Federal Managers’ Financial Integrity Act (FFMIA), Section 4
As required by law, GSA evaluates its financial management systems annually for compliance with Federal financial management systems requirements, applicable Federal accounting standards, and U.S. Standard General Ledger (USSGL) recording and reporting requirements. GSA evaluated its financial management system controls and compliance using a consolidated A-123 and A-127 questionnaire and by completing independent systems certification and accreditation (C&A) reviews, Statement on Auditing Standards (SAS) 70 reviews, A-123 reviews, and other systems assessments. As in prior years, additional compliance review steps included a review of pertinent audit reports issued during FY 2007, a review of the current status of prior year systems-related issues, and discussions with senior managers and auditors regarding the details of pertinent systems-related control issues. Taken as a whole, GSA is confident that these systems-related review activities provide a sufficient basis for assessing Agency compliance with Section 4, FMFIA, and FFMIA requirements for FY 2007.
Based on all review work performed during FY 2007, Agency management believes that GSA substantially conforms to the requirements referred to in Section 4 of FMFIA. This conclusion is supported by actions completed during the past year to enhance financial reporting controls for budgetary accounting and to resolve prior year audit findings relating to system access and monitoring controls. For example, during FY 2007 more than 70 action steps were completed to fully or partially resolve financial systems-related issues and findings. These conditions related primarily to financial system general and applications-related internal control.
No Entity-wide System Non-Conformances Noted
No entity-wide system non-conformances are reported for GSA systems in FY 2007. GSA management is proud of this accomplishment and attributes it to a renewed emphasis on the importance of systems-related internal controls and the collective set of actions successfully completed by managers and associates to improve the systems control environment at GSA. These completed actions served to significantly enhance managerial, operational, and technical systems controls for many of GSA’s critical program and financial management systems.
Significant Systems Deficiency
During FY 2007, substantial progress was achieved in addressing the prior year reportable condition relating to the need for improved system access, separation of duties, and system monitoring controls involving certain GSA systems. However, in FY 2007, the independent auditors have determined that a significant deficiency exists over certain GSA applications that require strengthened system access, separation of duties, and monitoring controls. Appropriate actions will be taken by GSA management officials to effectively address these new findings in FY 2008.
In addition, an OIG audit found that access to sensitive information and certain processing capabilities on OCFO-managed applications should be more fully restricted. In light of these findings, the OCFO took two immediate actions. These actions involved further restricting access to sensitive information, and conducting a comprehensive systems review of all OCFO-managed systems to identify any additional information and/or systems access vulnerabilities. Also, longer-term actions were initiated to redesign and strengthen system access controls for the affected applications. These actions will include improving authorization, authentication, and access controls to further restrict the ability of authorized users to access sensitive information on a least-privileged basis, thereby improving GSA’s IT security controls.
Additional Improvements Planned for FY 2008
To ensure that GSA remains properly focused on being proactive in improving the effectiveness of its financial reporting and systems controls, several initiatives are planned for FY 2008. Major initiatives will involve taking various actions to improve financial reporting and strengthening systems-related life-cycle management controls for program and financial systems.
During FY 2007, significant progress was achieved in integrating GSA’s internal processes for assessing the sufficiency of management and systems-related internal control via one survey instrument. During FY 2008, the challenge will be to devise and implement an improved and more fully integrated process to streamline and document the conduct of various reviews relating to internal controls and compliance with OMB Circular A-123 and National Institute of Standards and Technology (NIST) requirements pertaining to system-related internal controls. Currently, these activities require considerable effort on the part of several different groups within GSA. By more effectively coordinating and consolidating these review activities, more meaningful reviews and assessments will be able to be completed in a more timely and cost-effective manner. All planned improvement actions should serve to significantly improve systems controls and thereby improve the extent of GSA’s overall compliance with pertinent laws and regulations.