Management and Internal Control Program
GSA Management and Internal Control Program
Federal Managers’ Financial Integrity Act Section 2
The Federal Managers’ Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the three objectives of internal control are achieved:
- Effectiveness and efficiency of operations;
- Compliance with applicable laws and regulations; and
- Reliability of financial reporting.
FMFIA requires that the head of the agency, based on evaluation, provide an annual Statement of Assurance on whether the agency has met these requirements. Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, implements the FMFIA and defines management’s responsibility for internal control in federal agencies. FMFIA also requires agencies to establish internal controls over their programs, financial reporting, and financial management systems. GSA internal control reviews are conducted for agency program components to ensure that significant risks are identified, tested and evaluated. GSA provides assurance on the effectiveness of the internal control over operations, management systems, and financial reporting for FY 2014 with consideration to all internal and external reviews of the agency. The “Summary of GSA’s Financial Statement Audit and Management Assurances” table is provided in the “Other Information” section of this report.
In FY 2014, GSA continued to strengthen management practices and internal controls to assure the integrity of its programs, operations, and business and financial management systems. This effort included an increased focus on risk management and risk analysis on all programs. GSA successfully completed all the requirements of OMB Circular A-123; the Office of Federal Procurement Policy’s (OFPP) Memorandum entitled, Conducting Acquisition Assessments under OMB Circular A-123; the FMFIA; OMB Circular A-123 Appendix D, Compliance with the Federal Financial Management Improvement Act of 1996; the Federal Financial Management Improvement Act (FFMIA); and the Federal Information Security Management Act (FISMA) as the foundation of effective management operations and internal controls.
In FY 2014, the Procurement Management Review (PMR) Division conducted acquisition reviews across the agency. PMR reviews assessed the effectiveness of internal controls to include audit deficiencies identified by external auditors (i.e. Defense Contract Audit Agency and the General Accountability Office). By analyzing activity from an acquisition perspective, GSA identified and addressed control issues related to the acquisition functions. Review results were presented to management at the Management Control Oversight Committee meeting in October. A dashboard tracker located on the GSA Acquisition Portal is used to track the timely and accurate implementation of corrective action plans.
GSA conducted limited reviews of controls over financial reporting as prescribed in OMB Circular A-123 Appendix A. Results of these reviews and responses to the assurance statement process did not identify any material weaknesses in these areas. Although not identified as a material weakness, GSA management recognizes that challenges exist in GSA’s entity-level controls environment that need to be strengthened to promote standardization of business rules and effective communications across the agency.
GSA’s external auditor identified one material weakness related to controls over financial reporting. The material weakness contains two components: future estimated cleanup costs for contaminants other than asbestos, and incomplete lease classification analysis.
Remediation efforts completed during fiscal year 2014 to address future estimated cleanup costs for contaminants other than asbestos included a change in accounting methodology, which resulted in a revised environmental liability estimate recorded prior to final presentation of the financial statements. Additional remediation actions for this deficiency are planned in fiscal year 2015 and are summarized below:
- Transition the asbestos working team to address contaminants other than asbestos.
- Continue to refine the methodology for GSA’s non-asbestos environmental liability to include additional project costs and cost estimates for future equipment and facility disposal.
- Update guidelines, provide training, and communicate program efforts regarding the non-asbestos environmental liability estimation methodology.
GSA is in the process of finalizing a project plan and a corrective action plan to ensure the amounts recorded by GSA for environmental liabilities for cleanup costs other than asbestos are complete and accurate.
Remediation efforts are also planned for fiscal year 2015 to address incomplete lease classification analysis. GSA will develop a corrective action plan to improve its policies and procedures that will ensure personnel conducting scoring analyses for lease classification are properly trained. In addition, GSA will update policies to add clarity to scoring evaluations and will enforce existing policies to certify that all necessary leases are properly classified before lease award. These improvements will provide additional safeguards in the lease classification process and ensure that the lease classification analysis is done in an accurate, timely, and consistent manner.
Federal Managers’ Financial Integrity Act Section 4
GSA evaluates its financial management systems annually for compliance with federal financial management systems requirements, applicable federal accounting standards, and U.S. Standard General Ledger (USSGL) recording and reporting requirements. In FY 2014, GSA evaluated its financial management systems controls and compliance by completing systems certification and accreditation reviews as part of the agency security assessment and authorization on Pegasys, the agency core financial system, submitting required Office of the Chief Information Security Officer (OCISO) reports and obtaining authorization to operate (ATO), conducting OMB Circular A-123 reviews, and evaluating risk indicators contained in the FFMIA Compliance Risk Model. GSA also reviewed pertinent audit reports issued in FY 2014, remediated all prior year SSAE16 audit recommendations, and discussed the details of pertinent systems-related control issues with senior managers and auditors.
In FY 2014, improvements were made to strengthen GSA IT systems controls in the areas of continuous monitoring and automated logging and monitoring. GSA will continue to implement and enhance controls in these areas, and the automated tools will provide improved vulnerability management capabilities as well as near-real-time reporting on system inventories and risk posture.
In assessing compliance with FFMIA, GSA adheres to the implementation guidance provided by OMB and considers the results of GSA Office of the Inspector General and U.S. Government Accountability Office audit reports, annual financial statement audits, FISMA compliance reviews, risk assessments, and other systems-related review and monitoring activities. Based on all information assessed, the administrator has determined that GSA financial management systems are in substantial compliance with FFMIA requirements for FY 2014.
Federal Information Security Management Act
FISMA requires federal agencies to implement a mandatory set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The processes and systems controls in each federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology (NIST) standards, and other legislative requirements pertaining to federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, GSA maintains a formal program for information security management focused on FISMA requirements, protecting GSA IT resources, and supporting the GSA mission. This program consists of policies, procedures, and processes to mitigate new threats and anticipate risks posed by new technologies.
Designated GSA information system security managers and information system security officers implement information security requirements in accordance with FISMA requirements and GSA policies.
GSA continues to address weaknesses identified in its Plan of Action and Milestones. GSA annually provides security and privacy awareness training for over 15,000 employees and contractors. Privacy Impact Assessments were completed on all applicable systems. GSA continues to implement and mature a continuous monitoring program in accordance with NIST, Department of Homeland Security (DHS), and Office of Management and Budget (OMB) direction.
Financial Management Systems Framework
The Chief Financial Officers Act assigns responsibilities for planning, developing, maintaining, and integrating financial management systems within federal agencies.
As depicted on the Financial Management Systems Framework chart below, GSA currently maintains a core accounting system, Pegasys; E-Payroll applications; portions of its legacy core accounting system, National Electronic and Accounting Reporting (NEAR); and general support systems, which operate on a variety of hosting platforms to support various feeder applications.
In FY 2014, GSA continued its progress in financial systems modernization and improvement in support of this financial management systems framework. To achieve its strategic goals, GSA will continue efforts to:
- Retire NEAR by transferring billing and accounts receivable and other remaining functionality to Pegasys; and
- Streamline, consolidate, and modernize financially oriented general support systems.
These strategies support GSA financial management system goals of reducing financial system operating and maintenance costs, and enhancing compliance and IT security controls.