U.S. General Services Administration
GSA Management and Internal Control Program
1. Management’s Responsibility for Enterprise Risk Management and Internal Controls
Internal control is at the core of GSA fulfilling its mission and achieving its goals while safeguarding Governmental resources. GSA management is responsible for implementing internal control activities across the agency.
GSA uses a top-down approach to implement effective and efficient internal controls. The agency’s senior assessment team, the Management Control Oversight Council (MCOC), chaired by the Deputy Administrator, is responsible for establishing governance for GSA’s senior managers to provide the leadership and oversight necessary for effective implementation of the agency’s Internal Control Program. GSA evaluates internal control across the agency at various levels of the organization to ensure significant risks are identified and related internal controls are tested and evaluated.
The OCFO A-123 Internal Control Review team and the Office of Government-wide Policy (OGP) conducted parallel financial and acquisition reviews across the agency. The organization within OGP performing the work is the Procurement Management Review (PMR) Division, which is a component of the Office of Acquisition Policy reporting directly to the GSA Senior Procurement Executive. This office completed a total of 1,061 contract/real property lease reviews in FY 2018 covering 18 GSA Contracting organizations.
PMR reviews assessed the effectiveness of internal controls over procurement management. By analyzing activities from both an acquisition and financial perspective, GSA addressed control issues that involved financial and acquisition functions. Any identified control deficiencies are tracked and monitored for timely and accurate implementation of corrective actions. No material weakness was identified during this review process.
The OCFO deploys an extensive annual testing and assessment methodology that evaluates the effectiveness of internal controls over financial reporting and financial systems. In FY 2018, the OCFO conducted an agency-wide assessment of the five Components and 17 Principles of Internal Control as required by the U. S. Government Accountability Office (GAO) Standards for Internal Control in the Federal Government (Green Book). The OCFO improved the quality of the reporting and monitoring of improper payments by enhancing the sampling model used for estimating the improper payment rate for Rental of Space. The previous model sampled from one information source: the disbursement population from our Pegasys financial system. The new sampling model uses three sources of information: the disbursement population from our Pegasys financial system, overpayments identified from our Federal Shared Service Provider (FSSP), and overpayments identified from our Payment Recapture Audit. Using this multi-pronged approach generates a more accurate Rental of Space improper payment rate estimate. It also provides additional information for analyzing the root causes of improper payments. In FY 2018, the test results for Rental of Space indicate an improper payment rate of 0.29 percent and an improper payment amount of $16.70 million.
2. Federal Managers’ Financial Integrity Act
The FMFIA of 1982 requires that agencies establish internal controls and financial systems to provide reasonable assurance that the integrity of Federal programs and operations is protected. Furthermore, it requires the head of the agency to provide an annual assurance statement on whether the agency has met this requirement and whether any material weaknesses exist.
In response to the FMFIA, the agency holds managers accountable for the performance, productivity, operations and integrity of their programs through the use of internal controls. Senior managers at the agency each year evaluate the adequacy of the internal controls and determine whether the controls conform to the internal control standards established by OMB and GAO. The results of these evaluations and other information provided to senior management are used to determine whether there are any internal control matters to be reported as material weaknesses. The agency’s senior assessment team, the MCOC, provides oversight of the internal control program and advises the Administrator on the Statement of Assurance.
Additionally, GSA monitors internal controls over purchase and travel cards. See the Fraud Reduction Report Section for comments on this activity.
3. OMB Circular No. A-123, Appendix A
Appendices A and D of OMB Circular No. A-123 provide requirements to agencies for conducting the management assessment of internal control over reporting and financial systems, respectively. In FY 2018, the OCFO continued to deploy an extensive annual assessment methodology that assesses risk across key business processes and identifies the related key internal controls over reporting and financial systems. The key controls were then evaluated for appropriate design and operational effectiveness, while financial system assessments were conducted to identify potential risk areas.
The Agency’s evaluation for FY 2018 did not identify any material weaknesses in controls or material system non-conformances as of, or subsequent to, September 30, 2018.
4. Federal Financial Management Improvement Act
The FFMIA of 1996 was designed to improve Federal financial management and reporting by requiring that financial management systems comply substantially with three requirements:
- Federal financial management system requirements;
- Applicable Federal accounting standards; and,
- The U. S. Government Standard General Ledger at the transaction level.
Furthermore, the Act requires independent auditors to report on agency compliance with the three stated requirements as part of financial statement audit reports. The agency evaluated its financial management systems and has determined they substantially comply with Federal financial management systems requirements, applicable Federal accounting standards and the U. S. Government Standard General Ledger at the transaction level.
5. Information and Financial Management Systems Framework
The CFO Act assigns responsibilities for planning, developing, maintaining, and integrating financial management systems within Federal agencies. GSA currently maintains e-Payroll applications, portions of its legacy core accounting system, and general support systems, which operate on a variety of hosting platforms to support various feeder applications.
In FY 2018, GSA continued its progress in financial systems modernization. GSA completed a project to move the Visual Invoice Tracking and Payment (VITAP) application, an accounts payable subsystem, to a new platform. The new .Net platform improved GSA’s security posture and retired a significant portion of legacy FoxPro code. Additional benefits included 508 Compliance, implementing Single Sign-On, and enhancing the overall user experience and usability of this mission-critical application.
GSA’s legacy time and attendance and leave management systems, ETAMS and ALOHA, were replaced in FY 2018 by the GSA’s new HR Links system. HR Links system is a PeopleSoft solution operated and configured by IBM and QTS Realty Trust, Inc. (QTS). QTS operates the two FedRAMP-certified data centers where the application is hosted. HRLinks improves GSA’s security posture by providing multi-factor authentication to one integrated system, and additional benefits include single-sign-on, self-service features, easy access to leave balances, 508 compliance, and mobile access.
GSA also undertook activities to improve processes, increase automation, and further consolidate applications. These strategies support GSA's financial management system goals of reducing operating and maintenance costs, while enhancing compliance and IT security controls. Projects included in part: piloting Robotics Process Automation to streamline processes and significantly increase automation; implementing database and technology transformations and continuing efforts to consolidate General Support Systems application functionality into a single system and/or migrating it to GSA’s core financial system, Pegasys.
6. Federal Information Security Modernization Act
The Federal Information Security Management Act (FISMA) requires Federal agencies to implement a set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The controls in each Federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology (NIST) standards, and other legislative requirements pertaining to Federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, GSA maintains a formal program for information security management focused on FISMA requirements, protecting GSA IT resources. This program is focused on processes necessary to mitigate new threats and anticipate risks posed by new technologies.
Designated GSA information system security managers and information system security officers implement information security requirements in accordance with FISMA requirements and GSA policies.
GSA continues to address weaknesses identified in its Plan of Action and Milestones. GSA annually provides security and privacy awareness training to more than 15,000 employees and contractors. GSA continues to implement and develop a continuous diagnostics and mitigation program in accordance with NIST, U.S. Department of Homeland Security, and OMB direction.
7. Digital Accountability and Transparency Act (DATA Act)
The Digital Accountability and Transparency Act (DATA Act) was enacted in 2014, amending the Federal Financial Accountability and Transparency Act of 2006 (FFATA). FFATA requires reporting of obligations and award-related information for all Federal financial assistance and procurement awards. The DATA Act expands upon FFATA by adding U.S. Department of the Treasury (Treasury) account-level reporting; this includes reporting all Treasury Account Symbols that fund each award and contract transaction, budget authority, program activity, outlays, and budget object classes, among other data elements. The DATA Act also requires the Federal Government to collectively standardize the data elements reportable under the Act. GSA submitted its quarterly DATA Act submissions as required. This information is 15publicly accessible and searchable by the American public to see how their tax dollars are being spent. The 16Spending Explorer makes it easy to conduct high level analysis of Federal spending.
8. Antideficiency Act (ADA)
The Antideficiency Act, Pub.L. 97–258, 96 Stat. 923, is legislation enacted by the Congress to prevent the incurring of obligations or the making of expenditures in excess of amounts available in appropriations or funds. The law was initially enacted in 1884, with major amendments occurring in 1950 and 1982. It is now codified at 31 U.S.C. § 1341.
GSA is working with OMB on final decisions for two potential FY 2017 violations of the ADA. In one instance, the ASF apportionment did not account for growth potential of a specific reimbursable agreement and the ASF flow-through apportionment limitation was exceeded. In response to this potential violation, GSA initiated a Corrective Action Plan (CAP) with four actions, which have been completed. Additional information on this potential ADA is included in the OIG’s Management Challenges and the Statement of Assurance.
The second potential ADA violation identified in FY 2017 was related to the FCSF. The FCSF was utilized to support search capability for state and local Government websites. GSA corrected the situation by discontinuing these services in February 2017.