United States Department of Health & Human Services

Appendix E - FY 2004 Federal Financial Management Improvement Act Report on Compliance

Auditors of Executive Agencies' financial statements are required to report if the agencies' financial management systems are in substantial compliance with the requirements of the Federal Financial Management Improvement Act (FFMIA) of 1996. Such audits are to be conducted in accordance with OMB's revised FFMIA Implementation Guidance, dated January 4, 2001.

Under FFMIA, agencies also are required to report whether their financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger (USSGL) at the transaction level.

Instances of Noncompliance

Noncompliance Number 1: Financial Management Systems and Processes

The financial management systems and processes used by HHS and its agencies made it difficult to prepare reliable and timely financial statements:

  • The processes required extensive, time-consuming manual spreadsheets and adjustments to report accurate financial information;
  • At most HHS Agencies, suitable systems were not in place to adequately support sufficient reconciliation and analyses of significant fluctuations in account balances; and
  • CMS did not have an integrated accounting system to capture expenditures at the Medicare contractor level, and certain aspects of the financial reporting system did not conform to the requirements specified by the Joint Financial Management Improvement Program. CMS needed extensive consultant support to establish reliable accounts receivable balances.

Noncompliance Number 2: General and Application Controls

General and application controls over the Medicare contractors’ financial management systems, as well as systems of certain other HHS Agencies, were significant departures from requirements specified in OMB Circular A-127, Financial Management Systems, and OMB Circular A-130, Management of Federal Information Resources.

Noncompliance Number 3: Departmental Payroll System

The Independent Service Auditor's Report for the Human Resource Service identified certain controls related to the Entity-wide Security Program, logical and physical access, segregation of duties, and authorization and completeness that were not operating effectively.

Instances of Noncompliance

The Department's FY 2004 financial statement audit revealed two instances (see chart) in which HHS financial management systems did not substantially comply with Federal financial management systems requirements. HHS concurs with the auditor's findings.

To make the HHS general ledger USSGL-compliant, the Department has created an extension, based on the Common Accounting Number (CAN)-Budget Accounting Classification Structure (BACS) crosswalk, which will select the correct Treasury transaction codes. This extension will enforce rules and populate the correct values to make UFMS USSGL-compliant.

The FY 2004 audit recognized the significant steps taken by the Department to resolve material weaknesses found in previous years. The following is a summary of some of the corrective actions taken and the current status for each of the areas of noncompliance.

Corrective Actions

Financial Management Systems and Processes

The Department's long-term strategic plan to resolve this material weakness is to replace the existing accounting systems and certain other financial systems within the Department. The short-term focus has been on improving the quality of the data in the accounting systems by increasing periodic reconciliation and analyses, and on implementing a web-based Automated Financial System for collecting and consolidating financial statements Department-wide. Over the last several years HHS has continued to make progress in strengthening its financial management and has a plan to bring its systems into FFMIA compliance by replacing antiquated financial systems with the Unified Financial Management System (UFMS).

A major subcomponent of UFMS is the CMS Healthcare Integrated General Ledger Accounting System (HIGLAS). The lack of an integrated financial management system continues to impair the ability of CMS and the Medicare contractors to adequately support and analyze accounts receivable and other reported financial balances. CMS is implementing a comprehensive plan to bring its financial systems into compliance. Specifically, CMS has initiated steps to implement an integrated standard general ledger system, HIGLAS, for the Medicare contractors and for its regional and central offices. HIGLAS will initially integrate CMS' financial systems with the Medicare contractors' two existing shared claims processing systems. CMS' current mainframe-based financial system will also be replaced by HIGLAS, whose foundation is a web-based, Joint Financial Management Improvement Program (JFMIP)-certified, commercial-off-the-shelf system. CMS' current plans are that by the end of FY 2005, HIGLAS will have been deployed at eight of the largest CMS Medicare contractors. This level of deployment will not comply with the requirements of the FFMIA; the Department will not reach the required level of materiality of financial operations until the end of FY 2006. Full implementation of HIGLAS is expected to be completed in FY 2007.

Following is an example of the Department's FY 2004 achievements:

  • CMS continues to provide instructions and guidance to the Medicare contractors and to its central and regional offices. It continues to contract with independent public accountants to test financial management internal controls and to analyze accounts receivable at Medicare contractors. CMS created work groups composed of central and regional office consortia staff to serve as subject matter experts responsible for addressing four key areas: (1) follow-up on the corrective action plans; (2) reconciliation of funds expended to paid claims; (3) trend analysis; and (4) internal controls. As CMS progresses toward its long-term goal of developing an integrated general ledger system, it continues to provide training to the contractors to promote a uniform method of reporting and accounting for accounts receivable and related financial data. CMS also completed automated applications for preparing all five required principal financial statements.

FY 2004 HIGLAS Accomplishments

  • Established a CMS HIGLAS program office with a staff of 20 full-time equivalents. An FY 2002 action; the HIGLAS program office continues to operate.
  • Continued implementation of an approved JFMIP commercial-off-the-shelf product at the two pilot sites.
  • Completed the design and building of HIGLAS functional specifications/requirements for the two Medicare contractor pilot locations, with continuous project planning, status updating, and monitoring.
  • Conducted five technical requirement pilots in nine sessions. All activities were completed in FY 2004.
  • Established the Application Software Provider and technical infrastructure, and is running 11 non-production instances of the Oracle software in a test environment. The provider transitioned from a PricewaterhouseCoopers contract with EDS to an IBM data center during FY 2004.
  • Established the HIGLAS Change Control Board, with support from the Technical Configuration Committee, Requirements Management Committee, and the Performance work group, to ensure decisions are made accurately and in a timely manner. An FY 2002 activity; these groups continue to support HIGLAS.
  • Established an Earned Value Management System that produces reports to assist project monitoring and control. Established initially in FY 2002 and again in FY 2003, when IBM was awarded a new contract.
  • Created a HIGLAS website at www.cms.hhs.gov/ to provide program status for project stakeholders. Initially created in FY 2002.

General and Application Controls

The CMS recognizes the significance of security measures regarding Medicare EDP issues as they relate to the integrity, confidentiality, and availability of sensitive Medicare data. The CMS received funding in August 2002 to mitigate identified security weaknesses at the Medicare contractors and data centers. The distribution, based on a risk analysis, was to fund system security plans for the contractor claims processing systems, access controls, systems software, segregation of duties, and service continuity. Funding decisions were risk-based and business driven. Remediation of additional weaknesses was funded in FY 2004 through redistribution of funds remaining from the initial FY 2002 distribution. The full implementation of the modernization program will address issues contributing to the material weakness.

Primarily due to the large size and complexity of the Medicare Fee-for-Service claims processing system and the number of data centers, the completion dates will extend into 2006. The FY 2004 report will be issued in November 2004. The sheer magnitude of the Medicare claims processing system, encompassing 16 data centers and 33 entities that process claims, coupled with the level of aggressive oversight, guarantees that there will always be findings. The issue is to keep these to a manageable number with no critical vulnerabilities.

It is important that funding has been requested and received for FY 2004 as part of the CMS Modernization initiative. Additional funding is requested for FY 2005. The CMS Modernization initiative is the long-term plan for addressing these security issues, e.g., by reducing the security perimeter through Medicare contractor reform and data center consolidation.

The CMS strategy is to make investments in the short run to create a more secure systems environment where security platforms have been upgraded and integrated, e.g., robust firewalls, intrusion detection, authentication, etc., but not to expend all available resources on addressing individual audit findings. Resources will be set aside for critical weaknesses but also for strategic purposes such as CMS information technology modernization, specifically contractor reform and a reduction in the number of data centers, and the introduction of enterprise security services such as intrusion detection.

The CMS continues to make progress in identifying and addressing individual weaknesses in its automated processing systems. This is accomplished through a rigorous corrective action process. All weaknesses are tracked to completion as part of the CMS Plan of Actions and Milestones (POA&M) report. CMS also is proactive in its oversight of the contractors. CMS performs vulnerability assessments, Statement on Auditing Standards No. 70 (Service Organizations) reviews, and internal control reviews, and requires Medicare contractors to perform internal control self-assessments. The CMS has also revised its information systems security requirements. The CMS Core Information Security Requirements adhere to statutory requirements such as the Health Insurance Portability and Accountability Act security rule and the Federal Information Security Management Act requirements, and to guidelines issued by the Office of Management and Budget (Circular A-130, Federal Information Systems) and the National Institute of Standards and Technology. In FY 2004, CMS required Medicare contractors to update and submit security plans. Controls were implemented to monitor and evaluate requests for source code changes to the Fiscal Intermediary Standard System. In FY 2004, CMS also initiated additional vulnerability testing of all Medicare data centers to identify weaknesses in the claims processing networks. All weaknesses are tracked as part of the CMS POA&M report.

Hundreds of security safeguards in the areas below were funded and implemented at the contractor sites based on their self-assessments and CMS' analysis of the risks associated with not meeting the requirements. Most of these safeguards were implemented in FY 2003 and 2004. All self-assessments and safeguards were reviewed and accepted by CMS prior to the distribution of funding. The CMS oversees the implementation of funding via on-site visits.

The key to resolving the material weaknesses is building a secure claims processing environment via CMS' Modernization initiative. Data center consolidation and Medicare contractor reform mandated by the Medicare Modernization Act will contribute to a more secure environment.

CMS believes its actions to fund remediation of critical vulnerabilities and to increase its oversight of the contractors will be sufficient to plug the most significant gaps in security and, as a result, reduce the material weakness to a reportable condition. The CMS Modernization initiative is the long-term plan for addressing these security issues, e.g., by reducing the security perimeter through Medicare contractor reform and data center consolidation.

Departmental Payroll System

The Human Resources Service (HRS) and the Information Technology Service Center (ITSC) are committed to addressing the audit findings proactively and implementing remedial actions in the following manner:

The Entity-Wide Security Program and logical and physical access findings relate to the network. The ITSC's management response to these findings is that the certification and accreditation (C&A) of both the Silver Spring Center LAN and the Division of Commissioned Personnel LAN was completed in June 2003. A unified ITSC network is scheduled to be established in FY 2005, and it will be authorized, certified, and accredited. The unified ITSC network will have a security plan, and a risk assessment will be conducted upon implementation. A C&A is planned for the Silver Spring Center computer room.

The network password faults cited are the result of a migration process from NT to Windows 2000 Active Directory that was halted during the transition to ITSC control of the network. This process will be completed by ITSC, and the settings returned to ones meeting NIST standards. Those standards will also address the password complexity issues mentioned.

The ITSC will also be implementing patch and vulnerability management products enterprise-wide to ensure devices are properly patched, configured, and scanned on a regular basis to maintain their security posture. In addition, the vulnerability remediation product will be capable of verifying compliance with security templates meeting the requirements of NIST, ISO 17799, or other standards as appropriate. All of this will take place in the context of the development of a security plan and program for the ITSC's consolidated infrastructure.

For segregation of duties and authorization and completeness, the corrective action will be to implement additional independent reviews of code moved into production. Currently, HRS is developing a plan for database audit logging of PeopleTools code tables to verify that changes are made only during scheduled code migration periods. HRS is evaluating alternative source code management packages, such as Quest Software's STAT product, to meet this remedial need. In addition, security for migrations will be limited to the migration lead and the migration backup individuals. All other access by Operations and Maintenance staff will be limited to read-only for any database code objects.

HRS has implemented the removal of accounts with 15 months of inactivity and conducted periodic reviews of audit operator tables (user access tables). Aged user accounts will be removed on a periodic basis. Security responsibilities will be formally documented in the updated Security Features User's Guide (SFUG) as part of the re-certification process. EHRP roles and permission lists will be reviewed and adjusted as part of the user and agency administrator re-certification.
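The two payroll-system controls above (audit logging of code-table changes so that any change outside a scheduled migration window, or by anyone other than the migration lead or backup, is flagged for review; and removal of accounts after 15 months of inactivity) are easy to express as checks over the logs the system already keeps. The following is an added illustration, not HRS/EHRP code: the audit-log rows, the migration window, the two migration user IDs and the code-table names are all constructed placeholders, and the audit-log format is assumed to be a simple timestamp|user|object|action line per change.

```python
"""Detection checks for two controls, written as a constructed example.

1. Code-table changes must occur inside a scheduled migration window and be
   made by the migration lead or backup; any other change is flagged.
2. Accounts with no activity for 15 months or more are listed for removal.
"""
from datetime import datetime

# Hypothetical user IDs of the migration lead and migration backup.
MIGRATION_STAFF = {"mig_lead", "mig_backup"}

# Hypothetical scheduled migration windows, as (start, end) pairs.
MIGRATION_WINDOWS = [
    (datetime(2004, 6, 12, 22, 0), datetime(2004, 6, 13, 2, 0)),
]

# Constructed audit-log rows (timestamp|user|object|action), as a database
# audit trigger on a code table might record them. Object names are placeholders.
AUDIT_LOG = [
    "2004-06-12T22:15:00|mig_lead|CODE_TABLE_A|UPDATE",     # in window, authorized
    "2004-06-12T22:40:00|mig_backup|CODE_TABLE_B|INSERT",   # in window, authorized
    "2004-06-15T14:05:00|om_staff|CODE_TABLE_A|UPDATE",     # outside any window
    "2004-06-12T23:10:00|om_staff|CODE_TABLE_B|DELETE",     # in window, wrong actor
]

# Constructed user access table: user ID -> date of last activity (ISO date).
USER_ACCESS_TABLE = {
    "alice": "2003-05-15",   # 16 months before the as-of date below
    "bob":   "2003-07-01",   # 14 months, not yet stale
    "carol": "2004-08-20",   # recent
    "dave":  "2003-06-30",   # exactly 15 months: stale
}


def parse_audit_line(line):
    """Split one audit row into (datetime, user, object, action)."""
    ts, user, obj, action = line.strip().split("|")
    return datetime.fromisoformat(ts), user, obj, action


def in_window(ts, windows):
    """True when the timestamp falls inside any scheduled migration window."""
    return any(start <= ts <= end for start, end in windows)


def flag_unscheduled_changes(lines, windows=MIGRATION_WINDOWS, staff=MIGRATION_STAFF):
    """Return (timestamp, user, object, action, reasons) for every row that
    violates the migration-window or authorized-migrator rule."""
    findings = []
    for line in lines:
        ts, user, obj, action = parse_audit_line(line)
        reasons = []
        if not in_window(ts, windows):
            reasons.append("outside scheduled migration window")
        if user not in staff:
            reasons.append("actor is not migration lead or backup")
        if reasons:
            findings.append((ts.isoformat(), user, obj, action, "; ".join(reasons)))
    return findings


def months_inactive(last_activity, as_of):
    """Whole calendar months elapsed between last_activity and as_of."""
    months = (as_of.year - last_activity.year) * 12 + (as_of.month - last_activity.month)
    if as_of.day < last_activity.day:
        months -= 1
    return months


def stale_accounts(accounts, as_of, threshold_months=15):
    """User IDs whose last activity is threshold_months or more before as_of."""
    return sorted(
        user for user, last in accounts.items()
        if months_inactive(datetime.fromisoformat(last), as_of) >= threshold_months
    )


if __name__ == "__main__":
    for finding in flag_unscheduled_changes(AUDIT_LOG):
        print("REVIEW:", *finding)
    print("Remove (inactive >= 15 months):", stale_accounts(USER_ACCESS_TABLE, datetime(2004, 9, 30)))
```

The window check and the actor check are kept separate so that a reviewer sees why a row was flagged: a change by the migration lead at an odd hour is a scheduling question, whereas a change by Operations and Maintenance staff inside the window indicates the read-only restriction on code objects is not being enforced. The inactivity calculation counts whole calendar months, so an account is removed on the day the fifteenth month completes rather than on an approximate day count.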
