Financial Management: Agencies Face Many Challenges in Meeting the Goals
of the Federal Financial Management Improvement Act (Testimony,
06/06/2000, GAO/T-AIMD-00-178).

Pursuant to a congressional report, GAO discussed the challenges most of
the major federal department agencies face in meeting the basic
expectations laid out in the Federal Financial Management Improvement
Act of 1996 (FFMIA), focusing on: (1) problems with agencies' systems
that prevent them from meeting the expectations of FFMIA; (2) how
agencies are able to receive a "clean" audit opinion on their financial
statements even though their financial systems do not comply with
FFMIA's requirements; and (3) key elements in addressing these systems
problems, including the importance of sound information technology
investment and control processes.

GAO noted that: (1) FFMIA requires auditors performing annual financial
statement audits of the Chief Financial Officers (CFO) Act of agencies
to report whether agencies' financial management systems comply with the
act's requirements; (2) the act defines financial management systems as
the financial systems and financial portions of mixed systems necessary
to support financial management, including automated and manual
processes, procedures, controls, data, hardware, software, and support
personnel dedicated to the operation and maintenance of systems
functions; (3) based on GAO's review of fiscal year (FY) 1999 audit
reports for the 20 agencies reported to be noncompliant with FFMIA, GAO
identified five primary reasons: (a) nonintegrated financial management
systems; (b) inadequate reconciliation procedures; (c) noncompliance
with the U.S. Government Standard General Ledger; (d) lack of adherence
to federal accounting standards; and (e) weak security over information
systems; (4) although the number of agencies receiving unqualified audit
opinions is increasing, the financial management systems of most
agencies continue to be compliant with FFMIA's requirements; (5) in many
cases, agencies spent considerable resources to obtain a clean opinion
because their financial statements could not be produced from their
financial systems; (6) key elements for improving financial systems
include: (a) plans to replace or overhaul agencies' systems; (b)
information technology investment and security guidance; (c) Joint
Financial Management Improvement Program (JFMIP) software certification;
and (d) systems requirements documents and checklist; (7) the federal
government's size and complexity and the discipline needed to overhaul
or replace its financial management systems presents a significant
challenge, not simply a challenge to overcome a technical glitch, but a
demanding management challenge that requires attention from the highest
levels of government; and (8) however, with concerted effort, the
federal government can make progress toward improving its financial
management systems and thus achieve the goals of the CFO Act and provide
accountability to the nation's taxpayers.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-00-178
     TITLE:  Financial Management: Agencies Face Many Challenges in
	     Meeting the Goals of the Federal Financial Management
	     Improvement Act
      DATE:  06/06/2000
   SUBJECT:  Financial management systems
	     Financial statement audits
	     Noncompliance
	     Internal controls
	     Federal agency accounting systems
	     Accountability
	     Financial records
	     Information resources management

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO/T-AIMD-00-178

   * For Release on Delivery
     Expected at
     10 a.m.

Tuesday,

June 6, 2000

GAO/T-AIMD-00-178

financial management

Agencies Face Many Challenges in Meeting the Goals of the Federal Financial
Management Improvement Act

        Statement of Jeffrey C. Steinhoff

Assistant Comptroller General

Accounting and Information Management Division

Testimony

Before the Subcommittee on Government Management, Information and
Technology, Committee on Government Reform, House of Representatives

United States General Accounting Office

GAO

Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the challenges most of the major
federal departments and agencies face in meeting the basic expectations laid
out in the Federal Financial Management Improvement Act of 1996 (FFMIA).
That act, and several before it dating back to 1982, most notably the Chief
Financial Officers (CFO) Act of 1990, have underscored the importance of
improving financial management across the federal government. As such, FFMIA
and predecessor legislation, as well as many audit reports by our office and
the Inspector General (IG) community have continually pointed out that
reliable, useful, and timely information has not been available across
government to ensure financial accountability and to help improve economy,
efficiency, and effectiveness. The central challenge in generating reliable
and timely data throughout the year is overhauling financial and related
management information systems. To help focus attention on this challenge, 4
years ago the Congress passed FFMIA, which requires the 24 major departments
and agencies to implement and maintain financial management systems that
comply substantially with (1) federal financial systems requirements,
(2) applicable federal accounting standards, and (3) the U.S. Government
Standard General Ledger (SGL) at the transaction level.

Today I will discuss (1) problems with agencies' systems that prevent them
from meeting the expectations of FFMIA, (2) how agencies are able to receive
a "clean" (unqualified) audit opinion on their financial statements even
though their financial systems do not comply with FFMIA's requirements, and
(3) key elements in addressing these systems problems, including the
importance of sound information technology investment and control processes.
As required by the act, we plan to issue our fourth annual report on agency
compliance with FFMIA by October 1 of this year.

Mr. Chairman, from the outset today, I want to dispel the notion that this
is merely a compliance issue. The expectations in the CFO Act and FFMIA are
integral to producing the data needed to efficiently and effectively manage
the day-to-day operations of the federal government and provide
accountability to the taxpayers. When federal agencies can meet these
expectations, they will have achieved what the Comptroller General has
referred to as the "end game"-systems and processes that routinely generate
reliable, useful, and timely information the government needs to assure
accountability to taxpayers, manage for results, and help decisionmakers
make timely, well-informed judgments.

Aside from poor data and weak assurances regarding accountability, the
issues I will discuss today can result in excessive time spent by staff in
trying to correct data problems and compensate for systems shortcomings. We
recently issued an Executive Guide: Creating Value Through World-class
Financial Management, which describes some of the best practices used by
effective finance operations to support the mission objectives of their
organizations. They devote an increasingly smaller portion of their staff
resources to routine accounting activities, such as external reporting and,
instead, are able to use reliable and timely financial and other data to
provide products and services that directly support strategic
decision-making and ultimately improve overall business performance.

FFMIA Is a Key Component of the Management Reform Framework

So, in the 1990s, the Congress passed additional management reform
legislation to improve the general and financial management of the federal
government. The combination of reforms ushered in by (1) the Chief Financial
Officers Act of 1990, (2) the Government Management and Reform Act of 1994,
(3) FFMIA, (4) the Government Performance and Results Act of 1993, and (5)
the Clinger-Cohen Act of 1996, if successfully implemented, provides a basis
for improving accountability over government operations and routinely
producing sound cost and operating performance information, thereby making
it possible to better assess and improve the government's financial
condition and operating performance. In addition, we recently updated our
Standards for Internal Control in the Federal Government, which is issued
pursuant to the Financial Integrity Act to help agency managers implement
effective internal control, an integral part of improving financial
management systems.

FFMIA requires auditors performing annual financial statement audits of the
CFO Act agencies to report whether agencies' financial management systems
comply with the act's requirements. The act defines financial management
systems as the financial systems and financial portions of mixed systems
necessary to support financial management, including automated and manual
processes, procedures, controls, data, hardware, software, and support
personnel dedicated to the operation and maintenance of system functions.
FFMIA also requires agency heads to determine annually, based on the audit
report on the entity's financial statements and any other relevant
information, whether their agency financial management systems satisfy the
act's requirements. If the agency head determines that the systems do not
comply, FFMIA requires the agency head, in consultation with the Director of
the Office of Management and Budget (OMB), to establish a remediation plan
to bring the systems into substantial compliance. FFMIA also contains a
requirement that IGs are to report instances and reasons when an agency has
not met the intermediate target dates established in their remediation
plans.

To develop this testimony, we reviewed fiscal year 1999 audit results for
the 23 CFO Act agencies that had issued audited financial statements as of
June 1, 2000. We also relied on our ongoing work on FFMIA, including reviews
of agency remediation plans, federal accounting standards, and federal
financial systems requirements. We did our work from February through May
2000, in accordance with generally accepted government auditing standards.

Widespread Noncompliance Indicates Serious Systems Problems

Auditors for 20 of the 23 CFO Act agencies, whose audit reports have been
issued, reported that for fiscal year 1999, the agencies' systems did not
comply substantially with federal financial systems requirements, federal
accounting standards, and/or the SGL. Auditors for three agencies-the
Department of Energy, the National Aeronautics and Space Administration, and
the National Science Foundation-reported the agencies' systems to be in
substantial compliance. These results were similar to those for fiscal years
1997 and 1998. Reasons for noncompliance range from nonintegrated financial
management systems to information security weaknesses. This continuing
widespread noncompliance with FFMIA is indicative of the overall
long-standing poor condition of agency financial systems. Correcting the
systems problems that cause noncompliance with FFMIA is a challenge for many
agencies because of the age and poor condition of their critical financial
systems. Some of the federal government's computer systems were originally
designed and developed years ago and do not meet current systems
requirements and cannot provide reliable financial information for managing
day-to-day government operations and holding managers accountable. Further,
the inadequacy of federal financial management systems prevents a host of
financial reporting and financial analysis needs from being met.

Based on our review of fiscal year 1999 audit reports for the 20 agencies
reported to be noncompliant, we identified five primary reasons:

   * nonintegrated financial management systems,
   * inadequate reconciliation procedures,
   * noncompliance with the SGL,
   * lack of adherence to federal accounting standards, and
   * weak security over information systems.

Table 1 shows the 20 noncompliant agencies and problems reported by their
auditors.

Table 1: Problems Reported by Auditors in Fiscal Year 1999

                Nonintegrated                                Lack of    Weak
                              Inadequate                     adherence  security
 Agency         financial     reconciliation  Non-compliance to federal over
                management                    with the SGL
                systems       procedures                     accounting information
                                                             standards  systems
 Department of
 Agriculture    ?             ?               ?              ?          ?
 Department of
 Commerce       ?             ?               ?                         ?
 Department of
 Defense        ?             ?               ?              ?          ?
 Department of
 Education      ?             ?                              ?          ?
 Department of
 Health and     ?             ?                                         ?
 Human Services
 Department of
 Housing and
 Urban          ?             ?               ?              ?          ?
 Development
 Department of
 the Interior                                                ?          ?
 Department of
 Justice        ?             ?                              ?          ?
 Department of
 Labor          ?             ?               ?              ?          ?
 Department of
 Transportation ?                             ?              ?          ?
 Department of
 the Treasury   ?             ?               ?              ?          ?
 Department of
 Veterans       ?             ?               ?              ?          ?
 Affairs
 Agency for
 International  ?             ?               ?              ?          ?
 Development
 Environmental
 Protection                   ?                              ?          ?
 Agency
 Federal
 Emergency
 Management     ?             ?                                         ?
 Agency
 General
 Services                                                               ?
 Administration
 Nuclear
 Regulatory                                                  ?
 Commission
 Office of
 Personnel                    ?               ?              ?          ?
 Management
 Small Business
 Administration ?                             ?              ?          ?
 Social Security
 Administration                                                         ?
 Totals         14            14              11             15         19

Source: GAO analysis of agency audit reports for fiscal year 1999.

To understand how these weaknesses affect agencies' financial management
efforts and to bring about any lasting improvements, it is important to
understand what these weaknesses mean and their impact on the government's
operations. The following sections describe the five types of weaknesses and
provide examples identified by the agencies' auditors.

Nonintegrated Financial Management Systems

When agencies do not have an integrated financial management system-which
includes a budget system and program systems that maintain financial
information, such as logistics, personnel, and acquisition systems-they are
often forced to rely on ad hoc programming or analysis or actions, such as
taking physical inventories to determine what assets they have on hand, in
order to satisfy financial reporting and analysis responsibilities. In these
situations, agencies must expend major effort and resources, and some
agencies rely heavily on external consultants to develop information that
their systems should be able to provide on a daily or recurring basis. In
addition, opportunities for errors are significantly increased when
agencies' systems are not integrated.

Modern, integrated financial systems rely on transaction-based entries to
update all relevant accounts, be they for budgetary control, proprietary
accounting objectives, or program management. In these modern, integrated
systems, financial data is carried in a common format, and the effects of
financial transactions in one application are accurately transmitted to
other affected applications. Accordingly, aside from the timeliness in
recording transactions, the use of integrated systems largely negates the
risk of out-of-balance situations and data entry errors. Thus, agencies can
have at their disposal information that can quickly provide year-to-date
balances, but more importantly, can be used for analysis throughout the
year.

A continuing, serious problem is that agencies lack modern, integrated
financial management systems. As shown in table 1, auditors for 14 of the 20
noncompliant agencies reported this as a problem. For example, as we
testified before this Subcommittee this February, the Internal Revenue
Service (IRS) had to focus substantial efforts on developing compensating
processes to work around its serious systems and internal control weaknesses
to derive year-end balances for its financial statements. Because IRS' aging
financial management systems have not been redesigned to meet current
systems requirements and financial reporting standards, IRS' approach to
preparing financial statements relied heavily on costly, time-consuming
processes, statistical projections, and external consultants to derive
year-end balances. For instance, IRS has pervasive problems in managing and
reporting unpaid assessments. IRS does not have a subsidiary ledger that
tracks and accumulates unpaid assessments and their status on an ongoing
basis. The absence of the subsidiary ledger adversely affects IRS' ability
to effectively manage and accurately report these assessments. Typically, an
entity's accounts receivable balances would be supported by detailed
records, listings, or a subsidiary ledger of individual amounts, which are
all part of an integrated financial management system. To compensate for the
lack of an unpaid assessment subsidiary ledger, IRS uses ad hoc programs
that extract data from the tax master files-its database of taxpayer
information. However, as in past years, the results still required
significant adjustments totaling tens of billions of dollars before taxes
receivable can be reliably reported on the balance sheet. IRS top management
recognizes this and has demonstrated a strong commitment to developing an
integrated system as part of tax systems modernization.

As we testified before this Subcommittee last month, the Department of
Defense (DOD) lacks integrated accounting systems. DOD relies on an
inventory of 168 systems-consisting of 98 finance and accounting systems and
70 critical feeder systems-to carry out its financial management
responsibilities. These critical feeder systems provide about 80 percent of
the data needed for sound financial management. Because DOD lacks the
integrated systems needed to properly control assets and accumulate costs,
millions of transactions are keyed and then re-keyed into a vast number of
systems. To illustrate the degree of difficulty faced by DOD, figure 1,
which we included in our earlier testimony, shows for one business
area-contract and vendor payments-the number of systems involved and their
relationships to one another.

Figure 1: DOD's Current Systems Environment for the Contract and Vendor
Payment Process

In addition to the 22 financial systems involved in the contract payment
process that are shown in figure 1, DOD has identified many other critical
acquisition systems used in the contract payment process that are not shown
on this diagram. To further complicate the processing of these transactions,
each transaction must be recorded using a nonstandard, complex line of
accounting that accumulates appropriation, budget, and management
information for contract payments. For example, the following line of
accounting is used for the Army's Operations and Maintenance appropriation.

2162020573106325796.BD26FBQSUPCA200GRE12340109003AB22WORNAAS34030

As we previously testified, because DOD's financial management systems are
not integrated and payment and accounting processes are complex and
generally involve separate functions carried out by separate offices using
different systems, each line of accounting must be manually entered multiple
times, compounding the likelihood of data entry errors. Billions of dollars
of adjustments are made to correct transactions processed for functions such
as inventory and contract payments. During fiscal year 1999, almost one of
every three dollars in contract payment transactions was made to adjust a
previously recorded transaction. In addition, DOD's IG found that $7.6
trillion of adjustments to DOD's accounting transactions were required last
year to prepare DOD's financial statements. As with IRS, DOD's top
management recognizes the severity of the problems and has several actions
planned and underway to address these problems.

Inadequate Reconciliation Procedures

As shown in table 1, auditors for 14 of the 20 noncompliant agencies
reported that the agencies had reconciliation problems, including difficulty
reconciling their Fund Balance with Treasury accounts (that is, their cash
accounts) with the Department of the Treasury's records. Treasury policy
requires agencies to reconcile their accounting records with Treasury
records monthly, which is comparable to individuals reconciling their
checkbooks to their monthly bank statements.

For example, the Department of Education's auditors reported that Education
did not perform proper or timely reconciliations of its financial accounting
records throughout fiscal year 1999. And, at fiscal year-end, the balance in
Education's Fund Balance with Treasury account varied considerably from the
related balance reported by Treasury. In order to make the account balances
agree, Education made an unsupported adjustment of a net amount of about
$244 million to its Fund Balance with Treasury account. This means that
Education simply changed its records to agree with Treasury balances without
determining the causes of the differences and without modifying the
underlying transactions or accounts giving rise to the discrepancies.
Because Education had not been performing periodic reconciliations and
discerning reasons for differences on an ongoing basis, it could not
determine which records, if any, were correct and accordingly, relied on
Treasury's records, not its own.

In another example, the Department of Housing and Urban Development's (HUD)
IG reported that HUD fell behind schedule in its reconciliation processes to
identify discrepancies with Treasury because of the implementation of a new
core accounting system. As a result, HUD made many adjustments to make its
Fund Balance with Treasury accounts agree with Treasury records. HUD made 42
adjustments totaling about
$17.6 billion to adjust fiscal year 1998 ending balances and 242 adjustments
totaling about $59.6 billion to adjust fiscal year 1999 activity. Therefore,
on a day-to-day basis, HUD's decisionmakers cannot be assured that the
information in its financial systems is reliable. In addition, the
reconciliation problems delayed closing of the general ledger and
preparation of the financial statements which in turn contributed to the
IG's disclaimer of opinion on HUD's fiscal year 1999 financial statements.

Noncompliance With the SGL

A Treasury official stated in testimony before this Subcommittee on
March 31, that the federal government needs to increase the use of the SGL
in agency accounting systems to improve the reliability and accuracy of
financial information. The official continued by stating

Our ability to prepare the consolidated financial report using SGL data so
that it is consistent with data in agency statements is hampered by the fact
that a large number of agencies do not properly use the SGL. In many
instances, agencies cannot adequately produce and send the SGL data to
Treasury because their systems do not record accounting events using the SGL
at the transaction level as mandated by the FFMIA. This results in
additional workload and processes to ensure that amounts are recorded in the
proper accounts. Additionally, this frustrates attempts to maximize
efficiency through the creation of automated analytical tools.

For example, the Agency for International Development's (AID) IG reported
that AID did not record accounts receivable in accordance with the SGL at
the transaction level. AID relied on data calls to obtain the total amount
of outstanding accounts receivable because it did not have integrated
financial management systems. These data calls were posted to the general
ledger at the summary level as opposed to the transaction level as required.
According to the IG, by using data calls to determine outstanding accounts
receivable, AID is at risk that the information obtained is not accurate or
complete.

Lack of Adherence to Federal Accounting Standards

As shown in table 1, auditors for 15 of the 20 noncompliant agencies
reported that the agencies had problems complying with one or more federal
accounting standards. Some agencies have experienced difficulty implementing
these standards because their financial management systems are not capable
of producing the financial data needed.

For example, the processes and procedures used by the Department of
Agriculture's (USDA) lending agencies to estimate and reestimate loan
subsidy costs do not comply with SFFAS No. 2, Accounting for Direct Loans
and Loan Guarantees. SFFAS No. 2, which generally mirrors the requirements
of the Federal Credit Reform Act of 1990, contains guidance for agencies to
estimate the cost of direct and guaranteed loan programs when preparing
their annual budgets. The data used for these budgetary estimates are
generally reestimated after the fiscal year-end to reflect any changes in
actual loan performance since the budget was prepared. SFFAS No. 2 also
contains guidance for recording the reestimated cost of direct loans and the
reestimated liability for loan guarantees in the agency's financial
statements. Further, SFFAS No. 2 states that agencies should use historical
experience as a primary factor upon which estimates of future loan
performance should be developed.

We testified before this Subcommittee in March that USDA was unable to
develop reasonable estimates of the costs of its loan programs because its
financial systems were not able to capture the data needed to make these
estimates. Also, USDA lacked historical information on borrower behavior,
such as how many borrowers will pay early, pay late, or default on their
loans and at what point in time. As a result, Congress and other
decisionmakers do not know whether they can rely on the agency-reported
costs of USDA's loan programs included in the agency's budget request and in
its annual financial statements-estimated to be in excess of $27.3 billion
as of September 30, 1999-for programmatic and budgetary decision-making.
Cost estimates based on unreliable data can affect the availability of
credit programs to potential borrowers because changes in these estimates
can affect the number and amount of loans and guarantees that can be made.

The Department of Transportation (DOT) also has had difficulty implementing
federal accounting standards. DOT's IG reported that DOT did not comply with
SFFAS No. 4, Managerial Cost Accounting Concepts and Standards for the
Federal Government, because its accounting system cannot capture costs by
major program. According to SFFAS No. 4, federal agencies must provide
reliable and timely information on the full costs of their programs,
activities, and outputs. The CFO Act also calls for the development of cost
information and the systematic measurement of performance. Agencies need
this cost information to successfully implement the Government Performance
and Results Act (GPRA), which seeks to shift the focus of federal management
and decision-making from a preoccupation with the number of tasks completed
or services provided to a more direct consideration of the results of
programs-that is, the real differences the tasks or services make to the
nation or individual taxpayer. The lack of cost accounting information
limits an agency's ability to meaningfully evaluate performance in terms of
efficiency and cost-effectiveness. Agency cost accounting information can be
used by the Congress and federal managers to make decisions about allocating
federal resources, authorizing and modifying programs, and evaluating
program performance, as called for in GPRA. However, without relevant and
reliable cost accounting information, which is a governmentwide problem,
federal managers cannot be sure that resources are spent to achieve expected
results and outputs and that waste and inefficiency are minimized.

Weak Security Over Information Systems

As shown in table 1, auditors for 19 of the 20 noncompliant agencies
reported information security weaknesses as a problem in fiscal year 1999.
Further, our analyses as well as those of agency inspectors general show
that virtually all of the largest federal agencies have significant computer
security weaknesses. These weaknesses, which we designated as a
governmentwide high-risk area in 1997 and 1999, are placing enormous amounts
of federal assets at risk of inadvertent or deliberate misuse, financial
information at risk of unauthorized modification or destruction, sensitive
information at risk of inappropriate disclosure, and critical operations at
risk of disruption. Our recent update to the federal government's internal
control standards highlights the need for adequate control over automated
information systems to ensure protection from inappropriate access and
unauthorized use by hackers and other trespassers or inappropriate use by
agency personnel.

The most serious reported information security problem is inadequately
restricted access to agency data, including sensitive data such as taxpayer
records, personal medical information, and law enforcement data. Other types
of information security weaknesses include inadequacies in segregating
duties to help ensure that people do not conduct unauthorized actions
without detection, in preventing unauthorized software from being
implemented, and in mitigating and recovering from unplanned interruptions
in computer service. Unresolved information security weaknesses could
adversely affect the ability of agencies to produce accurate data for
decision-making and financial reporting because such weaknesses could
compromise the reliability and availability of data that are recorded in or
transmitted by an agency's financial management systems.

For example, we testified in May that the Department of Education was
plagued by serious internal control and system deficiencies, including
computer security vulnerabilities. Education places significant reliance on
its financial management systems to perform basic functions, such as making
payments to grantees and maintaining budget controls. Consequently,
weaknesses in Education's information systems, such as lack of an effective
process to monitor security violations, increase the risk of unauthorized
access or disruption in services and make Education's sensitive grant and
loan data vulnerable to inadvertent or deliberate misuse, fraudulent use,
improper disclosure, or destruction, all of which could occur without being
detected in a timely manner. Given the high volume of transactions that flow
through Education's Grant Administration and Payment System alone-over $30
billion a year-it is imperative that Education focus on addressing its
computer security vulnerabilities.

The Department of Health and Human Services (HHS) is another agency with
weak security over its information systems. HHS' IG cited weaknesses in the
entitywide security structure at the Health Care Financing Administration
(HCFA), which administers the Medicare program. HCFA relies on extensive
computer operations at both its central office and the Medicare contractors
to administer the Medicare program and to process and account for Medicare
expenditures, which totaled more than $200 billion in fiscal year 1999.
Controls over these operations are essential to ensure the integrity,
confidentiality, and reliability of critical data while reducing the risk of
errors, fraud, and other illegal acts. These control weaknesses do not
effectively prevent unauthorized access to and disclosure of sensitive
Medicare information.

One more example of an agency with serious information security weaknesses
is the Environmental Protection Agency (EPA). In February, we reported that
EPA's agencywide security program was ineffective because of pervasive
problems, the most serious of which were related to inadequate protection
from intrusions through the Internet and poor security planning. We
identified weaknesses that made it possible for intruders, as well as EPA
employees or contractors, to bypass or disable computer access controls and
undertake any of a wide variety of inappropriate or malicious acts,
including tampering with data, browsing sensitive information, and seriously
disrupting or disabling computer-supported operations. Weaknesses we
identified were associated with the operating systems of EPA's main
computers and agencywide network and therefore affect the security of all of
the EPA operations that rely on them. These operations include computer
applications that EPA relies on to carry out their day-to-day operations,
including financial management. EPA officials recognize the seriousness of
the issues and have informed us of some corrective actions and announced
other plans which, if properly implemented, can begin to address several of
these serious problems.

Increasing Number of Agencies Receive Unqualified Audit Opinion, but Systems
Weaknesses Remain

Although the number of agencies receiving "clean" or unqualified audit
opinions is increasing, the financial management systems of most agencies
continue to be noncompliant with FFMIA's requirements and, therefore, fall
short of the CFO Act's and FFMIA's goal to provide reliable, useful, and
timely information to assist in day-to-day management. Fourteen of the 23
CFO Act agencies whose audit reports were issued as of June 1, 2000,
received unqualified audit opinions on their financial statements for fiscal
year 1999, up from 12 in fiscal year 1998 and 11 in fiscal year 1997. Yet
FFMIA noncompliance has been fairly consistent since fiscal year 1997 when
the systems of 20 of the 24 CFO Act agencies were reported to be
noncompliant. In fiscal year 1998, the systems of 21 of the 24 agencies were
reported to be noncompliant, and in fiscal year 1999, the systems of 20 of
the 23 agencies whose audit reports had been issued were reported to be
noncompliant. The Department of State, which had not issued its audit report
as of June 1, 2000, was found to be noncompliant with FFMIA in fiscal years
1997 and 1998.

Auditors of 11 of the 14 agencies that received unqualified audit opinions
reported that the agencies' financial systems did not comply substantially
with FFMIA's requirements in fiscal year 1999. In many cases, these agencies
spent considerable resources to obtain a clean opinion because their
financial statements could not be produced from their financial systems.
Table 2 summarizes the auditors' FFMIA determinations and financial
statement opinions for fiscal year 1999 and highlights the 11 agencies that
received clean audit opinions in spite of their systems problems.

Table 2: Auditors' FFMIA Determinations and Financial Statement Opinions for
Fiscal Year 1999
                     Auditor's
 Agency              determination of      Audit opinion
                     substantial
                     compliance
                     Yes              No   Unqualified  QualifiedDisclaimer
 Department of
 Agriculture                          ?                          ?
 Department of
 Commerce                             ?    ?
 Department of
 Defense                              ?                          ?
 Department of
 Education                            ?                 a
 Department of
 Energy b            ?                     ?
 Department of
 Health and Human                     ?    ?
 Services
 Department of
 Housing and Urban                    ?                          ?
 Development
 Department of the
 Interior                             ?    ?
 Department of
 Justice                              ?                 ?
 Department of Labor                  ?    ?
 Department of State
 c
 Department of
 Transportation                       ?    ?
 Department of the
 Treasury                             ?                 ?
 Department of
 Veterans Affairs                     ?    ?
 Agency for
 International                        ?                          ?
 Development
 Environmental
 Protection Agency                    ?                 ?
 Federal Emergency
 Management Agency                    ?    ?
 General Services
 Administration                       ?    ?
 National
 Aeronautics and
 Space               ?                     ?
 Administration
 National Science
 Foundation          ?                     ?
 Nuclear Regulatory
 Commission                           ?    ?
 Office of Personnel
 Management                           ?    d
 Small Business
 Administration                       ?    ?
 Social Security
 Administration                       ?    ?
 Total               3                20   14           3        4

aEducation received a disclaimer of opinion on its Statement of Financing
and qualified opinions on its other financial statements.

bAccording to OMB guidance in OMB Bulletin 98-08, material weaknesses in
internal controls that affect an agency's ability to prepare auditable
financial statements and related disclosures is an indication of
noncompliance with FFMIA. In its fiscal year 1999 Report on Internal
Controls, the Department of Energy's IG reported a material weakness related
to the Western Area Power Administration's new financial management system.
The report states, "While the Department's systems as a whole substantially
comply with FFMIA, the new financial management system implemented by
Western was not in compliance with the FFMIA requirements as of September
30, 1999....Thus, Western was unable to adequately track and report on
budget execution and meet external reporting requirements, including
preparation of financial statements."

cAudit report not issued as of June 1, 2000.

dThe Office of Personnel Management does not prepare agency-wide financial
statements. For fiscal year 1999, OPM received disclaimers of opinion on its
financial statements for Revolving Fund and Salaries and Expenses and
unqualified opinions on the financial statements for the Retirement, Health
Benefits Insurance, and Life Insurance Programs.

Source: GAO analysis of agency audit reports for fiscal year 1999.

Financial statement audit results are key indicators of the quality of
agency financial data at year-end and provide an annual public scorecard on
accountability. Agencies are to be commended for receiving unqualified audit
opinions. At the same time, a clean audit opinion is not an end in and of
itself. A clean audit opinion assures financial statement users only that
the information is fairly presented as of the date of the financial
statements. It provides no assurance about the effectiveness and efficiency
of financial systems used to prepare the statements or whether use of the
same or other information for management use would be appropriate. The
results shown in table 2 indicate that, although auditors reported that the
financial statements of 14 of the 23 CFO Act agencies were fairly presented
and reliable at the end of the fiscal year, the financial systems of 20 of
the agencies have weaknesses, some of which are so serious that they are not
able to routinely provide reliable, useful, and timely information on an
ongoing basis.

It bears repeating that the goal of the CFO Act, FFMIA, and other key
financial legislation is to establish systems that routinely produce
reliable, useful, and timely financial information for decisionmakers in the
agency, in the Congress, and elsewhere as part of agencies' ongoing daily
operations. In order to receive an unqualified opinion, many agencies whose
systems did not comply with FFMIA had to rely on time-consuming ad hoc
programming and analysis of data produced by inadequate systems that are not
integrated or reconciled and often require significant audit adjustments.

HHS is an example of an agency that obtained a clean opinion, even though
its systems did not satisfy FFMIA requirements. HHS' IG reported that the
accounting systems used by HHS and its operating divisions did not meet
FFMIA criteria because they were not adequate for preparing reliable and
timely financial statements. Because of these systems inadequacies, HHS
resorted to a manually intensive and error-prone process, involving numerous
manual account adjustments. Together, this led to delays in preparing the
statements, increased the risk of material misstatements, and limited the
resources available for financial analyses. The extent and magnitude of
account adjustments required at year-end demonstrate that the systems were
not operating efficiently or effectively. For example, HCFA, HHS' largest
operating division with almost
$300 billion in net outlays in fiscal year 1999, issued its initial
financial statements in mid-December 1999 and then made billions of dollars
in adjustments to payables and receivables before producing final, auditable
financial statements in late January 2000.

Likewise, while IRS was able to receive a clean audit opinion on its fiscal
year 1999 Statement of Custodial Activity, its systems do not comply with
FFMIA. We were able to verify that the reported balances on the Statement of
Custodial Activity were fairly stated, in all material respects, only after
extensive audit procedures and tens of billions of dollars of adjustments.
IRS had to rely on extensive, labor-intensive, and time consuming
compensating ad hoc procedures to enable it to report reliable revenue and
refund balances on its Statement of Custodial Activity.

DOT received its first unqualified opinion on its fiscal year 1999
departmentwide financial statements. However, like several other agencies,
in spite of the clean opinion, DOT's IG reported that its systems did not
comply substantially with FFMIA. DOT's existing core accounting
system-designed to be the primary system for producing financial information
and financial statements-was not the primary source of information used to
prepare the financial statements. Because the core system did not provide
the necessary data, DOT made about 800 adjusting entries totaling $36
billion. Also, according to the IG, the Federal Aviation Administration's
property systems were not designed as an integrated system to accurately
account for property costs. Therefore, DOT hired additional contractors,
detailed employees, and used extensive overtime and compensatory time to
provide sufficient evidence to support the amounts of property, plant, and
equipment shown on its financial statements. The IG reported that these
manual and labor-intensive methods are expensive; prone to errors, mistakes,
and inaccuracies; and cannot be sustained.

As I have just illustrated, many agencies rely on time-consuming, costly
procedures to receive a clean opinion. Absent substantive improvements in
underlying financial systems, these agencies will likely continue to rely on
these procedures every year to maintain that opinion. Similarly, agencies
that have not yet achieved the milestone of receiving a clean opinion will
feel pressure to also perform such costly procedures every year until their
systems are able to produce reliable, useful, and timely financial
information. Having good systems would eliminate the time and expense needed
to routinely produce a complete set of auditable financial statements and
allow financial management staff to address other critical and frankly more
valuable functions, such as analyzing cost data and other financial data and
developing financial and program results information.

The Social Security Administration (SSA) has achieved the end game-systems
and processes that routinely generate reliable, useful, and timely
information. SSA is able to prepare financial statements from information in
its financial system. SSA's audited financial statements for fiscal year
1999, for which it received a clean opinion, were issued on November 18,
1999, only 7 weeks after the close of the fiscal year and almost 3ï¿½ months
before the March 1 statutory deadline. SSA's auditor did find serious
problems with computer security and continuity of operations but otherwise
found that SSA's financial systems substantially comply with FFMIA.

Having an effective, integrated financial management system that can produce
financial statements in a timely manner would prevent the need for
time-consuming and costly procedures. In our Executive Guide: Creating Value
Through World-class Financial Management, we identified the success factors,
practices, and outcomes associated with world-class financial management
efforts. We found that many leading finance organizations have a goal to
reduce the time spent on routine accounting activities, such as financial
statement preparation, so that financial management staff can spend more
time on activities such as business performance analysis or cost analysis.

Mr. Chairman, these problems are not new. As I mentioned at the outset of my
testimony, financial systems problems date back many years, and agencies
have known about their severity for just as long. In 1989, we reported that
many federal financial systems were weak, outdated, and inefficient and
could not routinely produce relevant, timely, and comprehensive data. Now,
over 10 years later, the vast majority of agencies' financial systems still
do not meet the goals of the CFO Act, although today, through the rigors of
the financial statement audit process and the requirements of FFMIA,
agencies have a better understanding of their problems and the impetus to
resolve those problems. As I will discuss later, agencies have efforts
planned or underway to address their systems problems, and we are seeing a
commitment across government. However, until these systems problems are
resolved, agencies will continue with their extraordinary, inefficient,
time-consuming efforts to obtain a clean opinion.

We may be back in a few years to report that substantially more, perhaps
even all, of the 24 CFO Act agencies have received clean audit opinions. I
feel less confident that their systems will, in the short term, comply with
FFMIA and meet the intended results of the CFO Act. The biggest concern is
that while all or almost all agencies will have devised and mastered a
repeatable process for developing reliable annual results of operations and
year-end balances, overhauling financial systems is a much more difficult
challenge. Overhauling systems is at the heart of the end game we have
spoken about-reliable, useful, and timely data for accurately measuring
performance and providing a basis for ongoing management and
decision-making.

Key Elements for Improving Financial Management Systems

Plans to Replace or Overhaul Agencies' Systems

Information Technology Investment and Security Guidance

To ensure that information technology dollars are directed toward prudent
investments designed to achieve cost savings, increase productivity, and
improve the timeliness and quality of service delivery, agencies need to
apply the framework outlined in the Clinger-Cohen Act and implementing
guidance. This includes adopting sound information technology investment and
control processes, designing well-developed architectures to guide
information flows and technical standards, and establishing disciplined
approaches for developing and acquiring computer software.

In this regard, we have worked on strengthening federal agency management of
information technology investment and have developed guidance based on best
practices in the public and private sectors related to information
technology investment. Two guides resulting from our work are:

   * Assessing Risks and Returns: A Guide for Evaluating Agencies' IT
     Investment Decision-making (GAO/AIMD-10.1.13, February 1997) and
   * Executive Guide: Measuring Performance and Demonstrating Results of
     Information Technology Investments (GAO/AIMD-98-89, March 1998).

However, it is important to remember that these guides are not a "silver
bullet" to guarantee success. Rather, the key is for an organization to
adopt and effectively implement policies and procedures, such as those
described in the guides, that foster the necessary discipline for the
organization to produce predictable and repeatable results. Therefore, it is
critical that an organization first choose the practices that are compatible
with its culture and then effectively implement those practices.

In addition to the guidance we issued on information technology investment
decisions, we have issued guides to help agencies improve security over
their information systems. As mentioned previously, weaknesses in
information systems security was a reported cause of FFMIA noncompliance for
19 of the 20 noncompliant agencies. We have identified best practices for
improving information security management, which we published in two guides:

   * Information Security Management: Learning from Leading Organizations
     (GAO/AIMD-98-68, May 1998) and
   * Information Security Risk Assessment: Practices of Leading
     Organizations (GAO/AIMD-00-33, November 1999).

Our guides are consistent with guidance on information security program
management provided to agencies by OMB and the National Institute of
Standards and Technology. In addition, the May 1998 guide has been endorsed
by the federal Chief Information Officers Council as a useful resource for
agency managers.

JFMIP Software Certification

In fiscal year 1999, the PMO implemented a new software testing process in
which it tests vendor products to certify that they meet current JFMIP
systems requirements. The PMO publishes the testing results in its Web-based
electronic repository, called the Knowledgebase, which also includes
information for agencies and vendors about financial systems requirements,
business practices, and certified vendor products. JFMIP compliant systems
help assure an agency that the system properly records transactions defined
in the JFMIP Core Financial System Requirements document. However, agencies
will still need to define their business requirements and then compare the
various applications against those requirements to identify gaps. Once these
gaps are identified, agencies need to determine the cost, schedule, and
performance impacts associated with these gaps and determine the best
approach to accomplishing the requirement-modifying the system or, if the
desired functionality is not cost effective, eliminating the requirement.
OMB Circular A-127, Financial Management Systems, requires that agencies
replacing software to meet core financial system requirements use
off-the-shelf software that has been tested and certified through the JFMIP
software certification process as meeting JFMIP core financial system
requirements.

Systems Requirements Documents and Checklists

JFMIP has also been updating existing financial management systems
requirements, as well as issuing requirements documents covering systems
where none previously existed. JFMIP's systems requirements publications are
the primary source of governmentwide requirements for financial management
systems. These requirements are detailed in the Federal Financial Management
Systems Requirements (FFMSR) series issued by JFMIP which, according to OMB
Circular A-127, Financial Management Systems, agencies are required to
follow. Table 3 lists the publications in the FFMSR series and their issue
dates.

Table 3: Publications in the Federal Financial Management System
Requirements Series
 Federal Financial Management System
 Requirements (FFMSR) Document                              Issue date

 FFMSR-0        Framework for Federal Financial Management  January 1995
                Systems
 FFMSR-7        Inventory System Requirements               June 1995

 FFMSR-8        Managerial Cost Accounting System           February 1998
                Requirements
 JFMIP-SR-99-4  Core Financial System Requirements          February 1999

 JFMIP-SR-99-5  Human Resources & Payroll Systems           April 1999
                Requirements
 JFMIP-SR-99-8  Direct Loan System Requirements             June 1999
 JFMIP-SR-99-9  Travel System Requirements                  July 1999

 JFMIP-SR-99-14 Seized Property and Forfeited Asset Systems December 1999
                Requirements
 JFMIP-SR-00-01 Guaranteed Loan System Requirements         March 2000

JFMIP is also developing systems requirements where none existed. JFMIP
issued an exposure draft on Property Management System Requirements this
past April and is finalizing its Grant Financial System Requirements. JFMIP
systems requirements, among other things, provide a framework for
establishing integrated financial management systems to support program and
financial managers. JFMIP also issued an exposure draft of a guide to assist
agencies in performing financial management systems reviews as required by
FFMIA and other legislation.

As one of the JFMIP's principals, we have published checklists to assist
agencies in implementing and monitoring their systems and to assist
management and auditors in reviewing systems to determine whether they are
in substantial compliance with FFMIA. The checklists are based on JFMIP
systems requirements documents. We issue them when JFMIP requirements are
published for the first time and when requirements are updated. Table 4
lists the checklists we have issued in final form or as exposure drafts.

Table 4: Checklists for Reviewing Systems Under the Federal Financial
Management Improvement Act
 Checklist                                                  Issue date

 GAO/AIMD-98-21.2.1  Framework for Federal Financial        May 1998
                     Management System Checklist

 GAO/AIMD-00-21.2.2  Core Financial System Requirements     February 2000
                     Checklist

 GAO/AIMD-00-21.2.3  Human Resources and Payroll Systems    March 2000
                     Checklist
 GAO/AIMD-98-21.2.4  Inventory System Checklist             May 1998
                     Seized Property and Forfeited Assets
 GAO/AIMD-21.2.5     System Requirements Checklist          April 2000
                     (exposure draft)

 GAO/AIMD-21-2.6     Direct Loan System Requirements        April 2000
                     Checklist
 GAO/AIMD-21.2.8     Travel System Requirements Checklist   May 2000

 GAO/AIMD-99-21.2.9  System Requirements for Managerial     January 1999
                     Cost Accounting Checklist

Lessons Learned From Year 2000 Efforts

We testified before this Subcommittee in January about the Year 2000
computing challenge, including lessons that can be carried forward to
improve the management of information technology activities. Among the
lessons learned were the importance of (1) providing high-level
congressional and executive branch leadership, (2) understanding the
importance of computer-supported operations, (3) providing standard
guidance, (4) establishing partnerships, (5) facilitating progress and
monitoring performance, and (6) implementing fundamental information
technology improvements. The Year 2000 efforts have reinforced an
understanding of the importance of consistent and persistent top management
attention, which is essential to solving any intractable problem.

According to officials at OMB, the Year 2000 problem also gave agency chief
information officers a "crash course" in how to accomplish projects. Many
chief information officers were relatively new in their positions, and
expediting Year 2000 efforts required many of them to quickly gain an
understanding of their agency's systems, work extensively with agency
program managers and chief financial officers, and become familiar with
budgeting and financial management practices. Addressing these issues, in
turn, provided them with real-time experience in responding to far-reaching
management problems and in finding solutions. These experiences could prove
valuable to resolving the systems issues impeding compliance with FFMIA.

Conclusions

The federal government's size and complexity and the discipline needed to
overhaul or replace its financial management systems present a significant
challenge-not simply a challenge to overcome a technical glitch, but a
demanding management challenge that requires attention from the highest
levels of government. We recognize that it will take time, investment, and
sustained emphasis on correcting deficiencies to improve federal financial
management systems to the level required by FFMIA and for effectively
managing government funds. However, with concerted effort, including
attention from top agency management and the Congress, the federal
government can make progress toward improving its financial management
systems and thus achieve the goals of the CFO Act and provide accountability
to the nation's taxpayers.

Contacts and Acknowledgments

(916351)

        Orders by Internet

For information on how to access GAO reports on the Internet, send an e-mail
message with "info" in the body to:

[email protected]

or visit GAO's World Wide Web home page at:

http://www.gao.gov

        Web site: http://www.gao.gov/fraudnet/fraudnet.htm

E-mail: [email protected]

1-800-424-5454 (automated answering system)
  
*** End of document. ***