses:
Federal Financial Management System Initiatives Continue to Evolve:
Conclusions:
Agency Comments and Our Evaluation:
Appendix I: Requirements and Standards Supporting Federal Financial Management:
Financial Management Systems Requirements:
Federal Accounting Standards:
U.S. Government Standard General Ledger:
Internal Control Standards:
Appendix II: Publications in the Federal Financial Management Systems Requirements Series:
Appendix III: Statements of Federal Financial Accounting Concepts, Standards, Interpretations, and Technical Bulletins:
Appendix IV: AAPC Technical Releases:
Appendix V: Checklists for Reviewing Systems under the Federal Financial Management Improvement Act:
Appendix VI: Comments from the Office of Management and Budget:
Appendix VII: Auditors’ FFMIA Assessments for Fiscal Year 2005:
Appendix VIII: GAO Contact and Staff Acknowledgments:

Table:

Table 1: Key Causes of Systems Implementation Failure:

Figures:

Figure 1: Auditors’ FFMIA Assessments for Fiscal Years 1997 through 2005:
Figure 2: Problems Reported by Auditors for Fiscal Years 2001 through 2005:
Figure 3: Auditors’ FFMIA Assessments for Fiscal Years 1997 through 2005:
Figure 4: Auditors’ Assessments of Substantial Compliance with FFMIA’s Three Requirements for Fiscal Years 1997 through 2005:
Figure 5: Problems Reported by Auditors for Fiscal Years 2001 through 2005:
Figure 6: Overall Vision of the Financial Management Line of Business:
Figure 7: Governance Structure:
Figure 8: Agency Systems Architecture:

Comptroller General of the United States:
United States Government Accountability Office:
Washington, DC 20548:

September 26, 2006:

The Honorable Susan M. Collins: Chairman: The Honorable Joseph I. 
Lieberman: Ranking Minority Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Tom Davis: Chairman: The Honorable Henry A. Waxman: Ranking Minority Member: Committee on Government Reform: House of Representatives: The lack of reliable, useful, and timely financial data needed to efficiently and effectively manage the day-to-day operations of the federal government and provide accountability to taxpayers and the Congress continues to be a weakness at many federal agencies. To address this long-standing weakness, the Congress mandated financial management reform within the federal government by enacting the Chief Financial Officers (CFO) Act of 1990.[Footnote 1] The CFO Act laid the foundation for a comprehensive reform of federal financial management by establishing a leadership structure, requiring audited financial statements, and strengthening accountability reporting. This act also requires agencies to implement modern financial management systems in order to attain the systematic measurement of performance; the development of cost information; and the integration of program, budget, and financial information for management reporting. The end goal of the CFO Act is to greatly enhance the ability of managers to do their jobs by providing the full range of financial information needed for day-to-day management. The Federal Financial Management Improvement Act of 1996[Footnote 2] (FFMIA) was enacted on September 30, 1996, and builds on the foundation laid by the CFO Act by highlighting the need for agencies to have financial management systems that are able to generate reliable, useful, and timely information needed to make fully informed decisions and to ensure accountability on an ongoing basis. 
FFMIA requires the major departments and agencies covered by the CFO Act[Footnote 3] to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the U.S. Government Standard General Ledger (SGL) at the transaction level. The act also requires auditors to state in their audit reports whether the agencies' financial management systems comply with the act's requirements. In addition, we are required to report annually on the implementation status of the act. This report, our tenth, discusses (1) the auditors' assessments of agency systems' compliance with FFMIA requirements for fiscal years 1997 through 2005 and the financial management systems problems that continued to affect systems' FFMIA compliance in fiscal year 2005 and (2) the initiatives under way to help move federal financial management toward FFMIA compliance. We conducted our work from January through July 2006 in Washington, D.C., Baltimore, Md., and Kansas City, Mo., in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from the Director of OMB or his designee. We received written comments from the OMB Controller. OMB's comments are discussed in the Agency Comments and Our Evaluation section and reprinted in appendix VI. Results In Brief: Since the passage of FFMIA, there has been progress in achieving the requirements of this landmark legislation. While improvements have been made throughout government, much work remains to fulfill the underlying goals of the CFO Act and FFMIA. Notably, the number of CFO Act agencies receiving unqualified opinions on their financial statements has increased significantly since FFMIA reporting began in 1997. 
In fiscal year 1997, 11 of the CFO Act agencies attained unqualified opinions on their financial statements, while 19[Footnote 4] agencies received unqualified opinions for fiscal year 2005. As shown in figure 1, the ability of federal financial management systems to fully address FFMIA requirements has not advanced at the same pace. In fiscal year 1997, 20 agencies were reported as having systems that were not in substantial compliance with at least one of the three FFMIA systems requirements, while in fiscal year 2005, auditors for 18 of the CFO Act agencies reported that the agencies' financial management systems did not substantially comply with at least one of the three FFMIA requirements. While progress has been made in addressing financial management systems' weaknesses, the lack of substantial compliance with the three requirements of FFMIA, and the associated deficiencies, indicates that the financial management systems of many agencies are still not able to routinely produce reliable, useful, and timely financial information. Consequently, the federal government's access to relevant, timely, and reliable data to effectively manage and oversee its major programs, which is the ultimate objective, was and continues to be restricted. Figure 1: Auditors' FFMIA Assessments for Fiscal Years 1997 through 2005: [See PDF for image] Source: GAO analysis, based on independent auditors' financial statement audit reports prepared by agency inspectors general and contract auditors for fiscal years 1997 through 2005. [End of figure] In fiscal year 2005, auditors for five[Footnote 5] of the six other CFO Act agencies provided what is termed negative assurance of FFMIA compliance. In essence, they reported that nothing came to their attention during the course of their planned audit procedures to indicate that these agencies' financial management systems did not meet FFMIA requirements. 
Negative assurance is the level of assurance specified by the Office of Management and Budget's (OMB) audit guidance for reporting on FFMIA compliance. From our perspective, FFMIA requires auditors to provide positive assurance, which is an opinion, on FFMIA compliance. The auditors for one agency, the Department of Labor (Labor), provided positive assurance, as required by the act, when they reported that in their opinion, Labor's financial management systems substantially complied with the requirements of FFMIA. Providing positive assurance requires some additional testing beyond that typically performed by auditors to render an opinion on financial statements. For example, in performing financial statement audits, auditors generally focus on the capability of the financial management systems to process and summarize financial information that flows into agency financial statements. In contrast, FFMIA requires auditors to take a broader perspective and consider the financial management systems' capability to also reliably record and report financial information for a variety of purposes beyond financial statements. Thus FFMIA furthers the ultimate goal of improving financial management systems in the federal government and assisting agency managers in having timely access to reliable data for decision-making purposes. This, in turn, will allow them to do their jobs more efficiently and effectively. For this reason, this second year of Labor's auditors providing positive assurance on FFMIA compliance continues to be a very noteworthy achievement by Labor. We look forward to other agencies opting to upgrade their level of assurance on this matter as required by the act. Auditors for the majority of the agencies we visited stated that additional guidance on the definition of substantial compliance would facilitate their assessments of financial management systems for FFMIA reporting. 
Some auditors also indicated that a change in OMB's guidance on FFMIA reporting would be necessary for them to shift to providing opinions on FFMIA compliance. As shown in figure 2, based on our review of the fiscal year 2005 financial statement audit reports for the 18 agencies with systems reported not to be in substantial compliance with one or more of the three FFMIA requirements, the same six primary problems that we have previously reported continue to exist. While more severe at some agencies than others, the nature and seriousness of the problems reported indicate that most agencies' financial management systems are frequently unable to routinely produce reliable, useful, and timely financial information. We view the problems with agencies' financial management systems to be a significant challenge to improving the financial management of the federal government, because the problems indicate that many agencies are still a long way from accomplishing what was envisioned with the passage of the CFO Act of 1990 and the more recent passage of FFMIA in 1996. Figure 2: Problems Reported by Auditors for Fiscal Years 2001 through 2005: [See PDF for image] Source: GAO analysis, based on independent auditors' financial statement audit reports prepared by agency inspectors general and contract auditors for fiscal years 2001 through 2005. [End of figure] In an effort to comply with FFMIA and address problems such as nonintegrated systems, inadequate reconciliations, and lack of compliance with the SGL, a number of agencies have efforts under way to implement new financial management systems, to upgrade existing systems, or to move to a shared service provider. Agencies anticipate that the new systems will provide reliable, useful, and timely data to support managerial decision making. 
However, significant problems in the development and implementation of new financial management systems were reported for several agencies in fiscal year 2005, especially when agencies did not follow appropriate best practices to ensure the efficient and effective implementation of these systems. OMB continues to move forward on initiatives that support the President's Management Agenda (PMA) to enhance financial management and provide results-oriented information in the federal government. A key initiative has been the further development of the financial management line of business to promote leveraging shared service solutions to enhance the government's performance and services. However, challenges exist in implementing the financial management line of business. For example, as we reported in March 2006,[Footnote 6] the requirements for agencies and private sector firms to become shared service providers and the services they must provide have not been adequately documented or effectively communicated to agencies and the private sector. OMB has not provided the current selected shared service providers with standard document templates needed to minimize risk, provide assurance, and develop understandings with customers on topics such as service-level agreements[Footnote 7] and a concept of operations. Further, processes have not been put in place to facilitate agency decisions on selecting a provider or focusing investment decisions on the benefits of standard processes and shared service providers. We made a number of recommendations to address these issues and OMB has projects under way to develop standard business processes, a common accounting code, and specific measures to assess the performance of the shared service providers to help address some shortcomings. 
Because the federal government is one of the largest, most complex organizations in the world, operating, maintaining, and modernizing its financial management systems represents a monumental challenge--from both cost and technical perspectives. As pressure mounts to increase accountability and efforts to reduce federal spending intensify, sustained and committed leadership will be a key factor in the successful implementation of governmentwide initiatives. While we are not making any new recommendations in this report, we reaffirm our prior recommendations aimed at enhancing OMB's audit guidance related to FFMIA assessments. Specifically, we recommended that OMB (1) require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with the requirements of FFMIA and (2) explore further clarification of the definition of "substantial compliance" to encourage consistent reporting. In commenting on a draft of this report, OMB agreed with our assessment that many federal agencies still need to make improvements to generate more accurate and timely financial information to optimize day-to-day operations. As in previous years, we and OMB have differing views on the level of audit assurance necessary for assessing and reporting on compliance with FFMIA. While OMB commended Labor's auditors for taking the steps needed to provide positive assurance and encouraged similar efforts at other agencies, it stated that requiring a statement of positive assurance for all agencies was not necessary. We continue to believe that a statement of positive assurance is a statutory requirement under the act and will continue to work with OMB on this issue. OMB did agree to consider clarifying the definition of "substantial compliance" in its future policy and guidance updates. Our detailed evaluation of OMB's comments can be found at the end of this letter. 
Background: FFMIA is part of a series of management reform legislation passed by the Congress over the past two decades. This series of legislation started with the Federal Managers' Financial Integrity Act of 1982[Footnote 8] (FMFIA), which the Congress passed to strengthen internal controls and accounting systems throughout the federal government, among other purposes. Issued pursuant to 31 U.S.C. § 3512 (c), (d), still commonly known as FMFIA, the Comptroller General's Standards for Internal Control in the Federal Government[Footnote 9] provides the standards that are directed at helping agency managers implement effective internal control, an integral part of improving financial management systems. Internal control is a major part of managing an organization and comprises the plans, methods, and procedures used to meet missions, goals, and objectives. In summary, internal control, which under OMB's guidance for FMFIA is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources. Effective internal control also helps in managing change to cope with shifting environments and evolving demands and priorities. As programs change and agencies strive to improve operational processes and implement new technological developments, management must continually assess and evaluate its internal control to ensure that the control activities being used are effective and updated when necessary. While agencies had achieved some early success in identifying and correcting material internal control and accounting system weaknesses, their efforts to implement FMFIA had not produced the results intended by the Congress. Therefore, in the 1990s, the Congress passed additional management reform legislation to improve the general and financial management of the federal government. 
This legislation includes the (1) CFO Act of 1990, (2) Government Performance and Results Act of 1993,[Footnote 10] (3) Government Management Reform Act of 1994,[Footnote 11] (4) FFMIA, (5) Clinger-Cohen Act of 1996,[Footnote 12] (6) Accountability of Tax Dollars Act of 2002,[Footnote 13] (7) Improper Payments Information Act of 2002,[Footnote 14] and (8) Department of Homeland Security (DHS) Financial Accountability Act of 2004.[Footnote 15] The combination of reforms ushered in by these laws, if successfully implemented, provides a solid foundation to improve the accountability of government programs and operations as well as to routinely produce valuable cost and operating performance information. These financial management reform acts emphasize the importance of improving financial management across the federal government. In particular, building on the foundation laid by the CFO Act, FFMIA emphasizes the need for CFO Act agencies to have systems that are able to generate reliable, useful, and timely information for decision-making purposes and to ensure ongoing accountability. FFMIA requires the departments and agencies covered by the CFO Act to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards,[Footnote 16] and (3) the SGL[Footnote 17] at the transaction level. FFMIA also requires auditors to state in their CFO Act financial statement audit reports whether the agencies' financial management systems substantially comply with these three FFMIA systems requirements. Appendixes I through IV include details on the various requirements and standards that support federal financial management. Guidance for FFMIA Issued by OMB: OMB establishes governmentwide financial management systems policies and requirements and has issued two sources of guidance related to FFMIA reporting. First, OMB Bulletin No. 
01-02, Audit Requirements for Federal Financial Statements, dated October 16, 2000, prescribed audit requirements, including specific language auditors should use when reporting on an agency system's substantial compliance with the three FFMIA requirements. Specifically, this guidance called for auditors to provide negative assurance when reporting on an agency system's FFMIA compliance. On August 23, 2006, OMB issued Bulletin No. 06-03, Audit Requirements for Federal Financial Statements, which superseded OMB Bulletin No. 01-02. The new bulletin did not substantially revise OMB's FFMIA audit guidance contained in Bulletin No. 01-02. Second, in OMB Memorandum, Revised Implementation Guidance for the Federal Financial Management Improvement Act (Jan. 4, 2001), OMB provides guidance for agencies and auditors to use in assessing substantial compliance. The guidance describes the factors that should be considered in determining whether an agency's systems substantially comply with FFMIA's three requirements. Further, the guidance provides examples of the types of indicators that should be used as a basis for assessing whether an agency's systems are in substantial compliance with each of the three FFMIA requirements. Finally, the guidance discusses the corrective action plans, to be developed by agency officials, for bringing their systems into compliance with FFMIA. Financial Audit Manual Section on FFMIA Developed by GAO and the President's Council on Integrity and Efficiency: We have worked in partnership with representatives from the President's Council on Integrity and Efficiency[Footnote 18] (PCIE) to develop and maintain the joint GAO/PCIE Financial Audit Manual (FAM). The FAM provides specific procedures auditors should perform when assessing FFMIA compliance.[Footnote 19] As detailed in appendix V, we have also issued a series of checklists to help assess whether agencies' systems meet systems requirements. 
The FAM guidance on FFMIA assessments recognizes that while financial statement audits offer some assurance on FFMIA compliance, auditors should design and implement additional testing to satisfy FFMIA criteria. For example, in performing financial statement audits, auditors generally focus on the ability of the financial management systems to process and summarize financial information that flows into annual agency financial statements. In contrast, FFMIA requires auditors to assess whether an agency's financial management systems comply with system requirements, accounting standards, and the SGL. To do this, auditors need to consider whether agency systems provide reliable, useful, and timely information for managing day-to-day operations so that agency managers would have the necessary information to measure performance on an ongoing basis rather than just at year end. Further, OMB's current audit guidance[Footnote 20] calls for financial statement auditors to review performance information for consistency with the financial statements, but does not require auditors to determine whether this information is available to managers for day-to-day decision making as called for by the FAM guidance for testing compliance with FFMIA. Scope and Methodology: We reviewed the fiscal year 2005 financial statement audit reports for the 24 CFO Act agencies to identify the auditors' assessments of agency financial systems' compliance and the problems that affect FFMIA compliance. Prior experience with the auditors and our review of their reports provided the basis for determining the sufficiency and relevancy of evidence provided in these documents. Based on their audit reports, we identified reported problems that affect agency systems' compliance with FFMIA. The problems identified in these reports are consistent with long-standing financial management weaknesses we have reported based on our work at a number of agencies. 
However, we caution that the occurrence of problems in a particular category may be even greater than auditors' reports of FFMIA noncompliance would suggest, because auditors may not have identified all instances of noncompliance with systems requirements and included all problems in their reports. We also met with OMB officials to discuss their current efforts to improve federal financial management and address our prior recommendations related to FFMIA. In addition, we performed site visits to 12 agencies to assess the amount and type of FFMIA-related work being performed by the independent public auditors. The agencies selected for visits included the 5 agencies where auditors provided negative assurance of FFMIA compliance in fiscal year 2005 (Commerce, Environmental Protection Agency (EPA), National Science Foundation (NSF), Office of Personnel Management (OPM), and Social Security Administration (SSA)); the agency where auditors provided an opinion, or positive assurance, of FFMIA compliance in fiscal year 2005 (Labor); the 2 agencies where auditors provided negative assurance of FFMIA compliance in fiscal year 2004 but reported those agencies as noncompliant in fiscal year 2005 (the Department of Energy (Energy) and the General Services Administration (GSA)); and 4[Footnote 21] of the agencies with the largest net costs as reported in the fiscal year 2005 Financial Report of the United States Government.[Footnote 22] We also met with representatives for the Inspector General of the Department of Defense (DOD), which has the largest net costs of any federal agency in fiscal year 2005, to confirm our understanding of its FFMIA-related audit procedures. We conducted our work from January 2006 through July 2006 in Washington, D.C., Baltimore, Md., and Kansas City, Mo., in accordance with U.S. generally accepted government auditing standards. We requested written comments on a draft of this report from the Director of OMB or his designee. 
We received written comments from the OMB controller. OMB's comments are discussed in the Agency Comments and Our Evaluation section and reprinted in appendix VI. We also received technical comments from OMB and the Departments of Health and Human Services and Transportation which we incorporated as appropriate. FFMIA Assessments Identify Continuing Systems Weaknesses: While the 24 CFO Act agencies have made demonstrable progress in producing auditable financial statements and progress in addressing their financial management systems weaknesses since the passage of FFMIA, about three-fourths are still not substantially compliant with FFMIA's three requirements. In contrast, the number of CFO Act agencies receiving unqualified opinions on their financial statements has increased significantly since 1997, when FFMIA reporting began. In fiscal year 1997, 11 of the CFO Act agencies attained unqualified opinions on their financial statements, while 19[Footnote 23] agencies received unqualified opinions in fiscal year 2005. As shown in figure 3, the ability of federal financial management systems to address FFMIA requirements has not advanced at the same pace. In fiscal year 1997, 20 agencies were reported as having systems that were not in substantial compliance with at least one of the three FFMIA systems requirements. In fiscal year 2005, auditors for 18 of the CFO Act agencies reported that the agencies' financial management systems do not substantially comply with at least one of the three FFMIA requirements. Figure 3: Auditors' FFMIA Assessments for Fiscal Years 1997 through 2005: [See PDF for image] Source: GAO analysis, based on independent auditors' financial statement audit reports prepared by inspectors general and contract auditors for fiscal years 1997 through 2005. [End of figure] Auditors' assessments for three agencies changed from fiscal year 2004 to 2005. 
For fiscal year 2005, auditors for OPM were able to provide negative assurance that OPM's financial management systems, as a whole, were substantially compliant with FFMIA's three requirements. Conversely, auditors for Energy and GSA reported that those agencies' financial management systems did not substantially comply with FFMIA requirements in fiscal year 2005, but had not reported any FFMIA compliance issues at those federal agencies in fiscal year 2004. At Energy, the auditors indicated that Energy's systems problems stemmed from the implementation of a new accounting system. At GSA, the auditors reported recently identified internal control weaknesses over financial reporting. In addition, consistent with the DHS Financial Accountability Act of 2004,[Footnote 24] which added DHS to the list of CFO Act agencies, DHS's auditors reported that the department's financial management systems did not substantially comply with any of the three FFMIA requirements for fiscal year 2005. Figure 4 summarizes auditors' assessments of agencies' compliance with the three requirements of FFMIA for fiscal years 1997 through 2005 and suggests that the instances of noncompliance with FFMIA's three requirements have remained fairly constant. In particular, in fiscal year 2005, auditors for eight agencies[Footnote 25] reported that their agencies' systems were not in substantial compliance with any of the three FFMIA requirements--federal financial management systems requirements, applicable federal accounting standards, or the SGL at the transaction level.

Figure 4: Auditors' Assessments of Substantial Compliance with FFMIA's Three Requirements for Fiscal Years 1997 through 2005:

[See PDF for image]

Source: GAO analysis, based on independent auditors' financial statement audit reports prepared by agency inspectors general and contract auditors for fiscal years 1997 through 2005.
[End of figure]

While substantially more CFO Act agencies have obtained clean or unqualified audit opinions on their financial statements, we are concerned over the number of CFO Act agencies that have restated certain of their financial statements. As we have previously reported,[Footnote 26] a number of CFO Act agencies have restated certain of their financial statements over the past few years to correct for material errors. Errors in financial statements result from mathematical mistakes, mistakes in the application of accounting principles, or oversight or misuse of facts that existed at the time the financial statements were prepared. Generally, these restatements resulted from weaknesses in internal control over the processing and reporting of certain transactions and inadequate audit procedures to detect these errors. The auditors for the seven agencies that restated their financial statements in fiscal year 2005 also reported that the agencies' financial systems had not met FFMIA requirements. Further, restatements raise questions about the reliability of other information in previously issued financial statements and indicate a continuing lack of improvement in the underlying agency financial systems. Frequent restatements to correct errors can undermine public trust and confidence in both the entity and all responsible parties.

Auditors Mostly Provide Negative Assurance on FFMIA Compliance:

In fiscal year 2005, auditors for five agencies (Commerce, EPA, NSF, OPM, and SSA) provided negative assurance that the agencies' systems were compliant with FFMIA requirements. The auditor for one agency, Labor, provided positive assurance on FFMIA compliance. From our perspective, FFMIA requires auditors to provide positive assurance, which is an opinion, because section 803 (b)(1) of FFMIA requires auditors to "report whether the agency financial management systems comply with the requirements of [the act]."
Auditors provide negative assurance when they state that nothing came to their attention during the course of their planned procedures to indicate that the agency's financial management systems did not meet FFMIA requirements. Under generally accepted government auditing standards, there are no requirements to perform additional testing beyond that needed for a financial statement audit for an auditor to give negative assurance. However, if financial statement users are not familiar with the concept of negative assurance, which we believe is generally the case, they may incorrectly assume that these five agencies' systems have been fully tested by the auditors and that the agencies have achieved FFMIA compliance. In addition, testing that is not sufficient to support an opinion also means that an area of noncompliance may be missed; therefore, the number of problems in a particular category may be even greater than auditors' reports of FFMIA noncompliance would suggest, because not all problems are being included. Although OMB's current audit guidance[Footnote 27] instructs auditors to test for compliance with FFMIA, it does not provide guidance on the nature and extent of tests to be performed. It only calls for auditors to provide negative assurance when reporting whether an agency's systems are in substantial compliance with the three FFMIA requirements. We did note greater attention to assessing FFMIA compliance at the agencies we visited. Auditors at 8 of the 12 CFO Act agencies visited prepared and used a separate audit program to assess FFMIA compliance. Auditors stated that separate FFMIA audit programs were developed to ensure consistency and to share best practices among their audit teams. In fiscal years 2005 and 2004, auditors for Labor provided positive assurance of Labor's financial management systems' compliance with FFMIA requirements. 
For both years, Labor's Inspector General contracted with an independent public accounting firm to conduct the financial statement audit and included a provision to specifically perform an FFMIA examination in accordance with American Institute of Certified Public Accountants attestation standards.[Footnote 28] In general, providing positive assurance of FFMIA compliance requires auditors to perform more audit procedures than those needed to render an opinion on the financial statements. While financial statement audits in general will offer some assurance on FFMIA compliance, auditors should also design and implement additional testing to satisfy the criteria in FFMIA. For example, in performing financial statement audits, auditors generally focus on the capability of the financial management systems to process and summarize financial information that flows into agency financial statements. In contrast, assessing FFMIA compliance involves determining whether an agency's financial management systems comply with systems requirements. To do this, auditors need to consider whether agency systems provide complete, accurate, and timely information for managing day-to-day operations. For fiscal year 2005, Labor's independent auditor performed transaction testing, provided FAM Section 700 training to audit team members, analyzed whether financial management systems provided reliable and timely financial information for managing current operations to senior management and program managers, and completed the audit procedures provided in FAM 701A and associated Joint Financial Management Improvement Program (JFMIP) checklists for each operating division. The auditor estimated that the cost of the additional procedures needed to provide positive assurance was between $50,000 and $80,000. 
The efforts of Labor to perform the level of review necessary to provide positive assurance of FFMIA compliance in fiscal years 2005 and 2004 are noteworthy, and we look forward to other agencies adopting similar auditing and reporting practices. Performing audit procedures designed to provide positive assurance of an agency's financial management systems' compliance with FFMIA requirements can identify weaknesses and lead to improvements that enhance the performance, productivity, and efficiency of federal financial management systems. It also provides a clear "bottom line," whereas negative assurance does not. Therefore, as we have discussed in prior reports covering fiscal years 2000 through 2004,[Footnote 29] we continue to believe that our prior recommendation for OMB to require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with the three FFMIA systems requirements is still appropriate. Given OMB's explicit instruction to provide negative assurance, some auditors also indicated that a change in OMB's guidance on FFMIA reporting would be necessary in order for them to provide an opinion on FFMIA compliance. In a recent discussion with OMB officials, as well as OMB's comments on a draft of this report and our prior FFMIA reports, OMB continues to support the requirement for negative assurance of FFMIA compliance. While OMB agrees that testing should occur, and its guidance on FFMIA calls for it, it does not specify the nature and extent of audit procedures. OMB officials continue to express the belief that the level of testing needed for positive assurance may be too time-consuming and costly. OMB officials said that different, more coordinated approaches toward assessing an agency's internal controls and FFMIA compliance could provide sufficient assurance on an agency's systems. 
We share concerns about the added cost, but want to make our view quite clear that the focus needs to be on the ultimate end goal of having financial management systems able to routinely produce reliable, useful, and timely financial information. Until such systems exist, the ability of federal managers to effectively manage and oversee their major programs was and continues to be restricted. In its comments, OMB emphasized that its PMA and financial management line of business initiatives, along with the strengthened internal control requirements incorporated into the revised OMB Circular No. A-123, are helping agencies to identify and correct FFMIA deficiencies. We agree these initiatives can drive systems improvements and support OMB's leadership in this area. Our concern lies in the fact that the full value of independent auditors' assessments of FFMIA compliance will not be fully realized until auditors perform a sufficient level of audit work to be able to provide positive assurance that agencies are in compliance with FFMIA as called for in the act. When reporting an agency's financial management systems to be in substantial compliance, positive assurance from independent auditors will provide users with confidence that the agency systems provide the reliable, useful, and timely information envisioned by the act.

Additional FFMIA Guidance Needed:

As we have previously reported, a number of auditors we interviewed expressed a need for clarification on the definition of "substantial compliance." In fiscal year 2005, auditors for 7 of the 12 agencies we visited stated that additional guidance on the definition of substantial compliance would be useful. As a result, we reiterate our previous recommendation that OMB explore clarifying the definition of "substantial compliance" to meet the needs of the auditing community and to allow for consistent application of the doctrine.
In addition, 8 of the 12 independent auditors cited a need for additional guidance to assist them in assessing whether agency systems substantially comply with the three FFMIA requirements. For example, at SSA, the auditors reported a need for clearer guidance from OMB on assessing FFMIA compliance that is consistent with the GAO/PCIE FAM. Auditors for other agencies we visited professed a need for (1) more clearly defined and objective criteria to assist in their determination of FFMIA compliance, (2) more specific guidance on testing and sampling methodologies, and (3) additional guidance for assessing compliance with certain accounting standards, such as the Statement of Federal Financial Accounting Standards (SFFAS) No. 4, Managerial Cost Accounting Concepts and Standards for the Federal Government. In its comments, OMB stated that its growing experience helping agencies implement the PMA enables it to refine the existing FFMIA indicators associated with substantial compliance. Accordingly, OMB said it would consider our recommendation in any future policy and guidance updates.

Reasons for Noncompliance:

Audit reports for the 18 agencies reported to have systems not in substantial compliance with one or more of FFMIA's three requirements during fiscal year 2005 again identified the same six primary reasons for noncompliant agency systems. They ranged from serious, pervasive systems problems to less serious problems that may affect only one aspect of an agency's accounting operation:

* nonintegrated financial management systems,
* inadequate reconciliation procedures,
* lack of accurate and timely recording of financial information,
* noncompliance with the SGL,
* lack of adherence to federal accounting standards, and
* weak security controls over information systems.

Figure 5 shows the relative frequency of these problems at the agencies reported to have noncompliant systems.
The same six types of problems have been cited by auditors in the fiscal years 2001 through 2004 audit reports, although the auditors may not have reported these problems as specific reasons for their systems' lack of substantial compliance with the three FFMIA requirements. In addition, we caution that the occurrence of problems in any particular category may be even greater than auditors' reports of FFMIA noncompliance would suggest because auditors may not have identified all problems during the reviews.

Figure 5: Problems Reported by Auditors for Fiscal Years 2001 through 2005:

[See PDF for image]

Source: GAO analysis, based on independent auditors' financial statement audit reports prepared by agency inspectors general and contract auditors for fiscal years 2001 through 2005.

[End of figure]

Nonintegrated Financial Management Systems:

The CFO Act calls for agencies to develop and maintain integrated accounting and financial management systems[Footnote 30] that comply with federal systems requirements and provide for (1) complete, reliable, consistent, and timely information that is responsive to the financial information needs of the agency and facilitates the systematic measurement of performance; (2) the development and reporting of cost management information; and (3) the integration of accounting, budgeting, and program information. OMB Circular No. A-127, Financial Management Systems, requires agencies to establish and maintain a single integrated financial management system that conforms to functional requirements issued by the Financial Systems Integration Office (FSIO),[Footnote 31] formerly the Joint Financial Management Improvement Program (JFMIP). More details on the financial management systems requirements can be found in appendixes I and II.
The lack of integrated financial management systems typically results in agencies expending major effort and resources, including in some cases hiring external consultants, to develop information that their systems should be able to provide on a daily or recurring basis. Agencies with nonintegrated financial systems are also more likely to devote more time and resources to collecting information than those with integrated systems. In addition, opportunities for errors are increased when agencies' systems are not integrated. Auditors frequently mentioned the lack of integrated financial management systems in their fiscal year 2005 audit reports. As shown in figure 5, auditors for 13 of the 18 agencies with noncompliant systems reported this to be a problem, compared with 12 of the 16 agencies reported with noncompliant systems in fiscal year 2004. For example, auditors for the Department of Housing and Urban Development (HUD) reported that HUD has not been in compliance with FFMIA, in part due to the lack of an integrated financial management system, since fiscal year 1997, when reports under the act were first required. As a result, HUD has had to rely on extensive ad hoc analyses and special projects to produce account balances and disclosures. The auditors further reported that HUD's most significant system challenges exist at the Federal Housing Administration (FHA), which continues to conduct some day-to-day business operations with legacy-based systems, thereby limiting its ability to integrate the financial processing environment, although the auditors noted that FHA is making progress in achieving compliance with federal financial system requirements. 
Consequently, according to the HUD Office of Inspector General, since HUD's existing core financial system could be better integrated, more user-friendly, and less costly to maintain, HUD management is proceeding with plans to develop and implement a modern financial management system through the HUD Integrated Financial Management Improvement Project. At DHS, auditors reported that the financial management systems for Immigration and Customs Enforcement (ICE) and the U.S. Coast Guard lack appropriate integration. Specifically, DHS auditors reported that ICE had not successfully integrated the accounting processes of the five DHS components for which it became responsible in fiscal year 2004. Auditors also noted that ICE continued to operate unreliable processes and procedures that support accounting and financial reporting, resulting in material errors, irregularities, and abnormal balances in the DHS consolidated financial statements that existed for most of fiscal year 2004 and continued unresolved in fiscal year 2005. As a result, auditors reported that ICE's financial systems were inadequate to process financial transactions for the five DHS components. Further, auditors for the Coast Guard reported that the financial reporting process was complex and labor-intensive with a significant number of adjustments being made outside the core accounting system. In addition, Coast Guard officials had to perform a significant amount of manual review in order to integrate data from three separate general ledger systems. As a result, the auditors found that DHS was unable to prepare a consolidated financial statement for fiscal year 2005 until November 2005 and that the consolidated financial statement disclosures and notes contained critical errors and inconsistencies that required material adjustments to correct. 
Inadequate Reconciliation Procedures:

A reconciliation process, whether manual or automated, is a necessary and valuable part of a sound financial management system. The less integrated the financial management system, the greater the need for adequate reconciliations because data are being accumulated from a number of different sources. Reconciliations are needed to ensure that data have been recorded properly between the various systems and manual records. The Comptroller General's Standards for Internal Control in the Federal Government highlight reconciliation as a key control activity. As shown in figure 5, auditors for 14 of the 18 agencies with noncompliant systems reported that the agencies had reconciliation problems, including a number of agencies that could not reconcile their Fund Balance with Treasury (FBWT) accounts with the Department of the Treasury's (Treasury) records, compared with 11 of the 16 agencies reported with noncompliant systems in fiscal year 2004. Treasury policy requires agencies to reconcile their accounting records with Treasury records monthly (comparable to individuals reconciling their personal checkbooks to their monthly bank statements). As a case in point, in fiscal year 2005, the auditor for GSA reported instances of improper reconciliation procedures that contributed to errors in financial reporting. Specifically, the auditor noted that differences between budgetary account balances in various GSA subsystems and the core financial management system had not been reconciled, nor had proper budgetary account reconciliation procedures been developed. These weaknesses inhibit GSA management's ability to detect and prevent budgetary accounting and reporting misstatements. Further, the auditors noted that GSA continued to lack adequate controls for reconciling intragovernmental balances.
As a result, GSA has developed extensive manual workarounds and used estimates to determine the breakdown of revenue and receivables for DOD--the largest customer of GSA's Federal Acquisition Service. For example, as of June 30, 2005, GSA was unable to assign $582 million in unidentified receivable transactions to a specific department within DOD and therefore simply allocated this difference among the Department of the Army, Department of the Navy, and the Department of the Air Force. Proper reconciliation procedures would allow GSA to resolve these types of unidentified transactions, identify material out-of-balance conditions between federal entities, assist in the preparation of governmentwide financial statements, help ensure that intragovernmental balances are properly eliminated in the governmentwide financial statements, and provide some level of assurance that balances have been accurately and appropriately recorded.

Lack of Accurate and Timely Recording of Financial Information:

As shown in figure 5, auditors for 17 of 18 agencies with noncompliant systems reported the lack of accurate and timely recording of financial information as a problem for fiscal year 2005, compared with 16 of 16 agencies reported with noncompliant systems in fiscal year 2004. Accurate and timely recording of financial information is essential for successful financial management. Timely recording of transactions facilitates accurate reporting in agencies' financial reports and other management reports used to guide managerial decision making. In addition, having systems that record information in an accurate and timely manner is critical for key governmentwide initiatives, such as integrating budget and performance information.
In contrast, lack of timely recording of transactions during the fiscal year can result in agencies making substantial efforts at fiscal year-end to perform extensive manual financial statement preparation efforts that are susceptible to error and increase the risk of misstatements. For example, auditors for the Department of Health and Human Services (HHS) noted that one of the monthly reports prepared by the Program Support Center to reconcile the general ledger with Treasury's records has lost its usefulness due to old and invalid items that remain in the general ledger. Specifically, they identified differences with an absolute value of approximately $5.5 billion, in part due to transactions dating back to as early as 1993. In addition, the auditors noted that 53 of 105 reconciliations selected for review were not completed within HHS's allotted 30-day deadline--several taking up to 84 days to complete. Finally, the auditors identified more than 32,000 grants with net obligation balances of approximately $2.3 billion that were eligible to be closed. Many of those grants have been eligible for closure for several years. As a result of these and other problems, more than 270 entries with an absolute value of more than $208 billion were recorded outside the general ledger system. The auditors noted that the majority of these entries could have been eliminated by more timely analyses and reconciliations, as well as improved estimation methodologies.

Noncompliance with the SGL:

As shown in figure 5, auditors for 11 of the 18 agencies with noncompliant systems reported that the agencies' systems did not comply with SGL requirements for fiscal year 2005, compared with 11 of the 16 agencies reported with noncompliant systems in fiscal year 2004. FFMIA specifically requires federal agencies to implement the SGL at the transaction level.
Using the SGL promotes consistency in financial transaction processing and reporting by providing a uniform chart of accounts and pro forma transactions and provides a basis for comparison at the agency and governmentwide levels. The defined accounts and pro forma transactions standardize the accumulation of agency financial information as well as enhance financial control and support financial statement preparation and other external reporting. A lack of adherence to the SGL impedes the ability of the federal government to complete accurate, governmentwide financial statements. For example, auditors for the Small Business Administration (SBA) noted that certain accounting transactions were not recorded, processed, summarized, or reported in accordance with the SGL. Specifically, the auditors found that the SBA used improper rules to record a transaction, resulting in a subsidy account having a zero balance, while an expense account was misstated by $58 million. SBA also incorrectly characterized $30.5 million as a decrease in borrowing authority instead of an actual repayment of debt. Finally, the department used improper posting logic in preparing budget pro forma data, resulting in various overstatements and understatements totaling $24.2 million. Moreover, by not implementing the SGL, agencies may experience difficulties in providing consistent financial information across their components and functions. For example, auditors for the Department of Justice (DOJ) found that DOJ does not substantially comply with the SGL, in part due to noncompliance issues at the Federal Bureau of Investigation (FBI) and the United States Marshals Service (USMS). Specifically, the auditors noted that the FBI's financial management systems do not permit use of the SGL at the transaction level, in that certain transactions are processed outside of the core system and then must be recorded into the core system through a manual or automated batch transaction process. 
Further, USMS does not maintain transaction-level detail for upward and downward adjustments of prior-year undelivered orders and does not use an appropriate liability account, as called for by the SGL.

Lack of Adherence to Federal Accounting Standards:

One of FFMIA's requirements is that agencies' financial management systems account for transactions in accordance with federal accounting standards; however, agencies continue to face significant challenges in implementing these standards. As shown in figure 5, auditors for 11 of the 18 agencies with noncompliant systems reported that these agencies had problems complying with one or more federal accounting standards for fiscal year 2005, compared with 11 of the 16 agencies reported with noncompliant systems in fiscal year 2004. Appendixes III and IV list the federal financial accounting standards and other guidance issued by the Federal Accounting Standards Advisory Board and its Accounting and Auditing Policy Committee, respectively. The purpose of these standards and other guidance is to ensure that federal agencies' financial reports provide users with understandable, relevant, and reliable information about the financial position, activities, and results of operations of the U.S. government and its components. Auditors expressly reported compliance problems with 11 specific accounting standards in fiscal year 2005. Of those standards, the 3 that were most troublesome for agencies were SFFAS No. 1, Accounting for Selected Assets and Liabilities; SFFAS No. 4, Managerial Cost Accounting Concepts and Standards for the Federal Government; and SFFAS No. 6, Accounting for Property, Plant, and Equipment. In particular, SFFAS No. 4, which became effective in 1998 and requires the use of managerial cost accounting information in the decision-making process, continues to be difficult for federal managers to fully implement.
As we recently reported,[Footnote 32] the Department of Transportation (DOT) has in recent years shown strong leadership in developing managerial cost accounting systems both departmentwide and at the individual component agencies. For example, according to DOT officials, the Federal Aviation Administration--DOT's largest component agency--has completed the initial implementation of a managerial cost accounting system. Several other DOT component agencies are also implementing detailed costing and billing systems to meet their cost accounting needs. However, DOT management reported that it will be several years before cost accounting data systems are fully mature and include historical data that will allow DOT managers to integrate performance and accounting information. As a result, DOT managers will not know the full costs associated with their programs and activities, which could impair their decision-making abilities. Accurate and timely cost management information is critical for federal managers to transform how government agencies manage the business of government and vital in developing meaningful links between budget, accounting, and performance. Starting in July 2005, we performed a series of congressional briefings and issued corresponding reports[Footnote 33] concerning the status of managerial cost accounting activities at several large federal agencies, including Labor, Education, HHS, DOT, SSA, Treasury, and Veterans Affairs (VA). We found that generally these agencies have experienced uneven success in the implementation of managerial cost accounting and that managerial cost accounting-related internal controls within the agencies need to be strengthened. We also identified strong upper-level management support and leadership as a key component in the successful implementation of managerial cost accounting and promotion of managerial cost accounting information departmentwide.
Weak Security Controls over Information Systems:

Information security weaknesses are a major concern for federal agencies and the general public and one of the frequently cited reasons for noncompliance with FFMIA. As shown in figure 5, auditors for 16 of the 18 agencies with noncompliant systems reported security weaknesses in information systems to be a problem, compared with 15 of the 16 agencies reported with noncompliant systems in fiscal year 2004. These control weaknesses place vast amounts of government assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. Since 1997, we have considered information security to be a high-risk area at a governmentwide level. For example, the Department of Agriculture (Agriculture) and its component agencies accelerated their efforts during fiscal year 2005 to comply with the federal information security requirements; however, even though progress was made, the auditors noted that several material security weaknesses still exist. The weaknesses identified include an unreliable certification and accreditation process and ineffective controls in the general control environment, as well as weaknesses in controls over physical and logical access, inventory of systems and network equipment, effective policies and procedures, and vulnerability scanning[Footnote 34] and mitigation. The auditors noted that these departmental weaknesses have a significant impact on the integrity, confidentiality, and availability of systems and data. The recent information security breaches at Agriculture, VA, and other agencies compromised the personal data of millions of U.S. citizens and highlighted the importance of adequate system security policies and programs.
Robust federal security programs are critically important to properly protect personal and financial information and the privacy of individuals. On June 20, 2006, we reported[Footnote 35] on a number of actions that agencies can take to help guard against the possibility that databases of personally identifiable information are inadvertently compromised. We noted that a key step is to develop a privacy impact assessment--an analysis of how personal information is collected, stored, shared, and managed--whenever information technology is used to process personal information. In addition, agencies can take more specific practical measures aimed at preventing data breaches, including limiting the collection of personal information, limiting the time that these data are retained, limiting access to personal information and training personnel accordingly, and considering the use of technological controls, such as encryption, when data need to be stored on portable devices. On June 23, 2006, OMB issued a memorandum[Footnote 36] focusing on the protection of information that is being accessed remotely or physically transported outside an agency's secured location. Federal agencies are required to implement guidance developed by the National Institute of Standards and Technology for the protection of remote information. In addition, OMB recommends that all agencies implement additional safeguards, including data encryption and proper user authentication procedures for the remote access of data. Unresolved information security weaknesses can also compromise the reliability and availability of data recorded in or transmitted by an agency's financial management system. 
As a case in point, in fiscal year 2005, auditors for Treasury noted that the general controls over the department's computer systems did not effectively prevent unauthorized access to and disclosure of sensitive information, unauthorized changes to systems and application software, and unauthorized access to programs and files that control computer hardware and secure applications. In particular, weaknesses we reported[Footnote 37] in information security controls at the Internal Revenue Service (IRS) could result in unauthorized individuals being able to access, alter, or abuse proprietary IRS programs and electronic data and taxpayer information. The auditors noted that a key reason for Treasury's information security weaknesses was that the department had not yet fully implemented an agencywide information security program to ensure that controls were effectively established and maintained. They further reported that Treasury's information security programs and practices needed additional improvements to adequately protect the information systems that support the department's operations.

Federal Financial Management System Initiatives Continue to Evolve:

Agencies have a number of efforts under way to address their existing financial management systems problems. Recent efforts to modernize financial management systems have often exceeded budgeted costs, resulted in delays in delivery dates, and not provided the anticipated system functionality and performance. The key for federal agencies to avoid the long-standing problems that have plagued financial management system improvement efforts is to address the foremost causes of those problems and adopt solutions that reduce the risks associated with these efforts to acceptable levels.
Our March 2006 report[Footnote 38] discusses in detail the key causes of past financial management system implementation failures, the significant governmentwide initiatives currently under way, and actions that can be taken to improve the management and control of agency financial management system modernization efforts. The report also highlights some of the issues we identified with OMB's financial management line of business initiative and includes actions that would help reduce the risks associated with financial management system implementation efforts.

In a related initiative, OMB established the FSIO to address some of the responsibilities of the former JFMIP Program Management Office, which was realigned in December 2004. OMB will provide oversight and guidance to FSIO on priorities and expected performance, in consultation with the FSIO Transformation Team of the CFO Council. Further, OMB's December 2004 revision of Circular No. A-123, Management's Responsibility for Internal Control, which was effective for fiscal year 2006, is intended to strengthen requirements for conducting management's assessment of internal control over financial reporting. Through these various initiatives, OMB is taking action to improve financial management in the federal government. However, establishing good financial management throughout the federal government will also require changing the organizational culture of some federal agencies; therefore, the sustained leadership and support of the Congress has been and continues to be essential to the reform of financial management in the federal government.

Adherence to Best Practices Is Critical to Successful Modernization Initiatives:

Across government, agencies have many efforts under way to implement new financial management systems or to upgrade existing systems that may help improve FFMIA compliance. However, these efforts far too often result in systems that do not meet their cost, schedule, and performance goals.
While agencies anticipate that the new systems will provide reliable, useful, and timely data to support managerial decision making, our work and that of others has shown that this has often not been the case. For example, modernization efforts at Energy, HHS, DOD, and Treasury have been hampered by agencies not following best practices in systems development and implementation efforts (commonly referred to as disciplined processes).

* According to Energy's independent auditor,[Footnote 39] Energy implemented a new financial accounting system in April 2005, shortly after reorganizing and consolidating its finance and accounting services organization in October 2004. At the same time, Energy also adopted a new chart of accounts in conjunction with the new accounting system. Prior to 2005, Energy's auditors had consistently provided negative assurance that the financial management systems were in compliance with FFMIA; however, the reorganization and consolidation adversely affected the financial accounting staffing levels and skills mix throughout the department and Energy did not complete corrective actions to address these weaknesses. As a result, in the process of implementing the new system, Energy encountered a number of problems involving data conversion, reconciliation, posting, and reporting. Energy's auditor specifically noted problems in accounting for obligations, monitoring budget execution and control, reconciling integrated contractor trial balances with departmental records, reconciling accounting system modules to the general ledger, resolving various posting errors, and identifying and reporting intragovernmental transactions. The auditor also noted that, after the implementation of the new system, many reports needed for management, internal control, and audit purposes were no longer available.
These problems hindered the department's ability to assure the accuracy and completeness of data needed for audit testing and it was unable to provide the accurate and supportable financial statements required for audit. As a result, Energy's auditors issued a disclaimer on the fiscal year 2005 financial statements and concluded that the financial management systems did not substantially comply with federal financial management systems requirements and federal accounting standards.

* As part of its modernization effort, HHS developed plans to reduce the number of financial management systems from five to two using the Unified Financial Management System (UFMS). This system is expected to integrate the HHS financial management structure to provide more timely and consistent information and to promote the consolidation of accounting services throughout HHS. On the basis of our fiscal year 2004 review of UFMS,[Footnote 40] we reported that HHS had not effectively implemented the best practices needed to reduce the risks associated with the implementation of a new system. Specifically, we reported that the UFMS implementation project was schedule driven rather than event driven based on effectively implemented disciplined processes, with limited time devoted to critical steps in the system development life cycle. We also stated that data conversion and system interface challenges were critical to the ultimate success of UFMS. In April 2005, HHS deployed the core financial portion of UFMS at the Centers for Disease Control and Prevention (CDC) and the Food and Drug Administration (FDA).
Subsequently, auditors at HHS reported problems with the implementation process at CDC and FDA.[Footnote 41] Specifically, they stated that HHS experienced significant challenges in resolving issues with the system conversion and implementation, including configuration issues, insufficient resources, inadequate training, and limited report capability of financial and budget activity within the system. Furthermore, the auditors noted that UFMS, as currently configured, cannot produce financial statements. Therefore, FDA and CDC used cumbersome processes to crosswalk the unadjusted trial balance to the financial statements and to record thousands of nonstandard accounting entries both prior and subsequent to the UFMS conversion. For example, FDA recorded about 14,000 nonstandard accounting entries totaling an absolute value of approximately $9.4 billion to create the September 30, 2005, financial statements. In addition, CDC had to record (1) accounting entries totaling an absolute value of approximately $11.3 billion either to its financial statements or those of another HHS operating division; (2) adjustments totaling an absolute value of about $24.4 billion, related to conversion, data cleanup, corrections, account reclassifications, and other adjustments to conform to UFMS processing; and (3) an approximately $19.1 billion absolute value adjustment to the database used to generate financial statements as a result of conversion adjustments made in UFMS that could not be extracted into the database. The auditors reported that HHS management continues to develop and implement corrective actions to improve its implementation of UFMS, develop internal controls, train personnel, and develop necessary reports, policies, and procedures; however, they noted that sustained efforts will be necessary to overcome the seriousness of the weaknesses noted. 
* According to DOD management, the department's inability to comply materially with FFMIA is primarily the result of structural problems related to legacy accounting systems that do not accurately account for both budgetary and proprietary activities.[Footnote 42] Quite simply, according to DOD management, the department does not have the systems and accounting structures in place to achieve compliance with FFMIA. We have reported that DOD has historically been unable to develop and implement business systems on time, within budget, and with the promised capability. For example, in September 2005, we reported[Footnote 43] that the Department of the Navy spent approximately $1 billion for four largely failed pilot Enterprise Resource Planning (ERP) system[Footnote 44] efforts, without marked improvement in its day-to-day operations. Although the pilots used the same ERP commercial off-the-shelf software, inconsistencies in the design and implementation resulted in them not being interoperable. Furthermore, if there had been effective project management oversight of the pilot programs at the outset, there would not have been a need to, in essence, start over. The Navy now has a new ERP project under way, which early Navy estimates indicate will cost another $800 million. While the new project, as currently envisioned, has the potential to address some of the Navy's financial management weaknesses, it will not provide an all-inclusive end-to-end corporate solution for the Navy. For example, the current scope of the ERP does not provide for real-time asset visibility of shipboard inventory, which has been and continues to be a long-standing problem within the department. Further, there are still significant challenges and risks ahead as the project moves forward, such as developing and implementing 44 system interfaces with other Navy and DOD systems and converting data from legacy systems to the ERP system. 
In addition, the Navy does not have in place the structure to capture quantitative data that can be used to assess the effectiveness of the overall effort and has not established an independent verification and validation function.

* The ability to prepare the consolidated financial statements of the U.S. government (CFS) has been a long-standing challenge for Treasury's Financial Management Service. To address some of the internal control weaknesses identified in our audit report,[Footnote 45] Treasury began developing the Governmentwide Financial Report System (GFRS). The goal of this new system is to directly link information from federal agencies' audited financial statements to amounts reported in the CFS. We found[Footnote 46] that Treasury had not yet effectively implemented the disciplined processes necessary to provide reasonable assurance that GFRS will meet its performance, schedule, and cost goals. Specifically, Treasury had not (1) developed a concept of operations or any other document that adequately defines or documents the expected performance of GFRS, (2) developed a detailed project plan and schedule through completion of GFRS, (3) developed a budget justification for GFRS as called for in OMB Circular No. A-11,[Footnote 47] and (4) implemented the disciplined processes necessary to effectively manage the GFRS project. These deficiencies have contributed to the various usability problems encountered by its users. Going forward, it will be important for Treasury to better mitigate its risks so that long-standing internal control weaknesses regarding the preparation of the CFS can be eliminated and, more importantly, so that Treasury ends up with a system that fully meets its and agencies' needs.

In addition to the examples above, our March 2006 report[Footnote 48] summarizes many of the agencies' financial management system implementation failures that have been previously reported by us and agency inspectors general.
In our report, we identified several problems related to agencies' implementation of financial management systems in three recurring and overarching themes: disciplined processes, human capital management, and other information technology (IT) management practices. Key causes of failure within each area are identified in table 1. Although the implementation of any major system will never be a risk-free proposition, organizations that follow and effectively implement disciplined processes, along with effective human capital and other IT management practices, can reduce the risks of financial management system modernization efforts to acceptable levels.

Table 1: Key Causes of Systems Implementation Failure:

Disciplined processes: Requirements management;
Human capital management: Strategic workforce planning;
Other IT management: Enterprise architecture.

Disciplined processes: Testing;
Human capital management: Human resources;
Other IT management: Investment management.

Disciplined processes: Data conversion and system interfaces;
Human capital management: Change management;
Other IT management: Information security.

Disciplined processes: Risk management;
Human capital management: [Empty];
Other IT management: [Empty].

Disciplined processes: Project management;
Human capital management: [Empty];
Other IT management: [Empty].

Source: GAO analysis and inspectors general reports.

[End of Table]

Goals for the Financial Management Line of Business Have Been Established:

To help address financial management systems' weaknesses and implementation failures and to support the President's Management Agenda goal to expand electronic government, OMB launched the financial management line of business in March 2004. The financial management line of business was one of five original lines of business that were initiated to develop business-driven, common solutions for specific lines of business that extend across the entire federal government.
OMB and designated agency lines of business task forces plan to use enterprise architecture-based principles and best practices to identify common solutions for business processes, technology-based shared services, or both, to be made available to government agencies. The original five lines of business were financial management, human resources management, grants, federal health architecture, and case management.[Footnote 49] These lines of business share similar business requirements and processes. In March 2005, OMB started a task force to address a sixth line of business on IT security. As introduced in the President's fiscal year 2007 budget proposal, three new lines of business initiatives will join the six existing lines of business. The three new lines of business are IT infrastructure optimization, geospatial, and budget formulation and execution.[Footnote 50] The financial management line of business initiative promotes leveraging shared service solutions to enhance the government's performance and services, such as establishing shared service providers to consolidate financial management activities for major agencies. Under this initiative, OMB developed an approach for competitively migrating financial management systems to a limited number of shared service providers, including OMB designated federal shared service providers, or private sector entities.[Footnote 51] As part of the fiscal year 2006 budget process, in February 2005 OMB designated four federal agencies[Footnote 52] as governmentwide financial management shared service providers. OMB evaluated business cases submitted by agencies using a due diligence checklist and selected the four agencies to be shared service providers. Three of the agencies have had significant experience providing financial management services to other small federal entities. 
OMB has indicated that other agencies may also serve as shared service providers in the future, but has not yet established any limits or targets on the number of providers to be designated. Although there have been subsequent requests by agencies and departments to become shared services providers, as of September 2006, OMB has not designated any new providers beyond the four original service providers previously selected. According to OMB's Migration Planning Guidance that was issued in September 2006, OMB has encouraged private sector providers that can satisfy the shared services requirements to participate in the procurement process for these services. Agencies are responsible for determining, through competition, if a private sector shared service provider meets the financial management line of business requirements. OMB officials told us they may consider the designation of these providers in the future. In a December 2005 memorandum[Footnote 53] to agency CFOs, OMB provided an update on the financial management line of business. The memorandum explained that the overall vision of the financial management line of business (as depicted in fig. 6) is to improve the cost, quality, and performance of financial management systems by leveraging shared service solutions and implementing other governmentwide reforms that foster efficiencies in federal financial operations. 
The memorandum also stated that the goals of the financial management line of business include:

* providing timely and accurate data for decision-making;

* facilitating stronger internal controls that ensure integrity in accounting and other stewardship activities;

* reducing costs by providing a competitive alternative for agencies to acquire, develop, implement, and operate financial management systems through shared service solutions;

* standardizing systems, business processes, and data elements; and

* providing for seamless data exchange between and among federal agencies by implementing a common language and structure for financial information and system interfaces.

Figure 6: Overall Vision of the Financial Management Line of Business:

[See PDF for image]

Source: Office of Management and Budget.

[End of figure]

OMB stated, in the December 2005 memorandum, that federal agencies have begun implementing the financial management line of business initiative by actively migrating to shared service providers and initiating solutions to integrate financial data among and between agency business systems. In August 2005, OPM was the first CFO Act agency to announce its plans to move to a designated shared service provider. In addition, in March 2006, Labor awarded a 5-year contract to a private sector firm to provide financial management hosting and operation and maintenance services, which includes hardware, software, and other services. As part of its best-value determination, EPA was also considering the designated shared service providers as well as private sector providers for software, integration, and hosting and plans to award its contract no later than the first quarter of fiscal year 2007.
Moreover, DHS officials testified in March 2006,[Footnote 54] that rather than acquiring, configuring, and implementing a new system within DHS, they recognized the opportunity to leverage investments that have already been made, both within DHS and at OMB-designated shared service providers. OMB noted that nothing in the December 2005 memorandum changes the expectations that agencies will continue to take all the necessary steps (in the earliest possible time frames) to meet the financial management line of business goals. OMB stated that it had instituted a policy that agencies seeking to modernize their financial systems must either be designated as a public shared service provider or must migrate to a shared service provider (public, private, or a combination of both). However, exceptions will be made in limited situations when an agency demonstrates compelling evidence of a best value and lower risk alternative. It is OMB's intent to avoid investments in "in-house" solutions wherever possible so that the shared service framework can fully achieve potential and anticipated returns.

Challenges and Implications in Implementing the Financial Management Line of Business:

We have long supported and called for initiatives to standardize and streamline common systems, which can reduce costs and, if done correctly, improve accountability. Likewise, OMB has correctly recognized that enhancing the government's ability to implement financial management systems that are capable of providing accurate, reliable, and timely information on the results of operations needs to be addressed as a governmentwide solution, rather than individual agency stove-piped efforts designed to meet a given entity's needs. However, this is a significant change in how agencies acquire new system capacity and raises numerous complex issues that have far-reaching implications for the government and private sector shared service providers.
As we reported in March 2006,[Footnote 55] OMB has not yet fully defined and implemented the processes necessary to successfully complete the financial management line of business initiative. OMB has been proactive since the beginning of the financial management line of business initiative in making speeches, discussing the initiative with the media, including it in the President's budget request, highlighting it on its Web site, and issuing draft guidance. Until recently there were limited tools and guidance available. In our March 2006 report,[Footnote 56] we found, for example, that the requirements for agencies and private sector firms to become shared service providers and the services that they must provide have not been adequately documented or effectively communicated to agencies and the private sector. In addition, OMB had not provided shared service providers with standard document templates needed to minimize risk, provide assurance, and develop understandings with customers on topics such as service-level agreements and a concept of operations. We made a number of recommendations to address these issues, and OMB has been taking steps to address them. For example, in May 2006, OMB issued an initial competition framework[Footnote 57] and draft Migration Planning Guidance that was circulated to agencies and the public for comment and included some of this important information. The Migration Planning Guidance issued in September 2006 included change management best practices and templates for service level agreements and project plans, among other items. As explained later, FSIO plays a key role in developing the guidance to move the financial management line of business forward. OMB has stated that agencies will consistently meet cost, schedule, and performance goals when implementing new financial management systems once the financial management line of business is fully realized. 
However, agencies' financial management system problems may not all be solved by moving to a shared service provider and this may actually create additional problems if agencies put less focus on their risk management and financial management efforts. In addition, there may be some misconception that moving to a shared service provider would guarantee an agency of getting a clean audit opinion and being compliant with FFMIA. There are a number of factors that affect FFMIA compliance, including the quality of transaction data in agency feeder systems, the success of converting data from legacy systems, and the interaction of people, process, and technology within an agency's environment. In March 2006,[Footnote 58] we reported that careful consideration of the following four concepts, each one building upon the next, would be integral to the success of OMB's initiatives and could help break the cycle of failure in implementing financial management systems. The four concepts were (1) developing a concept of operations, (2) defining standard business processes, (3) developing a strategy for ensuring that agencies migrate to a limited number of service providers in accordance with OMB's stated approach, and (4) defining and effectively implementing disciplined processes necessary to properly manage the specific projects. Because these issues have not been addressed, a firm foundation to address the long-standing problems that have impeded success has not yet been established. A concept of operations would help provide the foundation for the financial management line of business. An effective concept of operations would describe, at a high level, (1) how all of the various elements of federal financial systems and mixed systems relate to each other and (2) how information flows from and through these systems. A concept of operations would provide a useful tool to explain how financial management systems at the agency and governmentwide levels can operate cohesively. 
It would be geared to a governmentwide solution rather than individual agency stove-piped efforts. Because the federal government has lacked such a document, a clear understanding of the interrelationships among federal financial systems and how the shared service provider concept fits into this framework has not yet been achieved.

Standard business processes are critical to implementing the financial management line of business and need to be defined and communicated to all federal agencies. Standard business processes promote consistency and provide the framework for agencies and shared service providers. OMB officials recognize that standardization is important and are developing a standard set of business processes in four areas: funds control, accounts payable, accounts receivable, and financial reporting. As illustrated previously in figure 6, OMB is also developing a common accounting code that may help address some of this lack of standardization. According to OMB officials, OMB also has other initiatives under way to develop standard interfaces for feeder systems such as acquisitions. While these are positive steps, there are numerous other areas where standardization is important, such as inventory, supplies, and material management as well as the loan management areas. Absent this standardization, shared service providers have been designated without common business rules and potential customer agencies continue to implement and operate individual stove-piped systems that may require additional work to adopt these processes.

To maximize the success of a new system acquisition, organizations need to consider the redesign of current business processes. As we noted in our Executive Guide: Creating Value Through World-class Financial Management,[Footnote 59] leading finance organizations have found that productivity gains typically result from more efficient processes, not from simply automating old processes.
In the past, agencies have resisted change and failed to develop transition plans, reengineer business processes, and limit customization. Agencies may continue to resist change and this approach for outsourcing their financial management systems because of the perceived (1) loss of control of their own data, (2) potential increase in costs with a decrease in the level of customer service and quality, (3) inability of providers to meet specific user needs, (4) loss of control to upgrade the system, and (5) negative effect on an agency's individual employees. The shared service provider concept will still require that agencies address long-standing human capital problems by incorporating elements of strategic workforce planning such as aligning an organization's human capital program with its current and emerging mission and programmatic goals, and developing long-term strategies for acquiring, developing, and retaining an organization's total workforce to meet the needs of the future.

A clear migration strategy for implementing the financial management line of business will be crucial. However, OMB has not articulated a clear and measurable strategy for achieving this goal. This is important because there has been a historical tendency for agencies and units within agencies to prefer internally developed processes and resist standardization. OMB's general principle is that agencies should migrate to shared service providers when it is cost effective to do so and they have maximized the useful life and investment in the current system, which averages about 5 to 7 years. According to OMB's draft Migration Planning Guidance, it is anticipated that within 10 years all agencies will have decided whether to migrate their technology hosting and application management to a shared service provider, or will have become a shared service provider themselves.
However, OMB does not plan to establish a specific migration path or time table for agencies to move to a shared service provider. It is not clear how this will impact the adoption of this initiative. Given the pressures to reduce budgets, instilling discipline with respect to following a clear migration path will be essential. Furthermore, without a clear migration path, while some agencies may readily migrate to a shared service provider to minimize the tremendous undertaking of implementing or significantly upgrading a financial system, other agencies will likely perpetuate the waste of taxpayer dollars previously described related to failed system implementation efforts.

Whether agencies move to a shared service provider or implement their own systems, they must have disciplined processes (e.g., testing, requirements management, and risk management) in place to achieve the intended results within established resources on schedule. Effective implementation and testing processes are still required to ensure that the system delivers the desired functionality on time and within budget. Agencies have frequently struggled to implement key best practices when implementing commercial off-the-shelf financial management systems and relied too heavily on JFMIP testing and certification. A standard set of best practices will be needed to guide the migration from legacy systems to new systems and shared service providers. The Migration Planning Guidance is a good first step in stressing the importance of this standard set of best practices.

Financial Systems Integration Office Established and Priorities Identified:

In accordance with a December 2004 memorandum,[Footnote 60] JFMIP responsibilities were realigned and the four JFMIP principals[Footnote 61] will continue to meet at their discretion to discuss major financial management issues.
FSIO has been established with staff from the previous JFMIP program management office to address some of the former JFMIP responsibilities. According to a December 2005 OMB memorandum,[Footnote 62] the governance structure for financial management system initiatives gives FSIO direct responsibility for completing priority projects under the financial management line of business, such as developing the Migration Planning Guidance. As depicted in figure 7, OMB will provide oversight and guidance to FSIO on priorities and expected performance, in consultation with the FSIO Transformation Team of the CFO Council. According to OMB, the updated governance structure ensures that the FSIO, financial management line of business, and the FSIO Transformation Team do not operate in separate stovepipes. Responsibility for work products will now rest with FSIO, where full-time dedicated staff, including the FSIO Executive Director, will be held accountable for achieving financial management line of business milestones. FSIO will coordinate the collection and expenditure of financial management line of business funds.

Figure 7: Governance Structure:

[See PDF for image]

Source: Office of Management and Budget.

[End of figure]

OMB will continue its role as Executive Sponsor of the financial management line of business. In December 2005, FSIO moved from GSA's Office of the Chief Financial Officer to the Office of Governmentwide Policy, Office of Technology Strategy (OTS). OMB named GSA the managing partner responsible for project management of the financial management line of business. Specifically, GSA's responsibilities include organizing the work effort, involving the Federal CFO community in the initiative, and setting the schedule of priorities with input from Executive Steering Committee members selected from partner agencies.
The Executive Steering Committee provides strategic direction and agency sponsorship, assists in priority setting, and approves partner agency resource contributions. The members of the committee meet quarterly or on an as-needed basis and are comprised of the FSIO Executive Director, six representatives from CFO Act agencies at the CFO or Deputy CFO-level, a non-voting representative from OMB's Office of E-Government and a non-voting representative from OMB's Office of Federal Financial Management. The members were selected from the CFO Act agencies to represent diverse perspectives in regards to size of agency, financial management technical platform, and migration status. The FSIO Transformation Team meets monthly and has a larger membership than the Executive Steering Committee, including agency representatives from all CFO Act agencies. The team functions as an advisory group to the Executive Steering Committee, manages the delivery of interdisciplinary work packages, and makes recommendations to the FSIO Executive Committee and the financial management line of business managing partner. The team is responsible for: (1) providing an internal review function for final work products, (2) providing recommendations to the financial management line of business project management office, and (3) continuously seeking to refine processes to increase the quality of and buy-in for their work products. In terms of mission and scope, FSIO has three major areas of responsibilities: (1) continuing its primary role of core financial system requirements development, testing, and certification; (2) providing support to the federal financial community by taking on special priority projects as determined by the OMB Controller, CFO Council, and the FSIO Executive Director; and (3) conducting outreach through an annual financial management conference sponsored by the JFMIP principals and other related activities. 
The projects that the FSIO undertakes will directly reflect the priorities of the CFO community and OMB. The priority projects to be undertaken in the near term will relate to the transparency and standardization initiatives of the financial management line of business, which were previously discussed and illustrated in figures 6 and 7.

Opinions on Internal Control May Further Strengthen New Internal Control Reporting Requirements:

Another key initiative for improving financial management in the federal government was OMB's December 2004 revision of Circular No. A-123,[Footnote 63] which we support, and was effective at the start of fiscal year 2006.[Footnote 64] Financial systems weaknesses are frequently caused by a lack of adequate internal control within an agency. The revisions to OMB Circular No. A-123 were intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting at CFO Act agencies. One major revision requires CFO Act agency management to annually provide a separate assurance statement on internal control over financial reporting in its performance and accountability report, along with a report on identified material weaknesses and corrective actions. The revision also establishes that OMB may, at its discretion, require a CFO Act agency to obtain an opinion on internal control over financial reporting. We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. OMB's efforts to enhance Circular No. A-123 through the December 2004 revision and its continued efforts to improve the quality of internal control in the federal government financial management environment reflect substantial progress in both the criteria and expectations for this issue.
As we point out in our recent report[Footnote 65] on this issue, because agencies are not uniformly ready for such audits, specific criteria to ascertain when an agency should initially be required to obtain an audit opinion on its internal control over financial reporting are critical to ensuring that the internal control audits fully contribute to the overarching goal of ongoing improvement in federal agency internal control and accountability. Additionally, implementing a multiyear cycle for an opinion on internal control over financial reporting could assist in mitigating the cost of the requirement while still providing an effective quality control mechanism for ascertaining that management's assessment of its internal control is reliable. Although all of the benefits associated with obtaining an audit opinion on internal control are not quantifiable in monetary terms, it is clear that having set criteria as to when an agency should initially be required to obtain an auditor opinion on internal control over financial reporting would be a key oversight mechanism for the Congress and ultimately the U.S. taxpayer.

Sustained and Committed Leadership Is Key to Success for Financial Management Initiatives:

Sustained leadership will be key to a successful strategy for moving federal agencies towards consolidated financial management systems and FFMIA compliance. In our Executive Guide: Creating Value Through World-class Financial Management,[Footnote 66] we found that leading organizations made financial management improvement an entitywide priority by, among other things, providing clear, strong executive leadership. We also reported that making financial management a priority throughout the federal government involves changing the organizational culture of federal agencies. Much work remains to develop a change management strategy to minimize the risk associated with the implementation of the financial management line of business initiative.
Because the tenure of political appointees is relatively short, the current and future administrations must continue a strong emphasis on top-notch financial management. In addition, continued attention and oversight by the Congress is crucial to the success of these initiatives and federal financial management reform. The leadership and support demonstrated by the Congress have been and continue to be essential in the reform of financial management in the federal government. As previously discussed, the legislative framework provided by the CFO Act and FFMIA, among others, established a solid foundation to stimulate change needed to achieve sound financial systems management. Further, in October 2004, the Congress added DHS to the list of CFO Act agencies and thus subject to FFMIA in fiscal year 2005. Sustained congressional interest in these issues has been demonstrated by the number of hearings on federal financial management and reform held over the past several years. For example, hearings have recently been held on the financial management line of business initiative that provided a constructive discussion on some of the challenges inherent in such a large undertaking. It is critical that the various appropriations, budget, authorizing, and oversight committees hold agency top management accountable for resolving these problems and that the committees continue to support improvement efforts.

Conclusions:

The size and complexity of the federal government and the long-standing nature of its financial management systems weaknesses continue to present a formidable management challenge. Modernizing and improving financial management systems will require continued attention from the highest levels of government. We recognize that it will take time, investment, and sustained emphasis on correcting these deficiencies to improve federal financial management systems to the level required by FFMIA.
However, with concerted and coordinated effort, including attention from top agency management and the Congress, the federal government can make progress toward improving its financial management systems and thus achieve the goals of the CFO Act and provide accountability to the nation's taxpayers. We continue to be concerned that the full nature and scope of the problems have not yet been identified because most auditors have only provided negative assurance in their FFMIA reports. We also believe the law requires auditors to provide positive assurance on FFMIA compliance. Therefore, we reaffirm our recommendation made in prior reports that OMB revise its current FFMIA guidance to require agency auditors to provide a statement of positive assurance when reporting an agency's systems to be in substantial compliance with FFMIA. A key benefit of providing positive assurance is that auditors will need to perform additional audit procedures in order to have a strong basis for definitively stating whether agencies' financial management systems substantially comply with FFMIA's three requirements. We also reaffirm our other prior recommendation for OMB to explore further clarification of the definition of "substantial compliance" in its FFMIA guidance to encourage consistent reporting among agency auditors. As we have stated in prior reports,[Footnote 67] the auditors that we interviewed continue to express concerns about providing positive assurance in reporting on agency systems' FFMIA compliance due to a perceived need for a clearer definition of substantial compliance. Further, some auditors that we interviewed stated that a change in OMB's guidance on FFMIA reporting will be necessary in order for them to provide an opinion on FFMIA compliance.

Agency Comments and Our Evaluation:

In written comments (reprinted in app.
VI) on a draft of this report, OMB generally agreed with our assessment that while federal agencies continue to make progress in addressing financial management systems weaknesses, many agencies still need to make improvements to produce the information needed to efficiently and effectively manage day-to-day operations. As in previous years, OMB did not see the necessity of our recommendation for agency auditors to provide a statement of positive assurance when reporting agency systems to be in substantial compliance with the requirements of FFMIA. While OMB commended Labor's auditors for performing the additional level of audit work needed to provide positive assurance of compliance with FFMIA and encouraged similar efforts at other agencies, OMB stated that requiring a statement of positive assurance would prove only marginally useful. OMB stated that the goals of its various initiatives--the President's Management Agenda (PMA), the Financial Management Line of Business (FMLOB), and the strengthened internal control requirements incorporated into the revised OMB Circular No. A-123, Management's Responsibility for Internal Control--align with the goal of FFMIA to create the full range of information needed for day-to-day management. From OMB's perspective, the broad scope of the PMA and the fundamental changes occurring under the FMLOB initiative, combined with the strengthened reporting requirements of Circular No. A-123, are helping agencies to identify and correct FFMIA deficiencies. While we agree that the PMA, FMLOB, and OMB Circular No. A-123 initiatives are helping to drive improvements, auditors need to consider other aspects of financial management systems as well when assessing FFMIA compliance that are not fully addressed through the current reporting structure. For example, in preparing the PMA scorecard assessments, OMB officials meet with agencies to discuss a number of financial management issues and have systems demonstrations. 
Our concern is that some of the information provided by this approach does not come under audit scrutiny and may not be reliable. Similarly, internal control assessments performed under Circular No. A-123 are based on management's judgment and are subject to an opinion-level review by independent auditors only in limited circumstances. From our perspective, an opinion by an independent auditor on FFMIA compliance would confirm whether an agency's systems substantially met the requirements of FFMIA and provide additional confidence in the information provided as a result of the PMA, FMLOB, and Circular No. A-123 initiatives. Finally, we continue to believe that a statement of positive assurance is a statutory requirement under the act. With regard to our prior recommendation, which we reaffirmed in this report, for revised guidance that clarifies the definition of substantial compliance, OMB said that the experience obtained from helping agencies implement the high standards incorporated in the PMA and the FMLOB will allow a further refinement of the FFMIA indicators associated with substantial compliance. Therefore, OMB agreed to consider clarifying the definition of "substantial compliance" in future policy and guidance updates. As we noted in our prior reports,[Footnote 68] auditors that we interviewed expressed a need for clarification regarding the meaning of substantial compliance; and in fiscal year 2005, auditors for 7 of the 12 agencies we visited stated that additional guidance on the definition of substantial compliance would be useful. OMB and the Departments of Health and Human Services and Transportation also provided technical comments, which we incorporated as appropriate.
We are sending copies of this report to the Chairman and Ranking Minority Member, Subcommittee on Federal Financial Management, Government Information, and International Security, Senate Committee on Homeland Security and Governmental Affairs, and to the Chairman and Ranking Minority Member, Subcommittee on Government Management, Finance, and Accountability, House Committee on Government Reform. We are also sending copies to the Director of the Office of Management and Budget, the heads of the 24 CFO Act agencies in our review, and agency CFOs and Inspectors General. Copies will be made available to others upon request. In addition, this report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. This report was prepared under the direction of McCoy Williams, Director, Financial Management and Assurance, who may be reached at (202) 512-9095 or williamsm1@gao.gov if you have any questions. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix VIII.

Signed by:

David M. Walker
Comptroller General of the United States:

[End of section]

Appendix I: Requirements and Standards Supporting Federal Financial Management:

Financial Management Systems Requirements:

The policies and standards prescribed for executive agencies to follow in developing, operating, evaluating, and reporting on financial management systems are defined in Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems. The components of an integrated financial management system include the core financial system,[Footnote 69] managerial cost accounting system, administrative systems, and certain programmatic systems. Administrative systems are those that are common to all federal agency operations,[Footnote 70] and programmatic systems are those needed to fulfill an agency's mission. Circular No.
A-127 refers to the series of publications entitled Federal Financial Management Systems Requirements, initially issued by the Joint Financial Management Improvement Program's (JFMIP) Program Management Office (PMO) as the primary source of governmentwide requirements for financial management systems. However, as of December 2004, the Financial Systems Integration Office (FSIO) assumed responsibility for coordinating the work related to federal financial management systems requirements and OMB's Office of Federal Financial Management (OFFM) is responsible for issuing the new or revised regulations. In December 2004, the JFMIP Principals voted to modify the roles and responsibilities of JFMIP, resulting in the creation of FSIO. Appendix II lists the federal financial management systems requirements published to date. Figure 8 is the current model that illustrates how these systems interrelate in an agency's overall systems architecture.

Figure 8: Agency Systems Architecture:

[See PDF for image]

Source: OMB, Core Financial Systems Requirements, OFFM-No-1016 (Washington, D.C.: January 2006).

[End of figure]

FFMIA Guidance:

OMB establishes governmentwide financial management policies and requirements and has issued two sources of guidance related to FFMIA reporting. First, OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, dated October 16, 2000, prescribed specific language auditors should use when reporting on an agency system's substantial compliance with the three FFMIA requirements. Specifically, this guidance called for auditors to provide negative assurance when reporting on an agency system's FFMIA compliance. On August 23, 2006, OMB issued Bulletin No. 06-03, Audit Requirements for Federal Financial Statements, which superseded OMB Bulletin No. 01-02. This bulletin did not substantially revise the FFMIA audit guidance included in Bulletin No. 01-02.
Second, in OMB Memorandum, Revised Implementation Guidance for the Federal Financial Management Improvement Act (Jan. 4, 2001), OMB provides guidance for agencies and auditors to use in assessing substantial compliance. The guidance describes the factors that should be considered in determining whether an agency's systems substantially comply with FFMIA's three requirements. Further, the guidance provides examples of the types of indicators that should be used as a basis for assessing whether an agency's systems are in substantial compliance with each of the three FFMIA requirements. Finally, the guidance discusses the corrective action plans, to be developed by agency heads, for bringing their systems into compliance with FFMIA. We have worked in partnership with representatives from the President's Council on Integrity and Efficiency (PCIE) to develop and maintain the joint GAO/PCIE Financial Audit Manual (FAM). The FAM provides specific procedures auditors should perform when assessing FFMIA compliance.[Footnote 71] As detailed in appendix V, we have also issued a series of checklists to help assess whether agencies' systems meet systems requirements. The FAM guidance on FFMIA assessments recognizes that while financial statement audits offer some assurance regarding FFMIA compliance, auditors should design and implement additional testing to satisfy FFMIA criteria. OMB Circular No. A-127 also requires agencies to purchase commercial off-the-shelf (COTS) software that has been tested and certified through the PMO software certification process when acquiring core financial systems. However, in December 2004, OMB transferred the responsibility of certifying systems to FSIO as part of the realignment of JFMIP. The certification process does not eliminate or significantly reduce the need for agencies to develop and conduct comprehensive testing efforts to ensure that the COTS software meets their requirements. 
Moreover, core financial systems certification does not mean that agencies that install these packages will have financial management systems that are compliant with FFMIA. Many other factors can affect the capability of the systems to comply with FFMIA, including modifications made to the FSIO-certified core financial management systems software and the validity and completeness of data from feeder systems.

Federal Accounting Standards:

The Federal Accounting Standards Advisory Board (FASAB)[Footnote 72] promulgates federal accounting standards and concepts that agency chief financial officers use in developing financial management systems and preparing financial statements. FASAB develops the appropriate accounting standards and concepts after considering the financial and budgetary information needs of the Congress, executive agencies, and other users of federal financial information and comments from the public. FASAB forwards the standards and concepts to the Comptroller General, the Director of OMB, the Secretary of the Treasury, and the Director of the Congressional Budget Office (CBO) for a 90-day review. If, within 90 days, neither the Comptroller General nor the Director of OMB objects to the standard or concept, then it is issued and becomes final. FASAB announces finalized concepts and standards in The Federal Register. The American Institute of Certified Public Accountants designated the federal accounting standards promulgated by FASAB as being generally accepted accounting principles for the federal government. This recognition enhances the acceptability of the standards, which form the foundation for preparing consistent and meaningful financial statements both for individual agencies and the government as a whole.
Currently, there are 30 Statements of Federal Financial Accounting Standards (SFFAS) and 4 Statements of Federal Financial Accounting Concepts (SFFAC).[Footnote 73] The concepts and standards are the basis for OMB's guidance to agencies on the form and content of their financial statements and for the government's consolidated financial statements. Appendix III lists the concepts, standards, interpretations,[Footnote 74] and technical bulletins, along with their respective effective dates. FASAB's Accounting and Auditing Policy Committee (AAPC)[Footnote 75] assists in resolving issues related to the implementation of accounting standards. AAPC's efforts result in guidance for preparers and auditors of federal financial statements in connection with implementation of accounting standards and the reporting and auditing requirements contained in OMB's Bulletin No. 01-09, Form and Content of Agency Financial Statements (Sept. 25, 2001), and Bulletin No. 01-02,[Footnote 76] Audit Requirements for Federal Financial Statements (Oct. 16, 2000). To date, AAPC has issued six technical releases, which are listed in appendix IV along with their release dates.

U.S. Government Standard General Ledger:

The U.S. Government Standard General Ledger (SGL) was established by an interagency task force under the direction of OMB and mandated for use by agencies in OMB and Treasury regulations in 1986. The SGL promotes consistency in financial transaction processing and reporting by providing a uniform chart of accounts and pro forma transactions used to standardize federal agencies' financial information accumulation and processing throughout the year, enhance financial control, and support budget and external reporting, including financial statement preparation.
The SGL is intended to improve data stewardship throughout the federal government enabling consistent reporting at all levels within the agencies and providing comparable data and financial analysis governmentwide.[Footnote 77]

Internal Control Standards:

Congress enacted legislation, 31 U.S.C. § 3512(c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982 (FMFIA)), to strengthen internal controls and accounting systems throughout the federal government, among other purposes. Issued pursuant to FMFIA, the Comptroller General's Standards for Internal Control in the Federal Government[Footnote 78] provides standards that are directed at helping agency managers implement effective internal control, an integral part of improving financial management systems. Internal control is a major part of managing an organization and comprises the plans, methods, and procedures used to meet missions, goals, and objectives. In summary, internal control, which under OMB's guidance for FMFIA is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources. In December 2004, OMB revised Circular No. A-123[Footnote 79] (effective beginning with fiscal year 2006) to strengthen the requirements for conducting management's assessment of internal control over financial reporting. Significant revisions contained in Appendix A of the circular include requiring Chief Financial Officers (CFO) Act agency management to annually assess the adequacy of internal control over financial reporting, provide a report on identified material weaknesses and corrective actions, and provide a separate assurance statement on the agency's internal control over financial reporting.
In initiating the revisions, OMB cited the internal control requirements for publicly traded companies that are contained in section 404 of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley).[Footnote 80] Sarbanes-Oxley was enacted in response to corporate accountability failures of several years prior to its enactment and contains a provision (section 404) calling for management's assessment of internal control over financial reporting similar to the long-standing requirements for executive branch agencies contained in FMFIA to issue annual statements of assurance over internal control in the agencies. Opinions on internal control over financial reporting as required by Sarbanes-Oxley for publicly traded companies are important to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Regulators, public companies, audit firms, and investors generally agree that Sarbanes-Oxley has had a positive and significant impact on investor protection and confidence.

[End of section]

Appendix II: Publications in the Federal Financial Management Systems Requirements Series:

Table 2:

FFMSR document: FFMSR-8 System Requirements for Management Cost Accounting; Issue date: February 1998.
FFMSR document: JFMIP-SR-99-5 Human Resources & Payroll System Requirements; Issue date: April 199.
FFMSR document: JFMIP-SR-99-8 Direct Loan System Requirements; Issue date: June 1999.
FFMSR document: JFMIP-SR-99-9 Travel System Requirements; Issue date: July 1999.
FFMSR document: JFMIP-SR-99-14 Seized property and Forfeited Assets Systems Requirements; Issue date: December 1999.
FFMSR document: JFMIP-SR-00-01 Guaranteed Loan System Requirements; Issue date: March 2000.
FFMSR document: JFMIP-SR-00-3 Grant Financial System Requirements; Issue date: June 2000.
FFMSR document: JFMIP-SR-00-4 Property management System Requirements; Issue date: October 2000.
FFMSR document: JFMIP-SR-01-01 Benefit System Requirements; Issue date: September 2001.
FFMSR document: JFMIP-SR-02-02 Acquisition/Financial Systems Interface Requirements; Issue date: June 2002.
FFMSR document: JFMIP-SR-03-01 Revenue System Requirements; Issue date: January 2003.
FFMSR document: JFMIP-Sr-03-02 Inventory, Supplies and Materials System requirements; Issue date: August 2003.
FFMSR document: JFMIP-SR-01-04 Framework for Federal Financial Management Systems; Issue date: April 2004.
FFMSR document: OFFM-NO-0106 Core Financial System Requirements; Issue date: January 2006.
FFMSR document: OFFM-NO-0206 Insurance System Requirements; Issue date: June 2006.

Source: OMB's Office of Federal Financial Management (OFFM).

Note: Effective December 1, 2004, all financial management system requirements documents and other guidance initially issued by the JFMIP were transferred to OFFM and remain in effect until modified.

[End of table]

[End of section]

Appendix III: Statements of Federal Financial Accounting Concepts, Standards, Interpretations, and Technical Bulletins:

[See PDF for Image - table did not compute]

Source: FASAB.

[A] Effective dates do not apply to Statements of Federal Financial Accounting Concepts, Interpretations, and Technical Bulletins.

[End of Table]

[End of section]

Appendix IV: AAPC Technical Releases:

Technical release: TR-1 Audit Legal Representation letter Guidance; AAPC release date: March 1, 1998.
Technical release: TR-2 Determining Probable and Reasonably Estimable for Environmental Liabilities in the Federal Government; AAPC release date: March 15, 1998.
Technical release: TR-3 Preparing and Auditing Direct Loan and Loan Guarantee Under the Federal Credit Reform Act; AAPC release date: July 31, 1999.
Technical release: TR-4 Reporting on Non-Valued Seized and Forfeited Property; AAPC release date: July 31, 1999.
Technical release: TR-5 Implementation Guidance on SFFAS No. 10: Accounting for Internal Use Software; AAPC release date: May 14, 2001.
Technical release: Tr-6 Preparing Estimates for Direct Loan and Loan Guarantee Subsidies Under the Federal Credit Reform Act (Amendments to Tr-3); AAPC release date: January 2004.

Source: FASAB.

[End of table]

[End of section]

Appendix V: Checklists for Reviewing Systems under the Federal Financial Management Improvement Act:

Checklist: GAO/AIMD-00-21.2.3 Human Resources and Payroll Systems Requirements; Issue date: March 2000.
Checklist: GAO-01-99G Seized Property and Forfeited Assets Systems Requirements; Issue date: October 2000.
Checklist: GAO/AIMD-21-2.6 Direct Loan System Requirements; Issue date: April 2000.
Checklist: GAO/AIMD-21.2.8 Travel System Requirements; Issue date: May 2000.
Checklist: GAO/AIMD-99-21.2.9 System Requirements for Managerial Cost Accounting; Issue date: January 1999.
Checklist: GAO-01-371G Guaranteed Loan System Requirements; Issue date: March 2001.
Checklist: GAO-01-911G Grant Financial System Requirements; Issue date: September 2001.
Checklist: GAO-02-171G Property Management Systems Requirements; Issue date: December 2001.
Checklist: GAO-04-22G Benefit System Requirements; Issue date: October 2003.
Checklist: GAO-04-650G Acquisition/Financial Systems Interface Requirements; Issue date: June 2004.
Checklist: GAO-05-225G Core Financial System Requirements; Issue date: February 2005.

Source: GAO.

[End of Table]

[End of section]

Appendix VI: Comments from the Office of Management and Budget:

The Controller:
Executive Office Of The President:
Office Of Management And Budget:
Washington, D. C. 20503:

SEP 06 2006:

Mr. McCoy Williams:
Director, Financial Management and Assurance:
United States Government Accountability Office
Washington, DC 20548:

Dear Mr. Williams:

Thank you for allowing us to comment on the Government Accountability Office (GAO) draft report entitled "Financial Management: Improvements Under Way but Serious Financial Systems Problems Persist."
In general, the Office of Management and Budget (OMB) agrees with your assessment that many agencies still need to make improvements to their financial systems so that managers can receive more accurate, reliable and timely financial management information to optimize day-to-day operations. We continue to work aggressively to assist agencies in building a strong foundation of financial management practices through the President's Management Agenda (PMA), the Financial Management Line of Business (FMLoB), and the strengthened internal control requirements incorporated into the revised OMB Circular No. A-123 (A-123), Management's Responsibility for Internal Control. The goals of each of these initiatives align with the goals of the Federal Financial Management Improvement Act (FFMIA) --creating the full range of information needed for day-to-day management. As noted in your report, most agencies have been successful in obtaining unqualified opinions on their financial statements and in resolving long-standing material weaknesses. These accomplishments point to strengthened internal control and more accurate and timely financial information. Nevertheless, our common goal goes beyond attaining unqualified opinions on agency financial statements. We are both striving for the creation and use - for both government managers and the taxpayer - of accurate, reliable and timely management information. Under the PMA's Improving Financial Performance initiative, agencies must meet seven "standards of success" to receive a "yellow" status rating. The "yellow" standards include receiving an unqualified financial statement opinion, eliminating all material weaknesses and non-compliances, and being found in substantial compliance with FFMIA. A "yellow" status rating shows that an agency has a foundation of accounting processes and effective internal controls. 
To achieve "green" status, agencies must demonstrate how they are using timely and accurate financial data to drive better results. The Administration has also undertaken the FMLoB initiative to foster additional financial standardization across the Federal Government. Several projects are underway to standardize financial business rules, processes, interfaces, and data. Standardization will mitigate many of the risks associated with implementing and maintaining modern financial systems. One of the goals of the FMLoB is to provide agencies with competitive alternatives in procuring financial systems and services. It will help to reduce the costs and risks of implementing and maintaining financial systems by allowing agencies to migrate to organizations with proven track-records in supporting Federal financial systems. The FMLoB will strengthen internal controls while helping agencies meet the requirements of FFMIA. Lastly, OMB's revised A-123 requires agency management to employ strengthened assessment processes, and to issue a separate management assurance, regarding internal controls over reporting. Appendix A of A-123 directs Federal managers to take a proactive approach to assessing internal controls by: 1) documenting the reporting process end-to-end, 2) directly testing key controls to validate effectiveness, and 3) reporting on the results of the tests in a new management assurance statement. Moreover, A-123's internal control requirements complement and reinforce the standards being promulgated through the PMA and the FMLoB. Many of the ongoing assessments required under the revised A-123 mirror the types of assessments that would occur in establishing a statement of positive assurance under FFMIA. The broad scope of the PMA and the fundamental changes occurring under the FMLoB initiative, combined with the strengthened reporting requirements of A-123, are helping agencies identify and correct FFMIA deficiencies. 
As such, OMB believes that requiring a statement of positive assurance for FFMIA compliance would prove only marginally useful. We commend the auditors at the Department of Labor, as you have, for taking the extra steps to provide positive assurance of compliance on its financial management systems. Nevertheless, while encouraging similar efforts at other agencies, we believe that mandating positive assurance of systems' compliance with FFMIA for all agencies is not necessary. The draft report also recommends that OMB clarify the definition of "substantial compliance." We believe that our growing experience helping agencies implement the high standards incorporated in the PMA and the FMLoB will enable us to further refine the existing FFMIA indicators associated with substantial compliance. As such, we will consider this recommendation, as appropriate, in any future policy and guidance updates. We appreciate the opportunity to comment on the draft report and look forward to continuing to work with GAO in improving Federal financial management systems. If you have any questions please contact David Alekson at 202.395.5642. Sincerely, Signed by: Linda M. Combs: Controller: [End of section] Appendix VII: Auditors' FFMIA Assessments for Fiscal Year 2005: [See PDF for Image- table did not compute] Source: GAO, prepared from analysis of fiscal year 2005 financial statement audit reports. [End of Table] [End of section] Appendix VIII: GAO Contact and Staff Acknowledgments: GAO Contact: McCoy Williams, (202) 512-9095: Acknowledgments: In addition to the contact named above, Kay L. Daly, Assistant Director; Jeremy Cockrum; Debra Cottrell; Daniel Egan; C. Robin Hodge; Michael LaForge; W. Stephen Lowrey; Bennet E. Severson; and George Warnock made key contributions to this report. FOOTNOTES [1] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990). [2] Federal Financial Management Improvement Act of 1996, Pub. L. No. 104-208, div. A., § 101(f), title VIII, 110 Stat. 
3009, 3009-389 (Sept. 30, 1996). [3] The Department of Homeland Security (DHS) Financial Accountability Act, Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004), added DHS to the list of CFO Act agencies, increasing the number of CFO Act agencies to 24 for fiscal year 2005. [4] For fiscal year 2005, 18 of 24 CFO Act agencies were able to attain unqualified opinions on their financial statements by the November 15, 2005, reporting deadline established by OMB. The independent auditor of the Department of State subsequently withdrew its qualified opinion on the department's fiscal year 2005 financial statements and reissued an unqualified opinion on these financial statements dated December 14, 2005. As a result, 19 CFO Act agencies received unqualified opinions on their fiscal year 2005 financial statements. [5] The Department of Commerce (Commerce), the Environmental Protection Agency (EPA), the National Science Foundation (NSF), the Office of Personnel Management (OPM), and the Social Security Administration (SSA). [6] GAO, Financial Management Systems: Additional Efforts Needed to Address Key Causes of Modernization Failures, GAO-06-184 (Washington, D.C.: Mar. 15, 2006). [7] A service-level agreement is critical for both the shared service providers and the agencies to be held accountable for their respective parts of the agreement. [8] Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982) (codified at 31 U.S.C. § 3512 (c), (d)). [9] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999). [10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993). [11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994). [12] Pub. L. No. 104-106, div. E, 110 Stat. 186, 679 (Feb. 10, 1996). [13] Pub. L. No. 107-289, 116 Stat. 2049 (Nov. 7, 2002) (codified at 31 U.S.C. § 3515). 
The Accountability of Tax Dollars Act of 2002 extends the requirement to prepare and submit audited financial statements to most executive agencies not subject to the CFO Act unless they are exempted by OMB. However, these agencies are not required to have systems that are compliant with FFMIA requirements. [14] Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002). [15] Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004). [16] The American Institute of Certified Public Accountants recognizes the federal accounting standards promulgated by the Federal Accounting Standards Advisory Board as generally accepted accounting principles. For a further description of federal accounting standards, see appendix I. [17] The SGL provides a standard chart of accounts and standardized transactions that agencies are to use in all their financial systems. [18] The PCIE--which is governed by Executive Order No. 12805 of May 11, 1992--was established to (1) address integrity, economy, and effectiveness issues that transcend individual government agencies and (2) increase the professionalism and effectiveness of inspectors general personnel throughout the government. The PCIE is composed primarily of the presidentially appointed inspectors general. Officials from OMB, the Federal Bureau of Investigation, Office of Government Ethics, Office of Special Counsel, and Office of Personnel Management serve on the PCIE as well. [19] GAO-01-765G, sections 701, 701A, 701B, and 260.58-.60. [20] OMB Bulletin No. 06-03, Audit Requirements for Federal Financial Statements (Aug. 23, 2006). [21] The Department of Agriculture, Department of Health and Human Services (HHS), Department of the Treasury, and the Department of Veterans Affairs (VA). [22] Department of the Treasury, 2005 Financial Report of the United States Government (Washington, D.C.: Dec. 2005). 
[23] For fiscal year 2005, 18 of 24 CFO Act agencies were able to attain unqualified opinions on their financial statements by the November 15, 2005, reporting deadline established by OMB. The independent auditor of the Department of State subsequently withdrew its qualified opinion on the department's fiscal year 2005 financial statements and reissued an unqualified opinion on these financial statements dated December 14, 2005. As a result, 19 CFO Act agencies received unqualified opinions on their fiscal year 2005 financial statements. [24] The DHS Financial Accountability Act, Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004). [25] The Departments of Agriculture, Defense, Homeland Security, Justice, Transportation, and Treasury, the National Aeronautics and Space Administration, and the Small Business Administration. [26] GAO, Financial Audit: Restatements to the Department of State's Fiscal Year 2003 Financial Statements, GAO-05-814R (Washington, D.C.: Sept. 20, 2005); Financial Audit: Restatements to the Nuclear Regulatory Commission's Fiscal Year 2003 Financial Statements, GAO-06-30R (Washington, D.C.: Oct. 27, 2005); Financial Audit: Restatements to the General Services Administration's Fiscal Year 2003 Financial Statements, GAO-06-70R (Washington, D.C.: Dec. 6, 2005); Financial Audit: Restatements to the National Science Foundation's Fiscal Year 2003 Financial Statements, GAO-06-229R (Washington, D.C.: Dec. 22, 2005); and Financial Audit: Restatements to the Department of Agriculture's Fiscal Year 2003 Financial Statements, GAO-06-254R (Washington, D.C.: Jan. 26, 2006). [27] OMB Bulletin No. 06-03, Audit Requirements for Federal Financial Statements (Aug. 23, 2006). 
[28] Generally accepted government auditing standards incorporate the American Institute of Certified Public Accountants (AICPA) general standard on criteria, its field work standards, and its reporting standards for attestation engagements, as well as the AICPA Statements on Standards for Attestation Engagements, unless the Comptroller General of the United States excludes them by formal announcement. [29] GAO, Financial Management: FFMIA Implementation Critical for Federal Accountability, GAO-02-29 (Washington, D.C.: Oct. 1, 2001); Financial Management: FFMIA Implementation Necessary to Achieve Accountability, GAO-03-31 (Washington, D.C.: Oct. 1, 2002); Financial Management: Sustained Efforts Needed to Achieve FFMIA Accountability, GAO-03-1062 (Washington, D.C.: Sept. 30, 2003); Financial Management: Improved Financial Systems Are Key to FFMIA Compliance, GAO-05-20 (Washington, D.C.: Oct. 1, 2004); and Financial Management: Achieving FFMIA Compliance Continues to Challenge Agencies, GAO-05-881 (Washington, D.C.: Sept. 20, 2005). [30] Federal financial system requirements define an integrated financial system as one that coordinates a number of previously unconnected functions to improve overall efficiency and control. Characteristics of such a system include (1) standard data classifications for recording financial events; (2) common processes for processing similar transactions; (3) consistent control over data entry, transaction processing, and reporting; and (4) a system design that eliminates unnecessary duplication of transaction entry. OMB Circular No. A-127, Financial Management Systems, paragraph 7(b) (Revised Dec. 1, 2004). [31] The FSIO was formerly known as the Joint Financial Management Improvement Program (JFMIP) staff office. In December 2004, the JFMIP Principals voted to modify the roles and responsibilities of the JFMIP Program Office, now FSIO. The FSIO Executive reports to OMB's Office of Federal Financial Management Controller. 
See OMB, Update on the Financial Management Line of Business and the Financial Systems Integration Office, Memorandum (Washington, D.C.: Dec. 16, 2005). [32] GAO, Managerial Cost Accounting Practices: Departments of Education, Transportation, and the Treasury, GAO-06-301R (Washington, D.C.: Dec. 19, 2005). [33] GAO, Managerial Cost Accounting Practices: Leadership and Internal Controls Are Key to Successful Implementation, GAO-05-1013R (Washington, D.C.: Sept. 2, 2005); Managerial Cost Accounting Practices: Departments of Labor and Veterans Affairs, GAO-05-1031T (Washington, D.C.: Sept. 21, 2005); Managerial Cost Accounting Practices: Departments of Education, Transportation, and the Treasury, GAO-06-301R (Washington, D.C.: Dec. 19, 2005); and Managerial Cost Accounting Practices: Department of Health and Human Services and Social Security Administration, GAO-06-599R (Washington, D.C.: Apr. 18, 2006). [34] A vulnerability is the existence of a flaw or weakness in hardware or software that can be exploited resulting in a violation of an implicit or explicit security policy. Vulnerability scanners are software applications that can be used to identify vulnerabilities on computer hosts and networks. [35] GAO, Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs, GAO-06-897T (Washington, D.C.: June 20, 2006). [36] OMB, Protection of Sensitive Agency Information, M-06-16 (Washington, D.C.: June 23, 2006). [37] GAO, Tax Administration: IRS Improved Some Filing Season Services, but Long-term Goals Would Help Manage Strategic Trade-offs, GAO-06-51 (Washington, D.C.: Nov. 14, 2005). [38] GAO-06-184. [39] KPMG, Independent Auditor's Report (Washington, D.C.: Nov. 9, 2005). [40] GAO, Financial Management Systems: Lack of Disciplined Processes Puts Implementation of HHS' Financial System at Risk, GAO-04-1008 (Washington, D.C.: Sept. 23, 2004). [41] Ernst & Young, Report of Independent Auditors (Washington, D.C.: Nov. 
11, 2005). [42] Department of Defense, FY 2005 Performance and Accountability Report (Washington, D.C.: Nov. 15, 2005). [43] GAO, DOD Business Systems Modernization: Navy ERP Adherence to Best Business Practices Critical to Avoid Past Failures, GAO-05-858 (Washington, D.C.: Sept. 29, 2005). [44] An ERP solution is an automated system using commercial off-the-shelf software consisting of multiple, integrated functional modules that perform a variety of business-related tasks such as payroll, general ledger accounting, and supply chain management. [45] Department of the Treasury, 2005 Financial Report of the United States Government (Washington, D.C.: Dec. 2005). [46] GAO, Financial Management Systems: Lack of Disciplined Processes Puts Effective Implementation of Treasury's Governmentwide Financial Report System at Risk, GAO-06-413 (Washington, D.C.: Apr. 21, 2006). [47] Section 300 of OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget (Nov. 2, 2005), set forth requirements for federal agencies for planning, budgeting, acquiring, and managing information technology capital assets. [48] GAO-06-184. [49] Case management involves managing claims or investigations including creating, routing, tracing, assigning and closing a case, as well as collaboration among case handlers. [50] In March 2006, OMB launched task forces to conduct governmentwide analysis for the three new lines of business based on an analysis of the fiscal year 2007 budget that shows significant opportunities for improvement in sharing common information technology infrastructure, geospatial data and capabilities, and budgeting processes and functions across government. [51] OMB has not designated any private sector entities as shared service providers, but may consider doing so in the future. 
[52] The four agencies designated as shared service providers were the Department of the Interior (National Business Center), General Services Administration (Federal Integrated Solutions Center), Department of the Treasury (Bureau of the Public Debt's Administrative Resource Center), and Department of Transportation (Enterprise Services Center). [53] OMB, Update on the Financial Management Line of Business and the Financial Systems Integration Office, Memorandum (Washington, D.C.: Dec. 16, 2005). [54] DHS, Information Technology Investments and the Future of the eMerge2 Program (Washington, D.C.: Mar. 29, 2006). [55] GAO-06-184. [56] GAO-06-184. [57] See OMB Memorandum, Competition Framework for Financial Management Lines of Business Migrations (May 22, 2006), for the initial Competition Framework which will be incorporated into the Migration Planning Guidance. [58] GAO-06-184. [59] GAO, Executive Guide: Creating Value Through World-class Financial Management, GAO/AIMD-00-134 (Washington, D.C.: April 2000). [60] OMB, Realignment of Responsibilities for Federal Financial Management Policy and Oversight, Memorandum (Washington, D.C.: Dec. 2, 2004). [61] The JFMIP principals are the Comptroller General of the United States, the Secretary of the Treasury, and the Directors of OMB and OPM. [62] OMB, Update on the Financial Management Line of Business and the Financial Systems Integration Office, Memorandum (Washington, D.C.: Dec. 16, 2005). [63] OMB Circular No. A-123, Management's Responsibility for Internal Control (revised Dec. 2004). [64] GAO, Financial Management: Effective Internal Control Is Key to Accountability, GAO-05-321T (Washington, D.C.: Feb. 16, 2005). [65] GAO, Internal Control: Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Government, GAO-06-255R (Washington, D.C.: Sept. 6, 2006). [66] GAO/AIMD-00-134. [67] GAO-02-29, GAO-03-31, GAO-05-20, and GAO-05-881. 
[68] GAO-02-29, GAO-03-31, GAO-05-20, and GAO-05-881. [69] Core financial systems, as defined by the Office of Federal Financial Management (OFFM), include managing general ledger, funding, payments, receivables, and certain basic cost functions. [70] Examples of administrative systems include budget, acquisition, travel, property, and human resources and payroll. [71] GAO-01-765G, sections 701, 701A, 701B, and 260.58-.60. [72] In October 1990, the Secretary of the Treasury, the Director of OMB, and the Comptroller General established FASAB to develop a set of generally accepted accounting standards and concepts for the federal government. Effective October 1, 2003, FASAB is comprised of six nonfederal or public members, one member from the Congressional Budget Office, and the three sponsors. [73] Accounting standards are authoritative statements of how particular types of transactions and other events should be reflected in financial statements. SFFACs explain the objectives and ideas upon which FASAB develops the standards. [74] An interpretation is a document of narrow scope that provides clarifications of original meaning, additional definitions, or other guidance pertaining to an existing federal accounting standard. [75] In 1997, FASAB, in conjunction with OMB, Treasury, GAO, the Chief Financial Officers Council, and the President's Council on Integrity and Efficiency, established AAPC to assist the federal government in improving financial reporting. [76] On August 23, 2006, OMB issued Bulletin No. 06-03, Audit Requirements for Federal Financial Statements. This bulletin did not substantially revise FFMIA audit guidance. [77] SGL guidance is published in the Treasury Financial Manual. Treasury's Financial Management Service is responsible for maintaining the SGL and answering agency inquiries. [78] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3 (Washington, D.C.: Nov. 1999). [79] OMB Circular No. 
A-123, Management's Responsibility for Internal Control (revised Dec. 21, 2004). [80] Pub. L. No. 107-204, § 404, 116 Stat. 745, 789 (July 30, 2002).