This is the accessible text file for GAO report number GAO-06-970
entitled 'Financial Management: Improvements Under Way but Serious
Financial Systems Problems Persist' which was released on September 27,
2006.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO:
September 2006:
Financial Management:
Improvements Under Way but Serious Financial Systems Problems Persist:
FFMIA Fiscal Year 2005 Results:
GAO-06-970:
GAO Highlights:
Highlights of GAO-06-970, a report to the Committee on Homeland
Security and Governmental Affairs, U.S. Senate and the Committee on
Government Reform, House of Representatives
Why GAO Did This Study:
The ability to produce the financial information needed to efficiently
and effectively manage the day-to-day operations of the federal
government and provide accountability to taxpayers continues to be a
challenge for most federal agencies. To help address this challenge,
the Federal Financial Management Improvement Act of 1996 (FFMIA)
requires the Chief Financial Officers (CFO) Act agencies to implement
and maintain financial management systems that comply substantially
with (1) federal financial management systems requirements, (2) federal
accounting standards, and (3) the U.S. Government Standard General
Ledger at the transaction level. FFMIA also requires GAO to report
annually on the implementation of the act.
What GAO Found:
While the number of CFO Act agencies receiving unqualified opinions on
their financial statements has increased significantly since 1997, the
number of CFO Act agencies that did not substantially comply with FFMIA
has remained fairly constant as shown below. Although agencies have
made improvements and have other enhancements under way, the systems
deficiencies that have prompted unfavorable FFMIA assessments indicate
that the financial management systems of many agencies are still not
able to routinely produce reliable, useful, and timely financial
information. GAO views the continuing lack of compliance with FFMIA and
the associated problems with agency financial systems to be significant
challenges to improving the management of the federal government.
Figure: CFO Act agencies not in compliance:
[See PDF for Image]
Source: GAO analysis, based on independent auditors' financial
statement audit reports prepared by agency inspectors general and
contract auditors for fiscal years 1997 through 2005.
[End of Figure]
For fiscal year 2005, auditors for five agencies provided negative
assurance that agency systems substantially complied with FFMIA as
allowed by the Office of Management and Budget's (OMB) current audit
guidance. This means that nothing came to their attention to indicate
that agency financial management systems did not substantially comply
with FFMIA requirements. GAO continues to believe that this type of
reporting is not sufficient for reporting under the act. In addition,
negative assurance may provide the false impression that the auditors
are reporting that the agencies’ systems are compliant. In contrast,
auditors for the Department of Labor (Labor) provided positive
assurance, which is an opinion, by reporting that Labor’s financial
management systems substantially complied with FFMIA requirements—a
reporting practice that adds more value. Auditors have expressed
concern about providing positive assurance because of the need to
clarify the meaning of substantial compliance. In addition, some
auditors stated that a change in OMB’s guidance that permits negative
assurance would be necessary for them to provide an opinion on FFMIA
compliance.
To help address financial management systems deficiencies, OMB
continues to move ahead on initiatives to enhance financial management
in the federal government. Moreover, the continuing leadership and
support of Congress will be crucial in reforming financial management
in the federal government.
What GAO Recommends:
GAO reaffirms its prior recommendations that OMB revise its guidance to
require positive assurance regarding substantial compliance with FFMIA,
and clarify the meaning of substantial compliance. As in the past, OMB
did not agree with GAO's view on auditors providing positive assurance
on FFMIA, but agreed to consider clarifying the definition of
substantial compliance in future policy and guidance updates. GAO
believes positive assurance is required by FFMIA and will continue to
work with OMB on this issue.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-970].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact McCoy Williams at (202) 512-9095
or williamsm1@gao.gov.
[End of Section]
Report to Congressional Committees:
Contents:
Letter:
Results In Brief:
Background:
Scope and Methodology:
FFMIA Assessments Identify Continuing Systems Weaknesses:
Federal Financial Management System Initiatives Continue to Evolve:
Conclusions:
Agency Comments and Our Evaluation:
Appendix I: Requirements and Standards Supporting Federal Financial
Management:
Financial Management Systems Requirements:
Federal Accounting Standards:
U.S. Government Standard General Ledger:
Internal Control Standards:
Appendix II: Publications in the Federal Financial Management Systems
Requirements Series:
Appendix III: Statements of Federal Financial Accounting Concepts,
Standards, Interpretations, and Technical Bulletins:
Appendix IV: AAPC Technical Releases:
Appendix V: Checklists for Reviewing Systems under the Federal
Financial Management Improvement Act:
Appendix VI: Comments from the Office of Management and Budget:
Appendix VII: Auditors’ FFMIA Assessments for Fiscal Year 2005:
Appendix VIII: GAO Contact and Staff Acknowledgments:
Table:
Table 1: Key Causes of Systems Implementation Failure:
Figures:
Figure 1: Auditors’ FFMIA Assessments for Fiscal Years 1997
through 2005:
Figure 2: Problems Reported by Auditors for Fiscal Years 2001 through
2005:
Figure 3: Auditors’ FFMIA Assessments for Fiscal Years 1997 through
2005:
Figure 4: Auditors’ Assessments of Substantial Compliance with FFMIA’s
Three Requirements for Fiscal Years 1997 through 2005:
Figure 5: Problems Reported by Auditors for Fiscal Years 2001 through
2005:
Figure 6: Overall Vision of the Financial Management Line of Business:
Figure 7: Governance Structure:
Figure 8: Agency Systems Architecture:
Comptroller General of the United States:
United States Government Accountability Office:
Washington, DC 20548:
September 26, 2006:
The Honorable Susan M. Collins:
Chairman:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Tom Davis:
Chairman:
The Honorable Henry A. Waxman:
Ranking Minority Member:
Committee on Government Reform:
House of Representatives:
The lack of reliable, useful, and timely financial data needed to
efficiently and effectively manage the day-to-day operations of the
federal government and provide accountability to taxpayers and the
Congress continues to be a weakness at many federal agencies. To
address this long-standing weakness, the Congress mandated financial
management reform within the federal government by enacting the Chief
Financial Officers (CFO) Act of 1990.[Footnote 1] The CFO Act laid the
foundation for a comprehensive reform of federal financial management
by establishing a leadership structure, requiring audited financial
statements, and strengthening accountability reporting. This act also
requires agencies to implement modern financial management systems in
order to attain the systematic measurement of performance; the
development of cost information; and the integration of program,
budget, and financial information for management reporting. The end
goal of the CFO Act is to greatly enhance the ability of managers to do
their jobs by providing the full range of financial information needed
for day-to-day management.
The Federal Financial Management Improvement Act of 1996[Footnote 2]
(FFMIA) was enacted on September 30, 1996, and builds on the foundation
laid by the CFO Act by highlighting the need for agencies to have
financial management systems that are able to generate reliable,
useful, and timely information needed to make fully informed decisions
and to ensure accountability on an ongoing basis. FFMIA requires the
major departments and agencies covered by the CFO Act[Footnote 3] to
implement and maintain financial management systems that comply
substantially with (1) federal financial management systems
requirements, (2) applicable federal accounting standards, and (3) the
U.S. Government Standard General Ledger (SGL) at the transaction level.
The act also requires auditors to state in their audit reports whether
the agencies' financial management systems comply with the act's
requirements. In addition, we are required to report annually on the
implementation status of the act. This report, our tenth, discusses (1)
the auditors' assessments of agency systems' compliance with FFMIA
requirements for fiscal years 1997 through 2005 and the financial
management systems problems that continued to affect systems' FFMIA
compliance in fiscal year 2005 and (2) the initiatives under way to
help move federal financial management toward FFMIA compliance.
We conducted our work from January through July 2006 in Washington,
D.C., Baltimore, Md., and Kansas City, Mo., in accordance with U.S.
generally accepted government auditing standards. We requested comments
on a draft of this report from the Director of OMB or his designee. We
received written comments from the OMB Controller. OMB's comments are
discussed in the Agency Comments and Our Evaluation section and
reprinted in appendix VI.
Results In Brief:
Since the passage of FFMIA, there has been progress in achieving the
requirements of this landmark legislation. While improvements have been
made throughout government, much work remains to fulfill the underlying
goals of the CFO Act and FFMIA. Notably, the number of CFO Act agencies
receiving unqualified opinions on their financial statements has
increased significantly since FFMIA reporting began in 1997. In fiscal
year 1997, 11 of the CFO Act agencies attained unqualified opinions on
their financial statements, while 19[Footnote 4] agencies received
unqualified opinions for fiscal year 2005. As shown in figure 1, the
ability of federal financial management systems to fully address FFMIA
requirements has not advanced at the same pace. In fiscal year 1997, 20
agencies were reported as having systems that were not in substantial
compliance with at least one of the three FFMIA systems requirements,
while in fiscal year 2005, auditors for 18 of the CFO Act agencies
reported that the agencies' financial management systems did not
substantially comply with at least one of the three FFMIA requirements.
While progress has been made in addressing financial management
systems' weaknesses, the lack of substantial compliance with the three
requirements of FFMIA, and the associated deficiencies, indicates that
the financial management systems of many agencies are still not able to
routinely produce reliable, useful, and timely financial information.
Consequently, the federal government's access to relevant, timely, and
reliable data to effectively manage and oversee its major programs,
which is the ultimate objective, was and continues to be restricted.
Figure 1: Auditors' FFMIA Assessments for Fiscal Years 1997 through
2005:
[See PDF for image]
Source: GAO analysis, based on independent auditors' financial
statement audit reports prepared by agency inspectors general and
contract auditors for fiscal years 1997 through 2005.
[End of figure]
In fiscal year 2005, auditors for five[Footnote 5] of the six other CFO
Act agencies provided what is termed negative assurance of FFMIA
compliance. In essence, they reported that nothing came to their
attention during the course of their planned audit procedures to
indicate that these agencies' financial management systems did not meet
FFMIA requirements. Negative assurance is the level of assurance
specified by the Office of Management and Budget's (OMB) audit guidance
for reporting on FFMIA compliance. From our perspective, FFMIA requires
auditors to provide positive assurance, which is an opinion, on FFMIA
compliance. The auditors for one agency, the Department of Labor
(Labor), provided positive assurance, as required by the act, when they
reported that in their opinion, Labor's financial management systems
substantially complied with the requirements of FFMIA. Providing
positive assurance requires some additional testing beyond that
typically performed by auditors to render an opinion on financial
statements. For example, in performing financial statement audits,
auditors generally focus on the capability of the financial management
systems to process and summarize financial information that flows into
agency financial statements. In contrast, FFMIA requires auditors to
take a broader perspective and consider the financial management
systems' capability to also reliably record and report financial
information for a variety of purposes beyond financial statements. Thus
FFMIA furthers the ultimate goal of improving financial management
systems in the federal government and assisting agency managers in
having timely access to reliable data for decision-making purposes.
This, in turn, will allow them to do their jobs more efficiently and
effectively.
For this reason, this second year of Labor's auditors providing
positive assurance on FFMIA compliance continues to be a very
noteworthy achievement by Labor. We look forward to other agencies
opting to upgrade their level of assurance on this matter as required
by the act. Auditors for the majority of the agencies we visited stated
that additional guidance on the definition of substantial compliance
would facilitate their assessments of financial management systems for
FFMIA reporting. Some auditors also indicated that a change in OMB's
guidance on FFMIA reporting would be necessary for them to shift to
providing opinions on FFMIA compliance.
As shown in figure 2, based on our review of the fiscal year 2005
financial statement audit reports for the 18 agencies with systems
reported not to be in substantial compliance with one or more of the
three FFMIA requirements, the same six primary problems that we have
previously reported continue to exist. While more severe at some
agencies than others, the nature and seriousness of the problems
reported indicate that most agencies' financial management systems are
frequently unable to routinely produce reliable, useful, and timely
financial information. We view the problems with agencies' financial
management systems to be a significant challenge to improving the
financial management of the federal government, because the problems
indicate that many agencies are still a long way from accomplishing
what was envisioned with the passage of the CFO Act of 1990 and the
more recent passage of FFMIA in 1996.
Figure 2: Problems Reported by Auditors for Fiscal Years 2001 through
2005:
[See PDF for image]
Source: GAO analysis, based on independent auditors' financial
statement audit reports prepared by agency inspectors general and
contract auditors for fiscal years 2001 through 2005.
[End of figure]
In an effort to comply with FFMIA and address problems such as
nonintegrated systems, inadequate reconciliations, and lack of
compliance with the SGL, a number of agencies have efforts under way to
implement new financial management systems, to upgrade existing
systems, or to move to a shared service provider. Agencies anticipate
that the new systems will provide reliable, useful, and timely data to
support managerial decision making. However, significant problems in
the development and implementation of new financial management systems
were reported for several agencies in fiscal year 2005, especially when
agencies did not follow appropriate best practices to ensure the
efficient and effective implementation of these systems.
OMB continues to move forward on initiatives that support the
President's Management Agenda (PMA) to enhance financial management and
provide results-oriented information in the federal government. A key
initiative has been the further development of the financial management
line of business to promote leveraging shared service solutions to
enhance the government's performance and services. However, challenges
exist in implementing the financial management line of business. For
example, as we reported in March 2006,[Footnote 6] the requirements for
agencies and private sector firms to become shared service providers
and the services they must provide have not been adequately documented
or effectively communicated to agencies and the private sector. OMB has
not provided the current selected shared service providers with
standard document templates needed to minimize risk, provide assurance,
and develop understandings with customers on topics such as service-
level agreements[Footnote 7] and a concept of operations. Further,
processes have not been put in place to facilitate agency decisions on
selecting a provider or focusing investment decisions on the benefits
of standard processes and shared service providers. We made a number of
recommendations to address these issues and OMB has projects under way
to develop standard business processes, a common accounting code, and
specific measures to assess the performance of the shared service
providers to help address some shortcomings. Because the federal
government is one of the largest, most complex organizations in the
world, operating, maintaining, and modernizing its financial management
systems represents a monumental challenge--from both cost and technical
perspectives. As pressure mounts to increase accountability and efforts
to reduce federal spending intensify, sustained and committed
leadership will be a key factor in the successful implementation of
governmentwide initiatives.
While we are not making any new recommendations in this report, we
reaffirm our prior recommendations aimed at enhancing OMB's audit
guidance related to FFMIA assessments. Specifically, we recommended
that OMB (1) require agency auditors to provide a statement of positive
assurance when reporting an agency's systems to be in substantial
compliance with the requirements of FFMIA and (2) explore further
clarification of the definition of "substantial compliance" to
encourage consistent reporting.
In commenting on a draft of this report, OMB agreed with our assessment
that many federal agencies still need to make improvements to generate
more accurate and timely financial information to optimize day-to-day
operations. As in previous years, we and OMB have differing views on
the level of audit assurance necessary for assessing and reporting on
compliance with FFMIA. While OMB commended Labor's auditors for taking
the steps needed to provide positive assurance and encouraged similar
efforts at other agencies, it stated that requiring a statement of
positive assurance for all agencies was not necessary. We continue to
believe that a statement of positive assurance is a statutory
requirement under the act and will continue to work with OMB on this
issue. OMB did agree to consider clarifying the definition of
"substantial compliance" in its future policy and guidance updates. Our
detailed evaluation of OMB's comments can be found at the end of this
letter.
Background:
FFMIA is part of a series of management reform legislation passed by
the Congress over the past two decades. This series of legislation
started with the Federal Managers' Financial Integrity Act of
1982[Footnote 8] (FMFIA), which the Congress passed to strengthen
internal controls and accounting systems throughout the federal
government, among other purposes. Issued pursuant to 31 U.S.C. § 3512
(c), (d), still commonly known as FMFIA, the Comptroller General's
Standards for Internal Control in the Federal Government[Footnote 9]
provides the standards that are directed at helping agency managers
implement effective internal control, an integral part of improving
financial management systems. Internal control is a major part of
managing an organization and comprises the plans, methods, and
procedures used to meet missions, goals, and objectives. In summary,
internal control, which under OMB's guidance for FMFIA is synonymous
with management control, helps government program managers achieve
desired results through effective stewardship of public resources.
Effective internal control also helps in managing change to cope with
shifting environments and evolving demands and priorities. As programs
change and agencies strive to improve operational processes and
implement new technological developments, management must continually
assess and evaluate its internal control to ensure that the control
activities being used are effective and updated when necessary. While
agencies had achieved some early success in identifying and correcting
material internal control and accounting system weaknesses, their
efforts to implement FMFIA had not produced the results intended by the
Congress.
Therefore, in the 1990s, the Congress passed additional management
reform legislation to improve the general and financial management of
the federal government. This legislation includes the (1) CFO Act of
1990, (2) Government Performance and Results Act of 1993,[Footnote 10]
(3) Government Management Reform Act of 1994,[Footnote 11] (4) FFMIA,
(5) Clinger-Cohen Act of 1996,[Footnote 12] (6) Accountability of Tax
Dollars Act of 2002,[Footnote 13] (7) Improper Payments Information Act
of 2002,[Footnote 14] and (8) Department of Homeland Security (DHS)
Financial Accountability Act of 2004.[Footnote 15] The combination of
reforms ushered in by these laws, if successfully implemented, provides
a solid foundation to improve the accountability of government programs
and operations as well as to routinely produce valuable cost and
operating performance information. These financial management reform
acts emphasize the importance of improving financial management across
the federal government.
In particular, building on the foundation laid by the CFO Act, FFMIA
emphasizes the need for CFO Act agencies to have systems that are able
to generate reliable, useful, and timely information for decision-
making purposes and to ensure ongoing accountability. FFMIA requires
the departments and agencies covered by the CFO Act to implement and
maintain financial management systems that comply substantially with
(1) federal financial management systems requirements, (2) applicable
federal accounting standards,[Footnote 16] and (3) the SGL[Footnote 17]
at the transaction level. FFMIA also requires auditors to state in
their CFO Act financial statement audit reports whether the agencies'
financial management systems substantially comply with these three
FFMIA systems requirements. Appendixes I through IV include details on
the various requirements and standards that support federal financial
management.
Guidance for FFMIA Issued by OMB:
OMB establishes governmentwide financial management systems policies
and requirements and has issued two sources of guidance related to
FFMIA reporting. First, OMB Bulletin No. 01-02, Audit Requirements for
Federal Financial Statements, dated October 16, 2000, prescribed audit
requirements, including specific language auditors should use when
reporting on an agency system's substantial compliance with the three
FFMIA requirements. Specifically, this guidance called for auditors to
provide negative assurance when reporting on an agency system's FFMIA
compliance. On August 23, 2006, OMB issued Bulletin No. 06-03, Audit
Requirements for Federal Financial Statements, which superseded OMB
Bulletin No. 01-02. The new bulletin did not substantially revise OMB's
FFMIA audit guidance contained in Bulletin No. 01-02. Second, in OMB
Memorandum, Revised Implementation Guidance for the Federal Financial
Management Improvement Act (Jan. 4, 2001), OMB provides guidance for
agencies and auditors to use in assessing substantial compliance. The
guidance describes the factors that should be considered in determining
whether an agency's systems substantially comply with FFMIA's three
requirements. Further, the guidance provides examples of the types of
indicators that should be used as a basis for assessing whether an
agency's systems are in substantial compliance with each of the three
FFMIA requirements. Finally, the guidance discusses the corrective
action plans, to be developed by agency officials, for bringing their
systems into compliance with FFMIA.
Financial Audit Manual Section on FFMIA Developed by GAO and the
President's Council on Integrity and Efficiency:
We have worked in partnership with representatives from the President's
Council on Integrity and Efficiency[Footnote 18] (PCIE) to develop and
maintain the joint GAO/PCIE Financial Audit Manual (FAM). The FAM
provides specific procedures auditors should perform when assessing
FFMIA compliance.[Footnote 19] As detailed in appendix V, we have also
issued a series of checklists to help assess whether agencies' systems
meet systems requirements. The FAM guidance on FFMIA assessments
recognizes that while financial statement audits offer some assurance
on FFMIA compliance, auditors should design and implement additional
testing to satisfy FFMIA criteria. For example, in performing financial
statement audits, auditors generally focus on the ability of the
financial management systems to process and summarize financial
information that flows into annual agency financial statements. In
contrast, FFMIA requires auditors to assess whether an agency's
financial management systems comply with system requirements,
accounting standards, and the SGL. To do this, auditors need to
consider whether agency systems provide reliable, useful, and timely
information for managing day-to-day operations so that agency managers
would have the necessary information to measure performance on an
ongoing basis rather than just at year end. Further, OMB's current
audit guidance[Footnote 20] calls for financial statement auditors to
review performance information for consistency with the financial
statements, but does not require auditors to determine whether this
information is available to managers for day-to-day decision making as
called for by the FAM guidance for testing compliance with FFMIA.
Scope and Methodology:
We reviewed the fiscal year 2005 financial statement audit reports for
the 24 CFO Act agencies to identify the auditors' assessments of agency
financial systems' compliance and the problems that affect FFMIA
compliance. Prior experience with the auditors and our review of their
reports provided the basis for determining the sufficiency and
relevancy of evidence provided in these documents. Based on their audit
reports, we identified reported problems that affect agency systems'
compliance with FFMIA. The problems identified in these reports are
consistent with long-standing financial management weaknesses we have
reported based on our work at a number of agencies. However, we caution
that the occurrence of problems in a particular category may be even
greater than auditors' reports of FFMIA noncompliance would suggest,
because auditors may not have identified all instances of noncompliance
with systems requirements and included all problems in their reports.
We also met with OMB officials to discuss their current efforts to
improve federal financial management and address our prior
recommendations related to FFMIA.
In addition, we performed site visits to 12 agencies to assess the
amount and type of FFMIA-related work being performed by the
independent public auditors. The agencies selected for visits included
the 5 agencies where auditors provided negative assurance of FFMIA
compliance in fiscal year 2005 (Commerce, Environmental Protection
Agency (EPA), National Science Foundation (NSF), Office of Personnel
Management (OPM), and Social Security Administration (SSA)); the agency
where auditors provided an opinion, or positive assurance, of FFMIA
compliance in fiscal year 2005 (Labor); the 2 agencies where auditors
provided negative assurance of FFMIA compliance in fiscal year 2004 but
reported those agencies as noncompliant in fiscal year 2005 (the
Department of Energy (Energy) and the General Services Administration
(GSA)); and 4[Footnote 21] of the agencies with the largest net costs
as reported in the fiscal year 2005 Financial Report of the United
States Government.[Footnote 22] We also met with representatives for
the Inspector General of the Department of Defense (DOD), which has the
largest net costs of any federal agency in fiscal year 2005, to confirm
our understanding of its FFMIA-related audit procedures.
We conducted our work from January 2006 through July 2006 in
Washington, D.C., Baltimore, Md., and Kansas City, Mo., in accordance
with U.S. generally accepted government auditing standards. We
requested written comments on a draft of this report from the Director
of OMB or his designee. We received written comments from the OMB
Controller. OMB's comments are discussed in the Agency Comments and Our
Evaluation section and reprinted in appendix VI. We also received
technical comments from OMB and the Departments of Health and Human
Services and Transportation, which we incorporated as appropriate.
FFMIA Assessments Identify Continuing Systems Weaknesses:
While the 24 CFO Act agencies have made demonstrable progress in
producing auditable financial statements and progress in addressing
their financial management systems weaknesses since the passage of
FFMIA, about three-fourths are still not substantially compliant with
FFMIA's three requirements. In contrast, the number of CFO Act agencies
receiving unqualified opinions on their financial statements has
increased significantly since 1997, when FFMIA reporting began. In
fiscal year 1997, 11 of the CFO Act agencies attained unqualified
opinions on their financial statements, while 19[Footnote 23] agencies
received unqualified opinions in fiscal year 2005. As shown in figure
3, the ability of federal financial management systems to address FFMIA
requirements has not advanced at the same pace. In fiscal year 1997, 20
agencies were reported as having systems that were not in substantial
compliance with at least one of the three FFMIA systems requirements.
In fiscal year 2005, auditors for 18 of the CFO Act agencies reported
that the agencies' financial management systems do not substantially
comply with at least one of the three FFMIA requirements.
Figure 3: Auditors' FFMIA Assessments for Fiscal Years 1997 through
2005:
[See PDF for image]
Source: GAO analysis, based on independent auditors' financial
statement audit reports prepared by inspectors general and contract
auditors for fiscal years 1997 through 2005.
[End of figure]
Auditors' assessments for three agencies changed from fiscal year 2004
to 2005. For fiscal year 2005, auditors for OPM were able to provide
negative assurance that OPM's financial management systems, as a whole,
were substantially compliant with FFMIA's three requirements.
Conversely, auditors for Energy and GSA reported that those agencies'
financial management systems did not substantially comply with FFMIA
requirements in fiscal year 2005, but had not reported any FFMIA
compliance issues at those federal agencies in fiscal year 2004. At
Energy, the auditors indicated that Energy's systems problems stemmed
from the implementation of a new accounting system. At GSA, the
auditors reported recently identified internal control weaknesses over
financial reporting. In addition, consistent with the DHS Financial
Accountability Act of 2004,[Footnote 24] which added DHS to the list of
CFO Act agencies, DHS's auditors reported that the department's
financial management systems did not substantially comply with any of
the three FFMIA requirements for fiscal year 2005.
Figure 4 summarizes auditors' assessments of agencies' compliance with
the three requirements of FFMIA for fiscal years 1997 through 2005 and
suggests that the instances of noncompliance with FFMIA's three
requirements have remained fairly constant. In particular, in fiscal
year 2005, auditors for eight agencies[Footnote 25] reported that their
agencies' systems were not in substantial compliance with any of the
three FFMIA requirements--federal financial management systems
requirements, applicable federal accounting standards, or the SGL at
the transaction level.
Figure 4: Auditors' Assessments of Substantial Compliance with FFMIA's
Three Requirements for Fiscal Years 1997 through 2005:
[See PDF for image]
Source: GAO analysis, based on independent auditors' financial
statement audit reports prepared by agency inspectors general and
contract auditors for fiscal years 1997 through 2005.
[End of figure]
While substantially more CFO Act agencies have obtained clean or
unqualified audit opinions on their financial statements, we are
concerned over the number of CFO Act agencies that have restated
certain of their financial statements. As we have previously
reported,[Footnote 26] a number of CFO Act agencies have restated
certain of their financial statements over the past few years to
correct for material errors. Errors in financial statements result from
mathematical mistakes, mistakes in the application of accounting
principles, or oversight or misuse of facts that existed at the time
the financial statements were prepared. Generally, these restatements
resulted from weaknesses in internal control over the processing and
reporting of certain transactions and inadequate audit procedures to
detect these errors. The auditors for the seven agencies that restated
their financial statements in fiscal year 2005 also reported that the
agencies' financial systems had not met FFMIA requirements. Further,
restatements raise questions about the reliability of other information
in previously issued financial statements and indicate a continuing
lack of improvement in the underlying agency financial systems.
Frequent restatements to correct errors can undermine public trust and
confidence in both the entity and all responsible parties.
Auditors Mostly Provide Negative Assurance on FFMIA Compliance:
In fiscal year 2005, auditors for five agencies (Commerce, EPA, NSF,
OPM, and SSA) provided negative assurance that the agencies' systems
were compliant with FFMIA requirements. The auditor for one agency,
Labor, provided positive assurance on FFMIA compliance. From our
perspective, FFMIA requires auditors to provide positive assurance,
which is an opinion, because section 803 (b)(1) of FFMIA requires
auditors to "report whether the agency financial management systems
comply with the requirements of [the act]." Auditors provide negative
assurance when they state that nothing came to their attention during
the course of their planned procedures to indicate that the agency's
financial management systems did not meet FFMIA requirements. Under
generally accepted government auditing standards, there are no
requirements to perform additional testing beyond that needed for a
financial statement audit for an auditor to give negative assurance.
However, if financial statement users are not familiar with the concept
of negative assurance, which we believe is generally the case, they may
incorrectly assume that these five agencies' systems have been fully
tested by the auditors and that the agencies have achieved FFMIA
compliance. In addition, testing that is not sufficient to support an
opinion also means that an area of noncompliance may be missed;
therefore, the number of problems in a particular category may be even
greater than auditors' reports of FFMIA noncompliance would suggest,
because not all problems are being included. Although OMB's current
audit guidance[Footnote 27] instructs auditors to test for compliance
with FFMIA, it does not provide guidance on the nature and extent of
tests to be performed. It only calls for auditors to provide negative
assurance when reporting whether an agency's systems are in substantial
compliance with the three FFMIA requirements. We did note greater
attention to assessing FFMIA compliance at the agencies we visited.
Auditors at 8 of the 12 CFO Act agencies visited prepared and used a
separate audit program to assess FFMIA compliance. Auditors stated that
separate FFMIA audit programs were developed to ensure consistency and
to share best practices among their audit teams.
In fiscal years 2005 and 2004, auditors for Labor provided positive
assurance of Labor's financial management systems' compliance with
FFMIA requirements. For both years, Labor's Inspector General
contracted with an independent public accounting firm to conduct the
financial statement audit and included a provision to specifically
perform an FFMIA examination in accordance with American Institute of
Certified Public Accountants attestation standards.[Footnote 28] In
general, providing positive assurance of FFMIA compliance requires
auditors to perform more audit procedures than those needed to render
an opinion on the financial statements. While financial statement
audits in general will offer some assurance on FFMIA compliance,
auditors should also design and implement additional testing to satisfy
the criteria in FFMIA. For example, in performing financial statement
audits, auditors generally focus on the capability of the financial
management systems to process and summarize financial information that
flows into agency financial statements. In contrast, assessing FFMIA
compliance involves determining whether an agency's financial
management systems comply with systems requirements. To do this,
auditors need to consider whether agency systems provide complete,
accurate, and timely information for managing day-to-day operations.
For fiscal year 2005, Labor's independent auditor performed transaction
testing, provided FAM Section 700 training to audit team members,
analyzed whether financial management systems provided reliable and
timely financial information for managing current operations to senior
management and program managers, and completed the audit procedures
provided in FAM 701A and associated Joint Financial Management
Improvement Program (JFMIP) checklists for each operating division. The
auditor estimated that the cost of the additional procedures needed to
provide positive assurance was between $50,000 and $80,000. The efforts
of Labor to perform the level of review necessary to provide positive
assurance of FFMIA compliance in fiscal years 2005 and 2004 are
noteworthy, and we look forward to other agencies adopting similar
auditing and reporting practices.
Performing audit procedures designed to provide positive assurance of
an agency's financial management systems' compliance with FFMIA
requirements can identify weaknesses and lead to improvements that
enhance the performance, productivity, and efficiency of federal
financial management systems. It also provides a clear "bottom line,"
whereas negative assurance does not. Therefore, as we have discussed in
prior reports covering fiscal years 2000 through 2004,[Footnote 29] we
continue to believe that our prior recommendation for OMB to require
agency auditors to provide a statement of positive assurance when
reporting an agency's systems to be in substantial compliance with the
three FFMIA systems requirements is still appropriate. Given OMB's
explicit instruction to provide negative assurance, some auditors also
indicated that a change in OMB's guidance on FFMIA reporting would be
necessary in order for them to provide an opinion on FFMIA compliance.
In a recent discussion with OMB officials, as well as OMB's comments on
a draft of this report and our prior FFMIA reports, OMB continues to
support the requirement for negative assurance of FFMIA compliance.
While OMB agrees that testing should occur, and its guidance on FFMIA
calls for it, it does not specify the nature and extent of audit
procedures. OMB officials continue to express the belief that the level
of testing needed for positive assurance may be too time-consuming and
costly. OMB officials said that different, more coordinated approaches
toward assessing an agency's internal controls and FFMIA compliance
could provide sufficient assurance on an agency's systems. We share
concerns about the added cost, but want to make our view quite clear
that the focus needs to be on the ultimate end goal of having financial
management systems able to routinely produce reliable, useful, and
timely financial information. Until such systems exist, the ability of
federal managers to effectively manage and oversee their major programs
was and continues to be restricted.
In its comments, OMB emphasized that its PMA and financial management
line of business initiatives, along with the strengthened internal
control requirements incorporated into the revised OMB Circular No.
A-123, are helping agencies to identify and correct FFMIA deficiencies.
We agree these initiatives can drive systems improvements and support
OMB's leadership in this area. Our concern lies in the fact that the
full value of independent auditors' assessments of FFMIA compliance
will not be fully realized until auditors perform a sufficient level of
audit work to be able to provide positive assurance that agencies are
in compliance with FFMIA as called for in the act. When reporting an
agency's financial management systems to be in substantial compliance,
positive assurance from independent auditors will provide users with
confidence that the agency systems provide the reliable, useful, and
timely information envisioned by the act.
Additional FFMIA Guidance Needed:
As we have previously reported, a number of auditors we interviewed
expressed a need for clarification on the definition of "substantial
compliance." In fiscal year 2005, auditors for 7 of the 12 agencies we
visited stated that additional guidance on the definition of
substantial compliance would be useful. As a result, we reiterate our
previous recommendation that OMB explore clarifying the definition of
"substantial compliance" to meet the needs of the auditing community
and to allow for consistent application of the doctrine.
In addition, 8 of the 12 independent auditors cited a need for
additional guidance to assist them in assessing whether agency systems
substantially comply with the three FFMIA requirements. For example, at
SSA, the auditors reported a need for clearer guidance from OMB on
assessing FFMIA compliance that is consistent with the GAO/PCIE FAM.
Auditors for other agencies we visited professed a need for (1) more
clearly defined and objective criteria to assist in their determination
of FFMIA compliance, (2) more specific guidance on testing and sampling
methodologies, and (3) additional guidance for assessing compliance
with certain accounting standards, such as the Statement of Federal
Financial Accounting Standards (SFFAS) No. 4, Managerial Cost
Accounting Concepts and Standards for the Federal Government. In its
comments, OMB stated that its growing experience helping agencies
implement the PMA enables it to refine the existing FFMIA indicators
associated with substantial compliance. Accordingly, OMB said it would
consider our recommendation in any future policy and guidance updates.
Reasons for Noncompliance:
Audit reports for the 18 agencies reported to have systems not in
substantial compliance with one or more of FFMIA's three requirements
during fiscal year 2005 again identified the same six primary reasons
for noncompliant agency systems. They ranged from serious, pervasive
systems problems to less serious problems that may affect only one
aspect of an agency's accounting operation:
* nonintegrated financial management systems,
* inadequate reconciliation procedures,
* lack of accurate and timely recording of financial information,
* noncompliance with the SGL,
* lack of adherence to federal accounting standards, and
* weak security controls over information systems.
Figure 5 shows the relative frequency of these problems at the agencies
reported to have noncompliant systems. The same six types of problems
have been cited by auditors in the fiscal years 2001 through 2004 audit
reports, although the auditors may not have reported these problems as
specific reasons for their systems' lack of substantial compliance with
the three FFMIA requirements. In addition, we caution that the
occurrence of problems in any particular category may be even greater
than auditors' reports of FFMIA noncompliance would suggest because
auditors may not have identified all problems during the reviews.
Figure 5: Problems Reported by Auditors for Fiscal Years 2001 through
2005:
[See PDF for image]
Source: GAO analysis, based on independent auditors' financial
statement audit reports prepared by agency inspectors general and
contract auditors for fiscal years 2001 through 2005.
[End of figure]
Nonintegrated Financial Management Systems:
The CFO Act calls for agencies to develop and maintain integrated
accounting and financial management systems[Footnote 30] that comply
with federal systems requirements and provide for (1) complete,
reliable, consistent, and timely information that is responsive to the
financial information needs of the agency and facilitates the
systematic measurement of performance; (2) the development and
reporting of cost management information; and (3) the integration of
accounting, budgeting, and program information. OMB Circular No. A-127,
Financial Management Systems, requires agencies to establish and
maintain a single integrated financial management system that conforms
to functional requirements issued by the Financial Systems Integration
Office (FSIO),[Footnote 31] formerly the Joint Financial Management
Improvement Program (JFMIP). More details on the financial management
systems requirements can be found in appendixes I and II.
The lack of integrated financial management systems typically results
in agencies expending major effort and resources, including in some
cases hiring external consultants, to develop information that their
systems should be able to provide on a daily or recurring basis.
Agencies with nonintegrated financial systems are also more likely to
devote more time and resources to collecting information than those
with integrated systems. In addition, opportunities for errors are
increased when agencies' systems are not integrated.
Auditors frequently mentioned the lack of integrated financial
management systems in their fiscal year 2005 audit reports. As shown in
figure 5, auditors for 13 of the 18 agencies with noncompliant systems
reported this to be a problem, compared with 12 of the 16 agencies
reported with noncompliant systems in fiscal year 2004. For example,
auditors for the Department of Housing and Urban Development (HUD)
reported that HUD has not been in compliance with FFMIA, in part due to
the lack of an integrated financial management system, since fiscal
year 1997, when reports under the act were first required. As a result,
HUD has had to rely on extensive ad hoc analyses and special projects
to produce account balances and disclosures. The auditors further
reported that HUD's most significant system challenges exist at the
Federal Housing Administration (FHA), which continues to conduct some
day-to-day business operations with legacy-based systems, thereby
limiting its ability to integrate the financial processing environment,
although the auditors noted that FHA is making progress in achieving
compliance with federal financial system requirements. Consequently,
according to the HUD Office of Inspector General, since HUD's existing
core financial system could be better integrated, more user-friendly,
and less costly to maintain, HUD management is proceeding with plans to
develop and implement a modern financial management system through the
HUD Integrated Financial Management Improvement Project.
At DHS, auditors reported that the financial management systems for
Immigration and Customs Enforcement (ICE) and the U.S. Coast Guard lack
appropriate integration. Specifically, DHS auditors reported that ICE
had not successfully integrated the accounting processes of the five
DHS components for which it became responsible in fiscal year 2004.
Auditors also noted that ICE continued to operate unreliable processes
and procedures that support accounting and financial reporting,
resulting in material errors, irregularities, and abnormal balances in
the DHS consolidated financial statements that existed for most of
fiscal year 2004 and continued unresolved in fiscal year 2005. As a
result, auditors reported that ICE's financial systems were inadequate
to process financial transactions for the five DHS components. Further,
auditors for the Coast Guard reported that the financial reporting
process was complex and labor-intensive with a significant number of
adjustments being made outside the core accounting system. In addition,
Coast Guard officials had to perform a significant amount of manual
review in order to integrate data from three separate general ledger
systems. As a result, the auditors found that DHS was unable to prepare
a consolidated financial statement for fiscal year 2005 until November
2005 and that the consolidated financial statement disclosures and
notes contained critical errors and inconsistencies that required
material adjustments to correct.
Inadequate Reconciliation Procedures:
A reconciliation process, whether manual or automated, is a necessary
and valuable part of a sound financial management system. The less
integrated the financial management system, the greater the need for
adequate reconciliations because data are being accumulated from a
number of different sources. Reconciliations are needed to ensure that
data have been recorded properly between the various systems and manual
records. The Comptroller General's Standards for Internal Control in
the Federal Government highlight reconciliation as a key control
activity.
As shown in figure 5, auditors for 14 of the 18 agencies with
noncompliant systems reported that the agencies had reconciliation
problems, including a number of agencies that could not reconcile their
Fund Balance with Treasury (FBWT) accounts with the Department of the
Treasury's (Treasury) records, compared with 11 of the 16 agencies
reported with noncompliant systems in fiscal year 2004. Treasury policy
requires agencies to reconcile their accounting records with Treasury
records monthly (comparable to individuals reconciling their personal
checkbooks to their monthly bank statements).
As a case in point, in fiscal year 2005, the auditor for GSA reported
instances of improper reconciliation procedures that contributed to
errors in financial reporting. Specifically, the auditor noted that
differences between budgetary account balances in various GSA
subsystems and the core financial management system had not been
reconciled, nor had proper budgetary account reconciliation procedures
been developed. These weaknesses inhibit GSA management's ability to
detect and prevent budgetary accounting and reporting misstatements.
Further, the auditors noted that GSA continued to lack adequate
controls for reconciling intragovernmental balances. As a result, GSA
has developed extensive manual workarounds and used estimates to
determine the breakdown of revenue and receivables for DOD--the
largest customer of GSA's Federal Acquisition Service. For example, as
of June 30, 2005, GSA was unable to assign $582 million in unidentified
receivable transactions to a specific department within DOD and
therefore simply allocated this difference among the Department of the
Army, Department of the Navy, and the Department of the Air Force.
Proper reconciliation procedures would allow GSA to resolve these types
of unidentified transactions, identify material out-of-balance
conditions between federal entities, assist in the preparation of
governmentwide financial statements, help ensure that
intragovernmental balances are properly eliminated in the governmentwide
financial statements, and provide some level of assurance that balances
have been accurately and appropriately recorded.
Lack of Accurate and Timely Recording of Financial Information:
As shown in figure 5, auditors for 17 of 18 agencies with noncompliant
systems reported the lack of accurate and timely recording of financial
information as a problem for fiscal year 2005, compared with 16 of 16
agencies reported with noncompliant systems in fiscal year 2004.
Accurate and timely recording of financial information is essential for
successful financial management. Timely recording of transactions
facilitates accurate reporting in agencies' financial reports and other
management reports used to guide managerial decision making. In
addition, having systems that record information in an accurate and
timely manner is critical for key governmentwide initiatives, such as
integrating budget and performance information.
In contrast, lack of timely recording of transactions during the fiscal
year can result in agencies making substantial efforts at fiscal year-end
to perform extensive manual financial statement preparation efforts
that are susceptible to error and increase the risk of misstatements.
For example, auditors for the Department of Health and Human Services
(HHS) noted that one of the monthly reports prepared by the Program
Support Center to reconcile the general ledger with Treasury's records
has lost its usefulness due to old and invalid items that remain in the
general ledger. Specifically, they identified differences with an
absolute value of approximately $5.5 billion, in part due to
transactions dating back to as early as 1993. In addition, the auditors
noted that 53 of 105 reconciliations selected for review were not
completed within HHS's allotted 30-day deadline--several taking up to
84 days to complete. Finally, the auditors identified more than 32,000
grants with net obligation balances of approximately $2.3 billion that
were eligible to be closed. Many of those grants have been eligible for
closure for several years. As a result of these and other problems,
more than 270 entries with an absolute value of more than $208 billion
were recorded outside the general ledger system. The auditors noted
that the majority of these entries could have been eliminated by more
timely analyses and reconciliations, as well as improved estimation
methodologies.
Noncompliance with the SGL:
As shown in figure 5, auditors for 11 of the 18 agencies with
noncompliant systems reported that the agencies' systems did not comply
with SGL requirements for fiscal year 2005, compared with 11 of the 16
agencies reported with noncompliant systems in fiscal year 2004. FFMIA
specifically requires federal agencies to implement the SGL at the
transaction level. Using the SGL promotes consistency in financial
transaction processing and reporting by providing a uniform chart of
accounts and pro forma transactions and provides a basis for comparison
at the agency and governmentwide levels. The defined accounts and pro
forma transactions standardize the accumulation of agency financial
information as well as enhance financial control and support financial
statement preparation and other external reporting.
A lack of adherence to the SGL impedes the ability of the federal
government to complete accurate, governmentwide financial statements.
For example, auditors for the Small Business Administration (SBA) noted
that certain accounting transactions were not recorded, processed,
summarized, or reported in accordance with the SGL. Specifically, the
auditors found that the SBA used improper rules to record a
transaction, resulting in a subsidy account having a zero balance,
while an expense account was misstated by $58 million. SBA also
incorrectly characterized $30.5 million as a decrease in borrowing
authority instead of an actual repayment of debt. Finally, the
department used improper posting logic in preparing budget pro forma
data, resulting in various overstatements and understatements totaling
$24.2 million.
Moreover, by not implementing the SGL, agencies may experience
difficulties in providing consistent financial information across their
components and functions. For example, auditors for the Department of
Justice (DOJ) found that DOJ does not substantially comply with the
SGL, in part due to noncompliance issues at the Federal Bureau of
Investigation (FBI) and the United States Marshals Service (USMS).
Specifically, the auditors noted that the FBI's financial management
systems do not permit use of the SGL at the transaction level, in that
certain transactions are processed outside of the core system and then
must be recorded into the core system through a manual or automated
batch transaction process. Further, USMS does not maintain
transaction-level detail for upward and downward adjustments of prior-year
undelivered orders and does not use an appropriate liability account,
as called for by the SGL.
Lack of Adherence to Federal Accounting Standards:
One of FFMIA's requirements is that agencies' financial management
systems account for transactions in accordance with federal accounting
standards; however, agencies continue to face significant challenges in
implementing these standards. As shown in figure 5, auditors for 11 of
the 18 agencies with noncompliant systems reported that these agencies
had problems complying with one or more federal accounting standards
for fiscal year 2005, compared with 11 of the 16 agencies reported with
noncompliant systems in fiscal year 2004. Appendixes III and IV list
the federal financial accounting standards and other guidance issued by
the Federal Accounting Standards Advisory Board and its Accounting and
Auditing Policy Committee, respectively. The purpose of these standards
and other guidance is to ensure that federal agencies' financial
reports provide users with understandable, relevant, and reliable
information about the financial position, activities, and results of
operations of the U.S. government and its components.
Auditors expressly reported compliance problems with 11 specific
accounting standards in fiscal year 2005. Of those standards, the 3
that were most troublesome for agencies were SFFAS No. 1, Accounting
for Selected Assets and Liabilities; SFFAS No. 4, Managerial Cost
Accounting Concepts and Standards for the Federal Government; and SFFAS
No. 6, Accounting for Property, Plant, and Equipment. In particular,
SFFAS No. 4, which became effective in 1998 and requires the use of
managerial cost accounting information in the decision-making process,
continues to be difficult for federal managers to fully implement. As
we recently reported,[Footnote 32] the Department of Transportation
(DOT) has in recent years shown strong leadership in developing
managerial cost accounting systems both departmentwide and at the
individual component agencies. For example, according to DOT officials,
the Federal Aviation Administration--DOT's largest component agency--
has completed the initial implementation of a managerial cost
accounting system. Several other DOT component agencies are also
implementing detailed costing and billing systems to meet their cost
accounting needs. However, DOT management reported that it will be
several years before cost accounting data systems are fully mature and
include historical data that will allow DOT managers to integrate
performance and accounting information. As a result, DOT managers will
not know the full costs associated with their programs and activities,
which could impair their decision-making abilities.
Accurate and timely cost management information is critical for federal
managers to transform how government agencies manage the business of
government and vital in developing meaningful links between budget,
accounting, and performance. Starting in July 2005, we performed a
series of congressional briefings and issued corresponding
reports[Footnote 33] concerning the status of managerial cost
accounting activities at several large federal agencies, including
Labor, Education, HHS, DOT, SSA, Treasury, and Veterans Affairs (VA).
We found that generally these agencies have experienced uneven success
in the implementation of managerial cost accounting and that managerial
cost accounting-related internal controls within the agencies need to
be strengthened. We also identified strong upper-level management
support and leadership as a key component in the successful
implementation of managerial cost accounting and promotion of
managerial cost accounting information departmentwide.
Weak Security Controls over Information Systems:
Information security weaknesses are a major concern for federal
agencies and the general public and one of the frequently cited reasons
for noncompliance with FFMIA. As shown in figure 5, auditors for 16 of
the 18 agencies with noncompliant systems reported security weaknesses
in information systems to be a problem, compared with 15 of the 16
agencies reported with noncompliant systems in fiscal year 2004. These
control weaknesses place vast amounts of government assets at risk of
inadvertent or deliberate misuse, financial information at risk of
unauthorized modification or destruction, sensitive information at risk
of inappropriate disclosure, and critical operations at risk of
disruption. Since 1997, we have considered information security to be
a high-risk area at a governmentwide level.
For example, the Department of Agriculture (Agriculture) and its
component agencies accelerated their efforts during fiscal year 2005 to
comply with the federal information security requirements; however,
even though progress was made, the auditors noted that several material
security weaknesses still exist. The weaknesses identified include an
unreliable certification and accreditation process and ineffective
controls in the general control environment, as well as weaknesses in
controls over physical and logical access, inventory of systems and
network equipment, effective policies and procedures, and vulnerability
scanning[Footnote 34] and mitigation. The auditors noted that these
departmental weaknesses have a significant impact on the integrity,
confidentiality, and availability of systems and data.
The recent information security breaches at Agriculture, VA, and other
agencies compromised the personal data of millions of U.S. citizens and
highlighted the importance of adequate system security policies and
programs. Robust federal security programs are critically important to
properly protect personal and financial information and the privacy of
individuals. On June 20, 2006, we reported[Footnote 35] on a number of
actions that agencies can take to help guard against the possibility
that databases of personally identifiable information are inadvertently
compromised. We noted that a key step is to develop a privacy impact
assessment--an analysis of how personal information is collected,
stored, shared, and managed--whenever information technology is used to
process personal information. In addition, agencies can take more
specific practical measures aimed at preventing data breaches,
including limiting the collection of personal information, limiting the
time that these data are retained, limiting access to personal
information and training personnel accordingly, and considering the use
of technological controls, such as encryption, when data need to be
stored on portable devices. On June 23, 2006, OMB issued a
memorandum[Footnote 36] focusing on the protection of information that
is being accessed remotely or physically transported outside an
agency's secured location. Federal agencies are required to implement
guidance developed by the National Institute of Standards and
Technology for the protection of remote information. In addition, OMB
recommends that all agencies implement additional safeguards, including
data encryption and proper user authentication procedures for the
remote access of data.
Unresolved information security weaknesses can also compromise the
reliability and availability of data recorded in or transmitted by an
agency's financial management system. As a case in point, in fiscal
year 2005, auditors for Treasury noted that the general controls over
the department's computer systems did not effectively prevent
unauthorized access to and disclosure of sensitive information,
unauthorized changes to systems and application software, and
unauthorized access to programs and files that control computer
hardware and secure applications. In particular, weaknesses we
reported[Footnote 37] in information security controls at the Internal
Revenue Service (IRS) could result in unauthorized individuals being
able to access, alter, or abuse proprietary IRS programs and electronic
data and taxpayer information. The auditors noted that a key reason for
Treasury's information security weaknesses was that the department had
not yet fully implemented an agencywide information security program to
ensure that controls were effectively established and maintained. They
further reported that Treasury's information security programs and
practices needed additional improvements to adequately protect the
information systems that support the department's operations.
Federal Financial Management System Initiatives Continue to Evolve:
Agencies have a number of efforts under way to address their existing
financial management systems problems. Recent efforts to modernize
financial management systems have often exceeded budgeted costs,
resulted in delays in delivery dates, and not provided the anticipated
system functionality and performance. The key for federal agencies to
avoid the long-standing problems that have plagued financial management
system improvement efforts is to address the foremost causes of those
problems and adopt solutions that reduce the risks associated with
these efforts to acceptable levels. Our March 2006 report[Footnote 38]
discusses in detail the key causes of past financial management system
implementation failures, the significant governmentwide initiatives
currently under way, and actions that can be taken to improve the
management and control of agency financial management system
modernization efforts. The report also highlights some of the issues we
identified with OMB's financial management line of business initiative
and includes actions that would help reduce the risks associated with
financial management system implementation efforts. In a related
initiative, OMB established the FSIO to address some of the
responsibilities of the former JFMIP Program Management Office, which
was realigned in December 2004. OMB will provide oversight and guidance
to FSIO on priorities and expected performance, in consultation with
the FSIO Transformation Team of the CFO Council. Further, OMB's
December 2004 revision of Circular No. A-123, Management's
Responsibility for Internal Control, which was effective for fiscal
year 2006, is intended to strengthen requirements for conducting
management's assessment of internal control over financial reporting.
Through these various initiatives, OMB is taking action to improve
financial management in the federal government. However, establishing
good financial management throughout the federal government will also
require changing the organizational culture of some federal agencies;
therefore, the sustained leadership and support of the Congress has
been and continues to be essential to the reform of financial
management in the federal government.
Adherence to Best Practices Is Critical to Successful Modernization
Initiatives:
Across government, agencies have many efforts under way to implement
new financial management systems or to upgrade existing systems that
may help improve FFMIA compliance. However, these efforts far too often
result in systems that do not meet their cost, schedule, and
performance goals. While agencies anticipate that the new systems will
provide reliable, useful, and timely data to support managerial
decision making, our work and that of others has shown that this has
often not been the case. For example, modernization efforts at Energy, HHS,
DOD, and Treasury have been hampered by agencies not following best
practices in systems development and implementation efforts (commonly
referred to as disciplined processes).
* According to Energy's independent auditor,[Footnote 39] Energy
implemented a new financial accounting system in April 2005, shortly
after reorganizing and consolidating its finance and accounting
services organization in October 2004. At the same time, Energy also
adopted a new chart of accounts in conjunction with the new accounting
system. Prior to 2005, Energy's auditors had consistently provided
negative assurance that the financial management systems were in
compliance with FFMIA; however, the reorganization and consolidation
adversely affected the financial accounting staffing levels and skills
mix throughout the department and Energy did not complete corrective
actions to address these weaknesses. As a result, in the process of
implementing the new system, Energy encountered a number of problems
involving data conversion, reconciliation, posting, and reporting.
Energy's auditor specifically noted problems in accounting for
obligations, monitoring budget execution and control, reconciling
integrated contractor trial balances with departmental records,
reconciling accounting system modules to the general ledger, resolving
various posting errors, and identifying and reporting intragovernmental
transactions. The auditor also noted that, after the implementation of
the new system, many reports needed for management, internal control,
and audit purposes were no longer available. These problems hindered
the department's ability to assure the accuracy and completeness of
data needed for audit testing and it was unable to provide the accurate
and supportable financial statements required for audit. As a result,
Energy's auditors issued a disclaimer on the fiscal year 2005 financial
statements and concluded that the financial management systems did not
substantially comply with federal financial management systems
requirements and federal accounting standards.
* As part of its modernization effort, HHS developed plans to reduce
the number of financial management systems from five to two using the
Unified Financial Management System (UFMS). This system is expected to
integrate the HHS financial management structure to provide more timely
and consistent information and to promote the consolidation of
accounting services throughout HHS. On the basis of our fiscal year
2004 review of UFMS,[Footnote 40] we reported that HHS had not
effectively implemented the best practices needed to reduce the risks
associated with the implementation of a new system. Specifically, we
reported that the UFMS implementation project was schedule driven
rather than event driven based on effectively implemented disciplined
processes, with limited time devoted to critical steps in the system
development life cycle. We also stated that data conversion and system
interface challenges were critical to the ultimate success of UFMS. In
April 2005, HHS deployed the core financial portion of UFMS at the
Centers for Disease Control and Prevention (CDC) and the Food and Drug
Administration (FDA). Subsequently, auditors at HHS reported problems
with the implementation process at CDC and FDA.[Footnote 41]
Specifically, they stated that HHS experienced significant challenges
in resolving issues with the system conversion and implementation,
including configuration issues, insufficient resources, inadequate
training, and limited report capability of financial and budget
activity within the system. Furthermore, the auditors noted that UFMS,
as currently configured, cannot produce financial statements.
Therefore, FDA and CDC used cumbersome processes to crosswalk the
unadjusted trial balance to the financial statements and to record
thousands of nonstandard accounting entries both prior and subsequent
to the UFMS conversion. For example, FDA recorded about 14,000
nonstandard accounting entries totaling an absolute value of
approximately $9.4 billion to create the September 30, 2005, financial
statements. In addition, CDC had to record (1) accounting entries
totaling an absolute value of approximately $11.3 billion either to its
financial statements or those of another HHS operating division; (2)
adjustments totaling an absolute value of about $24.4 billion, related
to conversion, data cleanup, corrections, account reclassifications,
and other adjustments to conform to UFMS processing; and (3) an
approximately $19.1 billion absolute value adjustment to the database
used to generate financial statements as a result of conversion
adjustments made in UFMS that could not be extracted into the database.
The auditors reported that HHS management continues to develop and
implement corrective actions to improve its implementation of UFMS,
develop internal controls, train personnel, and develop necessary
reports, policies, and procedures; however, they noted that sustained
efforts will be necessary to overcome the seriousness of the weaknesses
noted.
* According to DOD management, the department's inability to comply
materially with FFMIA is primarily the result of structural problems
related to legacy accounting systems that do not accurately account for
both budgetary and proprietary activities.[Footnote 42] Quite simply,
according to DOD management, the department does not have the systems
and accounting structures in place to achieve compliance with FFMIA. We
have reported that DOD has historically been unable to develop and
implement business systems on time, within budget, and with the
promised capability. For example, in September 2005, we
reported[Footnote 43] that the Department of the Navy spent
approximately $1 billion for four largely failed pilot Enterprise
Resource Planning (ERP) system[Footnote 44] efforts, without marked
improvement in its day-to-day operations. Although the pilots used the
same ERP commercial off-the-shelf software, inconsistencies in the
design and implementation resulted in them not being interoperable.
Furthermore, if there had been effective project management oversight
of the pilot programs at the outset, there would not have been a need
to, in essence, start over. The Navy now has a new ERP project under
way, which early Navy estimates indicate will cost another $800
million. While the new project, as currently envisioned, has the
potential to address some of the Navy's financial management
weaknesses, it will not provide an all-inclusive end-to-end corporate
solution for the Navy. For example, the current scope of the ERP does
not provide for real-time asset visibility of shipboard inventory,
which has been and continues to be a long-standing problem within the
department. Further, there are still significant challenges and risks
ahead as the project moves forward, such as developing and implementing
44 system interfaces with other Navy and DOD systems and converting
data from legacy systems to the ERP system. In addition, the Navy does
not have in place the structure to capture quantitative data that can
be used to assess the effectiveness of the overall effort and has not
established an independent verification and validation function.
* The ability to prepare the consolidated financial statements of the
U.S. government (CFS) has been a long-standing challenge for Treasury's
Financial Management Service. To address some of the internal control
weaknesses identified in our audit report,[Footnote 45] Treasury began
developing the Governmentwide Financial Report System (GFRS). The goal
of this new system is to directly link information from federal
agencies' audited financial statements to amounts reported in the CFS.
We found[Footnote 46] that Treasury had not yet effectively implemented
the disciplined processes necessary to provide reasonable assurance
that GFRS will meet its performance, schedule, and cost goals.
Specifically, Treasury had not (1) developed a concept of operations or
any other document that adequately defines or documents the expected
performance of GFRS, (2) developed a detailed project plan and schedule
through completion of GFRS, (3) developed a budget justification for
GFRS as called for in OMB Circular No. A-11,[Footnote 47] and (4)
implemented the disciplined processes necessary to effectively manage
the GFRS project. These deficiencies have contributed to the various
usability problems encountered by its users. Going forward, it will be
important for Treasury to better mitigate its risks so that
long-standing internal control weaknesses regarding the preparation of the
CFS can be eliminated and, more importantly, so that Treasury ends up
with a system that fully meets its and agencies' needs.
In addition to the examples above, our March 2006 report[Footnote 48]
summarizes many of the agencies' financial management system
implementation failures that have been previously reported by us and
agency inspectors general. In our report, we identified several
problems related to agencies' implementation of financial management
systems in three recurring and overarching themes: disciplined
processes, human capital management, and other information technology
(IT) management practices. Key causes of failure within each area are
identified in table 1. Although the implementation of any major system
will never be a risk-free proposition, organizations that follow and
effectively implement disciplined processes, along with effective human
capital and other IT management practices, can reduce the risks of
financial management system modernization efforts to acceptable levels.
Table 1: Key Causes of Systems Implementation Failure:
Disciplined processes: Requirements management;
Human capital management: Strategic workforce planning;
Other IT management: Enterprise architecture.
Disciplined processes: Testing;
Human capital management: Human resources;
Other IT management: Investment management.
Disciplined processes: Data conversion and system interfaces;
Human capital management: Change management;
Other IT management: Information security.
Disciplined processes: Risk management;
Human capital management: [Empty];
Other IT management: [Empty].
Disciplined processes: Project management;
Human capital management: [Empty];
Other IT management: [Empty].
Source: GAO analysis and inspectors general reports.
[End of Table]
Goals for the Financial Management Line of Business Have Been
Established:
To help address financial management systems' weaknesses and
implementation failures and to support the President's Management
Agenda goal to expand electronic government, OMB launched the financial
management line of business in March 2004. The financial management
line of business was one of five original lines of business that were
initiated to develop business-driven, common solutions for specific
lines of business that extend across the entire federal government. OMB
and designated agency lines of business task forces plan to use
enterprise architecture-based principles and best practices to identify
common solutions for business processes, technology-based shared
services, or both, to be made available to government agencies. The
original five lines of business were financial management, human
resources management, grants, federal health architecture, and case
management.[Footnote 49] These lines of business share similar business
requirements and processes. In March 2005, OMB started a task force to
address a sixth line of business on IT security. As introduced in the
President's fiscal year 2007 budget proposal, three new lines of
business initiatives will join the six existing lines of business. The
three new lines of business are IT infrastructure optimization,
geospatial, and budget formulation and execution.[Footnote 50]
The financial management line of business initiative promotes
leveraging shared service solutions to enhance the government's
performance and services, such as establishing shared service providers
to consolidate financial management activities for major agencies.
Under this initiative, OMB developed an approach for competitively
migrating financial management systems to a limited number of shared
service providers, including OMB-designated federal shared service
providers, or private sector entities.[Footnote 51] As part of the
fiscal year 2006 budget process, in February 2005 OMB designated four
federal agencies[Footnote 52] as governmentwide financial management
shared service providers. OMB evaluated business cases submitted by
agencies using a due diligence checklist and selected the four agencies
to be shared service providers. Three of the agencies have had
significant experience providing financial management services to other
small federal entities.
OMB has indicated that other agencies may also serve as shared service
providers in the future, but has not yet established any limits or
targets on the number of providers to be designated. Although there
have been subsequent requests by agencies and departments to become
shared services providers, as of September 2006, OMB has not designated
any new providers beyond the four original service providers previously
selected. According to OMB's Migration Planning Guidance that was
issued in September 2006, OMB has encouraged private sector providers
that can satisfy the shared services requirements to participate in the
procurement process for these services. Agencies are responsible for
determining, through competition, if a private sector shared service
provider meets the financial management line of business requirements.
OMB officials told us they may consider the designation of these
providers in the future.
In a December 2005 memorandum[Footnote 53] to agency CFOs, OMB provided
an update on the financial management line of business. The memorandum
explained that the overall vision of the financial management line of
business (as depicted in fig. 6) is to improve the cost, quality, and
performance of financial management systems by leveraging shared
service solutions and implementing other governmentwide reforms that
foster efficiencies in federal financial operations. The memorandum
also stated that the goals of the financial management line of business
include:
* providing timely and accurate data for decision-making;
* facilitating stronger internal controls that ensure integrity in
accounting and other stewardship activities;
* reducing costs by providing a competitive alternative for agencies to
acquire, develop, implement, and operate financial management systems
through shared service solutions;
* standardizing systems, business processes, and data elements; and
* providing for seamless data exchange between and among federal
agencies by implementing a common language and structure for financial
information and system interfaces.
Figure 6: Overall Vision of the Financial Management Line of Business:
[See PDF for image]
Source: Office of Management and Budget.
[End of figure]
OMB stated, in the December 2005 memorandum, that federal agencies have
begun implementing the financial management line of business initiative
by actively migrating to shared service providers and initiating
solutions to integrate financial data among and between agency business
systems. In August 2005, OPM was the first CFO Act agency to announce
its plans to move to a designated shared service provider. In addition,
in March 2006, Labor awarded a 5-year contract to a private sector firm
to provide financial management hosting and operation and maintenance
services, which includes hardware, software, and other services. As
part of its best-value determination, EPA was also considering the
designated shared service providers as well as private sector providers
for software, integration, and hosting and plans to award its contract
no later than the first quarter of fiscal year 2007. Moreover, DHS
officials testified in March 2006,[Footnote 54] that rather than
acquiring, configuring, and implementing a new system within DHS, they
recognized the opportunity to leverage investments that have already
been made, both within DHS and at OMB-designated shared service
providers.
OMB noted that nothing in the December 2005 memorandum changes the
expectations that agencies will continue to take all the necessary
steps (in the earliest possible time frames) to meet the financial
management line of business goals. OMB stated that it had instituted a
policy that agencies seeking to modernize their financial systems must
either be designated as a public shared service provider or must
migrate to a shared service provider (public, private, or a combination
of both). However, exceptions will be made in limited situations when
an agency demonstrates compelling evidence of a best value and lower
risk alternative. It is OMB's intent to avoid investments in "in-house"
solutions wherever possible so that the shared service framework can
fully achieve potential and anticipated returns.
Challenges and Implications in Implementing the Financial Management
Line of Business:
We have long supported and called for initiatives to standardize and
streamline common systems, which can reduce costs and, if done
correctly, improve accountability. Likewise, OMB has correctly
recognized that enhancing the government's ability to implement
financial management systems that are capable of providing accurate,
reliable, and timely information on the results of operations needs to
be addressed as a governmentwide solution, rather than individual
agency stove-piped efforts designed to meet a given entity's needs.
However, this is a significant change in how agencies acquire new
system capacity and raises numerous complex issues that have
far-reaching implications for the government and private sector shared
service providers. As we reported in March 2006,[Footnote 55] OMB has
not yet fully defined and implemented the processes necessary to
successfully complete the financial management line of business
initiative.
OMB has been proactive since the beginning of the financial management
line of business initiative in making speeches, discussing the
initiative with the media, including it in the President's budget
request, highlighting it on its Web site, and issuing draft guidance.
Until recently there were limited tools and guidance available. In our
March 2006 report,[Footnote 56] we found, for example, that the
requirements for agencies and private sector firms to become shared
service providers and the services that they must provide have not been
adequately documented or effectively communicated to agencies and the
private sector. In addition, OMB had not provided shared service
providers with standard document templates needed to minimize risk,
provide assurance, and develop understandings with customers on topics
such as service-level agreements and a concept of operations. We made a
number of recommendations to address these issues, and OMB has been
taking steps to address them. For example, in May 2006, OMB issued an
initial competition framework[Footnote 57] and draft Migration Planning
Guidance that was circulated to agencies and the public for comment and
included some of this important information. The Migration Planning
Guidance issued in September 2006 included change management best
practices and templates for service level agreements and project plans,
among other items. As explained later, FSIO plays a key role in
developing the guidance to move the financial management line of
business forward.
OMB has stated that agencies will consistently meet cost, schedule, and
performance goals when implementing new financial management systems
once the financial management line of business is fully realized.
However, agencies' financial management system problems may not all be
solved by moving to a shared service provider and this may actually
create additional problems if agencies put less focus on their risk
management and financial management efforts. In addition, there may be
some misconception that moving to a shared service provider would
guarantee an agency of getting a clean audit opinion and being
compliant with FFMIA. There are a number of factors that affect FFMIA
compliance, including the quality of transaction data in agency feeder
systems, the success of converting data from legacy systems, and the
interaction of people, process, and technology within an agency's
environment.
In March 2006,[Footnote 58] we reported that careful consideration of
the following four concepts, each one building upon the next, would be
integral to the success of OMB's initiatives and could help break the
cycle of failure in implementing financial management systems. The four
concepts were (1) developing a concept of operations, (2) defining
standard business processes, (3) developing a strategy for ensuring
that agencies migrate to a limited number of service providers in
accordance with OMB's stated approach, and (4) defining and effectively
implementing disciplined processes necessary to properly manage the
specific projects. Because these issues have not been addressed, a firm
foundation to address the long-standing problems that have impeded
success has not yet been established.
A concept of operations would help provide the foundation for the
financial management line of business. An effective concept of
operations would describe, at a high level, (1) how all of the various
elements of federal financial systems and mixed systems relate to each
other and (2) how information flows from and through these systems. A
concept of operations would provide a useful tool to explain how
financial management systems at the agency and governmentwide levels
can operate cohesively. It would be geared to a governmentwide solution
rather than individual agency stove-piped efforts. Because the federal
government has lacked such a document, a clear understanding of the
interrelationships among federal financial systems and how the shared
service provider concept fits into this framework has not yet been
achieved.
Standard business processes are critical to implementing the financial
management line of business and need to be defined and communicated to
all federal agencies. Standard business processes promote consistency
and provide the framework for agencies and shared service providers.
OMB officials recognize that standardization is important and are
developing a standard set of business processes in four areas: funds
control, accounts payable, accounts receivable, and financial
reporting. As illustrated previously in figure 6, OMB is also
developing a common accounting code that may help address some of this
lack of standardization. According to OMB officials, OMB also has other
initiatives under way to develop standard interfaces for feeder systems
such as acquisitions. While these are positive steps, there are
numerous other areas where standardization is important, such as
inventory, supplies, and material management as well as the loan
management areas. Absent this standardization, shared service providers
have been designated without common business rules and potential
customer agencies continue to implement and operate individual
stove-piped systems that may require additional work to adopt these
processes.
To maximize the success of a new system acquisition, organizations need
to consider the redesign of current business processes. As we noted in
our Executive Guide: Creating Value Through World-class Financial
Management,[Footnote 59] leading finance organizations have found that
productivity gains typically result from more efficient processes, not
from simply automating old processes. In the past, agencies have
resisted change and failed to develop transition plans, reengineer
business processes, and limit customization. Agencies may continue to
resist change and this approach for outsourcing their financial
management systems because of the perceived (1) loss of control of
their own data, (2) potential increase in costs with a decrease in the
level of customer service and quality, (3) inability of providers to
meet specific user needs, (4) loss of control to upgrade the system,
and (5) negative effect on an agency's individual employees. The shared
service provider concept will still require that agencies address
long-standing human capital problems by incorporating elements of strategic
workforce planning such as aligning an organization's human capital
program with its current and emerging mission and programmatic goals,
and developing long-term strategies for acquiring, developing, and
retaining an organization's total workforce to meet the needs of the
future.
A clear migration strategy for implementing the financial management
line of business will be crucial. However, OMB has not articulated a
clear and measurable strategy for achieving this goal. This is
important because there has been a historical tendency for agencies and
units within agencies to prefer internally developed processes and
resist standardization. OMB's general principle is that agencies should
migrate to shared service providers when it is cost effective to do so
and they have maximized the useful life and investment in the current
system, which averages about 5 to 7 years. According to OMB's draft
Migration Planning Guidance, it is anticipated that within 10 years all
agencies will have decided whether to migrate their technology hosting
and application management to a shared service provider, or will have
become a shared service provider themselves. However, OMB does not plan
to establish a specific migration path or time table for agencies to
move to a shared service provider. It is not clear how this will impact
the adoption of this initiative. Given the pressures to reduce budgets,
instilling discipline with respect to following a clear migration path
will be essential. Furthermore, without a clear migration path, while
some agencies may readily migrate to a shared service provider to
minimize the tremendous undertaking of implementing or significantly
upgrading a financial system, other agencies will likely perpetuate the
waste of taxpayer dollars previously described related to failed system
implementation efforts.
Whether agencies move to a shared service provider or implement their
own systems, they must have disciplined processes (e.g., testing,
requirements management, and risk management) in place to achieve the
intended results within established resources on schedule. Effective
implementation and testing processes are still required to ensure that
the system delivers the desired functionality on time and within
budget. Agencies have frequently struggled to implement key best
practices when implementing commercial off-the-shelf financial
management systems and relied too heavily on JFMIP testing and
certification. A standard set of best practices will be needed to guide
the migration from legacy systems to new systems and shared service
providers. The Migration Planning Guidance is a good first step in
stressing the importance of this standard set of best practices.
Financial Systems Integration Office Established and Priorities
Identified:
In accordance with a December 2004 memorandum,[Footnote 60] JFMIP
responsibilities were realigned and the four JFMIP principals[Footnote
61] will continue to meet at their discretion to discuss major
financial management issues. FSIO has been established with staff from
the previous JFMIP program management office to address some of the
former JFMIP responsibilities. According to a December 2005 OMB
memorandum,[Footnote 62] the governance structure for financial
management system initiatives gives FSIO direct responsibility for
completing priority projects under the financial management line of
business, such as developing the Migration Planning Guidance. As
depicted in figure 7, OMB will provide oversight and guidance to FSIO
on priorities and expected performance, in consultation with the FSIO
Transformation Team of the CFO Council. According to OMB, the updated
governance structure ensures that the FSIO, financial management line
of business, and the FSIO Transformation Team do not operate in
separate stovepipes. Responsibility for work products will now rest
with FSIO, where full-time dedicated staff, including the FSIO Executive
Director, will be held accountable for achieving financial management
line of business milestones. FSIO will coordinate the collection and
expenditure of financial management line of business funds.
Figure 7: Governance Structure:
[See PDF for image]
Source: Office of Management and Budget.
[End of figure]
OMB will continue its role as Executive Sponsor of the financial
management line of business. In December 2005, FSIO moved from GSA's
Office of the Chief Financial Officer to the Office of Governmentwide
Policy, Office of Technology Strategy (OTS). OMB named GSA the managing
partner responsible for project management of the financial management
line of business. Specifically, GSA's responsibilities include
organizing the work effort, involving the Federal CFO community in the
initiative, and setting the schedule of priorities with input from
Executive Steering Committee members selected from partner agencies.
The Executive Steering Committee provides strategic direction and
agency sponsorship, assists in priority setting, and approves partner
agency resource contributions. The committee meets quarterly or on an
as-needed basis and comprises the FSIO Executive Director, six
representatives from CFO Act agencies at the CFO or Deputy CFO level, a
non-voting representative from OMB's Office of E-Government, and a
non-voting representative from OMB's Office of Federal Financial
Management. The members were selected from the CFO Act agencies to
represent diverse perspectives with regard to size of agency, financial
management technical platform, and migration status.
The FSIO Transformation Team meets monthly and has a larger membership
than the Executive Steering Committee, including agency representatives
from all CFO Act agencies. The team functions as an advisory group to
the Executive Steering Committee, manages the delivery of
interdisciplinary work packages, and makes recommendations to the FSIO
Executive Committee and the financial management line of business
managing partner. The team is responsible for: (1) providing an
internal review function for final work products, (2) providing
recommendations to the financial management line of business project
management office, and (3) continuously seeking to refine processes to
increase the quality of and buy-in for their work products.
In terms of mission and scope, FSIO has three major areas of
responsibilities: (1) continuing its primary role of core financial
system requirements development, testing, and certification; (2)
providing support to the federal financial community by taking on
special priority projects as determined by the OMB Controller, CFO
Council, and the FSIO Executive Director; and (3) conducting outreach
through an annual financial management conference sponsored by the
JFMIP principals and other related activities. The projects that the
FSIO undertakes will directly reflect the priorities of the CFO
community and OMB. The priority projects to be undertaken in the near
term will relate to the transparency and standardization initiatives of
the financial management line of business, which were previously
discussed and illustrated in figures 6 and 7.
Opinions on Internal Control May Further Strengthen New Internal
Control Reporting Requirements:
Another key initiative for improving financial management in the
federal government was OMB's December 2004 revision of Circular No.
A-123,[Footnote 63] which we support and which was effective at the
start of fiscal year 2006.[Footnote 64] Financial systems weaknesses are
frequently caused by a lack of adequate internal control within an
agency. The revisions to OMB Circular No. A-123 were intended to
strengthen the requirements for conducting management's assessment of
internal control over financial reporting at CFO Act agencies. One
major revision requires CFO Act agency management to annually provide a
separate assurance statement on internal control over financial
reporting in its performance and accountability report, along with a
report on identified material weaknesses and corrective actions. The
revision also establishes that OMB may, at its discretion, require a
CFO Act agency to obtain an opinion on internal control over financial
reporting.
We view auditor opinions on internal control over financial reporting
as an important component of monitoring the effectiveness of an
entity's risk management and accountability systems. OMB's efforts to
enhance Circular No. A-123 through the December 2004 revision and its
continued efforts to improve the quality of internal control in the
federal government financial management environment reflect substantial
progress in both the criteria and expectations for this issue. As we
point out in our recent report[Footnote 65] on this issue, because
agencies are not uniformly ready for such audits, specific criteria to
ascertain when an agency should initially be required to obtain an
audit opinion on its internal control over financial reporting are
critical to ensuring that the internal control audits fully contribute
to the overarching goal of ongoing improvement in federal agency
internal control and accountability. Additionally, implementing a
multiyear cycle for an opinion on internal control over financial
reporting could assist in mitigating the cost of the requirement while
still providing an effective quality control mechanism for ascertaining
that management's assessment of its internal control is reliable.
Although all of the benefits associated with obtaining an audit opinion
on internal control are not quantifiable in monetary terms, it is clear
that having set criteria as to when an agency should initially be
required to obtain an auditor opinion on internal control over
financial reporting would be a key oversight mechanism for the Congress
and ultimately the U.S. taxpayer.
Sustained and Committed Leadership Is Key to Success for Financial
Management Initiatives:
Sustained leadership will be key to a successful strategy for moving
federal agencies towards consolidated financial management systems and
FFMIA compliance. In our Executive Guide: Creating Value Through World-
class Financial Management,[Footnote 66] we found that leading
organizations made financial management improvement an entitywide
priority by, among other things, providing clear, strong executive
leadership. We also reported that making financial management a
priority throughout the federal government involves changing the
organizational culture of federal agencies. Much work remains to
develop a change management strategy to minimize the risk associated
with the implementation of the financial management line of business
initiative. Because the tenure of political appointees is relatively
short, the current and future administrations must continue a strong
emphasis on top-notch financial management. In addition, continued
attention and oversight by the Congress is crucial to the success of
these initiatives and federal financial management reform.
The leadership and support demonstrated by the Congress have been and
continue to be essential in the reform of financial management in the
federal government. As previously discussed, the legislative framework
provided by the CFO Act and FFMIA, among others, established a solid
foundation to stimulate change needed to achieve sound financial
systems management. Further, in October 2004, the Congress added DHS to
the list of CFO Act agencies, thus making it subject to FFMIA in fiscal
year 2005. Sustained congressional interest in these issues has been
demonstrated by the number of hearings on federal financial management
and reform held over the past several years. For example, hearings have
recently been held on the financial management line of business
initiative that provided a constructive discussion on some of the
challenges inherent in such a large undertaking. It is critical that
the various appropriations, budget, authorizing, and oversight
committees hold agency top management accountable for resolving these
problems and that the committees continue to support improvement
efforts.
Conclusions:
The size and complexity of the federal government and the long-standing
nature of its financial management systems weaknesses continue to
present a formidable management challenge. Modernizing and improving
financial management systems will require continued attention from the
highest levels of government. We recognize that it will take time,
investment, and sustained emphasis on correcting these deficiencies to
improve federal financial management systems to the level required by
FFMIA. However, with concerted and coordinated effort, including
attention from top agency management and the Congress, the federal
government can make progress toward improving its financial management
systems and thus achieve the goals of the CFO Act and provide
accountability to the nation's taxpayers.
We continue to be concerned that the full nature and scope of the
problems have not yet been identified because most auditors have only
provided negative assurance in their FFMIA reports. We also believe the
law requires auditors to provide positive assurance on FFMIA
compliance. Therefore, we reaffirm our recommendation made in prior
reports that OMB revise its current FFMIA guidance to require agency
auditors to provide a statement of positive assurance when reporting an
agency's systems to be in substantial compliance with FFMIA. A key
benefit of providing positive assurance is that auditors will need to
perform additional audit procedures in order to have a strong basis for
definitively stating whether agencies' financial management systems
substantially comply with FFMIA's three requirements. We also reaffirm
our other prior recommendation for OMB to explore further clarification
of the definition of "substantial compliance" in its FFMIA guidance to
encourage consistent reporting among agency auditors. As we have stated
in prior reports,[Footnote 67] the auditors that we interviewed
continue to express concerns about providing positive assurance in
reporting on agency systems' FFMIA compliance due to a perceived need
for a clearer definition of substantial compliance. Further, some
auditors that we interviewed stated that a change in OMB's guidance on
FFMIA reporting will be necessary in order for them to provide an
opinion on FFMIA compliance.
Agency Comments and Our Evaluation:
In written comments (reprinted in app. VI) on a draft of this report,
OMB generally agreed with our assessment that while federal agencies
continue to make progress in addressing financial management systems
weaknesses, many agencies still need to make improvements to produce
the information needed to efficiently and effectively manage day-to-day
operations. As in previous years, OMB did not see the necessity of our
recommendation for agency auditors to provide a statement of positive
assurance when reporting agency systems to be in substantial compliance
with the requirements of FFMIA. While OMB commended Labor's auditors
for performing the additional level of audit work needed to provide
positive assurance of compliance with FFMIA and encouraged similar
efforts at other agencies, OMB stated that requiring a statement of
positive assurance would prove only marginally useful.
OMB stated that the goals of its various initiatives--the President's
Management Agenda (PMA), the Financial Management Line of Business
(FMLOB), and the strengthened internal control requirements
incorporated into the revised OMB Circular No. A-123, Management's
Responsibility for Internal Control--align with the goal of FFMIA to
create the full range of information needed for day-to-day management.
From OMB's perspective, the broad scope of the PMA and the fundamental
changes occurring under the FMLOB initiative, combined with the
strengthened reporting requirements of Circular No. A-123, are helping
agencies to identify and correct FFMIA deficiencies.
While we agree that the PMA, FMLOB, and OMB Circular No. A-123
initiatives are helping to drive improvements, when assessing FFMIA
compliance auditors also need to consider other aspects of financial
management systems that are not fully addressed through the current
reporting structure. For example, in preparing the PMA
scorecard assessments, OMB officials meet with agencies to discuss a
number of financial management issues and have systems demonstrations.
Our concern is that some of the information provided by this approach
does not come under audit scrutiny and may not be reliable. Similarly,
internal control assessments performed under Circular No. A-123 are
based on management's judgment and are subject to an opinion-level
review by independent auditors only in limited circumstances. From our
perspective, an opinion by an independent auditor on FFMIA compliance
would confirm whether an agency's systems substantially met the
requirements of FFMIA and provide additional confidence in the
information provided as a result of the PMA, FMLOB, and Circular No. A-
123 initiatives. Finally, we continue to believe that a statement of
positive assurance is a statutory requirement under the act.
With regard to our prior recommendation, which we reaffirmed in this
report, for revised guidance that clarifies the definition of
substantial compliance, OMB said that the experience obtained from
helping agencies implement the high standards incorporated in the PMA
and the FMLOB will allow a further refinement of the FFMIA indicators
associated with substantial compliance. Therefore, OMB agreed to
consider clarifying the definition of "substantial compliance" in
future policy and guidance updates. As we noted in our prior
reports,[Footnote 68] auditors that we interviewed expressed a need for
clarification regarding the meaning of substantial compliance; and in
fiscal year 2005, auditors for 7 of the 12 agencies we visited stated
that additional guidance on the definition of substantial compliance
would be useful.
OMB and the Departments of Health and Human Services and Transportation
also provided technical comments, which we incorporated as appropriate.
We are sending copies of this report to the Chairman and Ranking
Minority Member, Subcommittee on Federal Financial Management,
Government Information, and International Security, Senate Committee on
Homeland Security and Governmental Affairs, and to the Chairman and
Ranking Minority Member, Subcommittee on Government Management,
Finance, and Accountability, House Committee on Government Reform. We
are also sending copies to the Director of the Office of Management and
Budget, the heads of the 24 CFO Act agencies in our review, and agency
CFOs and Inspectors General. Copies will be made available to others
upon request. In addition, this report will be available at no charge
on the GAO Web site at [Hyperlink, http://www.gao.gov].
This report was prepared under the direction of McCoy Williams,
Director, Financial Management and Assurance, who may be reached at
(202) 512-9095 or williamsm1@gao.gov if you have any questions. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. GAO staff who made key
contributions to this report are listed in appendix VIII.
Signed by:
David M. Walker:
Comptroller General of the United States:
[End of section]
Appendix I: Requirements and Standards Supporting Federal Financial
Management:
Financial Management Systems Requirements:
The policies and standards prescribed for executive agencies to follow
in developing, operating, evaluating, and reporting on financial
management systems are defined in Office of Management and Budget (OMB)
Circular No. A-127, Financial Management Systems. The components of an
integrated financial management system include the core financial
system,[Footnote 69] managerial cost accounting system, administrative
systems, and certain programmatic systems. Administrative systems are
those that are common to all federal agency operations,[Footnote 70]
and programmatic systems are those needed to fulfill an agency's
mission. Circular No. A-127 refers to the series of publications
entitled Federal Financial Management Systems Requirements, initially
issued by the Joint Financial Management Improvement Program's (JFMIP)
Program Management Office (PMO) as the primary source of governmentwide
requirements for financial management systems. However, as of December
2004, the Financial Systems Integration Office (FSIO) assumed
responsibility for coordinating the work related to federal financial
management systems requirements and OMB's Office of Federal Financial
Management (OFFM) is responsible for issuing the new or revised
regulations. In December 2004, the JFMIP Principals voted to modify the
roles and responsibilities of JFMIP, resulting in the creation of FSIO.
Appendix II lists the federal financial management systems requirements
published to date. Figure 8 is the current model that illustrates how
these systems interrelate in an agency's overall systems architecture.
Figure 8: Agency Systems Architecture:
[See PDF for image]
Source: OMB, Core Financial Systems Requirements, OFFM-No-1016
(Washington, D.C.: January 2006).
[End of figure]
FFMIA Guidance:
OMB establishes governmentwide financial management policies and
requirements and has issued two sources of guidance related to FFMIA
reporting. First, OMB Bulletin No. 01-02, Audit Requirements for
Federal Financial Statements, dated October 16, 2000, prescribed
specific language auditors should use when reporting on an agency
system's substantial compliance with the three FFMIA requirements.
Specifically, this guidance called for auditors to provide negative
assurance when reporting on an agency system's FFMIA compliance. On
August 23, 2006, OMB issued Bulletin No. 06-03, Audit Requirements for
Federal Financial Statements, which superseded OMB Bulletin No. 01-02.
This bulletin did not substantially revise the FFMIA audit guidance
included in Bulletin No. 01-02. Second, in OMB Memorandum, Revised
Implementation Guidance for the Federal Financial Management
Improvement Act (Jan. 4, 2001), OMB provides guidance for agencies and
auditors to use in assessing substantial compliance. The guidance
describes the factors that should be considered in determining whether
an agency's systems substantially comply with FFMIA's three
requirements. Further, the guidance provides examples of the types of
indicators that should be used as a basis for assessing whether an
agency's systems are in substantial compliance with each of the three
FFMIA requirements. Finally, the guidance discusses the corrective
action plans, to be developed by agency heads, for bringing their
systems into compliance with FFMIA.
We have worked in partnership with representatives from the President's
Council on Integrity and Efficiency (PCIE) to develop and maintain the
joint GAO/PCIE Financial Audit Manual (FAM). The FAM provides specific
procedures auditors should perform when assessing FFMIA
compliance.[Footnote 71] As detailed in appendix V, we have also issued
a series of checklists to help assess whether agencies' systems meet
systems requirements. The FAM guidance on FFMIA assessments recognizes
that while financial statement audits offer some assurance regarding
FFMIA compliance, auditors should design and implement additional
testing to satisfy FFMIA criteria.
OMB Circular No. A-127 also requires agencies to purchase commercial
off-the-shelf (COTS) software that has been tested and certified
through the PMO software certification process when acquiring core
financial systems. However, in December 2004, OMB transferred the
responsibility of certifying systems to FSIO as part of the realignment
of JFMIP. The certification process does not eliminate or significantly
reduce the need for agencies to develop and conduct comprehensive
testing efforts to ensure that the COTS software meets their
requirements. Moreover, core financial systems certification does not
mean that agencies that install these packages will have financial
management systems that are compliant with FFMIA. Many other factors
can affect the capability of the systems to comply with FFMIA,
including modifications made to the FSIO-certified core financial
management systems software and the validity and completeness of data
from feeder systems.
Federal Accounting Standards:
The Federal Accounting Standards Advisory Board (FASAB)[Footnote 72]
promulgates federal accounting standards and concepts that agency chief
financial officers use in developing financial management systems and
preparing financial statements. FASAB develops the appropriate
accounting standards and concepts after considering the financial and
budgetary information needs of the Congress, executive agencies, and
other users of federal financial information and comments from the
public. FASAB forwards the standards and concepts to the Comptroller
General, the Director of OMB, the Secretary of the Treasury, and the
Director of the Congressional Budget Office (CBO) for a 90-day review.
If, within 90 days, neither the Comptroller General nor the Director of
OMB objects to the standard or concept, then it is issued and becomes
final. FASAB announces finalized concepts and standards in The Federal
Register.
The American Institute of Certified Public Accountants designated the
federal accounting standards promulgated by FASAB as being generally
accepted accounting principles for the federal government. This
recognition enhances the acceptability of the standards, which form the
foundation for preparing consistent and meaningful financial statements
both for individual agencies and the government as a whole. Currently,
there are 30 Statements of Federal Financial Accounting Standards
(SFFAS) and 4 Statements of Federal Financial Accounting Concepts
(SFFAC).[Footnote 73] The concepts and standards are the basis for
OMB's guidance to agencies on the form and content of their financial
statements and for the government's consolidated financial statements.
Appendix III lists the concepts, standards, interpretations,[Footnote
74] and technical bulletins, along with their respective effective
dates.
FASAB's Accounting and Auditing Policy Committee (AAPC)[Footnote 75]
assists in resolving issues related to the implementation of
accounting standards. AAPC's efforts result in guidance for preparers
and auditors of federal financial statements in connection with
implementation of accounting standards and the reporting and auditing
requirements contained in OMB's Bulletin No. 01-09, Form and Content of
Agency Financial Statements (Sept. 25, 2001), and Bulletin No. 01-
02,[Footnote 76] Audit Requirements for Federal Financial Statements
(Oct. 16, 2000). To date, AAPC has issued six technical releases, which
are listed in appendix IV along with their release dates.
U.S. Government Standard General Ledger:
The U.S. Government Standard General Ledger (SGL) was established by an
interagency task force under the direction of OMB and mandated for use
by agencies in OMB and Treasury regulations in 1986. The SGL promotes
consistency in financial transaction processing and reporting by
providing a uniform chart of accounts and pro forma transactions used
to standardize federal agencies' financial information accumulation and
processing throughout the year, enhance financial control, and support
budget and external reporting, including financial statement
preparation. The SGL is intended to improve data stewardship throughout
the federal government, enabling consistent reporting at all levels
within the agencies and providing comparable data and financial
analysis governmentwide.[Footnote 77]
Internal Control Standards:
Congress enacted legislation, 31 U.S.C. § 3512(c), (d) (commonly
referred to as the Federal Managers' Financial Integrity Act of 1982
(FMFIA)), to strengthen internal controls and accounting systems
throughout the federal government, among other purposes. Issued
pursuant to FMFIA, the Comptroller General's Standards for Internal
Control in the Federal Government[Footnote 78] provides standards that
are directed at helping agency managers implement effective internal
control, an integral part of improving financial management systems.
Internal control is a major part of managing an organization and
comprises the plans, methods, and procedures used to meet missions,
goals, and objectives. In summary, internal control, which under OMB's
guidance for FMFIA is synonymous with management control, helps
government program managers achieve desired results through effective
stewardship of public resources.
In December 2004, OMB revised Circular No. A-123[Footnote 79]
(effective beginning with fiscal year 2006) to strengthen the
requirements for conducting management's assessment of internal control
over financial reporting. Significant revisions contained in Appendix A
of the circular include requiring Chief Financial Officers (CFO) Act
agency management to annually assess the adequacy of internal control
over financial reporting, provide a report on identified material
weaknesses and corrective actions, and provide a separate assurance
statement on the agency's internal control over financial reporting. In
initiating the revisions, OMB cited the internal control requirements
for publicly traded companies that are contained in section 404 of the
Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley).[Footnote 80]
Sarbanes-Oxley was enacted in response to corporate accountability failures of
several years prior to its enactment and contains a provision (section
404) calling for management's assessment of internal control over
financial reporting similar to the long-standing requirements for
executive branch agencies contained in FMFIA to issue annual statements
of assurance over internal control in the agencies. Opinions on
internal control over financial reporting as required by Sarbanes-Oxley
for publicly traded companies are important to protect investors by
improving the accuracy and reliability of corporate disclosures made
pursuant to the securities laws. Regulators, public companies, audit
firms, and investors generally agree that Sarbanes-Oxley has had a
positive and significant impact on investor protection and confidence.
[End of section]
Appendix II: Publications in the Federal Financial Management Systems
Requirements Series:
Table 2:
FFMSR document: FFMSR-8 System Requirements for Management Cost
Accounting;
Issue date: February 1998.
FFMSR document: JFMIP-SR-99-5 Human Resources & Payroll System
Requirements;
Issue date: April 199.
FFMSR document: JFMIP-SR-99-8 Direct Loan System Requirements;
Issue date: June 1999.
FFMSR document: JFMIP-SR-99-9 Travel System Requirements;
Issue date: July 1999.
FFMSR document: JFMIP-SR-99-14 Seized Property and Forfeited Assets
Systems Requirements;
Issue date: December 1999.
FFMSR document: JFMIP-SR-00-01 Guaranteed Loan System Requirements;
Issue date: March 2000.
FFMSR document: JFMIP-SR-00-3 Grant Financial System Requirements;
Issue date: June 2000.
FFMSR document: JFMIP-SR-00-4 Property Management System Requirements;
Issue date: October 2000.
FFMSR document: JFMIP-SR-01-01 Benefit System Requirements;
Issue date: September 2001.
FFMSR document: JFMIP-SR-02-02 Acquisition/Financial Systems Interface
Requirements;
Issue date: June 2002.
FFMSR document: JFMIP-SR-03-01 Revenue System Requirements;
Issue date: January 2003.
FFMSR document: JFMIP-SR-03-02 Inventory, Supplies and Materials System
Requirements;
Issue date: August 2003.
FFMSR document: JFMIP-SR-01-04 Framework for Federal Financial
Management Systems;
Issue date: April 2004.
FFMSR document: OFFM-NO-0106 Core Financial System Requirements;
Issue date: January 2006.
FFMSR document: OFFM-NO-0206 Insurance System Requirements;
Issue date: June 2006.
Source: OMB's Office of Federal Financial Management (OFFM).
Note: Effective December 1, 2004, all financial management system
requirements documents and other guidance initially issued by the JFMIP
were transferred to OFFM and remain in effect until modified.
[End of table]
[End of section]
Appendix III: Statements of Federal Financial Accounting Concepts,
Standards, Interpretations, and Technical Bulletins:
[See PDF for Image - table did not compute]
Source: FASAB.
[A] Effective dates do not apply to Statements of Federal Financial
Accounting Concepts, Interpretations, and Technical Bulletins.
[End of Table]
[End of section]
Appendix IV: AAPC Technical Releases:
Technical release: TR-1 Audit Legal Representation Letter Guidance;
AAPC release date: March 1, 1998.
Technical release: TR-2 Determining Probable and Reasonably Estimable
for Environmental Liabilities in the Federal Government;
AAPC release date: March 15, 1998.
Technical release: TR-3 Preparing and Auditing Direct Loan and Loan
Guarantee Under the Federal Credit Reform Act;
AAPC release date: July 31, 1999.
Technical release: TR-4 Reporting on Non-Valued Seized and Forfeited
Property;
AAPC release date: July 31, 1999.
Technical release: TR-5 Implementation Guidance on SFFAS No. 10:
Accounting for Internal Use Software;
AAPC release date: May 14, 2001.
Technical release: TR-6 Preparing Estimates for Direct Loan and Loan
Guarantee Subsidies Under the Federal Credit Reform Act (Amendments to
TR-3);
AAPC release date: January 2004.
Source: FASAB.
[End of table]
[End of section]
Appendix V: Checklists for Reviewing Systems under the Federal
Financial Management Improvement Act:
Checklist: GAO/AIMD-00-21.2.3 Human Resources and Payroll Systems
Requirements;
Issue date: March 2000.
Checklist: GAO-01-99G Seized Property and Forfeited Assets Systems
Requirements;
Issue date: October 2000.
Checklist: GAO/AIMD-21-2.6 Direct Loan System Requirements;
Issue date: April 2000.
Checklist: GAO/AIMD-21.2.8 Travel System Requirements;
Issue date: May 2000.
Checklist: GAO/AIMD-99-21.2.9 System Requirements for Managerial Cost
Accounting;
Issue date: January 1999.
Checklist: GAO-01-371G Guaranteed Loan System Requirements;
Issue date: March 2001.
Checklist: GAO-01-911G Grant Financial System Requirements;
Issue date: September 2001.
Checklist: GAO-02-171G Property Management Systems Requirements;
Issue date: December 2001.
Checklist: GAO-04-22G Benefit System Requirements;
Issue date: October 2003.
Checklist: GAO-04-650G Acquisition/Financial Systems Interface
Requirements;
Issue date: June 2004.
Checklist: GAO-05-225G Core Financial System Requirements;
Issue date: February 2005.
Source: GAO.
[End of Table]
[End of section]
Appendix VI: Comments from the Office of Management and Budget:
The Controller:
Executive Office Of The President:
Office Of Management And Budget:
Washington, D. C. 20503:
SEP 06 2006:
Mr. McCoy Williams:
Director, Financial Management and Assurance:
United States Government Accountability Office Washington, DC 20548:
Dear Mr. Williams:
Thank you for allowing us to comment on the Government Accountability
Office (GAO) draft report entitled "Financial Management: Improvements
Under Way but Serious Financial Systems Problems Persist."
In general, the Office of Management and Budget (OMB) agrees with your
assessment that many agencies still need to make improvements to their
financial systems so that managers can receive more accurate, reliable
and timely financial management information to optimize day-to-day
operations. We continue to work aggressively to assist agencies in
building a strong foundation of financial management practices through
the President's Management Agenda (PMA), the Financial Management Line
of Business (FMLoB), and the strengthened internal control requirements
incorporated into the revised OMB Circular No. A-123 (A-123),
Management's Responsibility for Internal Control. The goals of each of
these initiatives align with the goals of the Federal Financial
Management Improvement Act (FFMIA) --creating the full range of
information needed for day-to-day management.
As noted in your report, most agencies have been successful in
obtaining unqualified opinions on their financial statements and in
resolving long-standing material weaknesses. These accomplishments
point to strengthened internal control and more accurate and timely
financial information. Nevertheless, our common goal goes beyond
attaining unqualified opinions on agency financial statements. We are
both striving for the creation and use - for both government managers
and the taxpayer - of accurate, reliable and timely management
information.
Under the PMA's Improving Financial Performance initiative, agencies
must meet seven "standards of success" to receive a "yellow" status
rating. The "yellow" standards include receiving an unqualified
financial statement opinion, eliminating all material weaknesses and
non-compliances, and being found in substantial compliance with FFMIA.
A "yellow" status rating shows that an agency has a foundation of
accounting processes and effective internal controls. To achieve
"green" status, agencies must demonstrate how they are using timely and
accurate financial data to drive better results.
The Administration has also undertaken the FMLoB initiative to foster
additional financial standardization across the Federal Government.
Several projects are underway to standardize financial business rules,
processes, interfaces, and data. Standardization will mitigate many of
the risks associated with implementing and maintaining modern financial
systems. One of the goals of the FMLoB is to provide agencies with
competitive alternatives in procuring financial systems and services.
It will help to reduce the costs and risks of implementing and
maintaining financial systems by allowing agencies to migrate to
organizations with proven track-records in supporting Federal financial
systems. The FMLoB will strengthen internal controls while helping
agencies meet the requirements of FFMIA.
Lastly, OMB's revised A-123 requires agency management to employ
strengthened assessment processes, and to issue a separate management
assurance, regarding internal controls over reporting. Appendix A of
A-123 directs Federal managers to take a proactive approach to assessing
internal controls by: 1) documenting the reporting process end-to-end,
2) directly testing key controls to validate effectiveness, and 3)
reporting on the results of the tests in a new management assurance
statement. Moreover, A-123's internal control requirements complement
and reinforce the standards being promulgated through the PMA and the
FMLoB. Many of the ongoing assessments required under the revised A-123
mirror the types of assessments that would occur in establishing a
statement of positive assurance under FFMIA.
The broad scope of the PMA and the fundamental changes occurring under
the FMLoB initiative, combined with the strengthened reporting
requirements of A-123, are helping agencies identify and correct FFMIA
deficiencies. As such, OMB believes that requiring a statement of
positive assurance for FFMIA compliance would prove only marginally
useful. We commend the auditors at the Department of Labor, as you
have, for taking the extra steps to provide positive assurance of
compliance on its financial management systems. Nevertheless, while
encouraging similar efforts at other agencies, we believe that
mandating positive assurance of systems' compliance with FFMIA for all
agencies is not necessary.
The draft report also recommends that OMB clarify the definition of
"substantial compliance." We believe that our growing experience
helping agencies implement the high standards incorporated in the PMA
and the FMLoB will enable us to further refine the existing FFMIA
indicators associated with substantial compliance. As such, we will
consider this recommendation, as appropriate, in any future policy and
guidance updates.
We appreciate the opportunity to comment on the draft report and look
forward to continuing to work with GAO in improving Federal financial
management systems. If you have any questions, please contact David
Alekson at 202.395.5642.
Sincerely,
Signed by:
Linda M. Combs:
Controller:
[End of section]
Appendix VII: Auditors' FFMIA Assessments for Fiscal Year 2005:
[See PDF for Image- table did not compute]
Source: GAO, prepared from analysis of fiscal year 2005 financial
statement audit reports.
[End of Table]
[End of section]
Appendix VIII: GAO Contact and Staff Acknowledgments:
GAO Contact:
McCoy Williams, (202) 512-9095:
Acknowledgments:
In addition to the contact named above, Kay L. Daly, Assistant
Director; Jeremy Cockrum; Debra Cottrell; Daniel Egan; C. Robin Hodge;
Michael LaForge; W. Stephen Lowrey; Bennet E. Severson; and George
Warnock made key contributions to this report.
FOOTNOTES
[1] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990).
[2] Federal Financial Management Improvement Act of 1996, Pub. L. No.
104-208, div. A., § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept.
30, 1996).
[3] The Department of Homeland Security (DHS) Financial Accountability
Act, Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004), added DHS to
the list of CFO Act agencies, increasing the number of CFO Act agencies
to 24 for fiscal year 2005.
[4] For fiscal year 2005, 18 of 24 CFO Act agencies were able to attain
unqualified opinions on their financial statements by the November 15,
2005, reporting deadline established by OMB. The independent auditor of
the Department of State subsequently withdrew its qualified opinion on
the department's fiscal year 2005 financial statements and reissued an
unqualified opinion on these financial statements dated December 14,
2005. As a result, 19 CFO Act agencies received unqualified opinions on
their fiscal year 2005 financial statements.
[5] The Department of Commerce (Commerce), the Environmental Protection
Agency (EPA), the National Science Foundation (NSF), the Office of
Personnel Management (OPM), and the Social Security Administration
(SSA).
[6] GAO, Financial Management Systems: Additional Efforts Needed to
Address Key Causes of Modernization Failures, GAO-06-184 (Washington,
D.C.: Mar. 15, 2006).
[7] A service-level agreement is critical for both the shared service
providers and the agencies to be held accountable for their respective
parts of the agreement.
[8] Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982) (codified at 31
U.S.C. § 3512 (c), (d)).
[9] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999).
[10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993).
[11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994).
[12] Pub. L. No. 104-106, div. E, 110 Stat. 186, 679 (Feb. 10, 1996).
[13] Pub. L. No. 107-289, 116 Stat. 2049 (Nov. 7, 2002) (codified at 31
U.S.C. § 3515). The Accountability of Tax Dollars Act of 2002 extends
the requirement to prepare and submit audited financial statements to
most executive agencies not subject to the CFO Act unless they are
exempted by OMB. However, these agencies are not required to have
systems that are compliant with FFMIA requirements.
[14] Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002).
[15] Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004).
[16] The American Institute of Certified Public Accountants recognizes
the federal accounting standards promulgated by the Federal Accounting
Standards Advisory Board as generally accepted accounting principles.
For a further description of federal accounting standards, see appendix
I.
[17] The SGL provides a standard chart of accounts and standardized
transactions that agencies are to use in all their financial systems.
[18] The PCIE--which is governed by Executive Order No. 12805 of May
11, 1992--was established to (1) address integrity, economy, and
effectiveness issues that transcend individual government agencies and
(2) increase the professionalism and effectiveness of inspectors
general personnel throughout the government. The PCIE is composed
primarily of the presidentially appointed inspectors general. Officials
from OMB, the Federal Bureau of Investigation, Office of Government
Ethics, Office of Special Counsel, and Office of Personnel Management
serve on the PCIE as well.
[19] GAO-01-765G, sections 701, 701A, 701B, and 260.58-.60.
[20] OMB Bulletin No. 06-03, Audit Requirements for Federal Financial
Statements (Aug. 23, 2006).
[21] The Department of Agriculture, Department of Health and Human
Services (HHS), Department of the Treasury, and the Department of
Veterans Affairs (VA).
[22] Department of the Treasury, 2005 Financial Report of the United
States Government (Washington, D.C.: Dec. 2005).
[23] For fiscal year 2005, 18 of 24 CFO Act agencies were able to
attain unqualified opinions on their financial statements by the
November 15, 2005, reporting deadline established by OMB. The
independent auditor of the Department of State subsequently withdrew
its qualified opinion on the department's fiscal year 2005 financial
statements and reissued an unqualified opinion on these financial
statements dated December 14, 2005. As a result, 19 CFO Act agencies
received unqualified opinions on their fiscal year 2005 financial
statements.
[24] The DHS Financial Accountability Act, Pub. L. No. 108-330, 118
Stat. 1275 (Oct. 16, 2004).
[25] The Departments of Agriculture, Defense, Homeland Security,
Justice, Transportation, and Treasury, the National Aeronautics and
Space Administration, and the Small Business Administration.
[26] GAO, Financial Audit: Restatements to the Department of State's
Fiscal Year 2003 Financial Statements, GAO-05-814R (Washington, D.C.:
Sept. 20, 2005); Financial Audit: Restatements to the Nuclear
Regulatory Commission's Fiscal Year 2003 Financial Statements,
GAO-06-30R (Washington, D.C.: Oct. 27, 2005); Financial Audit: Restatements to
the General Services Administration's Fiscal Year 2003 Financial
Statements, GAO-06-70R (Washington, D.C.: Dec. 6, 2005); Financial
Audit: Restatements to the National Science Foundation's Fiscal Year
2003 Financial Statements, GAO-06-229R (Washington, D.C.: Dec. 22,
2005); and Financial Audit: Restatements to the Department of
Agriculture's Fiscal Year 2003 Financial Statements, GAO-06-254R
(Washington, D.C.: Jan. 26, 2006).
[27] OMB Bulletin No. 06-03, Audit Requirements for Federal Financial
Statements (Aug. 23, 2006).
[28] Generally accepted government auditing standards incorporate the
American Institute of Certified Public Accountants (AICPA) general
standard on criteria, its field work standards, and its reporting
standards for attestation engagements, as well as the AICPA Statements
on Standards for Attestation Engagements, unless the Comptroller
General of the United States excludes them by formal announcement.
[29] GAO, Financial Management: FFMIA Implementation Critical for
Federal Accountability, GAO-02-29 (Washington, D.C.: Oct. 1, 2001);
Financial Management: FFMIA Implementation Necessary to Achieve
Accountability, GAO-03-31 (Washington, D.C.: Oct. 1, 2002); Financial
Management: Sustained Efforts Needed to Achieve FFMIA Accountability,
GAO-03-1062 (Washington, D.C.: Sept. 30, 2003); Financial Management:
Improved Financial Systems Are Key to FFMIA Compliance, GAO-05-20
(Washington, D.C.: Oct. 1, 2004); and Financial Management: Achieving
FFMIA Compliance Continues to Challenge Agencies, GAO-05-881
(Washington, D.C.: Sept. 20, 2005).
[30] Federal financial system requirements define an integrated
financial system as one that coordinates a number of previously
unconnected functions to improve overall efficiency and control.
Characteristics of such a system include (1) standard data
classifications for recording financial events; (2) common processes
for processing similar transactions; (3) consistent control over data
entry, transaction processing, and reporting; and (4) a system design
that eliminates unnecessary duplication of transaction entry. OMB
Circular No. A-127, Financial Management Systems, paragraph 7(b)
(Revised Dec. 1, 2004).
[31] The FSIO was formerly known as the Joint Financial Management
Improvement Program (JFMIP) staff office. In December 2004, the JFMIP
Principals voted to modify the roles and responsibilities of the JFMIP
Program Office, now FSIO. The FSIO Executive reports to OMB's Office of
Federal Financial Management Controller. See OMB, Update on the
Financial Management Line of Business and the Financial Systems
Integration Office, Memorandum (Washington, D.C.: Dec. 16, 2005).
[32] GAO, Managerial Cost Accounting Practices: Departments of
Education, Transportation, and the Treasury, GAO-06-301R (Washington,
D.C.: Dec. 19, 2005).
[33] GAO, Managerial Cost Accounting Practices: Leadership and Internal
Controls Are Key to Successful Implementation, GAO-05-1013R
(Washington, D.C.: Sept. 2, 2005); Managerial Cost Accounting
Practices: Departments of Labor and Veterans Affairs, GAO-05-1031T
(Washington, D.C.: Sept. 21, 2005); Managerial Cost Accounting
Practices: Departments of Education, Transportation, and the Treasury,
GAO-06-301R (Washington, D.C.: Dec. 19, 2005); and Managerial Cost
Accounting Practices: Department of Health and Human Services and
Social Security Administration, GAO-06-599R (Washington, D.C.: Apr. 18,
2006).
[34] A vulnerability is the existence of a flaw or weakness in hardware
or software that can be exploited resulting in a violation of an
implicit or explicit security policy. Vulnerability scanners are
software applications that can be used to identify vulnerabilities on
computer hosts and networks.
[35] GAO, Information Security: Leadership Needed to Address Weaknesses
and Privacy Issues at Veterans Affairs, GAO-06-897T (Washington, D.C.:
June 20, 2006).
[36] OMB, Protection of Sensitive Agency Information, M-06-16
(Washington, D.C.: June 23, 2006).
[37] GAO, Tax Administration: IRS Improved Some Filing Season Services,
but Long-term Goals Would Help Manage Strategic Trade-offs, GAO-06-51
(Washington, D.C.: Nov. 14, 2005).
[38] GAO-06-184.
[39] KPMG, Independent Auditor's Report (Washington, D.C.: Nov. 9,
2005).
[40] GAO, Financial Management Systems: Lack of Disciplined Processes
Puts Implementation of HHS' Financial System at Risk, GAO-04-1008
(Washington, D.C.: Sept. 23, 2004).
[41] Ernst & Young, Report of Independent Auditors (Washington, D.C.:
Nov. 11, 2005).
[42] Department of Defense, FY 2005 Performance and Accountability
Report (Washington, D.C.: Nov. 15, 2005).
[43] GAO, DOD Business Systems Modernization: Navy ERP Adherence to
Best Business Practices Critical to Avoid Past Failures, GAO-05-858
(Washington, D.C.: Sept. 29, 2005).
[44] An ERP solution is an automated system using commercial
off-the-shelf software consisting of multiple, integrated functional modules
that perform a variety of business-related tasks such as payroll,
general ledger accounting, and supply chain management.
[45] Department of the Treasury, 2005 Financial Report of the United
States Government (Washington, D.C.: Dec. 2005).
[46] GAO, Financial Management Systems: Lack of Disciplined Processes
Puts Effective Implementation of Treasury's Governmentwide Financial
Report System at Risk, GAO-06-413 (Washington, D.C.: Apr. 21, 2006).
[47] Section 300 of OMB Circular No. A-11, Preparation, Submission, and
Execution of the Budget (Nov. 2, 2005), set forth requirements for
federal agencies for planning, budgeting, acquiring, and managing
information technology capital assets.
[48] GAO-06-184.
[49] Case management involves managing claims or investigations
including creating, routing, tracing, assigning and closing a case, as
well as collaboration among case handlers.
[50] In March 2006, OMB launched task forces to conduct governmentwide
analysis for the three new lines of business based on an analysis of
the fiscal year 2007 budget that shows significant opportunities for
improvement in sharing common information technology infrastructure,
geospatial data and capabilities, and budgeting processes and functions
across government.
[51] OMB has not designated any private sector entities as shared
service providers, but may consider doing so in the future.
[52] The four agencies designated as shared service providers were the
Department of the Interior (National Business Center), General Services
Administration (Federal Integrated Solutions Center), Department of the
Treasury (Bureau of the Public Debt's Administrative Resource Center),
and Department of Transportation (Enterprise Services Center).
[53] OMB, Update on the Financial Management Line of Business and the
Financial Systems Integration Office, Memorandum (Washington, D.C.:
Dec. 16, 2005).
[54] DHS, Information Technology Investments and the Future of the
eMerge2 Program (Washington, D.C.: Mar. 29, 2006).
[55] GAO-06-184.
[56] GAO-06-184.
[57] See OMB Memorandum, Competition Framework for Financial Management
Lines of Business Migrations (May 22, 2006), for the initial
Competition Framework which will be incorporated into the Migration
Planning Guidance.
[58] GAO-06-184.
[59] GAO, Executive Guide: Creating Value Through World-class Financial
Management, GAO/AIMD-00-134 (Washington, D.C.: April 2000).
[60] OMB, Realignment of Responsibilities for Federal Financial
Management Policy and Oversight, Memorandum (Washington, D.C.: Dec. 2,
2004).
[61] The JFMIP principals are the Comptroller General of the United
States, the Secretary of the Treasury, and the Directors of OMB and
OPM.
[62] OMB, Update on the Financial Management Line of Business and the
Financial Systems Integration Office, Memorandum (Washington, D.C.:
Dec. 16, 2005).
[63] OMB Circular No. A-123, Management's Responsibility for Internal
Control (revised Dec. 2004).
[64] GAO, Financial Management: Effective Internal Control Is Key to
Accountability, GAO-05-321T (Washington, D.C.: Feb. 16, 2005).
[65] GAO, Internal Control: Analysis of Joint Study on Estimating the
Costs and Benefits of Rendering Opinions on Internal Control over
Financial Reporting in the Federal Government, GAO-06-255R (Washington,
D.C.: Sept. 6, 2006).
[66] GAO/AIMD-00-134.
[67] GAO-02-29, GAO-03-31, GAO-05-20, and GAO-05-881.
[68] GAO-02-29, GAO-03-31, GAO-05-20, and GAO-05-881.
[69] Core financial systems, as defined by the Office of Federal
Financial Management (OFFM), include managing general ledger, funding,
payments, receivables, and certain basic cost functions.
[70] Examples of administrative systems include budget, acquisition,
travel, property, and human resources and payroll.
[71] GAO-01-765G, sections 701, 701A, 701B, and 260.58-.60.
[72] In October 1990, the Secretary of the Treasury, the Director of
OMB, and the Comptroller General established FASAB to develop a set of
generally accepted accounting standards and concepts for the federal
government. Effective October 1, 2003, FASAB is comprised of six
nonfederal or public members, one member from the Congressional Budget
Office, and the three sponsors.
[73] Accounting standards are authoritative statements of how
particular types of transactions and other events should be reflected
in financial statements. SFFACs explain the objectives and ideas upon
which FASAB develops the standards.
[74] An interpretation is a document of narrow scope that provides
clarifications of original meaning, additional definitions, or other
guidance pertaining to an existing federal accounting standard.
[75] In 1997, FASAB, in conjunction with OMB, Treasury, GAO, the Chief
Financial Officers Council, and the President's Council on Integrity
and Efficiency, established AAPC to assist the federal government in
improving financial reporting.
[76] On August 23, 2006, OMB issued Bulletin No. 06-03, Audit
Requirements for Federal Financial Statements. This bulletin did not
substantially revise FFMIA audit guidance.
[77] SGL guidance is published in the Treasury Financial Manual.
Treasury's Financial Management Service is responsible for maintaining
the SGL and answering agency inquiries.
[78] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3 (Washington, D.C.: Nov. 1999).
[79] OMB Circular No. A-123, Management's Responsibility for Internal
Control (revised Dec. 21, 2004).
[80] Pub. L. No. 107-204, § 404, 116 Stat. 745, 789 (July 30, 2002).