Appendix E - FY 2005 Federal Financial Management Improvement Act Report on Compliance

Auditors of Executive Agencies’ financial statements are required to report if the agencies’ financial management systems are in substantial compliance with the requirements of the Federal Financial Management Improvement Act (FFMIA) of 1996. Such audits are to be conducted in accordance with OMB’s revised FFMIA Implementation Guidance, dated January 4, 2001. Under FFMIA, agencies also are required to report whether their financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal Accounting Standards, and the United States Government Standard General Ledger (USSGL) at the transaction level.

Instances of Noncompliance

The Department’s FY 2005 financial statement audit revealed one instance of noncompliance - Financial Systems and Processes, in which HHS financial management systems did not substantially comply with federal financial management systems requirements. The one noncompliance includes four sub-components: 1a) CMS’ financial systems analysis and oversight, 1b) the Department’s Payroll System, 1c) the CORE accounting system, and 1d) NIH’s Center for Information Technology (CIT). HHS concurs with the auditor’s findings. In last year’s report (FY 2004 PAR), the auditors reported 3 FFMIA non-compliances: 1) Financial Systems and Processes, 2) CMS Financial Systems and Analysis, and 3) Departmental Payroll System. These three non-compliances have now been consolidated into one noncompliance with 2 sub-components. In addition, the auditors identified 2 new non-compliances -- the core accounting system and the NIH Center for Information Technology (CIT) which they are reporting as additional sub-components of the one non-compliance, Financial Systems and Processes.
To make the HHS general ledger USSGL-compliant, the Department has created an extension, based on the Common Accounting Number (CAN)-Budget Accounting Classification Structure (BACS) crosswalk, which will select the correct Treasury transaction codes. This extension will enforce rules and populate the correct values to make the Unified Financial Management System (UFMS) USSGL-compliant. The FY 2005 audit recognized the significant steps taken by the Department to resolve material weaknesses found in previous years. The following is a summary of some of the corrective actions taken and the current status for each of the areas of noncompliance.

Corrective Actions

FFMIA Systems and Processes

The Department’s long-term strategic plan to resolve this material weakness is to replace the existing accounting systems and certain other financial systems within the Department with the UFMS. The short-term focus has been on improving the quality of the data in the accounting systems by increasing periodic reconciliation and analyses, and implementing a web-based automated financial system for collecting and consolidating financial statements Department-wide. Over the last several years HHS has continued to make progress in strengthening its financial management and has a plan to bring its FFMIA systems into compliance by replacing antiquated financial systems with the UFMS. A major subcomponent of UFMS is the CMS Healthcare Integrated General Ledger Accounting System (HIGLAS). The lack of an integrated financial management system continues to impair CMS’ and the Medicare contractors’ abilities to adequately support and analyze accounts receivable and other financial balances reported.
The CMS is implementing a comprehensive plan to bring its financial systems into compliance. Specifically, CMS has initiated steps to implement an integrated standard general ledger system, known as HIGLAS, for the Medicare contractors and regional and central offices. HIGLAS will initially integrate the CMS’ financial systems with two of the Medicare contractors’ existing shared claims processing systems. The CMS’ current mainframe-based financial system will also be replaced by HIGLAS, the foundation of which is a web-based, commercial-off-the-shelf system. The HIGLAS has been deployed at four of the largest CMS Medicare contractors: two pilot Medicare contractors, Palmetto GBA (Fiscal Intermediary, May 2005) and Empire Medicare Services (Carrier, July 2005), and two non-pilot Medicare contractors, Empire Medicare Services (Fiscal Intermediary, August 2005) and First Coast Service Options (Fiscal Intermediary, September 2005). This level of deployment makes progress towards compliance with the requirements of the FFMIA. The CMS will meet its original goal for materiality of financial operations by the end of FY 2006. HIGLAS will be FFMIA compliant in FY 2008, and fully implemented by FY 2011.
Medicare General and Application Controls

The CMS recognizes the significance of security measures regarding Medicare EDP issues as they relate to the integrity, confidentiality, and availability of sensitive Medicare data. The CMS continues to accept risk, primarily due to the large size and complexity of the Medicare fee-for-service claims processing system and number of data centers. The sheer magnitude of the Medicare claims processing system, encompassing 14 data centers and 32 entities that process claims, coupled with the level of aggressive oversight guarantees that there will always be findings. The major focus needs to be on limiting the number of findings including critical or high-risk vulnerabilities. The CMS revised its strategy to address CFO EDP audit issues in FY 2005. This strategy was successfully implemented as the prior material weakness has been downgraded to reportable conditions in the areas of logical access controls; and application security, development and program change control. The report of the independent contractors noted improvements in the areas of entity-wide security program, systems software and service continuity planning and testing. The CMS has now refined the strategy further to eliminate the two reportable conditions. This refinement extends through FY 2007 after which CMS plans for the CFO EDP reportable conditions to be eliminated from its financial statements. The CMS’ objectives are to eliminate by September 30, 2006 all findings within each of the reportable conditions as reported as part of the CFO EDP audit that are attributable to inadequate management oversight. By September 30, 2007, CMS’ objective is to put into place the appropriate processes and controls to eliminate both the reportable conditions and the root causes for the reportable conditions.
The CMS strategy to accomplish the objectives involves a short-, mid- and long-term approach to correct all technical and management vulnerabilities and put in place a strong management oversight program to eliminate the root causes of the problems. The short-term strategy is simply to correct all vulnerabilities attributable to inadequate management oversight from whatever source in FY 2006. “Whatever source” includes SAS 70 audits, CFO EDP findings, and the results of other evaluations, tests or assessments at both central office and the Medicare contractors. The mid-term strategy is to address the system or root causes for the vulnerabilities. The long-term strategy is to sustain the improvements implemented in the short and mid-term. The CMS’ progress in addressing individual findings is measured by its Plan of Actions and Milestones Report, which is submitted to HHS and OMB. The long-term strategy in eliminating the reportable conditions also includes the CMS’ revitalization initiative that will further improve its security posture. A more secure system environment is a key component of the revitalization plan. The CMS is building security into the agency’s modernized infrastructure through capital investments targeted to reduce its security perimeter. The CMS will limit its exposure to risk through preemptive measures such as data center consolidation and Medicare contractor reform. This simplification of CMS’ contractor environment will leave less opportunity for exploitation than is the case in the current highly complex systems environment. The CMS plans for its security perimeter to be considerably smaller than is the situation today.
Payroll System

The independent Service Auditor’s Report for the Human Resources Service Personnel and Payroll Systems’ General Information Technology and Application Controls identified that certain controls related to the application software development and change controls for the Commissioned Corps Personnel/Payroll System (COPPS) were not operating effectively.

Centers of Excellence

HHS currently meets the following goals of the Financial Management Line of Business (FMLoB):

Goal: Select a Center of Excellence (COE) which will host the Department’s core financial management systems and to which the Department may migrate its financial management services.

Status: Commercial centers of excellence are currently hosting HHS’ core accounting systems. Additional milestones related to the selection of a different hosting facility are not appropriate for consideration until the HHS Unified Financial Management System (UFMS) implementation has been completed.

Goal: Migrate financial management hosting (and potentially services) to the selected COE.

Status: Commercial facilities are currently being utilized for the hosting of HHS’ core accounting systems (CMS HIGLAS: IBM facilities; UFMS: AT&T facility via the CDC Mid-Tier Data Center). Additional milestones related to the migration to a different hosting facility are not appropriate for consideration until the HHS Unified Financial Management System (UFMS) implementation has been completed.