oversight

Financial Management Systems Compliance Review Guide

Published by the Government Accountability Office on 1999-10-21.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

              i




<Financial Management
 Systems CornpI, ante
     Review Guic e,




                               IIE


                   October   1999
U.S. Government Chief Financial Officers                      The Joint Financial Management lmprdvement
Council                                                       Program
      The members of the U.S. Government Chief Financial             The JFMIP is a joint and cooperative undertaking of the
 Officers (CFO) Council-the      CFOs and Deputy CFOs of        U.S. Department of the Treasury, the General Accounting
 all the 24 largest Federal agencies and senior officials of    Office, the Office of Management and Budget, and the Office
 the Office of Management and Budget and the                    of Personnel Management working in cooperation with each
 Department of the Treasury-work         coll&oratively. to     other and $her agencies to improve financial management
 improve financial management in the U.S. Government.           practices in government. The Program was given statutory
 The CFO Council has become a strong force for active           authorization in the Budget and Accounting Procedures Act of
 cooperation among agencies dealing with common                 1950 (31 USC 65). Leadership and program guidance are
 problems. Its composition of both political appointees         provided by the four Principals of the JFMIP-Comptroller
 and senior career civil servants ensures collaboration and    General of the United States, Secretary of the Treasury, and
 continuity of effort.                                         the Directors of the Office of Management and Budget, and
      Under the Chief Financial Officers Act of 1990,, the     the Office of Personnel Management. Each Principal cJesignatc?s
 CFO Council was established to advisc’and coordinate          a representative to serve on the JFMIP Steering Committee,
 the activities of the agencies of its members on such         which is responsible for the general direction of the Program.
 matters as consolidation and modernization of financial       The JFMIP Executive Director, and a program agency
systems, improved quality of financial information,            representtitive (who serves for 2 years) are also on the Steering
financial data and information stanclards, internal            Committee.       I ,,    I
controls, legislation affecting financial operations and          ’ The Program rjromotes strategies and guides financial
organizations, and other financial management matters.         management improvement across government; reviews anrl
     The CFO Act legislated broad authority for each CFO       coordinates central agencies activities and,policy
to oversee all financial management activities relating to   I promulgations; and acts as catalyst and clearinghouse for
the programs and operations of, the! agency. With this         sharing and disseminating information about good financial
authority, the CFO will ensure that sound financial            management practices. This information sharing is done
management practices are applied in all organizational         through conferences and.orher educational events, newsletters,
components of his or her agency and that modern                meetings with interagency ‘groups and agency personnel, and
automated financial systems and tools are used. Specific       through FinanceNet, an electronic clearinghouse on the
CFO authority varies agency by agency, but may include         Internet.
some or all of the following financial and general                  The JFMIP has worked on interagency projects that
management components: budget formulation and                  developed a financial systems framework and financial syslcms
execution, facilities or property management, financial        requirements. For the future JFMIP plans to assist Federal
operations and analysis, financial systems, grants             agencies in improving their financial systems through its
management, information resources management,                  Program Management Office. The Office will work on revising
personnel, and procurement. Information of the CFO             the Federal government’s requirements definition, testing, and
Council can be found at its website:                           acquisition processes; the first target of opportunity is core
www.financen&t.gov/financenet/fe@fo/cfo.htm                    financial systems. The objectives of the Office are to develop
                                                               systems requirements, communicate and explain Federal and
                                                               agency needs, provide agencies and vendors information to
                                                               improve financial systems, ensure that products meet relevant
                                                               system requirements, and simplify the procurement process.
                                                                    Information on JFMIP can be found at its website:
                                                               www.financenct.gov/financenet/fed/jfmil>/jfmil,.htm     or call
                                                               202/512-9201.                 -.
  JOIN T FINANCIAL MANAGEMENT
      IM~?R~vE~~,~NTPROGRAM




      441 C Street NW, Room 3111                    Date:        October21, 1999
         Washington, .DC 20548
                                                    To:          SeniorFinancialOfficials
Prlnclpals
Lawrence H . Summers
Secretaryof the Treasury                            From:        ExecutiveDirector, JFM
D avid M . Walker                                           _:
Comptroller General of the U .S.               -’
                                          _L        Subject:     FinancialManagementSystemsComplianceReview
JacobLew
D Ircctor
                                                                 Guide
U .S. 0 fflce of Management and Budget

JaniceR . L achance                                 The Draft Financial Management Systems Compliance Review Guide
D trector. U .S. 0 fflce of Personnel
bl magem ent                                        is attachedfor comment. This documentis sponsoredby the Chief
                                                    FinancialOfficers(CFO) Council andthe Joint FinancialManagement
Steering Committee                                  ImprovementProgram(JFMIP). It will be issuedas a guide similar to
Donald V. Hammond (Chair)                           the modelusedto issuethe Managerial Cost Accounting
FiscalA asistant
              Secretary
Department of the Treasury                          Implementation Guide.. The developmentandissuanceof the *
                                                    Financial Management Systems Compliake Review Guide fulfills one
JeffreyC. Steinhoff                                 of the tasksincludedin the Office of Managementand Budget @MB)
Actlng AsststantComptroller General
U .S. General Accounttog 0 fflce                    andCFO Council1998 Federal Financial Management Status Report
                                                    and Five-Year Plan, to supportstandardizingthe financial systems
SheilaConley
Acting Deput Controller                             environment. Thetaskrecognizesthe needto developtools to assist
U .S. 0 fftce o r Management and Budget
                                                    agenciesin satisfyingmultiple requirementsthat call for financial
J. GIlbert Seaux                                    managementsystemreviews,suchasthoserequiredby: the Federal
Cblef Ftnanclal 0 fflcer
U .S. 0 fflce of PersonnelManagement
                                                    ManagementFinancialIntegrity Act (FMFIA) section4, the Federal
                                                    FinancialManagementImprovementAct of 1996,OMB Circulars A-
W IMam B. Early. Jr.                                123,A127, andA-130; and OMB Bulletin 98-08. Currently, no
C Mel Flnanctai 0 fflcer
G cneral ServicesAdministratlon                     governmentwideproceduresor instructionson conductingfinancial
                                                    managementsystemreviewsexist. Current financial system
Karen ClearyAlderman                                assessment  methodsvary.
ExecuttveD hector. JFM IP

                                                    The Financial Management Systems Compliance Review Guide draft
                                                    was developedby a working groupof the FinancialSystem Committee
                                                    underthe leadershipof R. SchuylerLesher,Chair of the CFO
                                                    FinancialSystemsCommitteeand Edward Leary,.HUD. i The,-working
                                                    group includedselected.representatives
                                                                                         from ‘agencyCFO -arid,
                                                    InspectorGeneralcommunities,JFMIP andOMB. The Executive
                                                    Committeeof the CFO Council endorsedthe issuanceof this exposure
                                                    draft.
The effort hasbuilt on certainagencies’best practicesthat appearto be working and,added                I
practiceelementsthat the working groupfelt were necessary.The guidanceis designed@‘assist
agenciesin performingfinancialmanagementsystemscompliancereviews. This Guide hasbeen
draftedto enableit to grow over time to properly reflect new requirementswithout havingto              L
republishthe completedocument. For exampleAppendix C providesa checklist forthe Core                   ‘2
FinancialSystemFunctionalRequirementsto be usedin the process. Over time this appendix                 -_
                                                                                                       i
would be expandedto provideadditionalcheckliststo cover other JFMIP FederalFinancial                   i
ManagementSystemsRequirements(FFMSR) documents.
                                                                                                       1
                                                                                                       !
In additionto generalcommentsaboutthe guide, we are looking for feedbackthat addressesthe      ’
following key questions:                                                                               ‘1
                                                                                                        i
(1) Would this guideassistyour agencyin conductingfinancial managementsystemsreviews?.             ’    L
(2) <Doesthis guideincludethe right level of information to assistyour agencyin conductingan
effective andefficient financialmanagementsystemsreview? (3) Is the guide sufficiently                 F
comprehensive?(4) Could this guidebe usedby your organizationin developmentof education
andtrainingfor performingfinancial managementsystemsreviews?

The documentis beingcirculatedwidely within the Federalgovernment’sfinancial management
and oversightcommunitiesand to private sectorserviceproviders. It is alsobeing postedon
FinanceNetat:

         www.financenet.gov/financenet/fed/ifmin/ifmir>exu.htm.
   ,’   I
Pleaseprovideyour commentsby December20, 1999. Commentson any section,of this.
documentareencouraged.Responseswould be more helpful to the JFMIP and the CFO Council
if they alsoincludeyour rationale. Respondentsshouldalso indicatethe capacityin which they
are responding.Commentsshouldbe sentto:

               Joint~Financial
                            ManagementImprovement Program
               441 GStreetNW,Room3111
               Washington,DC 20548

Pleasebe awarethat we areworking to relocateJFMIP by the middle of November, 1999. We
are working closelywith the GAO, where JFMIP is currently located,to ensurea smooth
transitionof U.S. Postalandelectronicmail services.’When the exactdateof the relocationis
known, informationwill bepostedon the JFMIP Homepageat:

               www.financenet.gov/fed/ifmit>/ifrnio.htm

.If youhave any questions.,
                         pleasecontact Steve,Fisherwho may be-reachedby phoneat 202-512-           ,, --
 6289; Fax at 202-512i9593or by emailat jfm$@mail~c&ri.~ ‘.‘I “’

Attachment
Table of Contents
                                                                                                                                      E
  Introduction.    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1                      B
                                                                                                                                      :’
        Background      . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
        Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...2


  Part I - Financial Management        Systems Review Process . . . . . . . . . . . . . . . . . . . . . . . . . 4
       Determining Which Systems to Review. . . . . . . ‘. . . . . . . . . . . . . . . . . . . . . . . . 5
       Determining Whether the Systems Comply with the Requirements                               . . . . . . . . . . . . . . . . 6
       Reporting on the Outcome of the Reviews . . , . . . . . . . . . . . . . . . . . . . . . . . . . . 8
       Planning to Correct the Problems Identified             ............................                                       9
       Timing of Financial Systems Reviews .................................                                                      9
       On-Going Monitoring.          . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IO
       Tools for Performing an FFMIA Compliance Review. . . . . . . . . . . . . . . . . . . . . . . . 10


 Part II - Criteria for Financial Management Systems Compliance                          . . . . . . . , . . . . . . . . . . . . 12
       Table for Comparing Financial Management Systems Compliance Guiclance                              . . . . . . . . . . . 14
 Appendices
       Appendix A-l - OMB Circular A-l 27, Section 7 Financial Management                            System Requirements
       Appendix A-2 - OMB Bulletin No. 98-08, Audit Requirements for Federal Financial Statements
       Appendix A-3 - OMB Circular A-l 30, Section 3 Automated                            Information Security Programs
       Appendix A-4 - Federal Financial Management Improvement Act of 1996
       Appendix B - Financial Management Systems Compliance Review Elements                                      .
       Appendix C - Core Financial Systems Functional Requirements
       Appendix D -Assessment Summary Example
       Appendix E - Glossary
,
 Introduction                                                  ,
Background,                                                                                           i&
The Office of M,anagement and Budget (OMB) issues policy guidance in the form of circulars and        e
bulletins on financial management systems policies based on legislation and other requirements that   i
define what constitutes effective and efficient financial management systems in the Federal
govern,ment. Agencies are required under the Federal Managers’ Financial Integrity Act (FMFIA)        ’
Section 4 requirements and under the Federal Financja( ,Management lmprove,ment Act (FFMIA) to        I
assure that their systems meet this guidance and adhere to legislation and various circulars and
bulletins.
                                                                                                      L
                                                                                                      F
Agencies are required to conduct various financial management reviews under Federal government
policy, e.g. OMB Circular A-l 27, Financial Management System Requirements; OMB Circular
A-l 23, Fanagement Accountability and Control; and OMB Circular-A-I 30, Management of Federal
Information Resources. In addition, OMB Bulletin No. 98-08, Audit Requirements for Federal
Financial Statements, defines FFMIA audit requirements. Conducting financial management syste,m
reviews should be performed in a streamlined manner using resources in as effective and efficient
manner as practical to achieve the intended results, Chart A provides an overview of the elements
of these policies and their relationship to financial managementsystems  reviews.
                                                             I




                                 OMB Circular A-127
                                     Reviews
                            Financial Management Systems
                               Requirements (Section 7)
                                               FFMIA
                                             Compliance
                                              Reporting

                                         n   SGL
                                         p Fin Rpt Stnds
                                         n   Fin Systems Req




                                    ial Management Systems
                                Improvements (Section ,8)
                                                                          I.




                                               1
Financial Management          Systems Compliance          Review Guide


While the policy guidance mentioned above supplies a comprehensive set of directives, no
government-wide instructions are available that provide Federal agencies with implementation
guidance for use in deciding whether their financial management systems comply with legislation,
circulars and bulletins. However, while OMB establishes financial management systems policies,
others have major roles in the financial management compliance review process. For example, the
Joint Financial Management Improvement Program (JFMIP) publishes the Federal Financial
Management Systems Requirements (FFMSR); auditors review financial management systems under
FFMIA requirements; the Chief Financial Officers (CFO) Council and the, Chief Information Offjcers
Councils over see initiatives to improve systems and set appropriate standards; and the Government
Accounting Office (GAO) oversees the audit of the consolidated financial statements for the Federal
government which relies heavily on financial management systems;’Coordination of these various
groups is critical to the success for the financial management systems compliance review process.
                                                                           ;. :
Purpose                ,I’
This review guide is a tool to assist managers in determining whether financial management systems
comply with Federal requirements. This guide is intended’to be used by managers responsible for
financial management systems and individuals performing financial management systems reviews.
Such individuals include finance office staff and managers responsible for financial or mixed
systems. Mixed systems are referred to as feeder systems by some Federal agencies. The review of
mixed (feeder) systems covers the financial portions of the systems that originate or provide financial
data used in by agency management for decision making, financial reporting or being provided to
other financial systems for management or control purposes.

This review guide provides a set of steps to, assist Federal agencies in deciding whether their
financial management systems comply with FMFIA, FFMIA, and OMB Circular A-l 27. As such, the
guide is written to be understandable by both financial and non-financial program managers.
Agency staff from areas such as information technology should~work in partnership to address the
various aspects required in a financial management systems review.

The objectives of this guide are to:

1. Assist financial managers, program managers and reviewers of financial systems or mixed (feeder)
   systems in determining whether a system is a financial management system;

2. Help financial managers, program managers and reviewers of financial systems or mixed (feeder)
   systems to decide if their financial system is compliant with OMB Circular A-l 27 requirements
   (See Appendix A-l) and whether deficiencies identified should be reported by management
   under FMFIA and/or by auditors under FFMIA, once a system is determined to be a financial
   management system;                                                                  ..
       ._.      ,_ i
3. Provide guidance to financial managers, program managers and reviewers of financial systems or
   mixed (feeder) systems on how to conduct periodic reviews to ensure their financial
   management systems stay compliant; and;




                                                      2
                              Financial Management Systems Compliance Review Guide                    e


4. Assist auditors who must conduct reviews under FFMIA tounderstand .how financial managers,
   program managers and ‘reviewers of financial systems or mixed (feeder) systems evajuated their
   systems.
                                                                                                      j
This document supplements, but does not replace, policy information included in OMB Bulletin
98-08, which provides guidance .to auditors in conducting their work related to FFMIA (see
Appendix A-2). Further, this document isnot intended to,be an audit guide. However, this
document may be useful to auditors in understanding how financial managers, program managers
and reviewers of financial or mixed (feeder) systems assesstheir financial management systems.
                        ..,:
                          ^                               /           .’ .;,
Further, this guidance acknowledges that individual agencies may have unique financial
management needs that willneed to be incorporated-in a financial management system review.            i:r
Tailoring the application of the concepts in this document is acceptable in applying the approaches
recommended in this guide. Certain agencies may emphasize certain financial management systems
requirements that,support functions and processes which are key to supporting their mission.
Therefore, ‘financial management systems reviews will vary depending on the ne,edsof the agency.

Additionally, Appendix C of this guide incorporates the major mandatory functions for a Core
financial system. The detailed mandatory requirements that support these functions are contained
in JFMIP-SR-99-4 dated February 1999. As other financial system requirement documents in the
JFMIP Federal Financial Management System Requirements series are issued or updated,
appendices that’describe major mandatory functions based on these requirements will be
developed and incorporated into Appendix C.
Part, i: ~Financial Management                                 Systems,’ Review
Ptiess        .”
The financial management systems review process involves the following steps: (1) determining
which systems to review, (2) determining whether the systems comply with the requirements; (3)
reporting on the outcome of the reviews and .+I) planning to correct the problems identified. The
chart below provides an overview of the process:
                                        r.                                  .1
                              Financial Management Review Pro&
                                                       ,.     ,_                                                     .,
                                                          ,.:
        Step 1                 step 2                     step.3    .        :
                                                                                            Step 4
        Determining            Determining   Whether      Rep&ting    on
        Which     Systems,     Systems Comply with        Outcomes                        Correctvthe
        to Review            ; Requiretients            1 of the deviews                : P;obl&ms      Identified




                                                        ,, ,‘1                          :
                                                                                 -t-*   ’      (Eq
                                                                                        ’




                                                                        NO
                                                                                                         1
                               Financial Management         Systems Compliance         Review Guide      F


The fmancial management systems review process should support the partnership between
program, financial and information technology managers in establishing and maintaining systems for
financial management of programs. The partnership between program and financial managers                 LF
should result in financial management systems that ensure the integrity of information for                :
decision-making, measuring of performance, and financial reporting. This includes the ability to:

    ,* collect accurate, timely, complete, reliable, and,consistent information;
    l  provide for adequate agency management reporting;
    l  support government-wide and agency level policy decisions,            ;      ,:,
    l  support the preparation and execution of agency budgets;
    l  facilitate the preparation of financial statements, and other financial reports in accordance     i
       with Federal accounting and reporting standards; 1
    l  provide information to central, agencies for budgeting; analysis, and government-wide         ’
       reporting, includingconsolidated financial statements; and
                                                                                               ,!
    l  provide a complete audit trail to facilitate audits.             ’

In support of this objective, the program manager should establish and maintain their financial
management systems with standardized information and electronic data exchange, to support..
program delivery, safeguard assets, and manage taxpayer dollars.

These systems should be integrated and designed with effective and eff/cient interrelationships
between software, hardware, personnel, procedures, controls, and data contained within the
systems JFMIP Core Financial System Requirements, February 1999, pg. 3). For that to happen,
these systems should have:

  i. standard data classifications (definition and formats) established and used for recording
  financial events;

   ii. common processes used for processing similar kinds of transactions;

  iii. internal controls over data entry, transaction processing, and reporting applied consistently;
  and

  iv. a system design that eliminates unnecessary duplication of transaction entry.

Each step is of the financial management review process is described below.




The scope of a financial management system review is limited to an agency’s financial management
systems defined as the “financial systems and the financial portions of mixed systems necessary to
support financial management.” A system should be classified as a financial management system if it
is used for any of the following (OMB Circular A-l 27, July 23, 1993, Section 5: Definitions):



                                               5

                                                                                                         I-
Financial Management Systems Compliance                      Review Guide


       . collecting, processing, maintaining, transmitting, and reporting data about financial events;
       l supporting financial planning or budgeting activities;
       l accumulating and reporting cost information; or
       l supporting the preparation of financial statements.

Certain .information systems may support both financial and non-financial functions. An example is
a system that supports grants processing that results in approval of funding. Such systems are called
“mixed systems” and, for purposes of OMB Circular A-l 27, managers must ensure that the financial
functions and processes of these systemscomply with all applicable factors in OMB Circular A-l 27
and, FFMIA.

A system is considered a “non-financial system” when it supports non-financial functions and any
financial data included in the system are, insignificant to the agency financial management and/or
not required for the preparation of financial statements. Non-financial systems are not subject to
financial management system reviews.


Step 2 - Determining Wh‘ether the Systems Comply with the Requirements

The second step is to determine whether the financial system. is in compliance with Federal financial
systems requirements established under OMB Circular A-l 27. The principal criteria for a financial
management systems review are defined by the 12 requirements in Section 7 of OMB Circular
A-l 27 (see Appendix A-l).

The compliance requirements of FFMIA, FMFIA, and Circular A-l 27 are highlighted in Part II,
“Criteria for Financial Management Systems Compliance,” including the relationship among:

   l Financial Management Systems Compliance Review Guide,
   l OMB Circular A-127 Section 7,
   9 OMB Circular A-l 30, FFMIA,
   l FMFIA Section 4 (Circular A-l 23).

Appendix B: Financial Management Systems Compliance Review Elements, and Appendix C: Core
Financial Systems Functional Requirements in this guide provide the basis upon which agencies
should develop detailed system compliance reviews. The elements in Appendix B are
comprehensive, but an agency may wish to augment the elements and compliance indicators to
address unique agency needs. Appendix C contains the major mandatory functions that should be
reviewed as part of the compliance review (see Part II, Table A, “G. Functional Requirements”).
The detailed mandatory requirements that support these functions are contained in JFMIP-SR-99-4
dated February 1999. Appendix C will be expanded to incorporate the major functions of other
system requirements documents in the JFMIP Federal Financial Management System Requirements
series as they are issued or updated.




                                                         6
                                 Financial Management         Systems Compliance          Review Guide     i


The process to determine compliance should be as follows:

I. Conduqt the Financial Management Systems Review - Conduct a system compliance review to
   determine whether the system meets all 12 factors in Circular A-l 27. If a system meets all 12
       factorsthat areapplicable,thenthe systemis compliant.For mixed systems,.some
       financial/accountingfactorsmay not be applicable.If the systemis determinedto not complywith
       oneor moreof the factors,thenthe systemis consideredto be no&compliant.

   The findings concerning the financial management system identified through the audit of an
   agency’s financial statements should be considered in performing a financial management system
   review. GAO and the Office of Inspector General (OIC) may identify weaknesses and material
   nonconformances in conducting their respective financial system audits that must be addressed           L
   by an agency. It is important to include the’ review of the:audit and inspection findings when an       ‘-
   agency conducts a compliance’review. Uncorrected weaknesses,’ planned corrective actions, and
   the status of each action, should be considered in performing financial management systems              k
                                                                                                           L
   reviews. Agencies may elect to rely on OIC financial management system audits or other review
   analyses of financial management systems where such analyses apply to compliance:review
   elements in Appendix B.

   It is recommended that an assessment summary detailing the resultsof the system review be
   prepared to document that the system is’compliant with’circular A-127 require’ments,’ the scope
   of the review conducted, and the findings of’the review. The assessment summary should be
   supported by appropriate analyses and other documentation, that may be made available to
   external auditors substantiating a system’s compliance or non-compliance with Federal
   requirements.

   When an <outsideservice provider is used to support a financial function, assurance should be
   obtained from the service, provider that the system(s) is in compliance with required financial
   management systems requirements. If adequate assurance cannot be obtained for all or part of
   the systems supporting the financial functions, then the department/agency should ensure that
   additional controls are in place to ensure full compliance .with appropriate financial management
   systems requirements.

2. Assess Whether the Financial Management System Non-compliance is Substantial - A
   non-compliant system requires further analysis to decide if the deficiency that caused the
   non-compliance results in the system being “substantially non- compliant” with OMB Circular
   A-l 27. If a system’s non-compliance is not considered substantial and therefore must be
   reported as a systems “non-conformance” under FMFIA, then the system should be considered
   compliant with OMB Circular A-l 27. requirements and appropriate analysis should be
   documented and maintained supporting this conclusion.
                     ,, ., .,/ .,      a_.__
                                          ,).. ,.  ,.“.(.ii.,,>
                                                       .,C.”,\I,~‘:’ ,I‘,;,;; ‘II . ! I-” 3: i’ , !j’ ‘j
  “The assessment of whether the system is substantially non-compliant may be based on factors
   such as:

   l     causes material misstatements of financial information for financial reporting or agency
         decision-making,


                                                 7
 Financial Management             Systems Compliance           Review Guide


        . internal controls are not adequate to ensure the collection of information properly reflects the
          financial events of the Federal government and follow government reporting requirements;
        l merits the attention of the agency head/senior management, the Executive Office of the
          President, or the relevant congressional oversight committee;
        l prevents the primary agency financial system from achieving adequate control over agency
          financial transactions and, resource balances; or
        l prevents conformance of financial system with (1) financial information standards and/or (2)
          financial system function standards.

   In the financial management system reviews, particular attention should be directed toward an
   assessment of whether the system complies substantially with Federal financial management
   systems requirements, applicable Federal accounting standards, and/or the United States
   Government Standard General Ledger (SGL) at the Transaction Level. See Appendix A-4 for the
   FFMIA requirements.

3. Deterqine If Substantial Non-compliance Should be Reported under FMFIA’Section 4
   Requirements - For systems determined to be substantially non-compliant, the agency should
   also determine whether the system is required to be reported under FMFIA Section 4 as a
   systems “non-conformance”. Reporting under FMFIA Section 4 is required if the,agency head
   determines that the system’s non-compliance is significant enough to be reported outside the
   agency as a material financial management system non-conformance. Criteria that may be used
   in making such a determination would include:

    l       Is the deficiency serious enough to affect compliance with the Government Management and
            Reform Act (GMRA).
    l       The deficiency would cause a material adverse impact to the agency in terms of program
            efficiency and effectiveness, financial condition, compliance with,laws and regulations, or
            protections of government assets,
    l       The deficiency is so serious as to warrant the attention of the President, Congress, and OMB.

   For consistency in reporting, it is hoped that the OIG would use similar criteria in determining
   whether a non-compliance is considered substantial and should be reported as part of their
   assessments of compliance under FFMIA. Also, agencies’ OlGs may consider using agency
   financial management systems review analyses, as appropriate, to support their assessmentsof
   compliance under FFMIA.


Step 3 - Reportingon the Outcomes of the Reviews

Upon the completion.of a financial management systems review, a summary of the results should
be prepared. This summary of review results states whether the system is or is not in substantial
compliance with financial systems requirements. If the system is in substantial’compliance, then the
summary should be held on file to support the assessment conclusions for use in future systems
reviews and by auditors. An example of a financial management system assessment summary is
provided in Appendix D.


                                                           8
                               Financial Management Systems Compliance                Review Guide


Systems that are substantially non-compliant with OMB Circular A-1 27 generally should be reported
in an agency’s FMFIA assurance statement. In addition, agencies are required to report on systems
identified by audit officials that are substantially non-compliant under FFMIA when the systems do
not comply with: (1) the U.S. SCL at the transactton level; (2) Federal accounting standards; or (3)
Federal financial management systems requirements. Further, systems that are determined by the
auditors not to meet FFMIA requirements should be reported in the annual budget submission to            1
OMB in Circular A-l 1 along with appropriate remediation plans. The effect of substantial financial
systems non-compliance under FFMIA on an agency’s financial operations should also be disclosed
in an agency’s financial statements which are distributed to OMB and Congress.            .,

If, based..on the results of the review, the agency official is unable to provide reasonable assurance
that a system complies in all areas, conditional assessment may be provided identifying the‘areas        i
where reasonable assurance cannot be provided. An explanation of the identified weaknesses and
the actions required for correction (including timeframe, if known) should be included.


Step 4 - Planning to Correct the Problems

If the agency determines that a system is substantially non-compliant and must be reported under
FMFIA Section 4 requirements as a system non-conformance, a corrective action plan should be
put in place. The plan should include a discussion of the correction efforts needed in sufficient
detail that managers can understand the nature of the issues and the result desired when the
corrections are completed. A corrective action plan should cover the resources, the remedies and
target dates to resolve the identified issues:

   Resources - Estimated costs to be incurred to make the system substantially compliant:

  Remedies - Specific steps/tasks necessary to fix the non-conforming system and responsible parties.

  Target Dates - .Target dates for completing the tasks identified in the plan.

Systems reported by an auditor as substantially non-compliant under FFMIA require an agency to
develop a separate remediation plan. The remediation plan should be developed in consultation
with OMB, and include the same level of detail as a corrective action plan with a description of
resources and milestones for achieving compliance. The Inspector General’s semi-annual report
should include an agency’s progress in achieving compliance as required by the IG act, as
amended.

Under FFMIA, the remediation plan shall “bring the agency’s financial management systems into
substantial compliance no later than 3 years after the date a determination [of non-compliance] was
made.” Specific waiver from this timeframe is permissible with agreement from OMB.

Timing of Financial Systems Reviews

Detailed systems reviews should be conducted for all major financial management systems to
provide an agency’s management the ability to provide assurance that the systems are in
  Financial Management Systems Compliance Review Guide

  compliance with Federal financial systems requirements. Financial management systems that are
  considered not significant to the financial management of the agency or where the dollar volume of
  the transactions do not result in the systems being considered material to the preparation of
  financial statements, may be exempted from financial management system review by ,the CFO of an
  agency.

   Financial management systems reviews should be conducted at intervals that provide agency heads
   adequate support for their Annual Assurance Statement covering FMFIA Section 4 requirements.
   However, assessments are most effective when reviews are conducted at least once every-five years
   or more frequently if (I) major changes have been implemented that would substantially affect the
   qper$ions. of the system, (2) there are management concerns over the integrity of the system<or the
   data in the system, or (3) where the importance of .the systems requires management tp provide                               -
‘. external. assurance on the compliance of the systems to .[ederal Financial Systems Requirements on
   a more frequent basis. In addition, an independent review or audit. of thens&%rity controls in each
   application is required by OMB Circular A-l 30 at least every three years.

  On-Going Monitoring

  The system’s program manager is responsible for making sure deficiencies are corrected according
  to plan and working with GAO and the OIC on their reviews. Periodic reviews should be conducted on
  systems’to ensure.they continue to comply with FMFIA, FFMIA, and OMB Circular A-l 27.          :

 Tools for Performing an FFMIA, Compliance Review

 Currently, methods used by agencies vary from in depth reviews that utilize custom designed guides
 to the use of external auditors and consultants who develop their own evaluation criteria. This guide
 is intended to supplement these tools and to provide additional capabilities where tools are not
 available.

 Tools available to agencies to assist Fhem in conducting internal financial management systems
 compliance reviews include:

     l   Existing review guides developed by agencies, which can be shared and tailored to meet
         agency specific needs.
     l   Use of this guide or other authoritative guidance such as OMB Bulletin 98-08 and related
         Circulars (i.e. A-l 23, A-l 27, A-l 30).         “_.’
     l   The JFMIP core financial management system certification test.
     l   Checklists that incorporate current financial system requirements as published by JFMIP in the
         Federal Financial Management System Requirements series (e.g. JFMIP-SR-99-4)‘.                    I
                                                                                              ,’
                  -, I .‘.
                ..,.I      .      :., _ .._:,-
                                           _,,,, _‘-I: ‘.  ..,. . . ,. ._.‘_(
                                                                          ,: ,:, ‘. I. -...>
                                                                                        .._.,~,.~./. ./,./

          1     Checklists con,tainingall the requirementsof each of the JFMIPsystcm requirementsdocuments     are available
               from GAO. As JFMIP updatesexistingsystem      documents (or issues new ones), GAO publishesa    related
               checklist document. These checklists can be obtained in hard copy by rolling (202) 512-6OOOor    are available
               on the internet on.GAO’s home page (www.gao.gov).




                                                                    IO
                             Financial Management Systems Compliance              Review Guide


Given that the JFMIP core financial management system test was designed specifically for the
purpose’of assessinga software package’s ability to comply with core requirements (see
JFMIP-SR-99-4). Accordingly, documenting the successful compl,etion of the test on an
implemented system would be objective evidence that a core financial system is in compliance with
the Federal financial management systems requirements of FFMIA. The test is currently available on
the Internet at http://www.financenet.gov/ financenet/fed/jfmip/pmo.htmz for use by program and
financial managers and the oversight community. It contains a test plan, test cases (scenarios),
assumptions that were made and the expected test results.
 Part II: Criteria for Financial                               Management
 Systems Cotipliance
The criteria for performing financial management systems reviews included in this guide is intended
to enable Federal agencies to meet the requirements of the FFMIA, the FMFIA, and OMB Circular
A-l 27.

Compliance Requirements:

Federal Financial Management improvement            (FM/A)

All financial management systems within the agency determined to be either financial or mixed,
must comply with:

    lFederal financial management systems requirements
   . Applicable Federal accounting standards
   l U.S. SCL at the transaction level

For purposes of review:

   Exclude systems under development unless the agency reported them in their financial/mixed
   systems inventory to OMB

   Include systems developed in-house and systems or services supplied by outside vendors in
   support of agency functions

Financial management system compliance is based on the requirements outlined in Section 7 B
Financial Management System Requirements in OMB Circular A-l 27, and in the FMFIA. The
relationship of such reviews to the compliance requirements above is included in Table A .


Federal Managers’ Financial Integrity Act (Section 4 reviews (FMFIA))

Section 4. Section 118(b) of the Accounting and Auditing Act of 1950 (31 U.S.C. 661 (b)), states that
“each annual statement prepared pursuant to subsection (d) of this section shall include a separate
report on whether the agency’s accounting system conforms to the principles, standards, and
related requirements prescribed by the Comptroller General under section 112^of the Integrity Act.”


Circular A- 72 7 Reviews           ’

Each agency shall ensure appropriate reviews are conducted of its financial management systems.
The results of these reviews shall be considered when developing financial management systems
plans. OMB encourages agencies to coordinate and, where appropriate, combine required reviews.


                                                     12
                              Firiancial Management Systems Compliance Review Guide

Reviews must comply with policies for (1) reviews of internal controls undertaken and reported on
in accordance with the guidance issued by OMB for compliance with the requirements of the
FMFIA and Circular A-l 23, (2) reviews of conformance of financial management systems with the
principles, standards and related requirements in Section 7 of A-l 27 undertaken in accordance with
the guidance issued by OMB for compliance with requirements of the FMFIA, and (3) reviews of
systems and security as required under provisions of Circular A-l 30.

The relationships of these reviews are presented in Table A.
                                  Table for Comparing Financial Management Systems Compliance Guidance,
                                                   OMB Circular A-127 Regulations Sectioq 7,
                                OMB Circular A-130, FFMIA, FMFIA Section 4 (OMB Circular A-123 Requirements)

    Financial i&&ement
 Systems Compliann!    Rev&                                     OMB Policy Requirements                                              External Reporthtg     Requirements
             Criteria

                                                  OMB Circular A-l 27                                                                                            (OMB Circular     A-l 23)
(See Appendix       B for Details)                                                   OMB Circular      A-l 30                   FFMJA
                                                     Regulations                                                                                                          FMFIA
                                                      Section 7                                                                                                          Section 4
                                                                                                                I
A. Comparability         and               A. Agency-wide     Financial
Consistency                                Information    Classification        I                               I
                                           Structure
                                                                                                                                                          B. Integrating financial systems
B. Efficiency     and Economy              B. Integrated      Financial
                                                                                                                                                          and eliminating   duplication
                                           Management         Systems

C. Application      of the SC1 at          C. Application   of the U.S.         I                               I C. Government      Standard
the transaction      level                 Government     Standard General      1                               1 General ledger (SGL) at the
                                           ledger at the Transaction    level   1                               I transaction  level
                                                                                                                                                          D. Consistency with accounting
D. Financial      Data                     D. Federal Accounting                                                    D. Applicable Federal
                                                                                                                                                          principles and standards
                                           Standards                                                                accounting standards
                                                                                                                                                          E. Financial   information
E. Financial     Reporting                 E. Financial     Reporting
                                                                                                                                                          F. Budget formulation        and
F. Support for Budgeting             and   F. Budget      Reporting
                                                                                                                                                          execution
Performance   Reporting

C. Functional      Requirements            G. Functional      Requirements      1                               I G. Federal financial
                                                                                I                               1 management     systems
                                                                                                                  requirements
                                                                                    H. Computer security
H. Computer        Security    Act         H. Computer        Security    Act
                                                                                    (Controls for Major
Requirements                               Requirements
                                                                                    Applications)
                                                                                    I. Application   Security
I. Documentation                           I. Documentation
                                                                                    Plan

J. Systems Integrity                       J. Internal    Controls
                                                                                I J. Review of
                                                                                  Application
                                                                                1 Authorized
                                                                                               Controls &
                                                                                               processing       1
                                                                                                                                                          J. Internal controls /
                                                                                                                                                          accountability   for agency assets


FL Training     and User Support           R. Training     and User Support         K Specialized    Training

1. Maintenance                             1. Maintenance
                                                                                1                               I
                             Financial Management         Systems Compliance Revkw Guide


Appendix            A - 1: References’                                  ,I          I
OMB Circular A-727, Section 7 Financial Management                                      Sy@em
Requirements
7. Financial Management System Requirements. Agency financial management systems shall
  comply with the following requirements:

     a. Agency-wide Financial lnformatiqn, Classification Structure. ,The design of the.financial
     management systems shall reflect ,an agent -wide financial information classification
     structure that is consistent with the U. S. S2 L,.provides for tracking of specrfrc program
     expenditures, and covers financial and financially related informatron. This structure will
     minimize data redundancy, ensure th,at consistent informat/on is collected for similar
     transactions throughout the agency, encourage consistent formats.for entering data directly
     into the financial management systems, and ensure that consistent information is readily
     available and provided to internal managers at all levels within the organization. Financial
     management systems’ designs shall support agency budget, accountin and financial
     management reporting processes by rovidin consistent information f or budget formulation,
     budget execution, programmatic ancf.frnancra   4 management, performance measurement and
     financial statement preparation.

     b. Integrated Financial Management S stems. Financial mana ementsystems shall be
     designed to, provide for effective and ef fytcient interrelationships %etween software, hardware,
     personnel, rocedures, controls, and data contained within the systems. In doing so, they
     shall have t Re following characteristics:
            - Common Data Elements. Standard data classifications (definitions and formats)
            shall. be established and used for recording financial events. Common data elements
            shall be used to meet reporting requirements and, to the extent possible, used
            throughout the agency for collection, storage and retrieval of financial information.
            Government-wide information standards (e.g., the U. S. SCL) and other external.
            reporting requirements shall be incorporated into the agency’s standard data
            classification requirements.
             - Common TransactionProcessing.Commonprocessesshallbe usedfor processing
            similar kinds of transactionsthroughoutthe systemto enablethesetransactionsto be
            reportedin a consistentmanner.
            - Consistent Internal Controls. Internal controls over data entry,. transaction
            processing and reporting shall be applied consistently throughout the system to
            ensure the validity of information and protection of Federal government resources.
            - Efficient Transaction Entry. Financial system designs shall eliminate unnecessary
            duplication of transaction entry. Wherever appropriate, data needed by the systems
            to support ‘financial ‘functions shall beentered Z-ily’once and othei+arts of the system
            shall be updated through electronic means consistent with the timing requirements of
            normal business/transaction cycles.




                                            A-l
Financial Management       Systems Compliance ,Review Guide

     c. Application of the U. S. SC1 at the Transaction kvel. Financial events shall, be recorded
     by agencies throughout the financial management system applying the requirements of the
     U.S. SGL at the transaction level. Application of the SCL at the transaction level means that
     the financial management s stems will process transactions following the definitions and
     defined uses of the general Yedger accounts as described in the SCL. Compliance with this
     standard requires:

     - Data in Financial Reports Consistent with.the SCL. Reports produced by the systems that
     provide financial information, whether used internally or externally, shall provide financial
     data that can be traced directly to the SCL accounts.         ”

     --Transactions Recorded Consistent with SGL Rules. The criteria (e.g., timing, processin
     rules/conditions) for recording financial events in all financial mana ement systems shall Ee
     consistent with accounting transaction definitionsand processing ruEies defined’,in
                                                                                ~        the SGL.

     2 Supportin Transaction Detail for SCL Accounts Readily Available. Transaction detail
     supporting S8 L accounts shall be available.in the financial,management systems and directly
     traceable to specific SCL account codes.                         ‘..
                                                                              .,    7.
     Agencies may supplement their application of the SCL to meet a ency specific information
     requirements in accordance with guidance provided in the U.S. !zCL supplement to the
     Treasury Financial Manual.
     d. Federal Accounting Standards. Agency financial management systems shall maintain
     accountin data to permit reporting in accordance with accounting standards recommended
     by the Fecferal Accounting Standards Advisory Board (FASAB) and issued by the Director of
     OMB, and reporting requirements issued by the Director of OMB and/or the Secretary of the
     Treasury. Where no accounting standards have been recommended by FASAB and.issued by
     the Director of OMB, the s stems shall maintain data in accordance with the applicable
     accounting standards used ii y the agent for preparation of its financial statements. Agency
     financial. management systems shall be cresigned flexibly to adapt to changes in accounting
     standards.                                                                 :/

    e. Financial ,ReportinQ The agency financial, management system shall meet the following
    agency reporting requrrements:

    -A     ency Financial Mana ement Reporting. The agency financial management system shall
    be a%le to provide financia 7 information in a timely and useful fashion to (1) su port
    management’s fiduciary role; (2) support the legal, regulatory and other specia Pmanagement
    requirements of the agency; (3) support budget formulation and execution functions; (4)
    support fiscal management of program delivery and pro ram decision making, (5) comply
    with Internal and external reporting requirements, inclu 8 ing, as necessary, the requirements
    for financial statements prepared in accordance with the form and content rescnbed by

    management system to ensure the integrity of 7.rnancraldr ata.
                                                                                 R
    OMB and reporting requirements prescribed b Treasur * and (6) monitor t e financial


    Y Performance Measures. Agency financial management systemsshall be able to capture
    ‘and ‘produce~financial ‘i$o,rm,ation’ requiiedjo ,me~asu@prog~~,r;ll.p~;fo;r~~~~, financial
     performance, and financial management performance as needed to sup ort budgeting,
     program management and financial statement presentation. As new pe rpormance measures
    are established, agencies shall incorporate the necessary information and reporting
    requirements, as appropriate and feasible, into their financial management systems.




                                                  A-2
                             Financial Management Systems Compliance                 Review Guide       r

     f. Budget Reporting. Agency financial mana ement systems shall enable th,e agency to               ~
     prepare, execute and report on the agent ‘s,% udget in accordance with the requirements of
     OMB Circular No. A-l 1(Preparation and J ubmissron of Budget Estimates), OMB Circular No.          i
     A-34 (Instructions on Budget Execution) and other circulars G-rd bulletins-&red ,by the OMB.

     g. Functibnal Requirements. Agency financial management systems shall conform to
     existing applicable functional requirements for the design, development, operation, and
     maintenance of financial management systems. Functional .re uirements are defined in a
     series of publications entitled Federal Financial Management 9 ystems Requirements issued
     by the JFMIP. Additional functional requirements may be established through OMB circulars
     and bulletins and the Treasury Financial Manual..Agencies are ex ected to tm lement
     expeditiously new functional requirements as they are establishe 8 and/or ma cpe effective.

     hi Cbmputer Secuiity’Act Requirements. Agencies shall plan for and
     incorporate security controls in accordance with the Computer Security Act of     ‘,
     1987 and Circular A-l 30 for those financial management syste’ms that contain “sensitive
     information” as defined by the Computer Security Act.


                                                          r
     i. Documentation. Agency financial management s stems and processing instructions shall
     be clearly documented in hard co y or electronical y in accordance with (a) the
     requirements contained in the Fecreral Financial Management Systems Requirements
     documents published by JFMIP or (b) other applicable requirements. All documentation
     (software, system, operations, user manuals, operatin procedures, etc.) shall be kept
     up-to-date and be readily available for examination. 9ystem user documentation shall be in
     sufficient, detail to permit a person, knowledgeable of the agency’s programs and of systems
     generally, to obtain a comprehensive understanding of the entire operation of each system.
     Technical systems documentation such as requirements documents, systems specifications
     and operating instructions shall be adequate to enable technical personnel to,operate the
     system in an effective and efficient manner.

    j. Internal Controls. The financial management s stems shall include a s stem of internal
    controls that ensure resource use is consistent wit tl laws, regulations, ancypolicies; resources
    are safe uarded against waste, loss, and misuse; and reliable data are obtained, maintained,
    and discqosed in reports. Appropriate internal controls shall be applied to all system inputs,
    processing, and outputs. Such system related controls form a portron .of the management
    control structure required by Circular A-l 23.

     k. Training and User Su port. Adequate training and appropriate user support shall be
     provided to the users oft R e financial management s stems, based on the level, responsibility
     and roles of individual users, to enable the users of trl e systems at all levels to understand,
     operate and maintain the system.
    I. Maintenance. On-going maintenance of the financial management systems shall be
       erformed to enable the systems to continue to operate in an effective and efficient manner.
    f! he agency shall periodically evaluate how effective1 and efficiently the financial
    management systems support the agency’s changing il usiness practices and make
    appropriate modifications.
;. <., %,~, .;              :::t;              k _I,,:          ‘. (” _j,     i.,“”       “- :“./ i:.




                                           A-3
 Financial Management Systems Compliance                  Review Guide


 Appendix              A - 2: References
 OMB Bulletin No. 98-08, Audit Requirements                               foi Federal
 Financial Statements
                                                                                                         /i
 Relationship to Section 4 of FMFIA (the integrity Act)                                                  i



There is a close, if not overlapping, relationship between FFMIA and the FMFIA. Since the acronyms
are similar, this guidance refers to FMFIA as the Integrity Act. The Integrity Act requires that, the
agency head, on an annual basis no later than December 31’, ‘prov’ide an assurance statement with
respect to agency management controls (Section 2) and agency compliance with financial                   I:
                                                                                                         I-.
management system requirements (Section 4). For the most part, in many agencies,, the Integrity Act      i.
statement of assurance for Section 4 provides management’s assertion of compliance with section
803(a) of FFMIA.

Section 803, Implementation of FFMIA

Section 803 (a), cited above, states: “In General - Each agency shall implement and maintain
financial management systems that comply substantially with Federal financial management systems
requirements, applicable Federal accounting standards, and the U.S. SGL at the transaction level.”

This’section of the guidance more fully describes (1) Federal financial management systems
 req.uirements; (2) applicable Federal accounting standards; and (3) the SGL at the transaction level.
 In each section, information is provided on substantial compliance and types of indicators to be
used in assessingtihether an agency is in substantial compli,ance. The criteria are broad and
flexible; yet, they provide a practical basis for measuring achievement in complying with the FFMIA
requirements.

(1) Federal Financial Management Systems Requirements

Circular A-l 27 prescribes policies and standards for agencies to follow in developing, operating,
evaluating, and reporting on financial management systems. In addition, Circular A-l 27 also
incorporates by reference: Circular A-l 23, “Management Accountability and Control;” Circular
A-l 30, “Management of Federal Information Resources;” other operating policies and related
requirements prescribed by OMB; and Federal Financial Management Systems Requirements issued
by JFMIP.

The financial management systems subject to the requirements of FFMIA are included in the
inventory of financial management systems subject to the requirements of Section 4 of the Integrity
Act.

Compliance with the financial management systems requjrements of FFMIA applies to al\ financial
management systems essential to meeting financial statement preparation and budgetary reporting
requirements.

An agency of the Federal government is considered to be in substantial compliance with financial
management system requirements if:




                                                     A-4
                                                  Financial Management                   Systems Compliance                  Review Guide

            l     Financial management systems meet Circular A-l 27 requirements which, for purposes of
                  complying with this Act, call for systems to: support management’s fiduciary role; support the
                  legal, regulatory, and other special management requirements of the agency; support the
                  budget execution functions; support fiscal management of program delivery and program
                  decision-making; comply with internal ,and external reporting requirements, including, as
                  necessary, the requirement for financial statements prepared in accordance with the form and
                  content prescribed by OMB and reporting requirements prescribed by Treasury; and be
                  monitored by agency staff to ensure the integrity of financial ‘data. This is accomplished
                  through a unified set of systems comprised of financial systems and- financial portions of mixed
                  systems. These systems may or may not be operated by the CFO’s office.

        l         Financial management systems follow requirkments published in JFMIP’s Federal Financial
                  Management System ,Requirements seiies which prescribe’the functions that must be
                  performed by systems to.ctipture informatidn for financial statement preparation.’
        l         Compensating procedures are applied to financial management information produced by
                  third parties, such as service bureaus, when it is determined that‘sjlstems used by third parties
                  to provide those services do not comply with the provjsions of the FFMIA.

        l         Security over financial itifdrmation is provided in accordance with Circular A-l 30, Appendix 3.

        l        :Internal controls over finaricial management systems are designed properly and operating
                  ‘effectively. Internal controls are described in OMB Bulletin 98-08. It is not expected that the
                 scope of the auditor’s work in this area would extend beyond the requirements of the
                 .:Bulletin.

Indicators:

    l            Annual assurance statement issued pursuant to’ the Section 4 Integrity Act report does not
                 reflect any material non-conformance related to financial management systems covered by
                 FFMIA.

    l            Audit procedures performed for the purpose of obtaining evidence in support of the auditor’s
                 opinion on the financial statements did not disclose material weaknesses or noncompliance
                 with legal or regulatory requirements of the agency.3

    l            Standard budget execution information is provided on a timely basis to OMB and Treasury in
                 the manner requested and is consistent with budget execution information used internally
                 within the agency.

    l            Agency senior management and program managers have access to timely financial
                 information on the status of funds (commitments, reservation and obligations) by operating
                 units and programs that allows analysis of data for decision-making.


3               In very limited circumstances, reportable conditions that significantly impair an entity’s ability to meet Federal
                financial management systems requirements (such as reportable conditions related to computer security over
                financial information covered by OMB Circular A-l 30, Appendix 3) may represent conditions reportable under
                FFMIA.




                                                                       A-5
 Financial Management                      Systems Compliance                  Review Guide



          l    Funds control decisions are based on information provided from the agency’s financial
               management systems.
                                                                                                                                        k
          l   The agency core financial system, subported by, other systems containing the detailed data                                F
                                                                                                                                        t
              summarized in the core,financial system, is the source of information used in the preparation                             I’.’
                                                                                                                                        I-
              of the annual financia! statemenp and other internal and external reporting requirements.
              Detailed information contained In these other systems also may be used as the source                                      I
              information for reporting where >ummarized information contained in the agency core system                                I
              does not provide the details necessary to meet reporting requirements.           -’                                       /
                                                                                                                                        I
      l       The agency has a management control program that identifies,and reports deficiencies in
              financial,management systems, including deficiencies resulting in a .lack of substantial
              compliance with the three requirements of FFMIA, and ensures such deficiencies are
              corrected.
(2) Federal Accoufiting Standards.                      ,

An agency of the Federal Covertiment will be considered in substantial compliance with Federal
accounting standards if the agency prepares audited financial statements in accordance with the
hierarchy of Federal accounting standards included in paragraph 5 of OMB Bulletin 98-08.
Substantial compliavce does not require all transactions to be in full compliance with Federal
accounting stand,ards at the point of original entry, but that financial information used in the
preparation of financial statements, based on such transactions, is adequately supported by detailed
financial records (automated or manual).

Indicators:

  l           An unqualified opinion on the agency’s financial statements. For a qualified opinion, a review
              of the underlying reasons for the qualified opinion is needed to determine whether or not the
              agency
                  ._e_is. in substantial
                             . .         compliance with this requirement. In limited circumstances, a
              qualitied opinion on the agency’s financial statements may indicate substantial compliance
              with this requirement when it is solely due to reasons other than the agency’s ability to
              prepare auditable financial statements. Further, a disclaimer of opinion may not indicate that
              there is a lack of substantial compliance with this requirement when it results from a material
              uncertainty, such as resolution of litigation or projecting future economic events.

The audit disclosed no material weaknesses in internal controls that affect the agency’s ability to
prepare auditable financial statements and related disclosures.4
(3) SGL at the Transaction Level

Implementing the SCL at the transaction level requires that the Core Fiqancial System General
Ledger Management Function is in full compliance with the SCL chart of accounts descriptipns and


               4   In very limited circumstances, reportable conditions that significantly impair an entity’s ability to meet Federal
                   financial management systems requirements (such as reportable conditions related to computer security over
                   financial information covered by OMB Circular A-l 30, Appendix 3) may represent conditions reportable under
                   FFMIA.




                                                                          A-6
                               Financial Management Systems Compliance Review Guide


posting rules; transactions from feeder systems are summarized and fed into the Core Financial
System’s General Ledger following SGL requirements through an interface (automated or manual);
detail supporting the interface transactions can be traced back to the source transactions in the
feeder systems; and the feeder systems process transactions consistent with SCL account
descriptions and posting.

An agency of the Federal government will be considered in substantial compliance with the SCL at
the transaction level requirement if the agency’s classification of financial events for its financial
statements and required financial information provided to the Department of the Treasury and
OMB is consistent with the account descriptions and posting rules as approved by the SGL Board
and published by the Treasury Department’s Financial Management Service in the Treasury
Financial Manual.

indicators:

      The agency’s core financial system uses the SGL number to capture financial information, or
      the agency uses analternative code (pseudo-code) following the same account descriptions
      and posting rules that are used by the SCL to capture financial information, and the
      information can be appropriately matched to SCL codes for reporting to OMB or Treasury
      and for preparing financial statements. The use of the SGL code in the feeder system is not’
      necessary as long as the code definitions used to capture information are consistent with the
      SCL definitions.

  l   Systems must capture information using the same descriptions and posting rules as in the SGL.
      Detailed information captured in feeder systems can be summarized in the core financial
      system; however, information shall be captured and summarized so that it follows the SGL
      descriptions and posting rules and is captured at the level necessary to meet OMB or Treasury
      reporting requirements and for preparing financial statements.

      Transactions can be traced back to the source/point-of-entry in the feeder systems and to
      supporting information.
Audit Considerations

Based on the fore oing, the auditor shall use professional judgment in determining substantial
compliance with t‘f,e systems requirements of FFMIA. However, lack of substantial compliance with
the requirementi in any one or more of the three areas included in FFMIA - Federal financial
management system requirements, Federal accounting standards, and the SCL - would result in
lack of substantial compliance with FFMIA.

 Further, a lack of substantial compliance with any one or more of the indicators described herein
would typically result in a lack of substantial compliance with one or more of the three areas
described above and, thus, a lack of substantial compliance with the systems requirements of
 FFMIA. Judgment shall be used in determining a lack of substantial comp!iance.vvith a,n indicator.
‘For’instance;if,an auditor”finds that a”few budget execution reports Were subnii&dlate to OMB
and contained minor inaccuracies, this may not result in a lack of substantial compliance with the
indicator regarding standard budget execution information.




                                              A-7
  Financial Management Systems Compliance Review Guide


  Appendix A - 3: References
  OMB Circular A- 730, Section 3 Automa ted Information                                                   Security
  Programs
  Automated Information Security Programs. Agencies shall implement and maintain a program to
  assure that adequate security is provided for all agency information-collected, processed,
  transmitted, stored, or disseminated in general support systems ,and major tipplications.
                                                               ” ,                           .,
  Each agency’s program shall implement policies, standards and procedures which are consistent
I with government-wide policies, standards, and procedures issued by OMB, the Department of
  Commerce, the General Services Administration and the Office of Personnel Management (OPM).
  Different or more stringent requirements for securing national security information should be
  incorporated into agency programs as required by appropriatenational security directives. At a
  minimum, agency programs shall include the following controlsin their general support systems and
  major applications:      .

     aControls     for general support systems.
          1) Assign Responsibility for Security. Assign responsibility for security in each system to an
          individual knowledgeable in the information technology used in the system and in providing
          security for such technology.
          2) System Security Plan. Plan for adequate security of each general support system as part of
          the organization’s information resources management (IRM) planning process. The security
          plan shall be consistent with guidance issued by the National Institute of Standards and
          Technology (NIST). Independent advice and comment on the security plan shall be solicited
          prior to the plan’s implemqntation. A summary of the security pla,ns.shall be incorporated
          into the strategic IRM plan required by the Paperwork Reduction Act (44 U.S.C. Chapter 3.5)
          and Section 8(b) of this circular. Security plans shall include:
            a) Rules of the System. Establish a set of rules of behavior concerning use of, security in,
            and the acceptable level of risk for, the system. The rules shall be based on the needs of
            the various users of. the system. The security required by the rules shall be only as
            stringent as necessary to provide adequate security for information in the system. Such
            rules shall clearly delineate res onsibilities and expected behavior of’all individuals with
            access to the system. They shaPI also include appropriate limits on interconnections to
            other systems and shall define service provision and restoration priorities. Finally, they
            shall be clear about the consequences of behavior not consistent with the rules.
            b) Training. Ensure that all individuals are appropriately trained in how to fulfill their
            security resppnsibilities before allow.i.ngthem access to the.s .stem,. Such.training shall
     ,.     assure    thatI.. employees
                 ,~j,ii-                       are versed inthe ru!es.of,;the’system
                               I- ,,:i,,,+.‘...I,1                                      II
                                                                                   ,~,:4;?le~,consistent,.with,guldaqce
            issued by NIST and OPM, and apprise them’about ‘available assistance and technical ’
            security products and techniques. Behavior consistent with the rules of the system and
            periodic refresher training shall be required for continued access to the system.
            c) Personnel Controls. Screen individuals who are authorized to bypass significant
            technical and operational security controls of the system commensurate with the risk and



                                                              A-8
                               Financial Management Systems Compliance Review Guide


       i   magnitude of harm they could cause. Such screening shail occur prior to an individual
           being authorized to bypass controls and periodically thereafter.
           d) Incident Response Capability. Ensure that there is a capability to provide ,help to users
           when a security incident occurs in the system and to share information concerning
           common vulnerabilities and threats. This capability shall share information with other
           organizations, consistent with NIST coordination, and should assist the agency in pursuing
           appropriate legal action, consistent with Department of Justice guidance.
           e) Continuity of Support. Establish and periodically test the capability to continue
  ~        provjding service within a system based upon the needs and priorities of the participants
           of the system.
           f) Technical Security. Ensure that cost-effective security products and techniques are
           appropriately used within the system.                              , ‘,
           g) System Interconnection. Obtain written management authorization, based upon the
           acceptance of risk to the system, prior to connecting.with other systems. Where
           connection is authorized, controls shall be established which are consistent with the rules
           of the system and in accordance with guidance from NIST.
      3) Review of Security Controls. Review the security controls in each system when significant
      modifications are made to the system, but at least every three years. The scope and
      frequency of the review should be commensurate with the acceptable level of risk for the
      system. Depending on the potential risk and magnitude of harm that could occur, consider
      identifying a deftciency pursuant to OMB Circular, No. A-l 23, “Management Accountability
      and Control” and the FMFIA, if there is no assignment of security responsibility, no security
      plan, or no authorization to process for a system.
   4) Authorize Processing. Ensure that a management official authorizes in writing the use of
   each general support system based on implementation of its security plan before beginning
   or significantly changing processing in the system. Use of the system shall be re-authorized at
   least every three years.

b. Controls.for Major Applications.

   1) Assign Responsibility for Security. Assign responsibility for security of each major
   application to a management official knowledgeable in the nature of the information and
   process supported by the application and in the management, personnel, operational, and
   technical controls used to protect it. This official shall assure that effective security roducts
   and techniques are appropriately used in the application and shall be contacted w I:en a
   security incident occurs concerning the application.
    2) Application Security Plan. Plan for the adequate security of each major application, taking
    into ,account the. security of all systems,jn which the application will operate; ,The plan shall
.. -be~consistemt.witk:guidance issued -by,NISTr-:Advice;andicomme~t-oil’~he;;pla’ii:~~~ll be
    solicited from’the official responsible for ,security in the primary system in’whichthe
    application will operate prior to the plan’s implementation. A summary of the security plans
    shall be incorporated into the strategic IRM plan required by the Paperwork Reduction Act.
   Application security plans shall include:




                                              A-9
Financial Management Systems Compliance Review Guide                                                     f


        a) Application Rules. Establish a set of rules concerning use of and behavior within the
        application. The rules shall be as stringent as necessary to provide adequatesecurity for
        the application and the information in it. Such rules shall clearly delineate responsibilities
        and expected behavior of all individuals with access to the application. In addition, the
        rules shall be clear about the consequences of behavior not consistent with the rules.
       b) Specialized Training. Before allowing individuals access to the application, ensure that
       all individuals receive specialized training focused on ,their responsibilities and the
       application rules. This may be in addition to the training required for access to a system.
       Such training may vary from a notification at the time of access (e.g;, for members of the
       public using an information retrieval application) to formal training (e.g.; for an employee
       that works with a high-risk application).
       c) Personnel Security; Incorporate controls such as separation of duties, least privilege and
       individual accountability into the application and application rules as appropriate. In
       cases where such controls cannot adequately protect the application or information in it,
       screen individuals commensurate’with the risk and magnitude of the harm they could
       cause. Such screening shall be do’ne prior to the individuals’ being authorized to access
       the application and periodically thereafter.
       d) Contingency Planning. Establish and periodically test the capa,bility to perform the
       agency function supported by the application in the event of failure of its a,utomated
       support.
       e) Technical Controls. Ensure that appropriate security controls a’re specified, designed
       into, tested, and accepted in the application in accordance with appropriate guidance
       issued bv NIST.
               I




       f) Information Sharing. Ensure that information shared from the application is protected
       appropriately, comparable to the protection provided when information is within the
       application.
       g) Public Access Controls. Where an agency’s application promotes or permits public
       access, additional security controls shall be added to protect the integrity of the
       application and the confidence the public has in the application. Such controls shall
       include segregating information made directly accessible to the public from official agency
       records.
    3) Review of Application Controls. Perform an independent review or audit of the security
    controls in each application at least every three years. Consider identifying a deficiency
    pursuant to OMB Circular No. A-l 23, “Management Accountability and Control” and the
    FMFIA if there is no assignment of responsibility for security, no security plan, or no
    authorization to process for the application.
    4) Auth,orize Processing. Ensure that a management official authorizes in writing use of the
    applicatfon~,by .confirming that its security plan,as implemented ;adequately securesthe
    applicatron. Results of the most recent review or audit of controls shall be a factor in
    management authorizations. The application must be authorized prior to operating and
    re-authorized at least every three years thereafter. Management authorization implies
    accepting the risk of each system used by the application.




                                                  A-l 0
                                    Financial Management          Systems Compliance         Review Guide            L


,:   Appendix              A - 4’               1
     Federal Financial ManagemeM                          Improvement          Act of 799s
     An Act
     Making omnibus consolidated appropriations for,the fiscal year ending September 30, 1997, and
     for other purposes. ((NOTE: Sept. 30, 1996 - [H.R. 36101))
     Be it enacted by the Senate a.nd House of Representatives of the United States of America ((NOTE:
     Omnibus: Consolidated Appropriations Act, 1997.)) in Congress assembled,...’
                                                           :


     TITLE VI&--FEDERAL FINANCIAL ((NOTE: Federal Financial Management Improvement Act of
     1996.31 USC 3512 note.), MANAGEMENT IMPROVEMENT
                                                              i,, * i
     SEC. 801. SHORT +ITLE                                         ..’

     This title may be cited as the “Federal Financial Management Improvement Act of 1996.”
     SEC. 802. <<NOTE:31 USC 3512 note.)) FINDINGS AND, PURPOSES.                 ,
     (a)(Findings.,-The Congress finds the following:                  ”        ’
         (l)(Much effort has been devoted’ to strengthening Federal ‘internal accounting controls in the
              past: Although progress has been made in recent years, Federal accountjng standards have
             not been uniformly implemented in financial management systems for’agencies.
         (2)(Federal financial management continues to be seriously deficient, and Federal financial
             management and fiscal practices have failed to-
             (A) identify costs fully;
             (B) reflect the total liabilities of congressional actions; and
             (C) accurately report the financial condition, of the Federal Government
         (3) Current Federal accounting practices do not ‘accurately report financial results of the Federal         I
             Government or the full costs of programs and activities. The continued use of these practices
             undermines the Government’s ability to provide credible and reliable financial data and
             encourages already widespread Government waste, and will not assist in achieving a’
             balanced budget.
         (4) Waste and inefficiency in the Federal Government undermine the confidence of the
         American people in the government and reduce the federal Government’s ability to address vital
         public needs adequately.
                              ,’
         (5) To rebuild the accountability and credibility,of the Federal Government, and restore public
         confidence in, the Federal Government, agencies must incorporate accounting standards and
         reporting objectives established for the Federal Government into their financial management
         systems so that all the assetsand liabilities, revenues, and expenditures’or expenses, and the full
         costs of programs and activities of the Federal Government can be-consistently and accurately           -
       ,v,recof&& moiiit6red,:and /fo&jj;           ~e‘po;i~~d”tH~~~~~h‘aijt’Yh~;~iii;cie~~l’.’~a3er~~~rit,,7
                                                                                                          .” :

        (6) Since,its establishment in October 1990, the Federal Accounting Standards Advisory Board
        (hereinafter referred to as the “FASAB”) has made substantial -progresstoward developing and
        recommending a comprehensive set of accounting concepts and standards for the Federal
        Government. When the accounting concepts and standards developed by FASAB are



                                                  A-l 1
Financial Management          Systems Compliance         Review Guide


    incorporated into Federal financial management systems, agencies will,be able to provide cost
    and financial information that will assist the Congress and financial managers to evaluate the cost
    and performance of Federal programs and activities, and will therefore provide important
    information that has been lacking, but is needed for improved decision making by financial            i;

    managers and the Congress.                                                                             ”
                                                                                                           12
    (7) The development of financial management systems with the capacity to support these                j.
    standards and concepts will, over the long term, improve Federal financial management.
        (b) Purpose-The purposes of this Act are to-
                (I) provide for consistency of accounting by an agency from one fiscal year to the
                next, and uniform accounting standards throughout the Federal Government;
                (2) require Federal financial management systems to support full disclosure of
                Federal financial data, including the full costs of Federal programs and activities, to   i-



               the citizens, the Congress, the President, and agency management, so that programs         I-




               and activities can be considered based on ‘their full costs and merits;
               (3) increase the accountability and credibility of federal financial management;
               (4) improve performance, productivity and efficiency of Federal Government
               financial management;
               (5) establish financial management’systems to support controlling the cost of Federal
               Government;
               (6) build upon and complement the Chief Financial Officers Act of 1990 (Public Law
               101-576; 104 Stat 2838), the Government Performance and Results Act of 1993
               (Public Law 103-62.,107    Stat. 285) and the Government Management Reform Act of
               1994 (Public Law 103-356; 108 Stat. 3410); and (7) increase the capability of
               agencies to monitor execution of the budget by more readily permitting reports that
               compare spending of resources to results of activities.
SEC. 803. ((NOTE: 31 USC 3512 note.)) IMPLEMENTATION            OF FEDERAL FINANCIAL
MANAGEMENT IMPROVEMENTS.
(a) In General .-Each agency shall implement and maintain financial management systems that
comply substantially with Federal financial management systems requirements, applicable Federal
accounting standards, and the United States Government Standard General Ledger at the
transaction level.
(b) Audit Compliance Finding.-
[[Page 110 STAT. 3009-39111
      (1) In general.- Each audit required by section 3521 (e) of title 31, United States Code, shall
      report whether the agency financial management systems comply with the requirements of
      subsection (a) (2) Content of Reports- When the person performing the audit required by
      section 3521 (e) of title 31, United States Code, reports that the agency financial
      management systems do not comply with the requirements of subsection (a), the person
      performing the audit shall include in the report on the auclit-
                    ^--    ~.:v‘ ‘.                      ,,        .,..;               I
      (A) the entity or organization responsible for the financial management systems that ‘have
      been found not to comply with the requirements of subsection (a);
      (B) all facts pertaining to the failure to comply with the requirements of subsection (a),
      including-
               (i) the nature and extent of the noncompliance including areas in which there is
               substantial but not full compliance;



                                                     A-l 2
                               financial   Management        Systems Compliance Review Guide


               (ii) the primary reason or cause of.the noncompliance;
               (iii) the entity or organization responsible forthe non-compliance; and
               (iv) any relevant comments from any responsible officer or employee; and
       (C) a statement with respect to the recom.mended remedial actions and the time frames to
       implement such actions.;
(b)(Compliance Implementation.-

    (1,)Determination .-No later than ,the date described under paragraph (2), the Bead of an
    agency shall. determine whether the financial management systems of the agency comply with
    the requirements of subsection (a). Such, determination shall be based,o&--                    ’
        (A) a review of the report on the applicable agency- wide audited financial statement;
        (B) any other information the Head of the agency considers relevant’and appropriate.
    (2) Date of determination. --The determination under paragraph (1) shall,be made no later than
    120 days after the earlier of-
        (A) the date of the receipt of an agency-wide audited financial statement; or
        (B) the last day of the fiscal year following the year covered by such statement.
    (3) Remediation plan.-
        (A) If the Head of an agency determines thatthe agency’s financial management systems do
        not comply with the requirements of subsection (a), the head of the agency, in consultation
        with the Director, shall establish a remediation plan that shall include resources, remedies,
        and intermediate target dates necessary to bring the agency’s financial management systems
        into substantial compliance.
        (B) If the determination of the head of the agency differs from the audit compliance findings
        required in subsection (b), the Director shall review such determinations,and provide a
        report on the findings to the appropriate,committees of the Congress.

[[Page 110 STAT. 3009-39211

   (4) Time period for compliance. -A remediation plan shall bring the agency’s financial
   management systems into substantial compliance no later than 3 years after the date a
   determination is made under paragraph (I), unless the agency, with concurrence of the
   Director-
       (A) determines that the agency’s financial management systems cannot comply with the
       requirements of subsection (a) within 3 years;
       (B) specifies the most feasible date for bringing the agency’s financial management systems
       into compliance with the requirements of subsection (a); and
       (C) desi nates an official of the agency who shall be responsible for bringing the agency’s
       financia 7 management systems into compliance with the requirements of s’ubsection (a) by
       the date specified under subparagraph (B).

SEC. 804. ((NOTE: 31 USC 3512 note.)) REPORTING REQUIREMENTS.

(a)(Reports by the Director.- No later than March 31 of each year, the Director shall submit a
    report to the Congress regarding implementation .of.this Act. The Director. may include the
    re ort in t,he financialr,management status report and,+the,.$year ,fln,~nFia!..manage~~nt.p!an
    supbmitted under section 3512 (a) (1) of title 31, United States Code.

(b) Reports by the Inspector Ceneral- Each Inspector General who prepares a report under section
5(a) of the Inspector General Act of 1978 (5 U.S.C. App.) shall report to Congress instances and




                                              A-l 3
 Financial Management         Systems Compliance Review Guide                                              ;

                                                                                                           I
 reasons when an agency has not met the intermediate target dates established in the remediation
 plan required under section 3(c). Specifically the report shall include-
        (1) the entity or organization res onsible for the non-compliance;       i
        (2) the facts pertaining to the fai Pure to comply with the requirements of subsection (a),        ip
        including the nature and extent of the non-compliance, the primary reason or cause for the
        failure to comply, and any extenuating circumstances; and                                          1:;
        (3) a statement of the remedial actions needed to comply.                                           L
(c).Reports by the Comptroller General.- No later than October 1,1997, and October 1, of each               I
year thereafter, the Comptroller General of the United States shall report to the appropriate              I!
committees of the Congress concerning-
       (I) compliance with the requirements of section 3(a) of this Act, including whether the             ~
       financial statements of the Federal Government have been prepared in accordance with                i-. :
       applicable accounting standards; and                                                                k
       (2) the adequacy of applicable accounting standards for the Federal Government.
                                                                                                           “_.
                                                                                                           -
SEC. 805. ((NOTE: 31 USC 3512 note.)) CONFORMING AMENDMENTS.                                               t:
(a)(Audits by Agencies.- Section 3521 (f) (1) of title 31, United States Code, is amended in the first     ‘.-
    sentence by inserting “and the Controller of the Office of Federal Financial Management”
    before the period.                                                                                      c
(b)(Financial Management Status Report- Section 3512 (a) (2) of title 31, United States Code, is           ~3
    amended by-

    (1) in subparagraph (D) by striking “and’ after the semicolon;                                         L-m
    (2) by redesignating subparagraph (E) as subparagraph (F); and
                                                                                                           i-
[[Page 110 STAT. 3009-39311

    (3) by inserting after subparagraph (D) the following:
     (E) a listing of agencies whose financial management systems do not comply substantially with
the requirements of Section 3(a) the Federal Financial Management Improvement Act of 1996, and
a summary statement of the efforts underway to remedy the noncompliance; and’ (c) Inspector                ,
General Act of 1978.-Section 5(a) of the Inspector ((NOTE: 5 USC app.)) General Act of 1978 is             1
amended- (I) in paragraph (11) by                                                                          /
striking “and” after the semicolon; (2) in paragraph (12) by striking the period and inserting and”;
and (3) by addin at the end the following new paragraph:(l3) the information described under
section 05(b) oft a e Federal Financial Management Improvement Act of 1996.”
SEC. 806. ((NOTE: 31 USC 3512 note.)) DEFINITIONS.
For purposes of this title:’
(1) Agency.-The term “a ency” means a department or agency of the United States Government
as defined in section 901( %) of title 31, United States Code.
(2) Director .-The term “Director” meansthe Director of the Office of Management and Budget.
(3) FederaLAccounting Standards. -The term “Federal accountin standards” means’applicable
accounting principles, standards, and requirements consistent wit R section 902 (a) (3) (A) of title 31,
United States Code.
(4) Financial management systems.-The term “financial management systems’ ‘ includes the
financial systems and the financial portions of mixed systems necessary to support financial




                                                     A-l 4
                                                                                                           1
                                                                                                           i-
                                Financial Management Systems Compliance             Review Guide        b

management, including automated and manual processes, procedures, controls, data, hardware,
software, and support personnel dedicated to the operation and maintenance of system functions.
    (5) Financial system.- The term “financial system’ includes an information system, comprised of
        one or more applications, that is used for- (A) collecting, processing, maintaining,            g
        transmitting, or reporting data about financial events; (B) supporting financial planning or    1:
        budgeting activities; (C) accumulating and reporting costs information; or (D) supporting the   B.
        preparation of financial statements.                                                            I
(6) Mixed system.-The term “mixed system’ means an information system that supports both                ’
financial and nonfinancial functions of the Federal Government or components thereof.
SEC. 807. ((NOTE: 31 USC 3512 note.)) EFFECTIVE DATE.
This title shall take effect for the fiscal year ending Septemberjo, 1997.




                                              A-l 5
                                                                                                                                     ,,   ,,



Financial Management                              Systems Compliance                              Review Guide


Appendix                                B
Financial Management                                       Systems Compliance                                      Review Elements



A. Comparability            and Consistency


Financial      management           data should          be recorded        and reported         in the same
manner        throughout      the Agency,         using uniform         definitions.         Accounting
should       be synchronized         with     budgeting.       Consistency          over time should              be
maintained.         New and revised            systems should          adopt      common,        existing
definitions      and classifications.


         .    If system maintains           and recorcls      activities      such as funding
                kommitments,      obligations,  etc.), disbursement      of funds, receipt of
                funds, budgeting-       are the transactions    consistent with the U.S.
                Government         Standard       General      Ledger       (SGL)?


         .    Are similar    type of activities           processed        in a similar    way throughout
                the Agency        (e.g., are obligations        processed         consistently      for all
               programs)?


         .    Are standard        formats     used for transaction             processing?


Is information        available     in a consistent         format     throughout         the Agency        for
budget       formulation,      budget       execution,       programmatic           and financial
management,           performance           measurement,         and financial         statement
preparation?
                                                                                                     Financial Management   Systems Compliance   Review Guide




Compliance       Indicators

Data are recorded  and reported    in a consistent manner                 throughout        the
Agency, using standard definitions    and classifications.


The system permits the organization     classification of data on at least the
following levels of aggreg4on:    agency, office, or division.


Accounts are established  and maintained     at a level that enables                    data to be
aggregated readily into appropriation   or fund accounts.


The system permits,the          fund classification    of data to support         the distribution
of funds at the foljowing   levels: .allolment,    suballotment           or Agency
limitation L3llow+ince, target, operating      budget, etc.)


Accounts     may I~a.summarbt!tl        by responsibility     center,    object    of
c~xpc~mliture    and, by program, antl permit         roclassificalion     lo reflect
organizational     ant! other changes.




                    .’      :
                         i ..
                                                                                                                           Financial Management   Systems Compliance   Review Guide




B. Efficiency and Economy


Financial       management             systems should          be designed            and operated          with
reasonable           total costs and transaction              costs, in accordance               with OMB
@delines.            Financial       syslems which          are excessively           costly should         be
identified       and phased           out.    This should        be accomplished                through
nstallation          of effective     systems of planning               ancl evaluation,          sharing       of data,
elimination          of overlap       and duplication,           and use of the best contemporary
.echnology,           including      commercially           available     packages        with proven            success
n other agencies:c?r              the private       sector. ‘.


       .       Does the system use standard                    data classifications             for recording
                financial events,            consistent      wirh Agency        and Government-wide
                stantlartls?


       .       Are common             processes         metl for processing           similar     kinds of
           c    transactions?


       .       Is there-adequate             internal     controls      over data entry,          transaction
                processing,         and reporting?           Are there      reconciliations           (either
                automated            or manual) to verify            the accuracy        of transactions
                processing          and reporting?


       -       Are     data entered          one time into the,system                 and updates           are passed
                                                                                t-d
Financial Management              Systems Compliance              Review Guide




 Compliance   Indicators

Systems components are designed in an integrated but modular and
table-driven fashion so that if an extensive change is required, the pertinent
talk can be localized, revised as needed, and instailed.

A single datum entry automatically provides the updating of all accounts
and records affected by the event for which the entry is made.

 The dala base is slruclured lo reduce reduntlgncy, is available to a variety
 of uscarsfor update and concurrent retrieval (consistent with proper internal
 controls) and permits a variety of application mntlules to run
 intlcpcntlcnlly.

 The ~&IMP is nctlurali/etl or common &ILI Minilions       are actively
 maint,+incttl in the systtam’s(M-I dktionarics.
                                                                                                                     .                   I,




                                                                               Financial Management   Systems Comp;liance Review Guide




The existing data base is responsive to user needs in terms of both
efficiency and effectiveness, and provides timely change/corrective actions.

The system is periodically evaluated to see if the application of newer
technology/software could improve its efficiency and/or effectiveness.


The system provides all data needed on a timely basis.




                                                                                                                              .
Financial Management              Systems Compliance Review Guide




C. Application   of the SGL at the transaction   level

The general ledger function of a financial system, must be in full
compliance with the Standard General Ledger chart of accounts
descriptions and piling rules: transactions from feeder systems are
summarized and fed into the GL following SGL requirements; and audit
trail supporting the interface transactions to the source transactions; and
feeder system process transactions consistent with SCL account descriptions
and posting.

    .   Is the core financial system in full compliance with the SGL chart of
        ncconnls and’l~osling rules?
    .   Arc transactions from fcetler systems summarized and fed into the
        Cc>neral L(+er following SGL requirements thrcqh an interface
        (nrilomdltd   or manudl)?
    .   Can the tlotrtilss11l)l)ortin~ the intcv-face transactions be traced back
        IO the source transactions in the feeder systems? _
    .   Do the fecdcr systems follow business rules that arc consistent with
        SGL account definitions and processing rules?




                                                                                    L
          __   ..T   ..,I
L
    ..,
        Financial Management                        Systems Compliance                          Review Guide




        D. Financial Data

        Dl.     Usefulness

         Financial    data should     be gathered      and processed        only where     necessary            to
        meet specific internal management      neecls or external requirements.
        Repot-Is should be tdoretl  to specific user neecls ancl if report usage does
         not justify cost, reports      should    be terminatecl.       Usefulness     should      be
        cletermined       in prtnershipwith         users.



         Compliance        Indicators

        The system procclssf~s tmrvsdctions,            gent~ratrv   outlds,       and l)rocluces       final
         corr~:tc(l    cl&4 in timcx to mcclt reporting        ilntl user rcvpirc~ments.


         The system timely        recorcls    ancl processes    financial      data, and generates
         finnncial    reports   to meet both functional        and statutory       requirements.




    .


r --

I
                                                                                                                      .,   /,              --



                                                                               Financial Management   Systems Compliance    Review Guide




D2. Full Financial Disclosure

‘inancial management data are to be recorded and reported as required by
3MB or Treasury, to provide for full financial disclosure and accountability
n accordance with appropriate budget and accounting principles and
;tandards. Full disclosure is required to central management agencies, such
1sOMB and Treasury, and to Agency managemenl officials.

    .   Is accounting data maintained that permits reporting in accordance
        with Federal Accounting Standards Advisory Board (FASAB) and
        reporting requirements issued by OMB and Treasury?

    .   Are the details that support the numbers maintained in the core
        financial system supported in the feeder systems?



Zompliance Indicators

juflicient tlrtta are maintained on e&h account to provide a history of all
activity related to amounts due and/or paid.

Data outputs by this system are periodically evaluated to ensure that they
Ire necessary, useful, and justified.
Financial Management               Systems Compliance           Review Guide




E. Financial reporting

El. Timeliness

Financial management data should be recorded as soon as practicable after
the occurrence of the event, and relevant preliminary data should be made
available to managers by the fifth working day following the end of the
reporting period. Other standards of timeliness may be established where
the Agency has inventoried reports ancl set specific stanclards, with user
participation. Final, corrected data shoulcl be available in time to meet
external reporling requirements.



Compliance    Indicators                                              -

 Standards of timeliness have been established and fully documented       (e.g.
 user requirc~mcnls~.

Transactions are recorded at the time of the event or soon afterward and
are properly classified.

The system publishes the information as close as possible to the report date,
or the end of the reporting period, consistent with the need for reliability
and economy.
                                                                                                       Financial Management   Systems Compliance   Review Guide




E2. Support for Management

Financial    management       consists of protecting           resources     against    loss, waste,
and misuse;     preparing     and properly        executing.the         budget;     and, managing
resources.    The Tatter in turn consists          of managing          not only the resource
balances,    but also the claims        against   those resources,         the resource      flows,
measuring     performance       and reporting           on the results of these efforts.
Financial management    systems should provide                    meaningful   and relevant
information IO assist managers in the discharge                   of these responsibilities.


Compliance      Indicators

The system generates         reports    which     alert management           when      established
controls have been violated            or significant      deviations     from program        have
accruc~tl.


Financial reports generated    by the system for internal                  Agency management
contain meaningful,   coherent   and reliable information                   responsive to the
Agency’s need.
Financial Management                    Systems Compliance Review Guide




 E3. Reliability     and Completeness

 Financial mana ement information should be reasonably complete and
 accurate, verifiaB le, drawn from the official records and systems, and no
 more detailed than necessary to meet the needs of management and
 external requirements.

 Financial data should be gathered and processed onl where necessary to
 meet specific internal management needs or externa Yrequirements.
 Reports should be tailored to s ecific user needs and if report usage does
 not justify cost, reports should Fle terminated.Usefulness should be
 determined in partnership with users.

        .     Does the system provide information in a timely and useful
              manner that supports management’s fiduciary role, supports
              budget formulation and execution functions, supports the fiscal
              management of program delivery and decision making, complies
              with internal and external reporting requirements?

        .      Does the system capture and produce financial information
              necessary to measure program and financial management
              performance to support budgeting program management and
              financial statement presentation?


 Compliance        Indicators

 Adequate audit trails are in place to establish individual accountability for
 transactions.
 If the system is a batch system, the process use control totals for batches.
 If the system is using electronic documents, document control numbers
 are assigned.
                           .,.
                                                                                                             Financial Management   Systems Compliance   Review Guide




Compliance            Indicators
                          .-

Adequate      audit     trails are in place     to establish     individual     accountability      for
transactions.

If the system is a batch system, the process                   use control    totals for batches.

If the system is using electronic             documents,       document       control   numbers      are
assigned.




                                                                                                          B-l 3
Financial Management                          Systems Compliance Review Guide




F. Support for Budgeting and Performance                    Reporting

An essential function of each financial management         system is to record,
control and report the Agency’s collections,   obligations     and spending in a
manner that supports execution    of the budget, to include detailed support
for reports     required      by OMB    Circular   A-34 and budget         preparation    as
outlined      in OMB       CircularA-   11.


      .       Does the system provide          the information       necessary   to prepare,
              execute and report on the agency’s            budget     in conformance      with
              government-wide   standards?


      .       Does the system address          GPRA (Government           Performance  and
              Resulk Act 1 rccluiremcnts        as well as account       for agency goals and
              performnncch  m++surc:s?




                                                                 L




                                                                                                  B-14
                                                                                Financial Management   Systems Compliance   Review Guide




Compliance   Indicators

The system produces measurement data which permit comparisons with
other units and.other periods (such as ratios, comparative measures of
activities in different locations or units, trends, etc.)

The system provides performance measures which permit tracking
perforniance at the lowest level of the organization directly responsible for
accomplishment.

The system provides measurement data on the system’s performance
(number of and type of transactions processed within identified time
periods; cost per type of transaction; percentage of items processed within
target timeframe; percentage of workload growth met through automation;
t:Ic.).           .:

The syslcm accuyatoly forecasts and reports outlays (the measure of
payrnt’nrs by v$c?uCmeans) for each legal or Agency limitation.
Financial Management           Systems Compliance             Review Guide




C. Functional Requirements

     .   Does the system conform to the functional requirements issued by
          the Joint Financial Management improvement Program (JFMIP),
          OMB, and the Treasury?

     . Are systems updated in a timely manner to support new functional
        and legal requirements?




                                                                            B-l 6
                                                                                                  Financial Management   Systems Compliance Review Guide




Compliance Indicators

ystems functional         requirements        comply   with   the latest JFMIP financial
Istems requirements          as identified      in Appendix    C.


he systems functional          requirements       were determined       by users.and      the
?chnical   staff before     being approved         by management.


ystems components           are designed        in an integrated    but modular     and
rble-driven fashion so that if an extensive              change is required,      the pertinent
ibles can be localized, revised as needed,                and installed.


; a change management      process            in place to ensure    proper change
Irlndgement    including evaluation,            implementation,     monitoring  and
ocumc~~tation.


rocetluros are in lk=~ce to document    problems identified in operational
/stems, to monitor corrective   actions and to report to management        on
3.u)Iution status.
                                                                              ,,


Financial Management             Systenis Compliance           Review Guide




 H. Computer   Security Act Requirements


      l    If agency has conducted an A-l 30, Management of Federal
           Information Resources review, what was the outcome?


      l    If agency has not conducted an A-l 30 review, what actions have
           been taken to ensure compliance with the provisions of the
           computer Security A& and A-l 301

          Does the agency have a security plan in place?
                                                                               Financial Management   Systems Compliance   Review Guide




Compliance   Indicators

The system is included in the contingency plan or backup recovery plan.
That plan has been documented, tested, and regularly updated to ensure
both continuity of operations and availability in disaster situations.

The contingency plan complies with the governing directive guidance for
automated information systems issued by various oversight agencies, e.g.
OMB and the National Institute of Standards and Technology.

The system ensures continuing availability of information   processing by
providing backup, recovery, and retention procedures.

Systems managers routinely consider the degree of vulnerability in this
system to destruction, modification, disclosure and delay of information
availability when making safeguard and protection decisions.

Systems managers have certified that system security controls for the system
operate.

An adequate security awareness program is in place to help personnel
Financial Management                  Systems Compliance              Review Guide




 I. Documentation


        .   Documentation      may be maintained in hard copy or electronic
             format.

        .   Documentation includes software, system manuals, operations
    t
             manuals, user manuals, operating procedures, etc.

        .   Is documentation    kept current and readily available?

        .   Does user documentation provide detail to enable a person to
             obtain an understanding of the system?

        .   Does the technical documentation provide the technical personnel
             with the information necessary to operate the system in an
             effective and efficient manner?




                                                                                 B-20   .
                                                            (




                                                            j




                                                    -quawaJybaJ ~OJWIOZ
pue Jasn qJoq payyes I! jey aJnsse 03 ~uawa~.~equa Jo!ew Jo IuawdolaAap
       aJo)aq paAoJdde pup pama!AaJ ‘pawawnmp      sewB!sap t.ualsAsaql

                                      esa3JnosaJaJeMyos/elep 10 am sJasn
  paz!Joyine aql OYM sa!g!xads q3!q~ uo!~eu.IJo~u!sapnpu! uope~uauJn3oa

                                        -palalduro3 ApuaBaJ JO pajuauraldur!
 ‘pauueld %!aq ‘paJ!nbaJ aJe q3!q~ suo!~e~~!pour wa&        ay] 40 I!PJ)]!pne
    ue ap!AoJd 01 lilale!JdoJdde pajepdn pue pau!elujeur s! uo!ge]uaurnsoa


                                  -alq!ssaBDe Al!peaJ pue.‘paJepdn AlJel&aJ
   ‘a(qepuqsJapun   ‘paz!ue%o IlaM ‘a]aldluoD s! uo!gewacun3op LuagAs ayl

                                    wo.ua sura@3 ah)oiaJ 01 uayel aq II!M
  suo!33e aNpaJJo3 ‘he I! ‘@I#3403 se uo!s!sap Alawg e y32aJ pue sJasn a41
y$M 3lnsuos sJa8euew surawk letf3 aJnsua 01 ls!xa saJnpa3oJd paluaurn3oa
Financial Management                         Systems Complianc6                         Review Guide




J. Systems       Integrity


The design, operation   and evaluation  of financial management    systems
should reflect the general and specific management     control standards in
OMB       Circulars   A-l 23 and       A-l 30.


      .      Does system have controls           to adequately       safeguard      resources
              against waste, loss, and misuse?


      *     Are controls     adequate      to ensure    that resource         use is consistent     with
              laws, regulations,       and policies?


      .     Are controls     applied     to system inputs,       processing      and outputs?


            Are there any Material         Weaknesses        identified   with     this system?      If
              so, has a remediation        plan been formulated           showing      milestones
              and target dates?
                                                                                                                      .




                                                                               Financial Management   Systems Compliance   Review Guide




Compliance   Indicators

Management controls have been established and implemented to identify
program errors, specification deficiencies or other systems problems in a
timely manner.

Procedures to control access, such as passwords, are used and software
generated transactions are displayed on appropriate media and made
available for authorization and reconciliation with related data.

Access control procedures have been established and documented to limit
access by authorized users based on the principles of “need to know” or
“least privilege.“’

The system includes procedures and controls which protect hardware,
software, data and documentation from physical damage, loss, modification
and unauthorized access, whether inadvertent or deliberate.




                .

                .


                                                                            B-23
Financial Management                      Systems Comp/iance                          Review Guide




The system includes        management       controls      to prevent      and/or   detect     the
following situations:


        . Failure to record or process a transaction
        . Incorrect or incomplete   recording/processingof                   a transaction;
        . Recording/processingduplicate              transactions;
        . Processing    out-of-balance      conditions;
        . Loss of a transaction      document        in processing;
        . Directly changing account/master              file/data      base records    without      an
              authorized  transaction; and
        . Use of erroneous        files or records     in processing.


Key duties such as authorizing,     approving,   performing,    processing
recording   and reviewing  transactions,    are assigned to different individuals                    or
compensating    controls exist. Transactions     are authorized    and executed
only by persons acting within the scope of their authority.


Controls and safeguards exist to ensure that outputs which contain sensitive
clata are adequately  protected (i.e., safeguards are commensurate with the
value of the data).


The ability to override     or bypass edit and validation              system features        is
restricted to authorized      personnel.




                                                                                                          g-24
L-
-
Finamid          Management                       Systems Compkmce                               Review Guide




 K. Training and User Support


       .    Is there adequaie    training and support to enable                            users to
              understand,   operate and maintain the system?


       .    Are new users tiained                prior to providing          authority      to access the
             system?


       .    Is there     periodic     training       available,     such as Computer             Based
             training,     on-g&q         training      programs,      video      training,     etc.?



Compliance        Indicators

The technical      sbff ancl mxqement                    who are associated              with this system
 have rccttivc4 or are scheduled                  lo receive      required      training      on security     and
 managm(W       t:ontrols.


 Helpdesk    and problem            resc)lution       process     is in place to respond              to users.
                                                                               Financial Management SystemsCompliance Review Guide



L Maintenance


      1 Is on-going maintenance performed to keep system current and
         operating in an effective and efficient manner?
      . When was the system last updated?

Compliance      Indicators


Major modifications to this system are developed, released, and
documented according to agency system design.

Agency syslc’m design guidelines define configuration management
procedures and ‘standards for the review, approval, and oversight of
,-rgency’sevolving softwclrc. Control mechanisms are in place to ensure
timely, concurrent hclntlling of changes to system software and all affected
cloc:~rnic~nldlion.

Sufficht r(5ourccs for operations and/or maintenance are in place to
prevent significant downlime.

The system was designed and developed to be easily modified to
accommodate changing needs and new requirements in a timely manner.

Maintenance actions are routinely quantified and analyzed to help evaluate
Appendix              C
core Financial systems Functional                Requhments               (Based bn JFklP FFMSR-I)

The governmentwide functional requirements for a core financial system to support the
fundamental financial functions of a Federal agency. The major functions supported by a core
financial system are:


   ,* Core Financial System Management
   l  General Ledger Management
   l  Funds Management                                              ‘.:
   l  Payment Management
   l  Receipt Management
   l  Cost Management
   l  Reporting


These functions together provide the basic information and control needed to carry out financial
management functions, manage the financial operations of an agency, and report on the agency’s
financial status to central agencies, Congress, and’the public, including data needed to prepare the
principal financial statements for federal agencies as defined by OMB.




                                                    C-l
Financial Management Systems Compliance Review Guide




    I.          Core Financial System Management                                                                  Function
The Core      Financial System Management     function                      consists    of the processes necessary to maintain system        processing     rules consistent   with
established     accounting   policy. The Core Financial                      System     Management      function consists of the following     processes:

.             Accounting        Classification       Structure       Management

.             Standard        General      Ledger

.             Transaction        Control
                                                                                                                                                                ,
.             Archiving       and Purging

IComments:     Within each deparfmenf        or agency, the accounting        classification      structure, standard general ledger and suhsidjary         account
structure,  and definitions    must be sfandaidized      to ensure consistency,        uniformity,       and efficiency in accounfing  freafmcnf,  classification,
and reporting.    furfhermore,     the procedures    for capturing,  classifjing,      communicating,         processing,  and storing data and transactions        must
be uniform for translatable      among the various subsystems       or system componenfs                as necessary).J


                                                                                                                            Compliance           Implications
                                                                                                                            (Yes/No)

I (a)         Accounting         Classification       Structure         Management            Process

0     Does the system support a Accounting                       Classification        Structure   Management
                                                                                                   j
process provide a consistent  basis for:

.             Consolidating         governmentwide              financial     information.

.             Integrating      planning,      budgeting          and accounting.

.             Capturing  data at the lowest level of detail -- at the point of data entry --
              throughout   the agency in a manner that ensures that when the data is rolled
              up to the level that is standardized, it is consistent at the standardized  level.

,             Comparing     and combining             similar      programs       across agencies       and calculating
              overall program    results.

‘Comments:    :OMB Circular A-127 requires financial management                     sysfems to rekf       an
Igency-wide   financial information       classification   structure     that is consistent     with the U.S.
hernmenf      Yandard       Genera/ Ledger 6CL), provides            for tracking of specific program
Fxpendifures,   and covers financial and financially          related information.          Financial
nanagement     sysfem designs shall supporf agency budget, accounting,                    and financial
nanagement     reporting     processes by providing       consistent      financial information       for
wdgef formulation,       budget execution,       programmatic        and financial management,
wformance     measurement,         and financial stafemenf        preparation.1
                                                                                                                      c
                                                                                                                      L/
                                                       Financial Management Systems Compliance Review Guide


 I lb)         Standard       General      ledger      Process

0     Does     the system support a general ledger account structure                      for the agency        in
accordance       with the U.S. Covermnent     Standard General      ledger                 WI.) and the
transaction     edit and posting rules to recorcl financial events.

IComments:        The Standard General Ledger process consists of two activities: Account
 Definition   and Trankziction         Definition.
Account      Definition.      OMB Circular A- 127 requires implementation                         of the KL at fhe
transaction     level. The SGL is described               in a supplement           to the Treasury Financial
Manual, which includes the chart of accounts, account                             descriptions    and postings,
accounting     transactions,       suggested data elementslsubaccounts,                       and crosswalks    to
standard external reports.            Each agency must implement                     a chart of accounts that is
consistent    with the SCL and meets the agency’s information                            needs.
Transaction       Definition.      The Transartion           Definition     activity defines the editing and
posting rules for transactions            in the Core fmancial system. OMB Circular A-127
requires common           processes to be used for processing                  similar kinds of transactions
throughout      an integrated       financial management               system to enable transactions          to be
reported    in a consistent       manner.        It also requires financial events to be recorded
app/ying the requiremen&              of the SGI at the transaction                level. Many of the SCL
accounting     transaction       descriptions        require a sing/e accounting             event to update
multiple budgetary          and proprietary         acc0unts.f



1w             Transaction       Control     Process

0      Is the Core financial system able to process transactions          originally entered into the
Core financial system as well as transactions      originating     in other. systems, recording     and
 keeping track of such transactions     and related information,        in order to provide the
 basis for central financial control? lThe Transaction       Con&o/process         requirements are
grouped under two activities:      Audit Trails and Transaction         Processing.1

0      Does    the system have adequate             audit trails critical to providing         support for
transactions      and balances maintained            by the Core financial systemlf             Audit Trails1

0      Does the Transaction        Processing   activity ensure that all transactions      are hanclled
consistently,   regardless of their point of origin? Are transactions          controlled     properly  to
provide reasonable        assurance     that the recording,   processing,   and reporting of financial
data are properly      performed      and that the completeness        and accuracy     of authorized
transactions   are ensured.       [Transaction    Processing]



I(d)           Archiving     and Purging        Process

0      Does the Archiving        and Purging        process      support   data   management        for the Core
financial system?

/Comments:    Archiving     removes data which is no longer needed for immediate           access
from the system data stores u.sed for inquiry and rrporting       on current inform,ltion.
Archiving moves data to a storage mcditrm that has a longer access time, for example,
from disk to tape. Purging deletes data altogether.     Archiving    and purging criteria
should be joint/y agreed to by the sysrrm administrator       and usrrs to b,r/ancr u.ser nerds
with resource limitations.1




                                                                                           c-3
Financial Management Systems Compliance Review Guide



    II.           General Ledger Management Function
    General Ledger Management      is the central function                         of the Core finanrial system. The general ledger is the highc>st level of
    summarization   and must maintain account       balances                        by the fund structure      and indiviclual general ledger accounts   established  in the Core
    Financial System Management      function.    Depending                         on the agency’s reporting requirements,          some or all general ledger accounts may
    have balances broken out by additional      elements of                        the accounting    classifiqation   structure.

    The General       Ledger     Management             function      consists     of the following       processes:

    .             General       Ledger      Posting

    .             Accruals,      Closing,      and Consolidation

    .             General       Ledger      Analysis     and Reconciliation

/Comments:     The general /edger is supported    by subsidiary /edgers at various /eve/s of detail. These subsicliary     /edge& may be maintained
within the Core financial system or in other systems.         For example, dcl&d     property records supporti+      the equipment     account in Ihe
genera/ /edger might be maintained     in a system devotecl fo ‘controlling and maintaining      ec/uipmenf.    The payro// system might coniain
detailed employee    pay records which supp&        records ofexpenditure    by object c/ass and organization     in the Core financial system, which
in turn provide parfial support for expenditure      and expense accounts in the grneral /edger.

A// transactions        to record financial events musf post, either individually       or in summary,    to the general /edger, regardless of the origin offhe
 transaction.       Posting of transactions     whose initial point ofenfry    is the Core financial sysfem would norma//)* he expected to occur for each
transacfion      individually.     Posting of transaction    originated in ofher sysfems may occur either for individuJ         transaction or for summarizrd
transactions       as long as an adec/uate audit trail is maintained.        The Core financial system is not expected to maintain duplicates         of ever)
transaction      occurring     in other systems.    For example, rather than posting every payroll transaction         for every employee,   summar)
transactions       by organization     could IX passed to the Core financial system for posting.1


                                                                                                                                     Compliance   Implications
                                                                                                                                    ‘(yes/No)

II (a)           General       Ledger       Posting     Process

0         Does    the general      ledger      posing     process      use double-entry            accounting?

Kommenf:     The posting rules that specify which                          accounts to debit and credit for each
transaction are defined in the Standard Genera/                            Ledpr process of the Core Financial
System Management       function.1

II (W            Accruals,      Closing       and Consolidation                Process

0     Does the system support                   creating accrual transactions  and closing                       entries   needed
at the end of a period (month                   or year) for reporting purposes?

J     Does the system control and execute       period-end  system processes needed by the
system to open a new reporting      period, such as rolling forward account balances to
supports the preparation   of consolklatecl  financial statements   by identifying
information   needed in that process?

11(cl            General       Ledger       Analysis     and Reconciliation              Process

]         Does   the system       support       the control        functions     of the General         Ledger?

‘Comments:        The Core financial sysstem provides information           for accounfanfs      to u.se in
determining      that amounts posted lo grneral Cclger control accounts agree with more
jetailed subsidiary     accounb     and in reconciling      system balances with reports from
rreasury and other agencies.         AS infernal confrols improve and system infrgration
ncreases, the likelihood      of out-of-balance      conditions    decreases; however,        the
mssibilify   will a/ways exist as a result of system failures, incorrfcf          transaction
fefinitions,  etc.1




                                                                                                       c-4


                                                                                                                                                                                    ;-