United States Department of Health & Human Services
Appendix E - FY 2005 Federal Financial Management Improvement Act Report on Compliance

Auditors of Executive Agencies’ financial statements are required to report if the agencies’ financial management systems are in substantial compliance with the requirements of the Federal Financial Management Improvement Act (FFMIA) of 1996. Such audits are to be conducted in accordance with OMB’s revised FFMIA Implementation Guidance, dated January 4, 2001.

Under FFMIA, agencies also are required to report whether their financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal Accounting Standards, and the United States Government Standard General Ledger (USSGL) at the transaction level.

Instances of Noncompliance

The Department’s FY 2005 financial statement audit revealed one instance of noncompliance - Financial Systems and Processes, in which HHS financial management systems did not substantially comply with federal financial management systems requirements. The one noncompliance includes four sub-components: 1a) CMS’ financial systems analysis and oversight, 1b) the Department’s Payroll System, 1c) the CORE accounting system, and 1d) NIH’s Center for Information Technology (CIT). HHS concurs with the auditor’s findings.

In last year’s report (FY 2004 PAR), the auditors reported 3 FFMIA non-compliances: 1) Financial Systems and Processes, 2) CMS Financial Systems and Analysis, and 3) Departmental Payroll System. These three non-compliances have now been consolidated into one noncompliance with 2 sub-components. In addition, the auditors identified 2 new non-compliances, the core accounting system and the NIH Center for Information Technology (CIT), which they are reporting as additional sub-components of the one non-compliance, Financial Systems and Processes.

Instances of Noncompliance

Noncompliance Number 1: Financial Management Systems and Processes

  • The financial management systems and processes used by HHS and its agencies made it difficult to prepare reliable and timely financial statements. The processes required extensive, time-consuming manual spreadsheets and adjustments to report accurate financial information;
  • At most HHS Agencies, suitable systems were not in place to adequately support sufficient reconciliation and analyses of significant fluctuations in account balances; and
  • CMS did not have an integrated accounting system to capture expenditures at the Medicare contractor level, and certain aspects of the financial reporting system did not conform to the requirements specified by the Joint Financial Management Improvement Program. CMS needed extensive consultant support to establish reliable accounts receivable balances.

Noncompliance Number 1a: General and Application Controls

General and application controls over the Medicare contractors’ financial management systems, as well as systems of certain other HHS Agencies, departed significantly from requirements specified in OMB Circular A-127, Financial Management Systems, and OMB Circular A-130, Management of Federal Information Resources.

Noncompliance Number 1b: Payroll System

The Independent Auditor’s Report for the Human Resources Service Personnel and Payroll Systems’ General Information Technology and Application Controls identified certain controls related to the application software development and change controls for the Commissioned Corps Personnel/Payroll System (COPPS) that were not operating effectively.

Following are three of the seven findings from the SAS-70 audit report (four items not included for security concerns):

  • Inspected the service level agreement between PSC and ITSC and determined that the security responsibilities between HRS and ITSC were not documented in sufficient detail.
  • Inspected a selection of four background investigations for CCSB new hires and determined that background investigations were performed commensurate with job responsibilities for three of the four new hires selected.
  • Inspected a list of individuals awaiting access to the Silver Spring data center and inquired of HRS management and were informed that their individuals on the list were not approved by HRS for access.

Noncompliance Number 1c: Core Accounting Systems

The Independent Service Auditors’ Report for the Division of Financial Operations related to the general information technology and application control environment over the CORE Accounting Systems and feeder systems identified that certain controls were not operating effectively. These controls related to application software development and change controls; computer resources’ protection against unauthorized modification, disclosure, loss, or impairment; and changes to existing systems software and implementation of new system software.

Noncompliance Number 1d: NIH Center for Information Technology

CIT has procedures for systems software implementation and maintenance for the Windows and Mainframe environment. However, documentation and logging of change requests, authorizations, testing, and approval for the Mainframe and Windows environment are inconsistent and incomplete. This resulted in controls not being suitably designed for the control objective - "Controls provide reasonable assurance that all changes to hardware and operating systems software in the Windows and Mainframe environment are authorized, properly tested, reviewed, approved, documented, and implemented" - as they relate to the Mainframe and Windows environment.

Several federal financial management applications are hosted on the mainframe, including the NIH CIT Central Accounting System.

To make the HHS general ledger USSGL-compliant, the Department has created an extension, based on the Common Accounting Number (CAN)-Budget Accounting Classification Structure (BACS) crosswalk, which will select the correct Treasury transaction codes. This extension will enforce rules and populate the correct values to make the Unified Financial Management System (UFMS) USSGL-compliant.

The FY 2005 audit recognized the significant steps taken by the Department to resolve material weaknesses found in previous years.

The following is a summary of some of the corrective actions taken and the current status for each of the areas of noncompliance.

Corrective Actions

FFMIA Systems and Processes

The Department’s long-term strategic plan to resolve this material weakness is to replace the existing accounting systems and certain other financial systems within the Department with the UFMS. The short-term focus has been on improving the quality of the data in the accounting systems by increasing periodic reconciliation and analyses, and implementing a web-based automated financial system for collecting and consolidating financial statements Department-wide. Over the last several years HHS has continued to make progress in strengthening its financial management and has a plan to bring its FFMIA systems into compliance by replacing antiquated financial systems with the UFMS.

A major subcomponent of UFMS is the CMS Healthcare Integrated General Ledger Accounting System (HIGLAS). The lack of an integrated financial management system continues to impair CMS’ and the Medicare contractors’ abilities to adequately support and analyze accounts receivable and other financial balances reported.

FY 2005 Unified Financial Management System (UFMS) Accomplishments

  • Began implementation at the Program Support Center (PSC).
  • The Food and Drug Administration conducted a successful conference room pilot.
  • The Centers for Disease Control and Prevention (CDC) conducted mock conversions 1-4.
  • CDC began end-user training.
  • CDC conducted integration testing.
  • PSC conducted a conference room pilot.
  • Travel module deployed at the National Institutes of Health (NIH) for HHS travelers.
  • Implemented Oracle General Ledger and Federal Administrator at NIH.
  • Completed full implementation of core financial modules at CDC and FDA.

The CMS is implementing a comprehensive plan to bring its financial systems into compliance. Specifically, CMS has initiated steps to implement an integrated standard general ledger system, known as HIGLAS, for the Medicare contractors and regional and central offices. HIGLAS will initially integrate the CMS’ financial systems with two of the Medicare contractors’ existing shared claims processing systems. The CMS’ current mainframe-based financial system will also be replaced by HIGLAS, the foundation of which is a web-based, commercial-off-the-shelf system. The HIGLAS has been deployed at four of the largest CMS Medicare contractors: two pilot Medicare contractors, Palmetto GBA (Fiscal Intermediary, May 2005) and Empire Medicare Services (Carrier, July 2005), and two non-pilot Medicare contractors, Empire Medicare Services (Fiscal Intermediary, August 2005) and First Coast Service Options (Fiscal Intermediary, September 2005). This level of deployment makes progress towards compliance with the requirements of the FFMIA. The CMS will meet its original goal for materiality of financial operations by the end of FY 2006. HIGLAS will be FFMIA compliant in FY 2008, and fully implemented by FY 2011.

FY 2005 HIGLAS Accomplishments

  • Established a CMS HIGLAS program office with a staff of 20 full-time equivalents. An FY 2002 action, the HIGLAS program office continues to exist.
  • Completed implementation of an approved JFMIP commercial-off-the-shelf product for the two pilot contractors and two non-pilot contractors.
  • Initiated transition and conversion activities for two additional non-pilot contractors who are on schedule for implementation in the second and third quarters of FY 2006.
  • Established the Application Service Provider and technical infrastructure, and is running 11 non-production instances of the Oracle software in a test environment.
  • Created a HIGLAS website at www.cms.hhs.gov to provide program status for project stakeholders.

Medicare General and Application Controls

The CMS recognizes the significance of security measures regarding Medicare EDP issues as they relate to the integrity, confidentiality, and availability of sensitive Medicare data. The CMS continues to accept risk, primarily due to the large size and complexity of the Medicare fee-for-service claims processing system and number of data centers. The sheer magnitude of the Medicare claims processing system, encompassing 14 data centers and 32 entities that process claims, coupled with the level of aggressive oversight guarantees that there will always be findings.

The major focus needs to be on limiting the number of findings including critical or high-risk vulnerabilities.

The CMS revised its strategy to address CFO EDP audit issues in FY 2005. This strategy was successfully implemented as the prior material weakness has been downgraded to reportable conditions in the areas of logical access controls; and application security, development and program change control. The report of the independent contractors noted improvements in the areas of entity-wide security program, systems software and service continuity planning and testing. The CMS has now refined the strategy further to eliminate the two reportable conditions. This refinement extends through FY 2007 after which CMS plans for the CFO EDP reportable conditions to be eliminated from its financial statements. The CMS’ objectives are to eliminate by September 30, 2006 all findings within each of the reportable conditions as reported as part of the CFO EDP audit that are attributable to inadequate management oversight. By September 30, 2007, CMS’ objective is to put into place the appropriate processes and controls to eliminate both the reportable conditions and the root causes for the reportable conditions.

The CMS strategy to accomplish the objectives involves a short-, mid- and long-term approach to correct all technical and management vulnerabilities and emplace a strong management oversight program to eliminate the root causes of the problems. The short-term strategy is simply to correct all vulnerabilities attributable to inadequate management oversight from whatever source in FY 2006. "Whatever source" includes SAS 70 audits, CFO EDP findings, and the results of other evaluations, tests or assessments at both central office and the Medicare contractors. The mid-term strategy is to address the system or root causes for the vulnerabilities. The long-term strategy is to sustain the improvements implemented in the short and mid-term. The CMS’ progress in addressing individual findings is measured by its Plan of Actions and Milestones Report, which is submitted to HHS and OMB.

The long-term strategy in eliminating the reportable conditions also includes the CMS’ revitalization initiative that will further improve its security posture. A more secure system environment is a key component of the revitalization plan. The CMS is building security into the agency’s modernized infrastructure through capital investments targeted to reduce its security perimeter. The CMS will limit its exposure to risk through preemptive measures such as data center consolidation and Medicare contractor reform. This simplification of CMS’ contractor environment will leave less opportunity for exploitation than is the case in the current highly complex systems environment. The CMS plans for its security perimeter to be considerably smaller than is the situation today.

Payroll System

The independent Service Auditor’s Report for the Human Resources Service Personnel and Payroll Systems’ General Information Technology and Application Controls identified certain controls related to the application software development and change controls for the Commissioned Corps Personnel/Payroll System (COPPS) that were not operating effectively.

Centers of Excellence

HHS currently meets the following goals of the Financial Management Line of Business (FMLoB):

Goal: Select a Center of Excellence (COE) which will host the Department’s core financial management systems and to which the Department may migrate its financial management services.

Status: Commercial centers of excellence are currently hosting HHS’ core accounting systems. Additional milestones related to the selection of a different hosting facility are not appropriate for consideration until the HHS Unified Financial Management System (UFMS) implementation has been completed.

Goal: Migrate financial management hosting (and potentially services) to the selected COE.

Status: Commercial facilities are currently being utilized for the hosting of HHS’ core accounting systems (CMS HIGLAS: IBM facilities; UFMS: AT&T facility via the CDC Mid-Tier Data Center). Additional milestones related to the migration to a different hosting facility are not appropriate for consideration until the HHS Unified Financial Management System (UFMS) implementation has been completed.
