Appendix E - HHS FY 2003 Federal Financial Management Improvement Act (FFMIA) Report on Compliance
Auditors of Executive Agencies' financial statements are required to report if the agencies' financial management systems are in substantial compliance with the requirements of the Federal Financial Management Improvement Act of 1996. Such audits are to be conducted in accordance with OMB's revised FFMIA Implementation Guidance, dated January 4, 2001.
Under FFMIA, agencies also are required to report whether their financial management systems substantially comply with the federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level.
The Department's FY 2003 financial statement audit revealed two instances (discussed below) in which HHS financial management systems did not substantially comply with federal financial management systems requirements. HHS concurs with the auditors' findings.
Instances of Non-Compliance
Non-Compliance Number 1: Financial Management Systems and Processes
Non-Compliance Number 2: General and Application Controls
The FY 2003 audit recognized the significant steps taken by the Department to resolve material weaknesses found in previous years. Following is a summary of some of the corrective actions taken and the current status for each of the areas of non-compliance.
Financial Management Systems and Processes
The Department's long-term strategic plan to resolve this material weakness is to replace the existing accounting systems and certain other financial systems within the Department. The short-term focus has been on improving the quality of the data in the accounting systems by increasing periodic reconciliation and analyses, and implementing a web-based Automated Financial System for collecting and consolidating financial statements department-wide. Over the last several years HHS has continued to make progress in strengthening its financial management and has a plan to bring its financial management systems into compliance with the FFMIA by replacing antiquated financial systems with the Unified Financial Management System.
A major sub-component of the unified system is the CMS Healthcare Integrated General Ledger Accounting System (HIGLAS), which will replace the different systems, both manual and automated, currently used by Medicare contractors. HIGLAS will integrate with Medicare's three existing standard claims processing systems. In addition, the current mainframe-based financial system will be replaced by this web-based system. With national implementation of HIGLAS, the financial material weakness under FFMIA will be eliminated. Following are examples of the Department's FY 2003 achievements:
Unified Financial Management System (UFMS)
Healthcare Integrated General Ledger Accounting System (HIGLAS)
General and Application Controls
For CMS, the OIG acknowledged in its findings that during FY 2003 the Department made considerable progress in identifying weaknesses in its automated processing systems. Specifically, CMS identified several weaknesses in the performance of vulnerability assessments, Statement on Auditing Standards (SAS) 70 internal control reviews, the compilation of Medicare contractor controls self-assessments, OIG assessment, and related procedures. This effort provides a baseline for further improvements. CMS embraces the need to assess the risks inherent in its operations and programs, assess financial and operational priorities, and seek additional resources as necessary to correct known deficiencies.
CMS relies extensively on EDP operations at CO and the Medicare contractors to administer the Medicare program and to process and account for Medicare expenditures. Internal controls over these operations are essential to ensure the integrity, confidentiality, and reliability of critical data while reducing the risk of errors, fraud, and other illegal acts. In FY 2003, weaknesses at the Medicare contractors, as well as certain application control weaknesses at the contractors' shared systems, continued. With such weaknesses, controls do not effectively prevent: 1) unauthorized access to and disclosure of sensitive information; 2) malicious changes that could interrupt data processing or destroy files; 3) improper Medicare payments; or 4) disruption of critical operations. The OIG aggregated the findings at the Medicare contractors and CMS CO into one material weakness. No findings at a single location were considered material.
CMS continues to make progress toward resolving this issue by revising our information systems security requirements for Medicare contractors. The CMS Core Information Security Requirements adhere to guidelines in the Office of Management and Budget (OMB) Circular A-130 and implement effective control procedures. In FY 2003, CMS completed a prototype of a system security plan methodology for Medicare contractors and developed and implemented new background investigation procedures. We also developed policy and procedures for software quality assurance, as well as developed, tested, and implemented a systems software change audit review process.
The other HHS agencies will continue to make progress toward resolving their general and application control issues. Additionally, UFMS will be designed and implemented within a secure application environment.
In the long term, HHS will continue to improve data integrity and reliability of its financial statements and financial reporting processes. Performing routine periodic reconciliation and financial analysis will help achieve this. Past performance on the part of HHS resulted in improved financial discipline and the achievement of an unqualified audit opinion on HHS financial statements for FYs 1999-2003. In addition, HHS will continue to strengthen Medicare EDP controls and improve systems security.
The corrective actions to remedy these issues will be developed by HHS components and included in the HHS CFO's Five-Year Plan.
Last revised: January 12, 2004