Appendix D - FY 2003 Federal Managers' Financial Integrity Act (FMFIA) Report on Systems and Controls
Introduction
This year, we have abbreviated the FMFIA report based on reader comments and comparisons with other
agency reports. We believe this streamlined report will be more useful and appealing to readers.
Overall Results
The FMFIA requires agencies to provide an annual statement of assurance on the effectiveness of their management, administrative and accounting controls, and financial management systems. The Department's annual assurance statement is contained in the Message from the Secretary (see page i) of this Performance and Accountability Report (PAR).
During FY 2003, HHS had no increase in Section 2 material weaknesses. One material weakness from prior years -- "Deficiency in the Enforcement Program for Imported Foods" (FDA 89-02) -- is no longer considered by HHS to be material at the department-wide level due to the substantial efforts made at the agency level by FDA to address this matter. One Section 4 material non-conformance related to financial systems and processes department-wide remained unresolved. The chart on page V.D.12 contains a summary of the FY 2003 findings including target correction dates.
In FY 2003, HHS managers were asked to review the GAO's 2003 High Risk list for HHS to determine if a material weakness exists. Except for GAO's findings -- Financial Systems and Processes and Medicare Information System Controls -- which were identified by the auditors in prior year CFO audits and included in our FMFIA reports, there were no new material weaknesses reported by the HHS agencies as FMFIA material weaknesses in their FMFIA reports.
HHS Management Control Program
HHS's management control program under the FMFIA and Revised OMB Circular A-123, Management Accountability and Control, reflects the Department's continuing commitment to safeguard the resources entrusted to it by reducing fraud, waste, and abuse, and preventing financial losses in HHS programs. HHS continually evaluates its program operations and systems through CFO annual financial statement audits, as well as other OIG and GAO audits, management reviews, systems reviews, etc., to ensure the integrity and efficiency of its operations. HHS program managers continue to improve management controls by identifying and correcting management control deficiencies.
The Department's FMFIA program supports a key objective in our HHS FY 2003 CFO Financial Management Five-Year Plan to respond to our diverse customers' needs by ensuring that the financial
information for their programs is accurate and that the financial systems and processes that support them maintain the highest level of integrity. HHS operating divisions are to have written strategies for assessing management controls on an ongoing basis and these strategies should be consistent with the Five-Year Financial Management Plan goals and targets.
In addition to our goal of obtaining a clean audit opinion on our annual financial statements, we have a related goal of resolving all internal control material weaknesses and reportable conditions cited by the auditors, including instances of non-compliance with the Federal Financial Management Improvement Act (FFMIA) as well as those identified through FMFIA reviews. For tracking and reporting on audit material
weaknesses, HHS has developed a department-wide CFO Corrective Action Plan, referred to as the "CAP". The CAP includes all of the findings resulting from the financial statement audits, including qualifications, material weaknesses, and reportable conditions. In FY 2003, we continued to submit the CAP quarterly to OMB. HHS achieved "green" in quarterly scorecard reports in part as a result of HHS making "good progress" in the CAP. The milestones for the material weaknesses included in this FMFIA report (see below) are consistent with the quarterly CAP milestones reported to OMB.
Material Weaknesses and Accounting System Non-Conformances
FY 2002 FMFIA Section 2, Material Weaknesses
In its FY 2002 Performance and Accountability report, HHS provided a qualified assurance for a material weakness at the Food and Drug Administration: "Deficiency in the Enforcement Program for Imported Foods" (FDA 89-02) under Section 2 of the FMFIA. As stated above, the Department has determined that FDA has made substantial efforts to date to address this material weakness. As a result, HHS has
determined that this material weakness does not represent a material weakness at the HHS corporate
level, although FDA continues to report this material weakness in its FMFIA report.
Following are some of the improvements FDA has made in its Enforcement for Imported Foods program:
Hired 600 new inspectors and lab personnel to monitor food imports;
Signed an agreement with the U.S. Army to design and develop mobile laboratories to be deployed to borders to analyze samples;
Acquired analytical equipment for field labs to handle large numbers of samples in case of terrorist contamination;
Acquired hand-held rapid test kits for 18 select agents;
Inspected, examined, and analyzed 106,080 imported foods; and
Conducted 167 inspections of foreign food establishments, priority "high risk", consistent with goal of 160 such inspections.
In the FY 2002 report, FDA estimated that it would complete corrective action to remove this material
weakness by FY 2006. However, FDA has revised its estimate for completing corrective action from FY
2006 to FY 2005. FDA reported that they are developing a risk-based inspection strategy, and that recently hired staff under the counterterrorism funding needs to be fully trained and utilized in performing some import-related functions.
FMFIA Section 4, Systems Non-Conformances
The FY 2002 FMFIA Report reflected a material non-conformance, Financial Systems and Processes
(HHS-00-01), under Section 4 of the FMFIA. This finding comprised three component findings: the
department-wide audit finding and the two separate audit findings at the Centers for Medicare and Medicaid Services (CMS) -- Financial Systems Analysis and Oversight (CMS-01-01) and Medicare EDP Controls (CMS 01-02). See below for detailed corrective action plans to address this Section 4 material nonconformance.
Unified Financial Management System � The Long Term Solution
The HHS financial auditors have cited the Department's lack of an integrated accounting system as a material weakness and a specific impediment in preparing timely financial reports and statements.
Secretary Thompson has directed a "One HHS" approach to managing the Department. One of the major tenets of the Secretary's approach is the development and implementation of the Unified Financial
Management System (UFMS) for the Department. In accordance with Secretary Thompson's June 2001 direction, the UFMS is to be composed of two primary components�one component for the Centers for
Medicare & Medicaid Services (CMS) called the Health Care Integrated General Ledger System (HIGLAS), and another component for the rest of the Department. The two components will be integrated to provide
for department-wide financial reporting. The unified system is to generate interim and annual financial statements, as well as other required external and internal financial reports. HHS will continue
implementation of UFMS/HIGLAS per the approved implementation plan to achieve compliance with the FFMIA/FMFIA Section 4 by FY 2005 and to remove related material weakness in financial statements. The
substantial implementation of the UFMS department-wide to achieve FFMIA compliance by FY 2005 includes implementation of the NIH Business and Research Support System (NBRSS), which will replace
NIH's current accounting system.
In the short term, HHS operating divisions have continued to make substantial progress in addressing
account analysis and reconciliation problems including implementing a more efficient process for preparing financial statements. NIH, for example, has implemented numerous additional analyses and reconciliations and a new, more disciplined process to prepare trial balances for preparation of NIH's financial statements.
CMS has also made substantial progress on mitigating the Electronic Data Processing (EDP) control
weaknesses and has revised its target for completing corrective action to FY 2004. Implementation of all
the safeguards will improve security, although the long-term fix for the Medicare contractors lies in the CMS IT Modernization initiative.
Federal Financial Management Improvement Act (FFMIA)
The Federal Financial Management Improvement Act (FFMIA) mandates among other things, that
agencies "�implement and maintain financial and management systems that comply substantially with
federal financial management systems requirements, applicable federal accounting standards, and the
United States Government Standard General Ledger at the transaction level." FFMIA also requires that
remediation plans be developed for any entity that is unable to report substantial compliance with these
requirements.
For a full assessment of the Department's compliance efforts under FFMIA, please refer to Appendix E of this report.
Section 4 Material Non-Conformance � Corrective Action Plan
Following are the summary corrective action plans for the Section 4, Material non-conformance.
Material Non-Conformance: (HHS-00-01) Department-wide Financial Systems and Processes
Description The Department continues to have serious internal control weaknesses in its financial systems and processes for producing financial statements. The FY 2002 CFO audit and the FMFIA Report reflected a material non-conformance department-wide under the FFMIA, which was reported under Section 4 of the FMFIA called Financial Systems and Processes (HHS-00-01). This finding combined the department-wide audit finding with the audit findings at the Centers for Medicare and Medicaid Services (CMS). CMS's FY 2002 financial statements audit revealed the same two material weaknesses as in the FY 2001 audit,
specifically: Financial Systems and Analysis (CMS-01-01) and Medicare EDP Controls (CMS 01-02).
Pace of Corrective Action:
Year Identified: FY 2000
Original Targeted Correction Date: N/A
Correction Date in Last Report: FY 2005
Current Correction Date: FY 2005
FY 2005 � FFMIA/FMFIA Compliance for UFMS and HIGLAS (the largest Medicare Contractors will be using the new HIGLAS system) 1/;
FY 2007 � Full UFMS/HIGLAS implementation
1/ Implementation of UFMS in accordance with approved implementation plan will allow HHS to comply with the FFMIA/FMFIA by the end of FY 2005. OMB, as a result of its review of key UFMS planning documents and discussions with HHS officials, recognized in its quarterly progress reports that the Department's current financial management "status" could improve when the UFMS is
substantially implemented at the end of FY 2005.
In the short term, account analysis and reconciliations are helping to mitigate systems weaknesses.
Responsible Program Manager: Tom Doherty, Director, UFMS Program Management Office
Source of Discovery: FY 2000, FY 2001, and FY 2002 financial statement audits by OIG.
Completed Actions and Events:
Department-wide
FY 2002:
Selected the commercial off-the-shelf software to serve as the core system application/infrastructure and hired a nationally recognized company to serve as the program's systems integrator.
Established the UFMS governance structure in which top departmental executives, including the HHS agencies' Chief Financial Officers and Chief Information Officers, actively participate.
Developed key planning documents, including Risk Assessment and Mitigation Plan, Change Management (Business Transformation) Plan, Performance Management Plan, and Core Target Business Model.
Developed the UFMS business case (which was finalized by the UFMS PMO and approved by the HHS Information Technology Internal Review Board on November 5, 2002).
See FY 2002 FMFIA Report in HHS FY 2002 Performance and Accountability Report.
Planned/Continuing Agency Actions:
FY 2003:
Planned/Actual Dates:
Following are key deliverables provided to OMB under the President's Management Agenda (PMA):
Submitted an outline of the UFMS Security Plan for addressing National Institute of Standards and Technology requirements.
January 29, 2003
Supplemented the project management plan provided on January
29, 2003 to OMB to include concrete costed deliverables and
specific due dates for each stage of UFMS implementation.
February, 2003
Submitted draft security certification/accreditation strategy to
include definition of minimum system boundaries.
April, 2003
Submitted detailed work breakdown structure mapped to earned value measurement and to performance measures (Tracking Matrix).
April, 2003 and every two months thereafter
Reported progress on UFMS Development/Acquisition Phase (see
2.4.2 of UFMS Security Plan).
April 30, 2003
Submitted a detailed UFMS security plan.
September 15, 2003
Note: Detailed updates on Corrective Actions are provided
quarterly to OMB. These Corrective Action Plans (CAPs), address
both short-term and long-term measures to address this weakness.
Long-Term UFMS Milestones:
NIH Business and Research Support System (NBRSS) - complete deployment
FY 2005
UFMS and HIGLAS: FFMIA/FMFIA Compliance
End of FY 2005
UFMS and HIGLAS: Full Implementation
FY 2007
Material Non-Conformance: (CMS 01-01) CMS Financial Systems, Analysis and Oversight
This finding is a sub-set of the one Section 4 material non-conformance department-wide (HHS-00-01).
The financial statements auditors reported that the Centers for Medicare & Medicaid Services (CMS) relies on a decentralized organization, complex and antiquated systems and ad hoc reports to accumulate data for financial reporting due to the lack of an integrated accounting system at the Medicare contractor level. An integrated financial system and strong oversight are needed to ensure that periodic analyses and reconciliation are completed to detect errors in a timely manner.
Pace of Corrective Action: Continuous
Year identified: FY 1997
Original Targeted Correction Date: FY 1999
Correction Date in Last Year's Report: FY 2005
Current Correction Date:
FY 2005 � FFMIA/FMFIA Compliance for UFMS and HIGLAS (the
largest Medicare Contractors will be using the new HIGLAS
system) 1/;
FY 2007 � Full UFMS/HIGLAS implementation
1/ Implementation of UFMS in accordance with approved implementation plan will allow HHS to comply with the FFMIA/FMFIA by the end of FY 2005. OMB, as a result of its review of key UFMS
planning documents and discussions with HHS officials, recognized in its quarterly progress reports that the Department's current financial management "status" could improve when the new accounting system
(UFMS) is substantially implemented at the end of FY 2005.
Lead Management Contact: Maria C. Montilla, Acting Director, Accounting Management Group, and Director of Financial Oversight, Office of Financial Management
Source of Discovery: FY 1997 financial statement audit by OIG and other sources.
Brief Description of Corrective Action Plan
While CMS has made significant improvements in financial reporting, our long-term solution to this material weakness is the Healthcare Integrated General Ledger Accounting System (HIGLAS). Until this system is implemented, CMS will continue projects and activities aimed at compensating for the lack of the modernized system. Until HIGLAS can be fully implemented, CMS will continue to implement short-term corrective actions, as outlined in our Chief Financial Officer (CFO) Comprehensive Plan for Financial Management, to address this material weakness. The four key financial management objectives of our plan are to: (1) improve financial reporting, guidance, and oversight by providing timely, reliable, and accurate financial information that will enable CMS managers and other decision makers to make timely and accurate program and administrative decisions; (2) design and implement effective financial management systems that comply with the Federal Financial Management Improvement Act (FFMIA); (3) improve debt collection and internal accounting operations; and (4) validate key financial data to ensure its accuracy and reliability.
Completed Actions and Events:
FY 2002:
The CMS has accomplished the following initiatives to effectively implement HIGLAS:
Established a CMS HIGLAS Program Office staffed with 20 FTEs.
Initiated implementation of an approved Joint Financial Management Improvement Program commercial off-the-shelf product at two pilot sites.
Established the HIGLAS project baseline and began the design and building of HIGLAS functional specifications/requirements for two Medicare contractor pilot locations.
Finalized the following project management plans: Business Solution Test Plan; Communications Plan; Configuration Management Plan; Quality Assurance Plan; and Risk Management Plan.
Conducted five Conference Room Pilots to refine business requirements/solutions. All activities completed.
Conducted five Technical Requirement Pilots in nine sessions. All activities completed.
Established the Application Service provider and technical infrastructure.
Initiated running 11 non-production instances of the ORACLE software in a test environment.
Established the HIGLAS Change Control Board with support from the Technical Configuration Committee, Requirements Management Committee, and the Performance Work Group to assure decisions are made accurately and timely.
Established HIGLAS Portal, e-Room, for project communication.
Created a HIGLAS website to provide program status for project stakeholders.
See FY 2002 FMFIA Report in HHS FY 2002 Performance and Accountability Report.
CAP Milestones for FY 2002 - FY 2003
Planned/Actual Dates:
Provided annual financial management training including trend analysis to contractors.
Completed
Acquired CPA services to validate accounts receivable balances.
Completed
Revised financial management internet manual.
Completed
Completed CPA accounts receivable reviews.
Completed
Established CAPs from accounts receivable reviews.
Completed
Contractors implemented CAPs from reviews.
On-going
CMS 1522 Cash Reconciliation Workgroup provided policy and procedures to ensure contractors reconcile funds expended.
Completed
Developed review procedures for monitoring the CMS 1522.
Completed
Provided procedures and trained regional offices to perform reviews.
Completed
Performed onsite reviews at 11 contractors.
Completed
Monitor the monthly CMS 1522 reconciliation submitted by contractors.
Monthly
Issued draft & final instructions to contractors that require a reconciliation of the CMS 1522 detailed claims data.
Completed
Implement final instructions that require a reconciliation of the CMS 1522 claims data.
January, 2004
Formed Trend Analysis Workgroup to develop and implement trend analysis procedures.
Completed
Issued contractor trend analysis procedures.
Completed
Perform trend analysis on receivable balances reported.
Quarterly
Issued final RO procedures to perform trend analysis and to review contractors trending analysis.
Completed
Implemented procedures for quarterly and yearly financial statements.
Completed
UFMS and HIGLAS compliance with FFMIA/Section 4 FMFIA.
End of FY 2005
Complete UFMS/HIGLAS implementation.
FY 2007
Material Non-Conformance: (CMS 01-02) Medicare EDP Controls
This finding is a sub-set of the one Section 4 material non-conformance department-wide (HHS-00-01).
The financial statement auditors reported that electronic data processing (EDP) controls at the Center for Medicare & Medicaid Services (CMS) central office (CO) and the Medicare contractors could result in: 1) unauthorized access to and disclosure of sensitive information; 2) malicious changes that could interrupt data processing or destroy files; 3) improper Medicare payments; or 4) disruption of critical operations. The auditors reported that weaknesses continue to exist in the areas of entity-wide security plans, Medicare data file, physical data center access controls, and service continuity. No individual weakness was determined to be material, but in the aggregate, the weaknesses were considered material.
Pace of Corrective Action: Continuous
Year identified: FY 1998
Original Targeted Correction Date: FY 1999
Correction Date in Last Year's Report: FY 2003
Current Correction Date: FY 2004
Responsible Program Manager: Richard Lyman, Director, Security and Standards Group, Office of Information Services
Source of Discovery: FY 1997 financial statements audit by OIG.
The CMS recognizes the significance of security measures regarding Medicare EDP issues as they relate to the integrity, confidentiality, and availability of sensitive Medicare data. The CMS received funding in August 2002 to mitigate the most vulnerable weaknesses at the Medicare contractors and data centers. Distribution based on risk analysis was to fund system security plans for the contractor claims processing systems, access controls, systems software, segregation of duties, and service continuity. Funding decisions were risk-based and business driven. Funding has been requested for FY 2004 as part of the CMS Modernization Initiative to resource major weaknesses. The CMS Initiative will be effective in addressing these security issues. The strategy is to make investments to create a secure systems environment where security platforms have been implemented and integrated, e.g., robust firewalls, intrusion detection, authentication etc., and not to expend all available resources on addressing audit findings.
CAP Milestones for FY 2003 - FY 2004
Medicare Contractors
Planned/Actual Dates:
Required Medicare contractors to adhere to OMB A-130 guidelines for entitywide security plans to ensure appropriate safeguarding of Medicare data.
Completed
Require Medicare contractors to use CMS systems security methodology to develop plans in the future as funding permits.
September, 2004
Develop consistent and effective physical and logical access procedures, including administration and monitoring of access by contractor personnel in the course of their job responsibilities.
September, 2004
Develop consistent and effective procedures over the implementation, maintenance, access, and documentation of operating systems software products used to process Medicare data.
September, 2004
Develop a segregation of duties to ensure that accountability and responsibility
for access to Medicare applications and data are appropriately assigned.
September, 2004
Update and appropriately document service continuity procedures to recover
Medicare processing in case of a system outage.
September, 2004
CMS Central Office
Complete the CMS master plan and the supporting general support systems plans that application plans will refer to.
September, 2004
Recertified all personnel with physical access to the data center.
Completed
HHS FMFIA Reporting Summary
FMFIA Section 2 Material Weakness and Section 4 Material Nonconformances Outstanding
FY 1997
FY 1998
FY 1999
FY 2000
FY 2001
FY 2002
FY 2003
Section 2 Material Weaknesses Outstanding
From Prior Year
2
3
4
5
5
2
1
New
1
1
1
0
0
0
0
Corrected/Reclassified
0
0
0
0
3*
1
1**
Outstanding as of 9/30/2003
0
Section 4 Material Nonconformances Outstanding
From Prior Year
0
0
0
0
0
1
1
New
0
0
0
0
1*
0
0
Corrected/Reclassified
0
0
0
0
0
0
0
Outstanding as of 9/30/2003
1
* Financial Systems and Processes (HHS-00-01). This single Section 4 material non-conformance reflects HHS's action during FY 2001 to combine the following three prior year Section 2 material weaknesses into a single finding, and reclassify the combined finding as a Section 4 material non-conformance (details and status in chart below):
Financial Systems and Processes (HHS-00-01) (1a below);
Financial Systems Analysis and Oversight (CMS 01-01) (1b below); and
Medicare EDP Controls (CMS 01-02) (1c below).
** "Deficiency in the Enforcement Program for Imported Foods" (FDA 89-02). Due to substantial FDA efforts, HHS no longer considers FDA 89-02 to be material at the department-wide level. FDA continues to report this material weakness in its FMFIA report with a targeted correction date of FY 2005.
Status of Outstanding FMFIA Material Weaknesses or Nonconformances
#
Title & Identification Code
First FY Reported
Target Correction Date
Section 2
None
Section 4
1a
Financial Systems & Processes ID: HHS-00-01
FY 2001
UFMS FMFIA and FFMIA compliance (FY 2005). UFMS full implementation (FY 2007).
1b
CMS Financial Systems Analysis and Oversight (Medicare Accounts Receivable)
ID: CMS 01-01 (formerly HCFA 97-02)
FY 2001
HIGLAS FMFIA and FFMIA compliance. (FY 2005) HIGLAS full implementation (FY 2007)
1c
Medicare EDP Controls, including Application Controls for Medicare Contractors. ID: CMS 01-02 (formerly HCFA 98-01a)
FY 2001
FY 2004 (previously reported as FY 2003 in FY 2002 report).
Download Reader 
