GSA Management and Internal Control Program
An effective internal control program helps GSA safeguard Government resources and ensures that the agency efficiently and effectively fulfills its core mission and achieves its strategic goals.
GSA evaluates internal controls across the agency at various levels of the organization. GSA management is responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unanticipated events. Employees across the organization are responsible for executing internal controls.
Management’s Responsibility for Enterprise Risk Management and Internal Controls
The agency’s senior assessment team, the Management Control Oversight Council (MCOC), chaired by the Deputy Administrator, is responsible for establishing governance for GSA’s senior managers to provide the leadership and oversight necessary for effective implementation of the agency’s Internal Control Program.
Integration with Enterprise Risk
To better understand and anticipate enterprise risk, GSA identifies and prioritizes prospective threats to the organization annually. This includes an effort to integrate and leverage information developed as part of OMB Circular A-123 internal controls assessments.
In FY 2019, GSA conducted two surveys, one with executives and another with managers throughout the organization, and identified the likelihood and impact of enterprise risk events. The results of both surveys were shared and discussed with each of the services and with specific mission-support offices. Based on the surveys and follow-up discussions, GSA made adjustments to the annual risk profile and prioritized some risks for additional analysis and planning. Risks are managed throughout the year at the appropriate program level, with certain cross-cutting risks monitored and discussed at the enterprise level through existing governance mechanisms and decision bodies.
The OCFO A-123 Internal Control Review Team and the Office of Government-wide Policy (OGP) conducted parallel financial and acquisition reviews across the agency. The Procurement Management Review (PMR) Division, which is a component of OGP’s Office of Acquisition Policy, completed 1,104 contract and real property lease file reviews in FY 2019, covering 16 GSA contracting organizations.
Contract Administration Baseline Review
Throughout FY 2019, PMRs focused on post-award responsibilities, including contracting officer’s representative (COR) delegations of authority, internal or external to the agency. Contracting activities were assessed to confirm that project teams are performing the required oversight and documentation as indicated in each contract.
As expected, the increased focus on contract administration highlighted both successes to applaud and challenges that will require corrective action plans in FY 2020. The top contract administration challenges are listed below:
- Security: Contractor access to Government space is often necessary to execute contract requirements. While an agency process exists to obtain identification badges for contractors, improvements are needed in maintenance and oversight procedures from credential issuance through contract completion.
- Performance-based Contracts: Performance-based contracts represent approximately 80 percent of GSA-obligated dollars. As such, GSA needs to ensure these contracts contain the applicable performance standards and surveillance plans to allow proper assessment of the contractors’ performance required in the contract.
- Lease Total Cost: Real property leasing actions are a unique type of procurement in that the total post-occupancy lease costs, such as alterations via reimbursable work authorization and overtime utilities, are not easily linked back to the master lease to provide a total cost.
- Integrated Teams: Contracting is a team sport requiring contributions from all members of the project team to ensure success. Focus is needed to ensure that contracting officers, CORs, and project managers use the same playbook in terms of key post-award activities, such as awareness and understanding of delegated roles and responsibilities, contract file storage, and accessibility.
OCFO internal control responsibilities include evaluating the effectiveness of internal controls over reporting and financial systems, conducting an agency-wide assessment of compliance with GAO’s 5 components and 17 principles of internal control, and monitoring and reporting on improper payments.
Federal Managers’ Financial Integrity Act of 1982
The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal controls and financial systems to provide reasonable assurance that the integrity of Federal programs and operations is protected. It also requires the head of the agency to provide an annual assurance statement on whether the agency has met this requirement and whether any material weaknesses exist.
In response to FMFIA, the agency holds managers accountable for the performance, productivity, operations, and integrity of their programs through the use of internal controls. OCFO developed an Internal Control Evaluation Tool (ICET). ICET incorporates the evaluation factors for the 5 components and 17 principles of internal control, Digital Accountability and Transparency Act (DATA Act) reporting requirements, and Enterprise Risk Management (ERM) concepts to allow senior managers to evaluate the adequacy of the internal controls and determine whether the controls conform to the internal control standards established by OMB and GAO.
The evaluation results and other information were provided to the MCOC to determine and advise whether there were any material weaknesses in internal control requiring disclosure in the Administrator’s Statement of Assurance.
OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, Appendix A and D
OMB Circular No. A-123, Appendices A and D, require agencies to conduct an annual management assessment of internal control over reporting and financial systems. In FY 2019, the OCFO continued to deploy an extensive annual assessment methodology that assesses risk across key business processes and identifies the related key internal controls over reporting and financial systems.
The Appendix A risk assessment evaluated the results of the FY 2018 financial audit, the FY 2018 evaluation of GAO’s 5 components and 17 principles of internal control, recent GAO and OIG audits, and management-identified priorities. The assessment identified budget and finance, Federal Acquisition Service (FAS) and Public Buildings Service (PBS) procurement, accounts payable, payments, timing of personnel actions for within-grade and quality step increases, DATA Act reporting, and OCFO robotics process automation (RPA) as within the scope of the FY 2019 assessment.
For Appendix D, the financial system evaluation was based on initial materiality assessments. The systems in scope for this year’s assessments included Pegasys (the GSA core financial system of record), the Assisted Services Shared Information System, the Requisition, Ordering, and Documentation System, and the Enterprise Acquisition System Integrated. Key controls were evaluated for the appropriate design, operational effectiveness and identified potential risk areas.
GSA’s evaluation of Appendices A and D did not identify any material weaknesses in controls or material system non-conformances as of September 30, 2019.
Federal Financial Management Improvement Act of 1996
The Federal Financial Management Improvement Act of 1996 was designed to improve Federal financial management and reporting by requiring that financial management systems comply substantially with three requirements:
- Federal financial management system requirements;
- Applicable Federal accounting standards; and
- The U.S. Government Standard General Ledger at the transaction level.
The act also requires independent auditors to report on agency compliance with the three stated requirements as part of financial statement audit reports. The agency evaluated its financial management systems and has determined they substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the U.S. Government Standard General Ledger at the transaction level.
Information and Financial Management Systems Framework
The CFO Act assigns responsibilities for planning, developing, maintaining, and integrating financial management systems to Federal agencies. GSA currently maintains e-Payroll applications, portions of its legacy core accounting system, and general support systems, which operate on a variety of hosting platforms to support various feeder applications.
In FY 2019, GSA continued its progress in financial systems modernization. GSA completed phase II of a project to move the Visual Invoice Tracking and Payment application, an accounts payable subsystem, to a new platform. The new platform improved GSA’s security posture, retired additional components of legacy FoxPro code, satisfied 508 compliance, expanded single sign-on implementation, and enhanced the overall user experience and usability of this mission-critical application.
Due to functionality being incorporated in Pegasys, GSA decommissioned several financial management applications including FTS Expense Accruals, Pegasys Forms Delete, Pegasys Online Disbursement Review, Year End Lease Accruals (Lease YE Accrual), Pegasys Open Items, BULKLOAD, Adventure Travel, Financial Operations and Disbursement Division, Customer Support Center, and IPAC Search. The benefits of decommissioning these systems include cost avoidance, as well as streamlined user access and user experience.
GSA has also successfully implemented a Robotic Process Automation (RPA) program within OCFO, which is automating processes for OCFO, FAS, PBS, and other GSA support offices. The RPA program has delivered bots that help GSA comply with Federal requirements, such as the Prompt Payment Act and the Improper Payment Elimination and Recovery Act of 2010; reduce cycle time for different processes, thereby increasing the capacity to improve customer satisfaction; reduce errors and associated re-work and delays; reconcile data across multiple systems and documents; and automate manual, repetitive, rule-based processes, allowing employees to shift to higher-value work advancing the agency's mission. GSA is now in the planning phases of building an RPA enterprise platform, which will allow for unattended automation and time-based scheduling of bots.
GSA has undertaken other activities that improve processes, increase automation, and further consolidate applications in its system architecture. To better secure GSA’s data assets, the agency continues to move more applications to the SecureAuth single sign-on solution and integrate two-factor authentication for identity and access management services. In the area of software asset management, GSA continues to mature new tool sets and additional capabilities introduced to help combat fraud and ensure proof of purchase, license, and user agreements.
To protect and secure sensitive building information (Federal tenant data, floorplans, leasing data, and market surveys with competitive rental rates), PBS IT and GSA IT Security included additional rigor into contractor requirements in the National Broker Contract. The contract now requires GLS brokers to use Government-provided systems and email to store or process all information pertaining to leases. Contractors must also use GSA-provided IT systems and email (currently virtual desktops and GSA-provided Google Accounts) to store, process, or transmit GSA information for all work performed under this contract.
Federal Information Security Modernization Act
The Federal Information Security Management Act (FISMA) requires Federal agencies to implement a set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The controls in each Federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology (NIST) standards, and other legislative requirements pertaining to Federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, GSA maintains a formal program for information security management focused on FISMA requirements and protecting GSA IT resources. This program is focused on processes necessary to mitigate new threats and anticipate risks posed by new technologies and follows NIST’s cybersecurity framework for making risk-based determinations. Integration of cybersecurity with enterprise risk management has been improved by bringing cyber risk discussions to the Investment Review Board (IRB) and prioritizing investment decisions that mitigate the risks.
GSA meets all FISMA Cross Agency Priority Goals for cybersecurity and has received a Managing Risk rating across all capability domains and overall for the Risk Management Assessment Scorecard. GSA has also implemented a set of Continuous Diagnostics and Mitigation (CDM) security sensor tools feeding summarized data to a CDM dashboard. The CDM dashboard provides a centralized view of cybersecurity risks across the enterprise and provides leadership with an ability to identify cybersecurity risks and prioritize actions to mitigate or accept risks based on potential impacts to the mission of the GSA. Other actions taken to mitigate cybersecurity risks at GSA include:
- Implementing information security requirements in accordance with FISMA mandates and GSA policies.
- Addressing weaknesses identified in GSA system-level plans of action and milestones, which are developed to manage the risks associated with all GSA applications.
- Providing security and privacy awareness training to more than 17,000 employees and contractors.
- Developing a continuous diagnostics and mitigation program in accordance with NIST, U.S. Department of Homeland Security, and OMB direction.
Digital Accountability and Transparency Act
The DATA Act was enacted in 2014, amending the Federal Financial Accountability and Transparency Act of 2006 (FFATA). FFATA requires reporting of obligations and award-related information for all Federal financial assistance and procurement awards. The DATA Act expands upon FFATA by adding U.S. Department of the Treasury account-level reporting; this includes reporting all Treasury Account Symbols that fund each award and contract transaction, budget authority, program activity, outlays, and budget object classes, among other data elements. The DATA Act also requires the Federal Government to collectively standardize the financial data elements reportable under the act. GSA submitted its quarterly DATA Act submissions as required. This information is publicly accessible and searchable by the American public to see how tax dollars are spent. Additionally, in its recent biennial "Audit of the Completeness, Accuracy, Timeliness, and Quality of GSA's 2019 DATA Act Submission" for the first quarter, the OIG found GSA's financial and award data to be of "higher" quality, the highest grade allowable.
The Antideficiency Act (ADA), Pub.L. 97-258, 96 Stat. 923, prohibits Federal agencies from incurring obligations or expending funds in advance or in excess of an appropriation. The law was initially enacted in 1884, with major amendments occurring in 1950 and 1982. It is now codified at 31 U.S.C. § 1341.
In FY 2019, OMB confirmed an FY 2017 ADA violation related to the Acquisition Services Fund (ASF). In response, GSA implemented a corrective action plan that enhances forecasting capabilities. In addition, OMB amended the FY 2019 ASF apportionment to allow for automatic increases to the apportionment in the event of unanticipated customer orders placed above the apportioned levels, thus eliminating the cause of the ADA.
GSA is also working with OMB to reach a decision for a potential FY 2017 violation of the ADA related to the Federal Citizens Services Fund (FCSF). The FCSF was used to improve search capability for State and local Government websites without reimbursement, potentially in contravention of the fund’s authorizing statutes. GSA discontinued these support services in February 2017.