Appendix E � HHS FY 2003 Federal Financial Management Improvement Act (FFMIA) Report on Compliance

Auditors of Executive Agencies' financial statements are required to report if the agencies' financial management systems are in substantial compliance with the requirements of the Federal Financial Management Improvement Act of 1996. Such audits are to be conducted in accordance with OMB's revised FFMIA Implementation Guidance, dated January 4, 2001.

Under FFMIA, agencies also are required to report whether their financial management systems substantially comply with the federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level.

The Department's FY 2003 financial statement audit revealed two instances (discussed below) in which HHS financial management systems did not substantially comply with federal financial management systems requirements. HHS concurs with the auditors' findings.

Instances of Non-Compliance

Non-Compliance Number 1: Financial Management Systems and Processes

The financial management systems and processes used by HHS and its agencies made it difficult to prepare reliable, timely financial statements. The processes required extensive, time-consuming manual spreadsheets and adjustments in order to report accurate financial information;
At most HHS agencies, suitable systems were not in place to adequately support sufficient reconciliation and analyses of significant fluctuations in account balances; and
The CMS did not have an integrated accounting system to capture expenditures at the Medicare contractor level, and certain aspects of the financial reporting system did not conform to the requirements specified by the Joint Financial Management Improvement Program. The CMS needed extensive consultant support to establish reliable accounts receivable balances.

Non-Compliance Number 2: General and Application Controls

General and application controls over the Medicare contractors' financial management systems, as well as systems of certain other operating divisions were significant departures from requirements specified in OMB Circular A-127, "Financial Management Systems," and OMB A-130, "Management of Federal Information Resources."

The FY 2003 audit recognized the significant steps taken by the Department to resolve material weaknesses found in previous years. Following is a summary of some of the corrective actions taken and the current status for each of the areas of non-compliance.

Corrective Actions

Financial Management Systems and Processes

The Department's long-term strategic plan to resolve this material weakness is to replace the existing accounting systems and certain other financial systems within the Department. The short-term focus has been on improving the quality of the data in the accounting systems by increasing periodic reconciliation and analyses, and implementing a web-based Automated Financial System for collecting and consolidating financial statements department-wide. Over the last several years HHS has continued to make progress in strengthening its financial management and has a plan to bring its financial management systems into compliance with the FFMIA by replacing antiquated financial systems with the Unified Financial Management System.

A major sub-component of the unified system is the CMS Healthcare Integrated General Ledger Accounting System (HIGLAS), which will replace the Medicare contractors' different systems, both manual and automated, currently used by Medicare contractors. HIGLAS will integrate with Medicare's three existing standard claims processing systems. In addition, the current mainframe-based financial system will be replaced by this web-based system. With national implementation of HIGLAS, the financial material weakness under FFMIA will be eliminated. Following are examples of the Department's FY 2003 achievements:

At the CMS central office (CO), procedures were implemented that resulted in adjustments to accounts receivable balances reported by the contractors. However, these procedures did not ensure that accounts receivable activity included on the contractor financial reports was properly supported by detailed transactions. CMS uses formal procedures for financial reporting analysis; and
CMS continues to provide instructions and guidance to the Medicare contractors and its CO and regional offices (RO). They continue to contract with Independent Public Accountants to test financial management internal controls and to analyze accounts receivable at Medicare contractors. CMS created workgroups comprised of CO and RO consortia staff to serve as subject matter experts responsible for addressing four key areas: follow up on the Corrective Action Plans; reconciliation of funds expended to paid claims; trend analysis; and internal controls. As CMS progresses toward its long-term goal of developing an integrated general ledger system, they continue to provide training to the contractors to promote a uniform method of reporting and accounting for accounts receivable and related financial data. CMS also completed automated applications for preparing all five required principal financial statements.

Unified Financial Management System (UFMS)

Established the UFMS Program Management Office, including hiring the UFMS Program Director, to lead the effort.
Hired a nationally recognized company to serve as the program's systems integrator.
Established the UFMS governance structure in which top departmental executives, including the operating components' Chief Financial Officers and Chief Information Officers, actively participate.
Selected the commercial off-the-shelf (COTS) software to serve as the core system application/infrastructure.
Developed a department-wide budget and accounting classification structure.
Compiled department-wide financial requirements applicable to UFMS.
Developed key planning documents, including Risk Assessment and Mitigation Plan, Change Management (Business Transformation) Plan, Performance Management Plan, and Core Target Business Model.
Developed the UFMS business case (which was finalized by the UFMS PMO and approved by the HHS Information Technology Internal Review Board on November 5, 2002).
NIH commenced implementation of the general ledger component of the NIH New Business System in October 2002.
NIH is participating in the UFMS planning and global activities. NIH will assess the impact of changes to its core financial management implementation and will work with the UFMS program team to incorporate the changes, as global elements are determined. NIH will participate in and follow the direction of the UFMS Change Control Board.
Began implementation at CDC. CDC has participated in Global Fit/Gap analysis sessions for CDC specific requirements. CDC has completed the initial process design and is participating in configuration workshops.
Completed the CDC Global Conference Room Pilot 1.
Began implementation at FDA. Finalized the FDA requirements, completed FDA process flows and accessed the impact on the FDA workforce.

Healthcare Integrated General Ledger Accounting System (HIGLAS)

Established CMS HIGLAS Program Office with a staff of 20 FTEs.
Initiated implementation of an approved CMS Joint Financial Management Improvement Program COTS product at the two pilot Medicare contractors.
Established the HIGLAS project baseline and began the design and build of HIGLAS functional solution for two Medicare contractor pilots.
Finalized the following project management plans:

Business Solution Test Plan;
Communications Plan;
Configuration Management Plan;
Detailed Pilot Implementation Plan;
Master Project Plan;
Project Management Plan;
Project Work Plan;
Quality Assurance Plan;
Requirements Management Plan;
Risk Management Plan;
Stress Test Plan;
Systems Software Process Improvement Plan; and
First of multiple iterations of the Architectural View.

Conducted four Conference Room Pilots to refine business requirements and solutions.
Established the Application Service Provider and technical infrastructure, and are running 11 nonproduction instances of the Oracle software in a test environment.
Established the HIGLAS Change Control Board with support from the Technical Configuration Committee, Requirements Management Committee, and the Performance Work Group to assure decisions are made accurately and timely.
Established an Earned Value Management System that produces reports to assist project monitoring and control.
Established HIGLAS Systems Engineering Portal for project communication.
Created a HIGLAS website at www.cms.hhs.gov/ to provide program status for project stakeholders.

General and Application Controls

For CMS, the OIG acknowledged in its findings that during FY 2003 the Department made considerable progress in identifying weaknesses in its automated processing systems. Specifically, CMS identified several weaknesses in the performance of vulnerability assessments, Statement on Auditing Standards (SAS) 70 internal control reviews, the compilation of Medicare contractor controls self-assessments, OIG assessment, and related procedures. This effort provides a baseline for further improvements. CMS embraces the need to assess the risks inherent in its operations and programs, assess financial and operational priorities, and seek additional resources as necessary to correct known deficiencies.

CMS relies extensively on EDP operations at CO and the Medicare contractors to administer the Medicare program and to process and account for Medicare expenditures. Internal controls over these operations are essential to ensure the integrity, confidentiality, and reliability of critical data while reducing the risk of errors, fraud, and other illegal acts. In FY 2003, weaknesses at the Medicare contractors, as well as certain application control weaknesses at the contractors' shared systems, continued. Such weaknesses do not effectively prevent: 1) unauthorized access to and disclosure of sensitive information; 2) malicious changes that could interrupt data processing or destroy files; 3) improper Medicare payments; or 4) disruption of critical operations. The OIG aggregated the findings at the Medicare contractors and CMS CO into one material weakness. No findings at a single location were considered material.

CMS continues to make progress toward resolving this issue by revising our information systems security requirements for Medicare contractors. The CMS Core Information Security Requirements adhere to guidelines in the Office of Management and Budget (OMB) Circular A-130 and implement effective control procedures. In FY 2003, CMS completed a prototype of a system security plan methodology for Medicare contractors and developed and implemented new background investigation procedures. We also developed policy and procedures for software quality assurance, as well as developed, tested, and implemented a systems software change audit review process.

The other HHS agencies will continue to make progress toward resolving their general and application control issues. Additionally, UFMS will be designed and implemented within a secure application environment.

In the long term, HHS will continue to improve data integrity and reliability of its financial statements and financial reporting processes. Performing routine periodic reconciliation and financial analysis will help do this. Past performance on the part of HHS resulted in improved financial discipline and the achievement of an unqualified audit opinion on HHS financial statements for FYs 1999 � 2003. In addition, HHS will continue to strengthen Medicare EDP controls and improve systems security.

The corrective actions to remedy these issues will be developed by HHS components and included in the HHS CFO's Five-Year Plan.

Last revised: January 12, 2004

The White House | USA.gov | Helping America's Youth