GSA Management and Internal Control Program
Federal Managers’ Financial Integrity Act (FMFIA) Section 2
The FMFIA requires agencies to establish internal control and financial systems that provide reasonable assurance that the three objectives of internal control are achieved:
- Effectiveness and efficiency of operations;
- Compliance with applicable laws and regulations; and
- Reliability of financial reporting.
FMFIA requires that the head of the agency, based on evaluation, provide an annual Statement of Assurance on whether the agency has met these requirements. OMB Circular A-123, Management’s Responsibility for Internal Control, implements the FMFIA and defines management’s responsibility for internal control in federal agencies. FMFIA also requires agencies to establish internal controls over their programs, financial reporting, and financial management systems. GSA internal control reviews are conducted for agency program components. The goal of these reviews is to identify and mitigate significant risks in a timely manner. These reviews also ensure that audit findings are responded to in a timely and effective manner and corrective action plans are implemented. GSA evaluates assurance on the effectiveness of the internal control over operations, management systems, and financial reporting for FY 2015 with consideration to all internal and external reviews of the agency. The “Summary of GSA’s Financial Statement Audit and Management Assurances” table is provided in the “Other Information” section of this report.
In FY 2015, GSA continued to strengthen management practices and internal controls to assure the integrity of its programs, operations, business and financial management systems. This effort included an increased focus on risk management and risk analysis on all programs. GSA successfully completed all the requirements of “OMB Circular A-123”; the Office of Federal Procurement Policy’s Memorandum entitled, “Conducting Acquisition Assessments under OMB Circular A-123”; the “FMFIA”; “OMB Circular A-123 Appendix D, Compliance with Federal Financial Management Improvement Act (FFMIA)”; and the “Federal Information Security Management Act (FISMA)” as the foundation of effective management operations and internal controls.
In FY 2015, the Procurement Management Review (PMR) Division and the Office of the Chief Financial Officer A-123 Internal Control Review team conducted parallel financial and acquisition reviews across the agency. PMR reviews assessed the effectiveness of internal controls over procurement management. By analyzing activities from both an acquisition and financial perspective, GSA addressed control issues that involved financial and acquisition functions. Any identified control deficiencies are tracked through a database application and monitored for timely and accurate implementation of corrective actions.
Overall, the Internal Control Program at GSA is functioning soundly and GSA can provide reasonable assurance that its internal control over financial reporting is operating effectively and that there are no material weaknesses relating to the design or operation of internal control over financial reporting.
Federal Managers’ Financial Integrity Act Section 4
GSA evaluates its financial management systems annually for compliance with federal financial management systems requirements, applicable federal accounting standards, and USSGL recording and reporting requirements. In FY 2015, GSA evaluated its financial management systems controls and compliance by completing systems certification and accreditation reviews as part of the agency security assessment and authorization on Pegasys, the agency core financial system, submitting required Office of the Chief Information Security Officer (OCISO) reports and obtaining authorization to operate, conducting OMB Circular A-123 reviews, and evaluating risk indicators contained in the FFMIA Compliance Risk Model. GSA also reviewed pertinent audit reports issued in FY 2015, remediated all but one of the prior year Statement on Standards and Attestation 16 audit recommendations, and discussed the details of pertinent systems-related control issues with senior managers and auditors. The remaining open recommendation is scheduled to be completed in the first quarter of FY 2016.
In FY 2015, improvements were made to strengthen GSA IT systems controls in the areas of continuous monitoring and automated logging & monitoring. GSA will continue to implement and enhance controls in these areas, and the automated tools will provide improved vulnerability management capabilities as well as near-real-time reporting on system inventories and risk posture.
In assessing compliance with FFMIA, GSA adheres to the implementation guidance provided by OMB and considers the results of GSA OIG and Government Accountability Office (GAO) audit reports, annual financial statement audits, FISMA compliance reviews, risk assessments, and other systems-related review and monitoring activities. Based on all information assessed, the administrator has determined that GSA financial management systems are in substantial compliance with FFMIA requirements for FY 2015.
Federal Information Security Management Act
FISMA requires federal agencies to implement a mandatory set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The processes and systems controls in each federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology standards (NIST), and other legislative requirements pertaining to federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, GSA maintains a formal program for information security management focused on FISMA requirements, protecting GSA IT resources, and supporting the GSA mission. This program consists of policies, procedures, and processes to mitigate new threats and anticipate risks posed by new technologies.
Designated GSA information system security managers and information system security officers implement information security requirements in accordance with FISMA requirements and GSA policies.
GSA continues to address weaknesses identified in its Plan of Action and Milestones. GSA annually provides security and privacy awareness training for over 15,000 employees and contractors. Privacy Impact Assessments were completed on all applicable systems. GSA continues to implement and mature a continuous monitoring program in accordance with NIST, Department of Homeland Security (DHS), and OMB direction.
Financial Management Systems Framework
The Chief Financial Officers Act assigns responsibilities for planning, developing, maintaining, and integrating financial management systems within federal agencies.
As depicted on the Financial Management Systems Framework chart below, GSA currently maintains a core accounting system, Pegasys; E-Payroll applications; portions of its legacy core accounting system; and general support systems, which operate on a variety of hosting platforms to support various feeder applications.
In FY 2015, GSA continued its progress in financial systems modernization and improvement in support of this financial management systems framework. To achieve its strategic goals, GSA will continue efforts to:
- Streamline, consolidate, and modernize financially oriented general support systems
- Complete the transfer of financial system ownership to USDA
These strategies support GSA financial management system goals of reducing financial system operating and maintenance costs, and enhancing compliance and IT security controls.