Analysis of systems, controls and legal compliance
An effective internal control program helps the U.S. General Services Administration (GSA) safeguard Government resources and ensures that the agency efficiently and effectively fulfills its core mission and achieves its strategic goals.
The agency’s senior assessment team, the Management Control Oversight Council, chaired by the Deputy Administrator, reviews and approves the enterprise internal control program and provides the leadership and oversight necessary for effective implementation of the agency’s program.
GSA evaluates internal controls across the agency at various levels of the organization. GSA management is responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unanticipated events. Employees across the organization are responsible for understanding the controls applicable to their workflows and applying them in accordance with internal control guidance.
In fiscal year (FY) 2023, GSA continued its efforts to increase and reinforce internal control compliance. The agency requires employees to take internal control training, which outlines applicable Office of Management and Budget (OMB) Circular A-123 standards and best practices and serves as a first line of defense. For the first time, GSA established focus groups to gather insight around strengths, common pain points, and opportunities to improve and strengthen GSA’s internal control environment. Action plans are being developed that address stakeholder feedback in key areas such as internal control culture, communication, and training. Additionally, GSA sustained its focus on increasing accountability, resolving audit recommendations, and implementing a more effective system of internal control agencywide. Specifically, senior executives, program managers, and staff closely monitor program audit resolution through performance dashboards.
Management’s responsibility for enterprise risk management and internal controls
Integration with enterprise risk
To better understand and anticipate enterprise risk, GSA identifies and assesses prospective threats to the organization annually. This includes an effort to integrate and effectively use information developed as part of OMB Circular A-123 internal controls assessments.
In 2021, GSA established an enterprise risk management policy statement, which highlights the importance of effective risk management in meeting its mission. The Enterprise Risk and Strategic Initiatives (ERSI) Board, co-chaired by the Deputy Performance Improvement Officer and the Chief Information Security Officer, works to continuously improve risk governance at GSA. The ERSI Board is charged with implementing sound risk management across GSA and translating enterprise-level strategies into actionable initiatives. Risks are managed throughout the year at the appropriate program level, with certain cross-cutting or emerging risks monitored and discussed at the enterprise level through existing governance mechanisms and decision bodies.
Procurement management review function
As part of GSA’s internal controls, the Office of Government-wide Policy conducts procurement management reviews. Procurement management reviews assess the basic foundational components of the acquisition function, including contract administration, performance-based contracting, acquisition planning, and effective contract pricing and negotiations. These reviews help the agency identify best practices and challenges in the acquisition function.
GSA plays an important role in advancing the administration’s priorities through leadership in Government-wide acquisition, including economic growth, climate resiliency, and strengthening diversity, equity, inclusion, and accessibility. Achieving these goals requires a modern, accessible, and streamlined acquisition ecosystem and a robust marketplace that connects buyers to the suppliers and businesses that meet their mission needs.
The procurement management review (PMR) process continues to play an important role in helping to ensure the agency meets its ambitious goals. For example, in FY 2023, the PMR Division (PMRD) continued its focus on contract administration and electronic contract filing, verifying that adequate management and internal controls are in place to ensure sufficient Government oversight of the goods and services procured. GSA’s head of contracting activity (HCA) and that person’s delegate, when applicable, are responsible for developing acquisition policies and procedures, and for establishing guidance regarding acquisition reviews under their delegated authority. The PMRD has repurposed the procurement management reviews to include review of both the HCA’s procurement and program organizations relating to the HCA’s procurement portfolio. Therefore, the procurement management reviews are strategically aligned to reflect both procurement and program operations.
The PMRD will continue to prioritize activities that ensure the administration priorities and GSA’s acquisition policies have a significant and lasting positive impact on the American public and its stakeholders.
Federal Managers’ Financial Integrity Act of 1982
The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal controls and financial systems to provide reasonable assurance that the integrity of Federal programs and operations is protected. It also requires the head of the agency to provide an annual assurance statement on whether the agency has met this requirement and whether any material weaknesses exist.
In response to FMFIA, GSA implemented processes to hold managers accountable for the performance, productivity, operations, and integrity of their programs through the use of internal controls. GSA’s Office of the Chief Financial Officer (OCFO) continues to use an Entity Level Evaluation Tool that incorporates the evaluation factors of the Government Accountability Office’s (GAO) 5 components and 17 principles of internal control, and OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.
All controls were operating as intended as of September 30, 2023.
OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendices A and D
OMB Circular A-123, Appendices A and D, require agencies to conduct an annual management assessment of internal control over reporting and financial systems. In FY 2023, OCFO deployed an extensive methodology that assessed risk across key business processes and identified the related key internal controls over reporting and financial systems.
The Appendix A risk assessment evaluated the results of the FY 2022 financial audit, the FY 2022 evaluation of GAO’s 5 components and 17 principles of internal control, recent GAO and Office of Inspector General audits, and management-identified priorities. In FY 2023, GSA assessed:
- Payroll and Human Capital Management
- Federal Acquisition Service Revenue and Receivables
- Public Buildings Service Revenue and Receivables
- Public Buildings Service Reimbursable Work Agreements
- Financial Statement Manual Journal Entries
For Appendix D, the financial system evaluation was based on initial materiality assessments. The systems in scope for this year’s assessments included:
- Pegasys - GSA’s core financial system of record
- HR Links - GSA’s human capital management system
- Occupancy Agreement Billing
- Fleet Management System
- Payroll Accounting and Reporting
- FEDPAY
- Product Information Communication System
- Assisted Services Shared Information System - a single, integrated solution for all GSA-assisted acquisitions
- Order Management System - an order fulfillment service primarily servicing the GSA Global Supply and Retail Operations
Key controls were evaluated for appropriate design and operating effectiveness, and potential risk areas were identified.
GSA’s evaluation of Appendices A and D did not identify any material weaknesses in controls or material system non-conformances as of September 30, 2023.
GAO standards for internal control in the federal government
The GAO requires entities to assess whether their agency’s internal controls support 5 components and 17 principles of internal control. GSA understands the five components of internal control must be effectively implemented and operating in an integrated manner for an internal control system to be effective.
To ensure cohesion, in FY 2023, GSA continued to update an inventory of policies and procedures designed to support internal controls. These policies and procedures were mapped to the component and principle they support. Each year, GSA reviews new and existing policies and procedures in the inventory and updates the related mapping documentation as necessary. GSA annually tests the 5 components and 17 principles of internal control for compliance.
Federal Financial Management Improvement Act of 1996
The Federal Financial Management Improvement Act of 1996 was designed to improve Federal financial management and reporting by requiring that financial management systems comply substantially with three requirements:
- Federal financial management system requirements.
- Applicable federal accounting standards.
- The U.S. Standard General Ledger at the transaction level.
The act also requires independent auditors to report on agency compliance with the three stated requirements as part of financial statement audit reports. The agency evaluated its financial management systems and has determined they substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the U.S. Standard General Ledger (USSGL) at the transaction level as of September 30, 2023.
Information and financial management systems framework
The Chief Financial Officers Act of 1990 assigns responsibilities for planning, developing, maintaining, and integrating financial management systems to Federal agencies. GSA currently maintains Pegasys, its core accounting system; the e-Payroll applications; and the general support applications on different hosting platforms. On February 26, 2023, USDA transferred management of the Pegasys Financial Services including its related staff, financial management system, and supporting contracts back to GSA.
Overall, GSA is focused on improving the operations of these systems by consolidating platforms and licenses, increasing automation, migrating systems to cloud-based solutions, and modernizing legacy systems. These actions also enable GSA to reduce maintenance costs and provide more seamless support to the GSA financial community. Encrypting databases, implementing two-factor authentication for identity and access management, and moving more applications to a single sign-on solution help enhance the overall security posture of the agency’s portfolio.
Since FY 2020, GSA has been transitioning ancillary applications to open-source technology. Beginning in FY 2020, the agency successfully migrated the Collection Information Repository application, the recurring services notification approval process, and Pegasys vendor request management to open-source technology. In FY 2021, GSA migrated two more financial management applications, WebVendor and Pegasys Payment Search, from proprietary database technology. The benefits of open-source technology are many: lower software costs, reduced development time and expense, faster start-ups, easier reuse and repurposing, and robust community troubleshooting and maintenance.
In FY 2022, GSA deployed multi-factor authentication to FEDPAY for Government users. The agency also migrated all applications using a custom-coded password service into GSA’s enterprise password management solution, Password Manager Pro. These actions help GSA better protect its data assets from rogue hackers and takeovers and protect users’ security and privacy. To better insulate software assets from fraud and to ensure the agency appropriately records proof of purchase, licenses, and end-user agreements, GSA continues to improve its software asset management toolkit. In 2023, GSA IT migrated seven Financial Management Line of Business (FMLoB) web applications to IdentityNow, a SailPoint product. IdentityNow simplifies identity governance, helping GSA automate user access and certification, enforce separation of duties, catalog policies, and better manage passwords. Additional FMLoB and HR applications will be migrated in late 2023 or early 2024, allowing GSA to decommission legacy access management solutions. Future migrations will automate the processing of access requests, which are currently processed manually through the Enterprise Access Request System, by moving them to a simpler case management solution.
Federal Information Security Modernization Act
The Federal Information Security Modernization Act (FISMA) requires Federal agencies to implement a set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The controls in each Federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology (NIST) standards, and other legislative requirements pertaining to Federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, GSA maintains a formal program for information security management that focuses on FISMA requirements and protecting GSA IT resources. This program determines the processes necessary to mitigate new threats and anticipate risks posed by new technologies. The program also follows NIST’s cybersecurity framework for making risk-based determinations. GSA IT will closely integrate cybersecurity with enterprise risk management; GSA will improve and prioritize investment decisions that continue to mitigate those risks.
In May 2021, the President issued Executive Order 14028, Improving the Nation’s Cybersecurity, directing Federal agencies to make a series of enhancements in their cybersecurity capabilities, implement software supply chain integrity, and transition to a zero-trust architecture. EO 14028, supported by a series of OMB memoranda and Cybersecurity and Infrastructure Security Agency (CISA) directives, represents a fundamental change in approach to how the Government secures its information and information system resources. GSA fully supports the administration’s goals to advance zero-trust architecture and has aligned its approach to available best practices from NIST, CISA, and OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. In FY 2022, GSA submitted a proposal to the Technology Modernization Fund and was awarded $29.8 million to advance zero-trust architecture that focuses on information technology security, including users and devices, networks, and security operations. The agency’s progress is described below:
- Users and devices: GSA will meet the newer demands of telework through a multi-domain, hybrid cloud architecture approach that adheres to enhanced security principles. In FY 2023, GSA migrated to a cloud-based identity governance platform and awarded a new cloud-based authentication platform contract to support stronger authentication options.
- Networks: GSA implemented distinct network security segments by implementing a secure access service edge solution for its users and devices, resulting in cost savings and enhancing user experience by eliminating the need for virtual private networks. In addition, GSA has completed upgrades to the security network for 250 public buildings.
- Security operations: GSA has adopted increased machine learning- and artificial intelligence-driven algorithms to help connect diverse data sources and highlight threats, while also providing security oversight for cyber supply chain risk management. The agency also plans to continue to expand its enterprise security operations center to include additional Government-wide public-facing digital services.
GSA has further aligned its cybersecurity program to the new capability-driven metrics in the FY 2023 FISMA evaluation process. These metrics set forth a maturity baseline for cybersecurity to enable more informed, risk-based decisions and to achieve observable security outcomes. The cybersecurity scores, which are derived from those FISMA metrics, represent the Federal Government’s progress in achieving EO 14028 milestones and implementing key cybersecurity measures. GSA received a total score of 94 percent on the Federal Cyber Security Progress Report, and the highest possible score of 15.0 in the NIST Cybersecurity Framework areas of Identify, Respond and Recover; a score of 36.2 out of 40 in Protect; and a score of 12.3 out of 15.0 in Detect. Additionally, as part of the FY 2023 FISMA audit, GSA’s security program received an overall FISMA rating of “Effective” with Managed and Measurable (Level 4) for the Identify, Respond, and Recover cybersecurity functions and Optimized (Level 5) for the Protect and Detect cybersecurity functions.
Digital Accountability and Transparency Act
The Federal Financial Accountability and Transparency Act of 2006 (FFATA) requires Federal agencies to report obligations and award-related information for all Federal financial assistance and procurement awards. The Digital Accountability and Transparency Act of 2014 (DATA Act) expands upon FFATA by adding U.S. Department of the Treasury account-level reporting. This includes reporting all Treasury Account Symbols that fund each award and contract transaction, budget authority, program activity, outlay, and budget object class, among other data elements. The DATA Act also requires the Federal Government to collectively standardize the financial data elements that are reportable under the act. In FY 2023, GSA provided monthly DATA Act submissions and certified those submissions each quarter, as required. This information is publicly accessible on the USA Spending website, which allows users to view how Federal tax dollars are spent.
Antideficiency Act
The Antideficiency Act (ADA), Public Law 97-258, 96 Stat. 923, prohibits Federal agencies from incurring obligations or expending funds in advance or in excess of an appropriation. The law was initially enacted in 1884, with major amendments occurring in 1950 and 1982. It is now codified at 31 U.S.C. §§ 1341 and 1342.
GSA regularly monitors program spending against the levels apportioned by the Office of Management and Budget as well as the levels of actual resources collected to ensure the agency does not spend more funding than authorized. Additionally, GSA has controls in place in its financial system, Pegasys, to prevent spending above the levels apportioned to GSA’s various funds. These systematic controls reinforce efforts to comply with the ADA.
Statement of assurance
The U.S. General Services Administration management is responsible for managing risks and maintaining effective internal controls to meet the objectives of Sections 2 and 4 of the Federal Managers’ Financial Integrity Act. GSA conducted its assessment of risk and internal controls in accordance with the OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. The assessment did not identify any material weaknesses. GSA management can provide reasonable assurance that internal controls over operations, financial reporting, and compliance were operating effectively as of September 30, 2023.
In FY 2022, GSA identified an accounting error that impacted balances for multiple years, and the financial statement audit identified inadequate second-level reviews over manual transactions processed in the Agency’s core financial system, which, combined, resulted in a material weakness. To address the material weakness, GSA conducted a risk assessment to ensure adequate controls are in place, implemented second-level approvals into the accounting system as of October 5, 2023, and updated the system to ensure proper classification of transactions.
GSA has assessed that it is in compliance with Federal financial management standards, as required by the Federal Financial Management Improvement Act of 1996 and OMB Circular A-123 Appendix D. GSA is confident that all systems substantially comply with the Federal financial management system requirements, Federal accounting standards promulgated by the Federal Accounting Standards Advisory Board, and with the U.S. Standard General Ledger at the transaction level as of September 30, 2023.
/S/_____________________
Robin Carnahan
Administrator of General Services
November 14, 2023