Financial Management Systems Compliance Review Guide, October 1999

U.S. Government Chief Financial Officers Council

The members of the U.S. Government Chief Financial Officers (CFO) Council, the CFOs and Deputy CFOs of all the 24 largest Federal agencies and senior officials of the Office of Management and Budget and the Department of the Treasury, work collaboratively to improve financial management in the U.S. Government. The CFO Council has become a strong force for active cooperation among agencies dealing with common problems. Its composition of both political appointees and senior career civil servants ensures collaboration and continuity of effort.

Under the Chief Financial Officers Act of 1990, the CFO Council was established to advise and coordinate the activities of the agencies of its members on such matters as consolidation and modernization of financial systems, improved quality of financial information, financial data and information standards, internal controls, legislation affecting financial operations and organizations, and other financial management matters.

The CFO Act legislated broad authority for each CFO to oversee all financial management activities relating to the programs and operations of the agency. With this authority, the CFO will ensure that sound financial management practices are applied in all organizational components of his or her agency and that modern automated financial systems and tools are used. Specific CFO authority varies agency by agency, but may include some or all of the following financial and general management components: budget formulation and execution, facilities or property management, financial operations and analysis, financial systems, grants management, information resources management, personnel, and procurement. Information on the CFO Council can be found at its website: www.financenet.gov/financenet/fed/cfo/cfo.htm

The Joint Financial Management Improvement Program

The JFMIP is a joint and cooperative undertaking of the U.S. Department of the Treasury, the General Accounting Office, the Office of Management and Budget, and the Office of Personnel Management, working in cooperation with each other and other agencies to improve financial management practices in government. The Program was given statutory authorization in the Budget and Accounting Procedures Act of 1950 (31 USC 65). Leadership and program guidance are provided by the four Principals of the JFMIP: the Comptroller General of the United States, the Secretary of the Treasury, and the Directors of the Office of Management and Budget and the Office of Personnel Management. Each Principal designates a representative to serve on the JFMIP Steering Committee, which is responsible for the general direction of the Program. The JFMIP Executive Director and a program agency representative (who serves for 2 years) are also on the Steering Committee.

The Program promotes strategies and guides financial management improvement across government; reviews and coordinates central agencies' activities and policy promulgations; and acts as catalyst and clearinghouse for sharing and disseminating information about good financial management practices. This information sharing is done through conferences and other educational events, newsletters, meetings with interagency groups and agency personnel, and through FinanceNet, an electronic clearinghouse on the Internet.

The JFMIP has worked on interagency projects that developed a financial systems framework and financial systems requirements. For the future, JFMIP plans to assist Federal agencies in improving their financial systems through its Program Management Office. The Office will work on revising the Federal government's requirements definition, testing, and acquisition processes; the first target of opportunity is core financial systems.
The objectives of the Office are to develop systems requirements, communicate and explain Federal and agency needs, provide agencies and vendors information to improve financial systems, ensure that products meet relevant system requirements, and simplify the procurement process. Information on JFMIP can be found at its website: www.financenet.gov/financenet/fed/jfmip/jfmip.htm or call 202/512-9201.

JOINT FINANCIAL MANAGEMENT IMPROVEMENT PROGRAM
441 G Street NW, Room 3111
Washington, DC 20548

Date: October 21, 1999
To: Senior Financial Officials
From: Executive Director, JFMIP
Subject: Financial Management Systems Compliance Review Guide

Principals:
Lawrence H. Summers, Secretary of the Treasury
David M. Walker, Comptroller General of the U.S.
Jacob Lew, Director, U.S. Office of Management and Budget
Janice R. Lachance, Director, U.S. Office of Personnel Management

Steering Committee:
Donald V. Hammond (Chair), Fiscal Assistant Secretary, Department of the Treasury
Jeffrey C. Steinhoff, Acting Assistant Comptroller General, U.S. General Accounting Office
Sheila Conley, Acting Deputy Controller, U.S. Office of Management and Budget
J. Gilbert Seaux, Chief Financial Officer, U.S. Office of Personnel Management
William B. Early, Jr., Chief Financial Officer, General Services Administration
Karen Cleary Alderman, Executive Director, JFMIP

The Draft Financial Management Systems Compliance Review Guide is attached for comment. This document is sponsored by the Chief Financial Officers (CFO) Council and the Joint Financial Management Improvement Program (JFMIP). It will be issued as a guide similar to the model used to issue the Managerial Cost Accounting Implementation Guide. The development and issuance of the Financial Management Systems Compliance Review Guide fulfills one of the tasks included in the Office of Management and Budget (OMB) and CFO Council 1998 Federal Financial Management Status Report and Five-Year Plan, to support standardizing the financial systems environment. The task recognizes the need to develop tools to assist agencies in satisfying multiple requirements that call for financial management system reviews, such as those required by: the Federal Managers' Financial Integrity Act (FMFIA) section 4, the Federal Financial Management Improvement Act of 1996, OMB Circulars A-123, A-127, and A-130; and OMB Bulletin 98-08. Currently, no governmentwide procedures or instructions on conducting financial management system reviews exist. Current financial system assessment methods vary.

The Financial Management Systems Compliance Review Guide draft was developed by a working group of the Financial System Committee under the leadership of R. Schuyler Lesher, Chair of the CFO Financial Systems Committee, and Edward Leary, HUD. The working group included selected representatives from agency CFO and Inspector General communities, JFMIP and OMB. The Executive Committee of the CFO Council endorsed the issuance of this exposure draft. The effort has built on certain agencies' best practices that appear to be working and added practice elements that the working group felt were necessary. The guidance is designed to assist agencies in performing financial management systems compliance reviews. This Guide has been drafted to enable it to grow over time to properly reflect new requirements without having to republish the complete document. For example, Appendix C provides a checklist for the Core Financial System Functional Requirements to be used in the process. Over time this appendix would be expanded to provide additional checklists to cover other JFMIP Federal Financial Management Systems Requirements (FFMSR) documents.

In addition to general comments about the guide, we are looking for feedback that addresses the following key questions:
(1) Would this guide assist your agency in conducting financial management systems reviews?
(2) Does this guide include the right level of information to assist your agency in conducting an effective and efficient financial management systems review?
(3) Is the guide sufficiently comprehensive?
(4) Could this guide be used by your organization in development of education and training for performing financial management systems reviews?

The document is being circulated widely within the Federal government's financial management and oversight communities and to private sector service providers. It is also being posted on FinanceNet at: www.financenet.gov/financenet/fed/jfmip/jfmipexp.htm. Please provide your comments by December 20, 1999. Comments on any section of this document are encouraged. Responses would be more helpful to the JFMIP and the CFO Council if they also include your rationale. Respondents should also indicate the capacity in which they are responding. Comments should be sent to: Joint Financial Management Improvement Program, 441 G Street NW, Room 3111, Washington, DC 20548.

Please be aware that we are working to relocate JFMIP by the middle of November, 1999. We are working closely with the GAO, where JFMIP is currently located, to ensure a smooth transition of U.S. Postal and electronic mail services. When the exact date of the relocation is known, information will be posted on the JFMIP Homepage at: www.financenet.gov/fed/jfmip/jfmip.htm. If you have any questions, please contact Steve Fisher, who may be reached by phone at 202-512-6289, by fax at 202-512-9593, or by email at jfm$@mail~c&ri.~

Attachment

Table of Contents

Introduction ... 1
  Background ... 1
  Purpose ... 2
Part I - Financial Management Systems Review Process ... 4
  Determining Which Systems to Review ... 5
  Determining Whether the Systems Comply with the Requirements ... 6
  Reporting on the Outcome of the Reviews ... 8
  Planning to Correct the Problems Identified ... 9
  Timing of Financial Systems Reviews ... 9
  On-Going Monitoring ... 10
  Tools for Performing an FFMIA Compliance Review ... 10
Part II - Criteria for Financial Management Systems Compliance ... 12
  Table for Comparing Financial Management Systems Compliance Guidance ... 14
Appendices
  Appendix A-1 - OMB Circular A-127, Section 7 Financial Management System Requirements
  Appendix A-2 - OMB Bulletin No. 98-08, Audit Requirements for Federal Financial Statements
  Appendix A-3 - OMB Circular A-130, Section 3 Automated Information Security Programs
  Appendix A-4 - Federal Financial Management Improvement Act of 1996
  Appendix B - Financial Management Systems Compliance Review Elements
  Appendix C - Core Financial Systems Functional Requirements
  Appendix D - Assessment Summary Example
  Appendix E - Glossary

Introduction

Background

The Office of Management and Budget (OMB) issues policy guidance in the form of circulars and bulletins on financial management systems policies based on legislation and other requirements that define what constitutes effective and efficient financial management systems in the Federal government. Agencies are required under the Federal Managers' Financial Integrity Act (FMFIA) Section 4 requirements and under the Federal Financial Management Improvement Act (FFMIA) to assure that their systems meet this guidance and adhere to legislation and various circulars and bulletins.
Agencies are required to conduct various financial management reviews under Federal government policy, e.g. OMB Circular A-127, Financial Management System Requirements; OMB Circular A-123, Management Accountability and Control; and OMB Circular A-130, Management of Federal Information Resources. In addition, OMB Bulletin No. 98-08, Audit Requirements for Federal Financial Statements, defines FFMIA audit requirements. Financial management system reviews should be performed in a streamlined manner, using resources as effectively and efficiently as practical to achieve the intended results. Chart A provides an overview of the elements of these policies and their relationship to financial management systems reviews.

[Chart A: OMB Circular A-127 Reviews. Financial Management Systems Requirements (Section 7); FFMIA Compliance Reporting (SGL, Financial Reporting Standards, Financial Systems Requirements); Financial Management Systems Improvements (Section 8).]

While the policy guidance mentioned above supplies a comprehensive set of directives, no government-wide instructions are available that provide Federal agencies with implementation guidance for use in deciding whether their financial management systems comply with legislation, circulars and bulletins. However, while OMB establishes financial management systems policies, others have major roles in the financial management compliance review process. For example, the Joint Financial Management Improvement Program (JFMIP) publishes the Federal Financial Management Systems Requirements (FFMSR); auditors review financial management systems under FFMIA requirements; the Chief Financial Officers (CFO) Council and the Chief Information Officers Council oversee initiatives to improve systems and set appropriate standards; and the Government Accounting Office (GAO) oversees the audit of the consolidated financial statements for the Federal government, which relies heavily on financial management systems. Coordination of these various groups is critical to the success of the financial management systems compliance review process.

Purpose

This review guide is a tool to assist managers in determining whether financial management systems comply with Federal requirements. This guide is intended to be used by managers responsible for financial management systems and individuals performing financial management systems reviews. Such individuals include finance office staff and managers responsible for financial or mixed systems. Mixed systems are referred to as feeder systems by some Federal agencies. The review of mixed (feeder) systems covers the financial portions of the systems that originate or provide financial data used by agency management for decision making or financial reporting, or provided to other financial systems for management or control purposes.

This review guide provides a set of steps to assist Federal agencies in deciding whether their financial management systems comply with FMFIA, FFMIA, and OMB Circular A-127. As such, the guide is written to be understandable by both financial and non-financial program managers. Agency staff from areas such as information technology should work in partnership to address the various aspects required in a financial management systems review.

The objectives of this guide are to:
1. Assist financial managers, program managers and reviewers of financial systems or mixed (feeder) systems in determining whether a system is a financial management system;
2. Help financial managers, program managers and reviewers of financial systems or mixed (feeder) systems to decide if their financial system is compliant with OMB Circular A-127 requirements (see Appendix A-1) and whether deficiencies identified should be reported by management under FMFIA and/or by auditors under FFMIA, once a system is determined to be a financial management system;
3. Provide guidance to financial managers, program managers and reviewers of financial systems or mixed (feeder) systems on how to conduct periodic reviews to ensure their financial management systems stay compliant; and
4. Assist auditors who must conduct reviews under FFMIA to understand how financial managers, program managers and reviewers of financial systems or mixed (feeder) systems evaluated their systems.

This document supplements, but does not replace, policy information included in OMB Bulletin 98-08, which provides guidance to auditors in conducting their work related to FFMIA (see Appendix A-2). Further, this document is not intended to be an audit guide. However, this document may be useful to auditors in understanding how financial managers, program managers and reviewers of financial or mixed (feeder) systems assess their financial management systems.

Further, this guidance acknowledges that individual agencies may have unique financial management needs that will need to be incorporated in a financial management system review. Tailoring the application of the concepts in this document is acceptable in applying the approaches recommended in this guide. Certain agencies may emphasize certain financial management systems requirements that support functions and processes which are key to supporting their mission. Therefore, financial management systems reviews will vary depending on the needs of the agency.

Additionally, Appendix C of this guide incorporates the major mandatory functions for a Core financial system. The detailed mandatory requirements that support these functions are contained in JFMIP-SR-99-4 dated February 1999. As other financial system requirement documents in the JFMIP Federal Financial Management System Requirements series are issued or updated, appendices that describe major mandatory functions based on these requirements will be developed and incorporated into Appendix C.

Part I: Financial Management Systems Review Process

The financial management systems review process involves the following steps: (1) determining which systems to review, (2) determining whether the systems comply with the requirements, (3) reporting on the outcome of the reviews, and (4) planning to correct the problems identified. The chart below provides an overview of the process:

[Chart: Financial Management Review Process. Step 1: Determining Which Systems to Review. Step 2: Determining Whether Systems Comply with Requirements. Step 3: Reporting on Outcomes of the Reviews. Step 4: Correct the Problems Identified.]

The financial management systems review process should support the partnership between program, financial and information technology managers in establishing and maintaining systems for financial management of programs. The partnership between program and financial managers should result in financial management systems that ensure the integrity of information for decision-making, measuring of performance, and financial reporting.
This includes the ability to:
- collect accurate, timely, complete, reliable, and consistent information;
- provide for adequate agency management reporting;
- support government-wide and agency level policy decisions;
- support the preparation and execution of agency budgets;
- facilitate the preparation of financial statements and other financial reports in accordance with Federal accounting and reporting standards;
- provide information to central agencies for budgeting, analysis, and government-wide reporting, including consolidated financial statements; and
- provide a complete audit trail to facilitate audits.

In support of this objective, the program manager should establish and maintain their financial management systems with standardized information and electronic data exchange, to support program delivery, safeguard assets, and manage taxpayer dollars. These systems should be integrated and designed with effective and efficient interrelationships between software, hardware, personnel, procedures, controls, and data contained within the systems (JFMIP Core Financial System Requirements, February 1999, pg. 3). For that to happen, these systems should have:
i. standard data classifications (definition and formats) established and used for recording financial events;
ii. common processes used for processing similar kinds of transactions;
iii. internal controls over data entry, transaction processing, and reporting applied consistently; and
iv. a system design that eliminates unnecessary duplication of transaction entry.

Each step of the financial management review process is described below.
Step 1 - Determining Which Systems to Review

The scope of a financial management system review is limited to an agency's financial management systems, defined as the "financial systems and the financial portions of mixed systems necessary to support financial management." A system should be classified as a financial management system if it is used for any of the following (OMB Circular A-127, July 23, 1993, Section 5: Definitions):
- collecting, processing, maintaining, transmitting, and reporting data about financial events;
- supporting financial planning or budgeting activities;
- accumulating and reporting cost information; or
- supporting the preparation of financial statements.

Certain information systems may support both financial and non-financial functions. An example is a system that supports grants processing that results in approval of funding. Such systems are called "mixed systems" and, for purposes of OMB Circular A-127, managers must ensure that the financial functions and processes of these systems comply with all applicable factors in OMB Circular A-127 and FFMIA. A system is considered a "non-financial system" when it supports non-financial functions and any financial data included in the system are insignificant to the agency financial management and/or not required for the preparation of financial statements. Non-financial systems are not subject to financial management system reviews.

Step 2 - Determining Whether the Systems Comply with the Requirements

The second step is to determine whether the financial system is in compliance with Federal financial systems requirements established under OMB Circular A-127. The principal criteria for a financial management systems review are defined by the 12 requirements in Section 7 of OMB Circular A-127 (see Appendix A-1). The compliance requirements of FFMIA, FMFIA, and Circular A-127 are highlighted in Part II, "Criteria for Financial Management Systems Compliance," including the relationship among:
- Financial Management Systems Compliance Review Guide,
- OMB Circular A-127 Section 7,
- OMB Circular A-130,
- FFMIA,
- FMFIA Section 4 (Circular A-123).

Appendix B: Financial Management Systems Compliance Review Elements, and Appendix C: Core Financial Systems Functional Requirements in this guide provide the basis upon which agencies should develop detailed system compliance reviews. The elements in Appendix B are comprehensive, but an agency may wish to augment the elements and compliance indicators to address unique agency needs. Appendix C contains the major mandatory functions that should be reviewed as part of the compliance review (see Part II, Table A, "G. Functional Requirements"). The detailed mandatory requirements that support these functions are contained in JFMIP-SR-99-4 dated February 1999. Appendix C will be expanded to incorporate the major functions of other system requirements documents in the JFMIP Federal Financial Management System Requirements series as they are issued or updated.

The process to determine compliance should be as follows:

1. Conduct the Financial Management Systems Review - Conduct a system compliance review to determine whether the system meets all 12 factors in Circular A-127. If a system meets all 12 factors that are applicable, then the system is compliant. For mixed systems, some financial/accounting factors may not be applicable. If the system is determined to not comply with one or more of the factors, then the system is considered to be non-compliant. The findings concerning the financial management system identified through the audit of an agency's financial statements should be considered in performing a financial management system review.
GAO and the Office of Inspector General (OIG) may identify weaknesses and material nonconformances in conducting their respective financial system audits that must be addressed by an agency. It is important to include the review of the audit and inspection findings when an agency conducts a compliance review. Uncorrected weaknesses, planned corrective actions, and the status of each action should be considered in performing financial management systems reviews. Agencies may elect to rely on OIG financial management system audits or other review analyses of financial management systems where such analyses apply to compliance review elements in Appendix B.

It is recommended that an assessment summary detailing the results of the system review be prepared to document that the system is compliant with Circular A-127 requirements, the scope of the review conducted, and the findings of the review. The assessment summary should be supported by appropriate analyses and other documentation that may be made available to external auditors substantiating a system's compliance or non-compliance with Federal requirements.

When an outside service provider is used to support a financial function, assurance should be obtained from the service provider that the system(s) is in compliance with required financial management systems requirements. If adequate assurance cannot be obtained for all or part of the systems supporting the financial functions, then the department/agency should ensure that additional controls are in place to ensure full compliance with appropriate financial management systems requirements.

2. Assess Whether the Financial Management System Non-compliance is Substantial - A non-compliant system requires further analysis to decide if the deficiency that caused the non-compliance results in the system being "substantially non-compliant" with OMB Circular A-127.
If a system's non-compliance is not considered substantial, and therefore is not required to be reported as a system "non-conformance" under FMFIA, then the system should be considered compliant with OMB Circular A-127 requirements, and appropriate analysis should be documented and maintained supporting this conclusion.

The assessment of whether the system is substantially non-compliant may be based on factors such as whether the deficiency:
- causes material misstatements of financial information for financial reporting or agency decision-making;
- leaves internal controls inadequate to ensure that the collection of information properly reflects the financial events of the Federal government and follows government reporting requirements;
- merits the attention of the agency head/senior management, the Executive Office of the President, or the relevant congressional oversight committee;
- prevents the primary agency financial system from achieving adequate control over agency financial transactions and resource balances; or
- prevents conformance of the financial system with (1) financial information standards and/or (2) financial system function standards.

In the financial management system reviews, particular attention should be directed toward an assessment of whether the system complies substantially with Federal financial management systems requirements, applicable Federal accounting standards, and/or the United States Government Standard General Ledger (SGL) at the transaction level. See Appendix A-4 for the FFMIA requirements.

3. Determine If Substantial Non-compliance Should be Reported under FMFIA Section 4 Requirements - For systems determined to be substantially non-compliant, the agency should also determine whether the system is required to be reported under FMFIA Section 4 as a systems "non-conformance".
Reporting under FMFIA Section 4 is required if the agency head determines that the system's non-compliance is significant enough to be reported outside the agency as a material financial management system non-conformance. Criteria that may be used in making such a determination would include:
- Is the deficiency serious enough to affect compliance with the Government Management and Reform Act (GMRA)?
- The deficiency would cause a material adverse impact to the agency in terms of program efficiency and effectiveness, financial condition, compliance with laws and regulations, or protection of government assets.
- The deficiency is so serious as to warrant the attention of the President, Congress, and OMB.

For consistency in reporting, it is hoped that the OIG would use similar criteria in determining whether a non-compliance is considered substantial and should be reported as part of their assessments of compliance under FFMIA. Also, agencies' OIGs may consider using agency financial management systems review analyses, as appropriate, to support their assessments of compliance under FFMIA.

Step 3 - Reporting on the Outcomes of the Reviews

Upon the completion of a financial management systems review, a summary of the results should be prepared. This summary of review results states whether the system is or is not in substantial compliance with financial systems requirements. If the system is in substantial compliance, then the summary should be held on file to support the assessment conclusions for use in future systems reviews and by auditors. An example of a financial management system assessment summary is provided in Appendix D.

Systems that are substantially non-compliant with OMB Circular A-127 generally should be reported in an agency's FMFIA assurance statement.
In addition, agencies are required to report on systems identified by audit officials that are substantially non-compliant under FFMIA when the systems do not comply with: (1) the U.S. SGL at the transaction level; (2) Federal accounting standards; or (3) Federal financial management systems requirements. Further, systems that are determined by the auditors not to meet FFMIA requirements should be reported in the annual budget submission to OMB under Circular A-11, along with appropriate remediation plans. The effect of substantial financial systems non-compliance under FFMIA on an agency's financial operations should also be disclosed in an agency's financial statements, which are distributed to OMB and Congress.

If, based on the results of the review, the agency official is unable to provide reasonable assurance that a system complies in all areas, a conditional assessment may be provided identifying the areas where reasonable assurance cannot be provided. An explanation of the identified weaknesses and the actions required for correction (including timeframe, if known) should be included.

Step 4 - Planning to Correct the Problems

If the agency determines that a system is substantially non-compliant and must be reported under FMFIA Section 4 requirements as a system non-conformance, a corrective action plan should be put in place. The plan should include a discussion of the correction efforts needed in sufficient detail that managers can understand the nature of the issues and the result desired when the corrections are completed. A corrective action plan should cover the resources, the remedies and target dates to resolve the identified issues:
- Resources - Estimated costs to be incurred to make the system substantially compliant.
- Remedies - Specific steps/tasks necessary to fix the non-conforming system and responsible parties.
- Target Dates - Target dates for completing the tasks identified in the plan.
Systems reported by an auditor as substantially non-compliant under FFMIA require an agency to develop a separate remediation plan. The remediation plan should be developed in consultation with OMB, and include the same level of detail as a corrective action plan, with a description of resources and milestones for achieving compliance. The Inspector General's semi-annual report should include an agency's progress in achieving compliance as required by the IG Act, as amended. Under FFMIA, the remediation plan shall "bring the agency's financial management systems into substantial compliance no later than 3 years after the date a determination [of non-compliance] was made." Specific waiver from this timeframe is permissible with agreement from OMB.

Timing of Financial Systems Reviews

Detailed systems reviews should be conducted for all major financial management systems to provide an agency's management the ability to provide assurance that the systems are in compliance with Federal financial systems requirements. Financial management systems that are considered not significant to the financial management of the agency, or where the dollar volume of the transactions does not result in the systems being considered material to the preparation of financial statements, may be exempted from financial management system review by the CFO of an agency.

Financial management systems reviews should be conducted at intervals that provide agency heads adequate support for their Annual Assurance Statement covering FMFIA Section 4 requirements. However, assessments are most effective when reviews are conducted at least once every five years, or more frequently if (1) major changes have been implemented that would substantially affect the operations of the system, (2) there are management concerns over the integrity of the system or the data in the system, or (3) the importance of the systems requires management to provide external assurance on the compliance of the systems to Federal Financial Systems Requirements on a more frequent basis. In addition, an independent review or audit of the security controls in each application is required by OMB Circular A-130 at least every three years.

On-Going Monitoring

The system's program manager is responsible for making sure deficiencies are corrected according to plan and for working with GAO and the OIG on their reviews. Periodic reviews should be conducted on systems to ensure they continue to comply with FMFIA, FFMIA, and OMB Circular A-127.

Tools for Performing an FFMIA Compliance Review

Currently, methods used by agencies vary from in-depth reviews that utilize custom designed guides to the use of external auditors and consultants who develop their own evaluation criteria. This guide is intended to supplement these tools and to provide additional capabilities where tools are not available. Tools available to agencies to assist them in conducting internal financial management systems compliance reviews include:
- Existing review guides developed by agencies, which can be shared and tailored to meet agency specific needs.
- Use of this guide or other authoritative guidance such as OMB Bulletin 98-08 and related Circulars (i.e. A-123, A-127, A-130).
- The JFMIP core financial management system certification test.
- Checklists that incorporate current financial system requirements as published by JFMIP in the Federal Financial Management System Requirements series (e.g. JFMIP-SR-99-4). (1)

(1) Checklists containing all the requirements of each of the JFMIP system requirements documents are available from GAO. As JFMIP updates existing system documents (or issues new ones), GAO publishes a related checklist document.
These checklists can be obtained in hard copy by calling (202) 512-6000 or are available on the Internet on GAO's home page (www.gao.gov).

The JFMIP core financial management system test was designed specifically for the purpose of assessing a software package's ability to comply with core requirements (see JFMIP-SR-99-4). Accordingly, documenting the successful completion of the test on an implemented system would be objective evidence that a core financial system is in compliance with the Federal financial management systems requirements of FFMIA. The test is currently available on the Internet at http://www.financenet.gov/financenet/fed/jfmip/pmo.htm[2] for use by program and financial managers and the oversight community. It contains a test plan, test cases (scenarios), assumptions that were made, and the expected test results.

Part II: Criteria for Financial Management Systems Compliance

The criteria for performing financial management systems reviews included in this guide are intended to enable Federal agencies to meet the requirements of the FFMIA, the FMFIA, and OMB Circular A-127.

Compliance Requirements: Federal Financial Management Improvement Act (FFMIA)

All financial management systems within the agency determined to be either financial or mixed must comply with:

- Federal financial management systems requirements
- Applicable Federal accounting standards
- U.S. SGL at the transaction level

For purposes of review:

- Exclude systems under development unless the agency reported them in their financial/mixed systems inventory to OMB.
- Include systems developed in-house and systems or services supplied by outside vendors in support of agency functions.

Financial management system compliance is based on the requirements outlined in Section 7, Financial Management System Requirements, of OMB Circular A-127, and in the FMFIA.
The relationship of such reviews to the compliance requirements above is included in Table A.

Federal Managers' Financial Integrity Act (FMFIA) Section 4 Reviews

Section 4. Section 118(b) of the Accounting and Auditing Act of 1950 (31 U.S.C. 661(b)) states that "each annual statement prepared pursuant to subsection (d) of this section shall include a separate report on whether the agency's accounting system conforms to the principles, standards, and related requirements prescribed by the Comptroller General under section 112 of the Integrity Act."

Circular A-127 Reviews

Each agency shall ensure appropriate reviews are conducted of its financial management systems. The results of these reviews shall be considered when developing financial management systems plans. OMB encourages agencies to coordinate and, where appropriate, combine required reviews.

Reviews must comply with policies for (1) reviews of internal controls undertaken and reported on in accordance with the guidance issued by OMB for compliance with the requirements of the FMFIA and Circular A-123, (2) reviews of conformance of financial management systems with the principles, standards, and related requirements in Section 7 of A-127 undertaken in accordance with the guidance issued by OMB for compliance with requirements of the FMFIA, and (3) reviews of systems and security as required under provisions of Circular A-130. The relationships of these reviews are presented in Table A.

Table A. Comparison of Financial Management Systems Compliance Guidance: OMB Circular A-127 Section 7, OMB Circular A-130, FFMIA, and FMFIA Section 4 (OMB Circular A-123 Requirements)

Columns: Financial Management Systems Compliance Review Criteria (see Appendix B for details) | OMB Policy Requirements: OMB Circular A-127 Section 7 | OMB Circular A-130 | External Reporting Requirements: FFMIA Regulations | FMFIA Section 4 (OMB Circular A-123)

Row entries:
A. Comparability and Consistency | A. Agency-wide Financial Information Classification Structure
B. Integrating financial systems and eliminating duplication | B. Efficiency and Economy | B. Integrated Financial Management Systems
C. Application of the SGL at the transaction level | C. Application of the U.S. Government Standard General Ledger at the transaction level | C. Government Standard General Ledger (SGL) at the transaction level
D. Consistency with accounting principles and standards | D. Financial Data | D. Federal Accounting Standards | D. Applicable Federal accounting standards
E. Financial information | E. Financial Reporting | E. Financial Reporting
F. Budget formulation and execution | F. Support for Budgeting and Performance Reporting | F. Budget Reporting
G. Functional Requirements | G. Functional Requirements | G. Federal financial management systems requirements
H. Computer security (Controls for Major Applications) | H. Computer Security Act Requirements | H. Computer Security Act Requirements
I. Application Security Plan | I. Documentation | I. Documentation
J. Systems Integrity | J. Internal Controls | J. Review of Application Controls & Authorized Processing | J. Internal controls / accountability for agency assets
K. Training and User Support | K. Training and User Support | K. Specialized Training
L. Maintenance | L. Maintenance

Appendix A-1: References

OMB Circular A-127, Section 7, Financial Management System Requirements

7. Financial Management System Requirements. Agency financial management systems shall comply with the following requirements:

a. Agency-wide Financial Information Classification Structure. The design of the financial management systems shall reflect an agency-wide financial information classification structure that is consistent with the U.S. SGL, provides for tracking of specific program expenditures, and covers financial and financially related information.
This structure will minimize data redundancy, ensure that consistent information is collected for similar transactions throughout the agency, encourage consistent formats for entering data directly into the financial management systems, and ensure that consistent information is readily available and provided to internal managers at all levels within the organization. Financial management systems' designs shall support agency budget, accounting, and financial management reporting processes by providing consistent information for budget formulation, budget execution, programmatic and financial management, performance measurement, and financial statement preparation.

b. Integrated Financial Management Systems. Financial management systems shall be designed to provide for effective and efficient interrelationships between software, hardware, personnel, procedures, controls, and data contained within the systems. In doing so, they shall have the following characteristics:

- Common Data Elements. Standard data classifications (definitions and formats) shall be established and used for recording financial events. Common data elements shall be used to meet reporting requirements and, to the extent possible, used throughout the agency for collection, storage, and retrieval of financial information. Government-wide information standards (e.g., the U.S. SGL) and other external reporting requirements shall be incorporated into the agency's standard data classification requirements.
- Common Transaction Processing. Common processes shall be used for processing similar kinds of transactions throughout the system to enable these transactions to be reported in a consistent manner.
- Consistent Internal Controls. Internal controls over data entry, transaction processing, and reporting shall be applied consistently throughout the system to ensure the validity of information and protection of Federal government resources.
- Efficient Transaction Entry. Financial system designs shall eliminate unnecessary duplication of transaction entry. Wherever appropriate, data needed by the systems to support financial functions shall be entered only once and other parts of the system shall be updated through electronic means consistent with the timing requirements of normal business/transaction cycles.

c. Application of the U.S. SGL at the Transaction Level. Financial events shall be recorded by agencies throughout the financial management system applying the requirements of the U.S. SGL at the transaction level. Application of the SGL at the transaction level means that the financial management systems will process transactions following the definitions and defined uses of the general ledger accounts as described in the SGL. Compliance with this standard requires:

- Data in Financial Reports Consistent with the SGL. Reports produced by the systems that provide financial information, whether used internally or externally, shall provide financial data that can be traced directly to the SGL accounts.
- Transactions Recorded Consistent with SGL Rules. The criteria (e.g., timing, processing rules/conditions) for recording financial events in all financial management systems shall be consistent with accounting transaction definitions and processing rules defined in the SGL.
- Supporting Transaction Detail for SGL Accounts Readily Available. Transaction detail supporting SGL accounts shall be available in the financial management systems and directly traceable to specific SGL account codes.

Agencies may supplement their application of the SGL to meet agency-specific information requirements in accordance with guidance provided in the U.S. SGL supplement to the Treasury Financial Manual.

d. Federal Accounting Standards. Agency financial management systems shall maintain accounting data to permit reporting in accordance with accounting standards recommended by the Federal Accounting Standards Advisory Board (FASAB) and issued by the Director of OMB, and reporting requirements issued by the Director of OMB and/or the Secretary of the Treasury. Where no accounting standards have been recommended by FASAB and issued by the Director of OMB, the systems shall maintain data in accordance with the applicable accounting standards used by the agency for preparation of its financial statements. Agency financial management systems shall be designed flexibly to adapt to changes in accounting standards.

e. Financial Reporting. The agency financial management system shall meet the following agency reporting requirements:

- Agency Financial Management Reporting. The agency financial management system shall be able to provide financial information in a timely and useful fashion to (1) support management's fiduciary role; (2) support the legal, regulatory, and other special management requirements of the agency; (3) support budget formulation and execution functions; (4) support fiscal management of program delivery and program decision making; (5) comply with internal and external reporting requirements, including, as necessary, the requirements for financial statements prepared in accordance with the form and content prescribed by OMB and reporting requirements prescribed by Treasury; and (6) monitor the financial management system to ensure the integrity of financial data.
- Performance Measures. Agency financial management systems shall be able to capture and produce financial information required to measure program performance, financial performance, and financial management performance as needed to support budgeting, program management, and financial statement presentation. As new performance measures are established, agencies shall incorporate the necessary information and reporting requirements, as appropriate and feasible, into their financial management systems.

f. Budget Reporting. Agency financial management systems shall enable the agency to prepare, execute, and report on the agency's budget in accordance with the requirements of OMB Circular No. A-11 (Preparation and Submission of Budget Estimates), OMB Circular No. A-34 (Instructions on Budget Execution), and other circulars and bulletins issued by the OMB.

g. Functional Requirements. Agency financial management systems shall conform to existing applicable functional requirements for the design, development, operation, and maintenance of financial management systems. Functional requirements are defined in a series of publications entitled Federal Financial Management Systems Requirements issued by the JFMIP. Additional functional requirements may be established through OMB circulars and bulletins and the Treasury Financial Manual. Agencies are expected to implement expeditiously new functional requirements as they are established and/or made effective.

h. Computer Security Act Requirements. Agencies shall plan for and incorporate security controls in accordance with the Computer Security Act of 1987 and Circular A-130 for those financial management systems that contain "sensitive information" as defined by the Computer Security Act.

i. Documentation. Agency financial management systems and processing instructions shall be clearly documented in hard copy or electronically in accordance with (a) the requirements contained in the Federal Financial Management Systems Requirements documents published by JFMIP or (b) other applicable requirements. All documentation (software, system, operations, user manuals, operating procedures, etc.) shall be kept up-to-date and be readily available for examination. System user documentation shall be in sufficient detail to permit a person, knowledgeable of the agency's programs and of systems generally, to obtain a comprehensive understanding of the entire operation of each system. Technical systems documentation such as requirements documents, systems specifications, and operating instructions shall be adequate to enable technical personnel to operate the system in an effective and efficient manner.

j. Internal Controls. The financial management systems shall include a system of internal controls that ensure resource use is consistent with laws, regulations, and policies; resources are safeguarded against waste, loss, and misuse; and reliable data are obtained, maintained, and disclosed in reports. Appropriate internal controls shall be applied to all system inputs, processing, and outputs. Such system-related controls form a portion of the management control structure required by Circular A-123.

k. Training and User Support. Adequate training and appropriate user support shall be provided to the users of the financial management systems, based on the level, responsibility, and roles of individual users, to enable the users of the systems at all levels to understand, operate, and maintain the system.

l. Maintenance. On-going maintenance of the financial management systems shall be performed to enable the systems to continue to operate in an effective and efficient manner. The agency shall periodically evaluate how effectively and efficiently the financial management systems support the agency's changing business practices and make appropriate modifications.

Appendix A-2: References

OMB Bulletin No. 98-08, Audit Requirements for Federal Financial Statements

Relationship to Section 4 of FMFIA (the Integrity Act)

There is a close, if not overlapping, relationship between FFMIA and the FMFIA.
Since the acronyms are similar, this guidance refers to FMFIA as the Integrity Act. The Integrity Act requires that the agency head, on an annual basis no later than December 31, provide an assurance statement with respect to agency management controls (Section 2) and agency compliance with financial management system requirements (Section 4). For the most part, in many agencies, the Integrity Act statement of assurance for Section 4 provides management's assertion of compliance with section 803(a) of FFMIA.

Section 803, Implementation of FFMIA

Section 803(a), cited above, states: "In General - Each agency shall implement and maintain financial management systems that comply substantially with Federal financial management systems requirements, applicable Federal accounting standards, and the U.S. SGL at the transaction level."

This section of the guidance more fully describes (1) Federal financial management systems requirements; (2) applicable Federal accounting standards; and (3) the SGL at the transaction level. In each section, information is provided on substantial compliance and types of indicators to be used in assessing whether an agency is in substantial compliance. The criteria are broad and flexible; yet, they provide a practical basis for measuring achievement in complying with the FFMIA requirements.

(1) Federal Financial Management Systems Requirements

Circular A-127 prescribes policies and standards for agencies to follow in developing, operating, evaluating, and reporting on financial management systems. In addition, Circular A-127 also incorporates by reference: Circular A-123, "Management Accountability and Control;" Circular A-130, "Management of Federal Information Resources;" other operating policies and related requirements prescribed by OMB; and Federal Financial Management Systems Requirements issued by JFMIP. The financial management systems subject to the requirements of FFMIA are included in the inventory of financial management systems subject to the requirements of Section 4 of the Integrity Act. Compliance with the financial management systems requirements of FFMIA applies to all financial management systems essential to meeting financial statement preparation and budgetary reporting requirements.

An agency of the Federal government is considered to be in substantial compliance with financial management system requirements if:

- Financial management systems meet Circular A-127 requirements which, for purposes of complying with this Act, call for systems to: support management's fiduciary role; support the legal, regulatory, and other special management requirements of the agency; support the budget execution functions; support fiscal management of program delivery and program decision-making; comply with internal and external reporting requirements, including, as necessary, the requirement for financial statements prepared in accordance with the form and content prescribed by OMB and reporting requirements prescribed by Treasury; and be monitored by agency staff to ensure the integrity of financial data. This is accomplished through a unified set of systems comprised of financial systems and financial portions of mixed systems. These systems may or may not be operated by the CFO's office.
- Financial management systems follow requirements published in JFMIP's Federal Financial Management System Requirements series, which prescribe the functions that must be performed by systems to capture information for financial statement preparation.
- Compensating procedures are applied to financial management information produced by third parties, such as service bureaus, when it is determined that systems used by third parties to provide those services do not comply with the provisions of the FFMIA.
- Security over financial information is provided in accordance with Circular A-130, Appendix 3.
- Internal controls over financial management systems are designed properly and operating effectively. Internal controls are described in OMB Bulletin 98-08. It is not expected that the scope of the auditor's work in this area would extend beyond the requirements of the Bulletin.

Indicators:

- Annual assurance statement issued pursuant to the Section 4 Integrity Act report does not reflect any material non-conformance related to financial management systems covered by FFMIA.
- Audit procedures performed for the purpose of obtaining evidence in support of the auditor's opinion on the financial statements did not disclose material weaknesses or noncompliance with legal or regulatory requirements of the agency.[3]
- Standard budget execution information is provided on a timely basis to OMB and Treasury in the manner requested and is consistent with budget execution information used internally within the agency.
- Agency senior management and program managers have access to timely financial information on the status of funds (commitments, reservations, and obligations) by operating units and programs that allows analysis of data for decision-making.
- Funds control decisions are based on information provided from the agency's financial management systems.
- The agency core financial system, supported by other systems containing the detailed data summarized in the core financial system, is the source of information used in the preparation of the annual financial statements and other internal and external reporting requirements. Detailed information contained in these other systems also may be used as the source information for reporting where summarized information contained in the agency core system does not provide the details necessary to meet reporting requirements.
- The agency has a management control program that identifies and reports deficiencies in financial management systems, including deficiencies resulting in a lack of substantial compliance with the three requirements of FFMIA, and ensures such deficiencies are corrected.

[3] In very limited circumstances, reportable conditions that significantly impair an entity's ability to meet Federal financial management systems requirements (such as reportable conditions related to computer security over financial information covered by OMB Circular A-130, Appendix 3) may represent conditions reportable under FFMIA.

(2) Federal Accounting Standards

An agency of the Federal Government will be considered in substantial compliance with Federal accounting standards if the agency prepares audited financial statements in accordance with the hierarchy of Federal accounting standards included in paragraph 5 of OMB Bulletin 98-08. Substantial compliance does not require all transactions to be in full compliance with Federal accounting standards at the point of original entry, but that financial information used in the preparation of financial statements, based on such transactions, is adequately supported by detailed financial records (automated or manual).

Indicators:

- An unqualified opinion on the agency's financial statements. For a qualified opinion, a review of the underlying reasons for the qualified opinion is needed to determine whether or not the agency is in substantial compliance with this requirement. In limited circumstances, a qualified opinion on the agency's financial statements may indicate substantial compliance with this requirement when it is solely due to reasons other than the agency's ability to prepare auditable financial statements. Further, a disclaimer of opinion may not indicate that there is a lack of substantial compliance with this requirement when it results from a material uncertainty, such as resolution of litigation or projecting future economic events.
- The audit disclosed no material weaknesses in internal controls that affect the agency's ability to prepare auditable financial statements and related disclosures.[4]

[4] In very limited circumstances, reportable conditions that significantly impair an entity's ability to meet Federal financial management systems requirements (such as reportable conditions related to computer security over financial information covered by OMB Circular A-130, Appendix 3) may represent conditions reportable under FFMIA.

(3) SGL at the Transaction Level

Implementing the SGL at the transaction level requires that the Core Financial System General Ledger Management Function is in full compliance with the SGL chart of accounts descriptions and posting rules; transactions from feeder systems are summarized and fed into the Core Financial System's General Ledger following SGL requirements through an interface (automated or manual); detail supporting the interface transactions can be traced back to the source transactions in the feeder systems; and the feeder systems process transactions consistent with SGL account descriptions and posting rules.

An agency of the Federal government will be considered in substantial compliance with the SGL at the transaction level requirement if the agency's classification of financial events for its financial statements and required financial information provided to the Department of the Treasury and OMB is consistent with the account descriptions and posting rules as approved by the SGL Board and published by the Treasury Department's Financial Management Service in the Treasury Financial Manual.

Indicators:

- The agency's core financial system uses the SGL number to capture financial information, or the agency uses an alternative code (pseudo-code) following the same account descriptions and posting rules that are used by the SGL to capture financial information, and the information can be appropriately matched to SGL codes for reporting to OMB or Treasury and for preparing financial statements. The use of the SGL code in the feeder system is not necessary as long as the code definitions used to capture information are consistent with the SGL definitions.
- Systems must capture information using the same descriptions and posting rules as in the SGL. Detailed information captured in feeder systems can be summarized in the core financial system; however, information shall be captured and summarized so that it follows the SGL descriptions and posting rules and is captured at the level necessary to meet OMB or Treasury reporting requirements and for preparing financial statements.
- Transactions can be traced back to the source/point-of-entry in the feeder systems and to supporting information.

Audit Considerations

Based on the foregoing, the auditor shall use professional judgment in determining substantial compliance with the systems requirements of FFMIA. However, lack of substantial compliance with the requirements in any one or more of the three areas included in FFMIA - Federal financial management system requirements, Federal accounting standards, and the SGL - would result in lack of substantial compliance with FFMIA. Further, a lack of substantial compliance with any one or more of the indicators described herein would typically result in a lack of substantial compliance with one or more of the three areas described above and, thus, a lack of substantial compliance with the systems requirements of FFMIA. Judgment shall be used in determining a lack of substantial compliance with an indicator.
For instance, if an auditor finds that a few budget execution reports were submitted late to OMB and contained minor inaccuracies, this may not result in a lack of substantial compliance with the indicator regarding standard budget execution information.

A-7 Financial Management Systems Compliance Review Guide

Appendix A - 3: References

OMB Circular A-130, Section 3 Automated Information Security Programs

Automated Information Security Programs. Agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications. Each agency's program shall implement policies, standards and procedures which are consistent with government-wide policies, standards, and procedures issued by OMB, the Department of Commerce, the General Services Administration and the Office of Personnel Management (OPM). Different or more stringent requirements for securing national security information should be incorporated into agency programs as required by appropriate national security directives. At a minimum, agency programs shall include the following controls in their general support systems and major applications:

a. Controls for general support systems.

1) Assign Responsibility for Security. Assign responsibility for security in each system to an individual knowledgeable in the information technology used in the system and in providing security for such technology.

2) System Security Plan. Plan for adequate security of each general support system as part of the organization's information resources management (IRM) planning process. The security plan shall be consistent with guidance issued by the National Institute of Standards and Technology (NIST). Independent advice and comment on the security plan shall be solicited prior to the plan's implementation. A summary of the security plans shall be incorporated into the strategic IRM plan required by the Paperwork Reduction Act (44 U.S.C. Chapter 35) and Section 8(b) of this circular. Security plans shall include:

a) Rules of the System. Establish a set of rules of behavior concerning use of, security in, and the acceptable level of risk for, the system. The rules shall be based on the needs of the various users of the system. The security required by the rules shall be only as stringent as necessary to provide adequate security for information in the system. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the system. They shall also include appropriate limits on interconnections to other systems and shall define service provision and restoration priorities. Finally, they shall be clear about the consequences of behavior not consistent with the rules.

b) Training. Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them about available assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training shall be required for continued access to the system.

c) Personnel Controls. Screen individuals who are authorized to bypass significant technical and operational security controls of the system commensurate with the risk and magnitude of harm they could cause. Such screening shall occur prior to an individual being authorized to bypass controls and periodically thereafter.

d) Incident Response Capability. Ensure that there is a capability to provide help to users when a security incident occurs in the system and to share information concerning common vulnerabilities and threats. This capability shall share information with other organizations, consistent with NIST coordination, and should assist the agency in pursuing appropriate legal action, consistent with Department of Justice guidance.

e) Continuity of Support. Establish and periodically test the capability to continue providing service within a system based upon the needs and priorities of the participants of the system.

f) Technical Security. Ensure that cost-effective security products and techniques are appropriately used within the system.

g) System Interconnection. Obtain written management authorization, based upon the acceptance of risk to the system, prior to connecting with other systems. Where connection is authorized, controls shall be established which are consistent with the rules of the system and in accordance with guidance from NIST.

3) Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the FMFIA, if there is no assignment of security responsibility, no security plan, or no authorization to process for a system.

4) Authorize Processing. Ensure that a management official authorizes in writing the use of each general support system based on implementation of its security plan before beginning or significantly changing processing in the system. Use of the system shall be re-authorized at least every three years.

b. Controls for Major Applications.

1) Assign Responsibility for Security.
Assign responsibility for security of each major application to a management official knowledgeable in the nature of the information and process supported by the application and in the management, personnel, operational, and technical controls used to protect it. This official shall assure that effective security products and techniques are appropriately used in the application and shall be contacted when a security incident occurs concerning the application.

2) Application Security Plan. Plan for the adequate security of each major application, taking into account the security of all systems in which the application will operate. The plan shall be consistent with guidance issued by NIST. Advice and comment on the plan shall be solicited from the official responsible for security in the primary system in which the application will operate prior to the plan's implementation. A summary of the security plans shall be incorporated into the strategic IRM plan required by the Paperwork Reduction Act. Application security plans shall include:

a) Application Rules. Establish a set of rules concerning use of and behavior within the application. The rules shall be as stringent as necessary to provide adequate security for the application and the information in it. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the application. In addition, the rules shall be clear about the consequences of behavior not consistent with the rules.

b) Specialized Training. Before allowing individuals access to the application, ensure that all individuals receive specialized training focused on their responsibilities and the application rules. This may be in addition to the training required for access to a system. Such training may vary from a notification at the time of access (e.g., for members of the public using an information retrieval application) to formal training (e.g., for an employee that works with a high-risk application).

c) Personnel Security. Incorporate controls such as separation of duties, least privilege and individual accountability into the application and application rules as appropriate. In cases where such controls cannot adequately protect the application or information in it, screen individuals commensurate with the risk and magnitude of the harm they could cause. Such screening shall be done prior to the individuals' being authorized to access the application and periodically thereafter.

d) Contingency Planning. Establish and periodically test the capability to perform the agency function supported by the application in the event of failure of its automated support.

e) Technical Controls. Ensure that appropriate security controls are specified, designed into, tested, and accepted in the application in accordance with appropriate guidance issued by NIST.

f) Information Sharing. Ensure that information shared from the application is protected appropriately, comparable to the protection provided when information is within the application.

g) Public Access Controls. Where an agency's application promotes or permits public access, additional security controls shall be added to protect the integrity of the application and the confidence the public has in the application. Such controls shall include segregating information made directly accessible to the public from official agency records.

3) Review of Application Controls. Perform an independent review or audit of the security controls in each application at least every three years. Consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the FMFIA if there is no assignment of responsibility for security, no security plan, or no authorization to process for the application.

4) Authorize Processing. Ensure that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and re-authorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application.

Appendix A - 4: Federal Financial Management Improvement Act of 1996

An Act Making omnibus consolidated appropriations for the fiscal year ending September 30, 1997, and for other purposes. ((NOTE: Sept. 30, 1996 - [H.R. 3610])) Be it enacted by the Senate and House of Representatives of the United States of America ((NOTE: Omnibus Consolidated Appropriations Act, 1997.)) in Congress assembled,...

TITLE VIII--FEDERAL FINANCIAL MANAGEMENT IMPROVEMENT ((NOTE: Federal Financial Management Improvement Act of 1996. 31 USC 3512 note.))

SEC. 801. SHORT TITLE.
This title may be cited as the "Federal Financial Management Improvement Act of 1996."

SEC. 802. ((NOTE: 31 USC 3512 note.)) FINDINGS AND PURPOSES.
(a) Findings.--The Congress finds the following:
(1) Much effort has been devoted to strengthening Federal internal accounting controls in the past. Although progress has been made in recent years, Federal accounting standards have not been uniformly implemented in financial management systems for agencies.
(2) Federal financial management continues to be seriously deficient, and Federal financial management and fiscal practices have failed to--
(A) identify costs fully;
(B) reflect the total liabilities of congressional actions; and
(C) accurately report the financial condition of the Federal Government.
(3) Current Federal accounting practices do not accurately report financial results of the Federal Government or the full costs of programs and activities. The continued use of these practices undermines the Government's ability to provide credible and reliable financial data and encourages already widespread Government waste, and will not assist in achieving a balanced budget.
(4) Waste and inefficiency in the Federal Government undermine the confidence of the American people in the government and reduce the Federal Government's ability to address vital public needs adequately.
(5) To rebuild the accountability and credibility of the Federal Government, and restore public confidence in the Federal Government, agencies must incorporate accounting standards and reporting objectives established for the Federal Government into their financial management systems so that all the assets and liabilities, revenues, and expenditures or expenses, and the full costs of programs and activities of the Federal Government can be consistently and accurately recorded, monitored, and uniformly reported throughout the Federal Government.
(6) Since its establishment in October 1990, the Federal Accounting Standards Advisory Board (hereinafter referred to as the "FASAB") has made substantial progress toward developing and recommending a comprehensive set of accounting concepts and standards for the Federal Government. When the accounting concepts and standards developed by FASAB are incorporated into Federal financial management systems, agencies will be able to provide cost and financial information that will assist the Congress and financial managers to evaluate the cost and performance of Federal programs and activities, and will therefore provide important information that has been lacking, but is needed for improved decision making by financial managers and the Congress.
(7) The development of financial management systems with the capacity to support these standards and concepts will, over the long term, improve Federal financial management.
(b) Purposes.--The purposes of this Act are to--
(1) provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government;
(2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities, to the citizens, the Congress, the President, and agency management, so that programs and activities can be considered based on their full costs and merits;
(3) increase the accountability and credibility of Federal financial management;
(4) improve performance, productivity and efficiency of Federal Government financial management;
(5) establish financial management systems to support controlling the cost of Federal Government;
(6) build upon and complement the Chief Financial Officers Act of 1990 (Public Law 101-576; 104 Stat. 2838), the Government Performance and Results Act of 1993 (Public Law 103-62; 107 Stat. 285) and the Government Management Reform Act of 1994 (Public Law 103-356; 108 Stat. 3410); and
(7) increase the capability of agencies to monitor execution of the budget by more readily permitting reports that compare spending of resources to results of activities.

SEC. 803.
((NOTE: 31 USC 3512 note.)) IMPLEMENTATION OF FEDERAL FINANCIAL MANAGEMENT IMPROVEMENTS.
(a) In General.--Each agency shall implement and maintain financial management systems that comply substantially with Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger at the transaction level.
(b) Audit Compliance Finding.-- [[Page 110 STAT. 3009-391]]
(1) In general.--Each audit required by section 3521(e) of title 31, United States Code, shall report whether the agency financial management systems comply with the requirements of subsection (a).
(2) Content of Reports.--When the person performing the audit required by section 3521(e) of title 31, United States Code, reports that the agency financial management systems do not comply with the requirements of subsection (a), the person performing the audit shall include in the report on the audit--
(A) the entity or organization responsible for the financial management systems that have been found not to comply with the requirements of subsection (a);
(B) all facts pertaining to the failure to comply with the requirements of subsection (a), including--
(i) the nature and extent of the noncompliance including areas in which there is substantial but not full compliance;
(ii) the primary reason or cause of the noncompliance;
(iii) the entity or organization responsible for the non-compliance; and
(iv) any relevant comments from any responsible officer or employee; and
(C) a statement with respect to the recommended remedial actions and the time frames to implement such actions.
(c) Compliance Implementation.--
(1) Determination.--No later than the date described under paragraph (2), the Head of an agency shall determine whether the financial management systems of the agency comply with the requirements of subsection (a). Such determination shall be based on--
(A) a review of the report on the applicable agency-wide audited financial statement;
(B) any other information the Head of the agency considers relevant and appropriate.
(2) Date of determination.--The determination under paragraph (1) shall be made no later than 120 days after the earlier of--
(A) the date of the receipt of an agency-wide audited financial statement; or
(B) the last day of the fiscal year following the year covered by such statement.
(3) Remediation plan.--
(A) If the Head of an agency determines that the agency's financial management systems do not comply with the requirements of subsection (a), the head of the agency, in consultation with the Director, shall establish a remediation plan that shall include resources, remedies, and intermediate target dates necessary to bring the agency's financial management systems into substantial compliance.
(B) If the determination of the head of the agency differs from the audit compliance findings required in subsection (b), the Director shall review such determinations and provide a report on the findings to the appropriate committees of the Congress. [[Page 110 STAT. 3009-392]]
(4) Time period for compliance.--A remediation plan shall bring the agency's financial management systems into substantial compliance no later than 3 years after the date a determination is made under paragraph (1), unless the agency, with concurrence of the Director--
(A) determines that the agency's financial management systems cannot comply with the requirements of subsection (a) within 3 years;
(B) specifies the most feasible date for bringing the agency's financial management systems into compliance with the requirements of subsection (a); and
(C) designates an official of the agency who shall be responsible for bringing the agency's financial management systems into compliance with the requirements of subsection (a) by the date specified under subparagraph (B).

SEC. 804.
((NOTE: 31 USC 3512 note.)) REPORTING REQUIREMENTS.
(a) Reports by the Director.--No later than March 31 of each year, the Director shall submit a report to the Congress regarding implementation of this Act. The Director may include the report in the financial management status report and the 5-year financial management plan submitted under section 3512(a)(1) of title 31, United States Code.
(b) Reports by the Inspector General.--Each Inspector General who prepares a report under section 5(a) of the Inspector General Act of 1978 (5 U.S.C. App.) shall report to Congress instances and reasons when an agency has not met the intermediate target dates established in the remediation plan required under section 3(c). Specifically the report shall include--
(1) the entity or organization responsible for the non-compliance;
(2) the facts pertaining to the failure to comply with the requirements of subsection (a), including the nature and extent of the non-compliance, the primary reason or cause for the failure to comply, and any extenuating circumstances; and
(3) a statement of the remedial actions needed to comply.
(c) Reports by the Comptroller General.--No later than October 1, 1997, and October 1 of each year thereafter, the Comptroller General of the United States shall report to the appropriate committees of the Congress concerning--
(1) compliance with the requirements of section 3(a) of this Act, including whether the financial statements of the Federal Government have been prepared in accordance with applicable accounting standards; and
(2) the adequacy of applicable accounting standards for the Federal Government.

SEC. 805. ((NOTE: 31 USC 3512 note.)) CONFORMING AMENDMENTS.
(a) Audits by Agencies.--Section 3521(f)(1) of title 31, United States Code, is amended in the first sentence by inserting "and the Controller of the Office of Federal Financial Management" before the period.
(b) Financial Management Status Report.--Section 3512(a)(2) of title 31, United States Code, is amended by--
(1) in subparagraph (D) by striking "and" after the semicolon;
(2) by redesignating subparagraph (E) as subparagraph (F); and [[Page 110 STAT. 3009-393]]
(3) by inserting after subparagraph (D) the following:
"(E) a listing of agencies whose financial management systems do not comply substantially with the requirements of Section 3(a) the Federal Financial Management Improvement Act of 1996, and a summary statement of the efforts underway to remedy the noncompliance; and"
(c) Inspector General Act of 1978.--Section 5(a) of the Inspector General Act of 1978 ((NOTE: 5 USC app.)) is amended--
(1) in paragraph (11) by striking "and" after the semicolon;
(2) in paragraph (12) by striking the period and inserting "; and"; and
(3) by adding at the end the following new paragraph: "(13) the information described under section 05(b) of the Federal Financial Management Improvement Act of 1996."

SEC. 806. ((NOTE: 31 USC 3512 note.)) DEFINITIONS.
For purposes of this title:
(1) Agency.--The term "agency" means a department or agency of the United States Government as defined in section 901(b) of title 31, United States Code.
(2) Director.--The term "Director" means the Director of the Office of Management and Budget.
(3) Federal Accounting Standards.--The term "Federal accounting standards" means applicable accounting principles, standards, and requirements consistent with section 902(a)(3)(A) of title 31, United States Code.
(4) Financial management systems.--The term "financial management systems" includes the financial systems and the financial portions of mixed systems necessary to support financial management, including automated and manual processes, procedures, controls, data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions.
(5) Financial system.--The term "financial system" includes an information system, comprised of one or more applications, that is used for--
(A) collecting, processing, maintaining, transmitting, or reporting data about financial events;
(B) supporting financial planning or budgeting activities;
(C) accumulating and reporting costs information; or
(D) supporting the preparation of financial statements.
(6) Mixed system.--The term "mixed system" means an information system that supports both financial and nonfinancial functions of the Federal Government or components thereof.

SEC. 807. ((NOTE: 31 USC 3512 note.)) EFFECTIVE DATE.
This title shall take effect for the fiscal year ending September 30, 1997.

Appendix B Financial Management Systems Compliance Review Elements

A. Comparability and Consistency

Financial management data should be recorded and reported in the same manner throughout the Agency, using uniform definitions. Accounting should be synchronized with budgeting. Consistency over time should be maintained. New and revised systems should adopt common, existing definitions and classifications.

- If the system maintains and records activities such as funding (commitments, obligations, etc.), disbursement of funds, receipt of funds, budgeting, are the transactions consistent with the U.S. Government Standard General Ledger (SGL)?
- Are similar types of activities processed in a similar way throughout the Agency (e.g., are obligations processed consistently for all programs)?
- Are standard formats used for transaction processing?
- Is information available in a consistent format throughout the Agency for budget formulation, budget execution, programmatic and financial management, performance measurement, and financial statement preparation?

Compliance Indicators

Data are recorded and reported in a consistent manner throughout the Agency, using standard definitions and classifications.

The system permits the organization classification of data on at least the following levels of aggregation: agency, office, or division. Accounts are established and maintained at a level that enables data to be aggregated readily into appropriation or fund accounts.

The system permits the fund classification of data to support the distribution of funds at the following levels: allotment, suballotment or Agency limitation (allowance, target, operating budget, etc.).

Accounts may be summarized by responsibility center, object of expenditure and by program, and permit reclassification to reflect organizational and other changes.

B. Efficiency and Economy

Financial management systems should be designed and operated with reasonable total costs and transaction costs, in accordance with OMB guidelines. Financial systems which are excessively costly should be identified and phased out. This should be accomplished through installation of effective systems of planning and evaluation, sharing of data, elimination of overlap and duplication, and use of the best contemporary technology, including commercially available packages with proven success in other agencies or the private sector.

- Does the system use standard data classifications for recording financial events, consistent with Agency and Government-wide standards?
- Are common processes used for processing similar kinds of transactions?
- Are there adequate internal controls over data entry, transaction processing, and reporting? Are there reconciliations (either automated or manual) to verify the accuracy of transactions processing and reporting?
- Are data entered one time into the system and updates are passed to

Compliance Indicators

Systems components are designed in an integrated but modular and table-driven fashion so that if an extensive change is required, the pertinent tables can be localized, revised as needed, and installed.

A single datum entry automatically provides the updating of all accounts and records affected by the event for which the entry is made.

The data base is structured to reduce redundancy, is available to a variety of users for update and concurrent retrieval (consistent with proper internal controls) and permits a variety of application modules to run independently.

The data base is normalized or common data definitions are actively maintained in the system's data dictionaries.

The existing data base is responsive to user needs in terms of both efficiency and effectiveness, and provides timely change/corrective actions.

The system is periodically evaluated to see if the application of newer technology/software could improve its efficiency and/or effectiveness.

The system provides all data needed on a timely basis.

C. Application of the SGL at the transaction level

The general ledger function of a financial system must be in full compliance with the Standard General Ledger chart of accounts descriptions and posting rules: transactions from feeder systems are summarized and fed into the GL following SGL requirements; an audit trail supports tracing the interface transactions back to the source transactions; and feeder systems process transactions consistent with SGL account descriptions and posting rules.

- Is the core financial system in full compliance with the SGL chart of accounts and posting rules?
- Are transactions from feeder systems summarized and fed into the General Ledger following SGL requirements through an interface (automated or manual)?
- Can the details supporting the interface transactions be traced back to the source transactions in the feeder systems?
- Do the feeder systems follow business rules that are consistent with SGL account definitions and processing rules?

D. Financial Data

D1. Usefulness

Financial data should be gathered and processed only where necessary to meet specific internal management needs or external requirements. Reports should be tailored to specific user needs and if report usage does not justify cost, reports should be terminated. Usefulness should be determined in partnership with users.

Compliance Indicators

The system processes transactions, generates outputs, and produces final corrected data in time to meet reporting and user requirements.

The system timely records and processes financial data, and generates financial reports to meet both functional and statutory requirements.

D2. Full Financial Disclosure

Financial management data are to be recorded and reported as required by OMB or Treasury, to provide for full financial disclosure and accountability in accordance with appropriate budget and accounting principles and standards. Full disclosure is required to central management agencies, such as OMB and Treasury, and to Agency management officials.

- Is accounting data maintained that permits reporting in accordance with Federal Accounting Standards Advisory Board (FASAB) and reporting requirements issued by OMB and Treasury?
- Are the details that support the numbers maintained in the core financial system supported in the feeder systems?

Compliance Indicators

Sufficient data are maintained on each account to provide a history of all activity related to amounts due and/or paid.

Data outputs by this system are periodically evaluated to ensure that they are necessary, useful, and justified.

E. Financial Reporting

E1. Timeliness

Financial management data should be recorded as soon as practicable after the occurrence of the event, and relevant preliminary data should be made available to managers by the fifth working day following the end of the reporting period. Other standards of timeliness may be established where the Agency has inventoried reports and set specific standards, with user participation. Final, corrected data should be available in time to meet external reporting requirements.

Compliance Indicators

Standards of timeliness have been established and fully documented (e.g. user requirements).

Transactions are recorded at the time of the event or soon afterward and are properly classified.

The system publishes the information as close as possible to the report date, or the end of the reporting period, consistent with the need for reliability and economy.

E2. Support for Management

Financial management consists of protecting resources against loss, waste, and misuse; preparing and properly executing the budget; and managing resources. The latter in turn consists of managing not only the resource balances, but also the claims against those resources, the resource flows, measuring performance and reporting on the results of these efforts. Financial management systems should provide meaningful and relevant information to assist managers in the discharge of these responsibilities.

Compliance Indicators

The system generates reports which alert management when established controls have been violated or significant deviations from program have occurred.

Financial reports generated by the system for internal Agency management contain meaningful, coherent and reliable information responsive to the Agency's need.

E3. Reliability and Completeness

Financial management information should be reasonably complete and accurate, verifiable, drawn from the official records and systems, and no more detailed than necessary to meet the needs of management and external requirements. Financial data should be gathered and processed only where necessary to meet specific internal management needs or external requirements. Reports should be tailored to specific user needs and if report usage does not justify cost, reports should be terminated. Usefulness should be determined in partnership with users.

- Does the system provide information in a timely and useful manner that supports management's fiduciary role, supports budget formulation and execution functions, supports the fiscal management of program delivery and decision making, and complies with internal and external reporting requirements?
- Does the system capture and produce financial information necessary to measure program and financial management performance to support budgeting, program management and financial statement presentation?
Compliance Indicators

Adequate audit trails are in place to establish individual accountability for transactions.

If the system is a batch system, the process uses control totals for batches.

If the system is using electronic documents, document control numbers are assigned.

F. Support for Budgeting and Performance Reporting

An essential function of each financial management system is to record, control and report the Agency's collections, obligations and spending in a manner that supports execution of the budget, to include detailed support for reports required by OMB Circular A-34 and budget preparation as outlined in OMB Circular A-11.

- Does the system provide the information necessary to prepare, execute and report on the agency's budget in conformance with government-wide standards?
- Does the system address GPRA (Government Performance and Results Act) requirements as well as account for agency goals and performance measures?

Compliance Indicators

The system produces measurement data which permit comparisons with other units and other periods (such as ratios, comparative measures of activities in different locations or units, trends, etc.).

The system provides performance measures which permit tracking performance at the lowest level of the organization directly responsible for accomplishment.

The system provides measurement data on the system's performance (number of and type of transactions processed within identified time periods; cost per type of transaction; percentage of items processed within target timeframe; percentage of workload growth met through automation; etc.).

The system accurately forecasts and reports outlays (the measure of payments by [various] means) for each legal or Agency limitation.

G. Functional Requirements

- Does the system conform to the functional requirements issued by the Joint Financial Management Improvement Program (JFMIP), OMB, and the Treasury?
- Are systems updated in a timely manner to support new functional and legal requirements?

Compliance Indicators

Systems functional requirements comply with the latest JFMIP financial systems requirements as identified in Appendix C.

The systems functional requirements were determined by users and the technical staff before being approved by management.

Systems components are designed in an integrated but modular and table-driven fashion so that if an extensive change is required, the pertinent tables can be localized, revised as needed, and installed.

A change management process is in place to ensure proper change management including evaluation, implementation, monitoring and documentation.

Procedures are in place to document problems identified in operational systems, to monitor corrective actions and to report to management on resolution status.

H. Computer Security Act Requirements

- If the agency has conducted an A-130, Management of Federal Information Resources, review, what was the outcome?
- If the agency has not conducted an A-130 review, what actions have been taken to ensure compliance with the provisions of the Computer Security Act and A-130? Does the agency have a security plan in place?
Compliance Indicators

The system is included in the contingency plan or backup recovery plan. That plan has been documented, tested, and regularly updated to ensure both continuity of operations and availability in disaster situations.

The contingency plan complies with the governing directive guidance for automated information systems issued by the oversight agencies, e.g. OMB and the National Institute of Standards and Technology.

The system ensures continuing availability of information processing by providing backup, recovery, and retention procedures.

Systems managers routinely consider the degree of vulnerability of this system to destruction, modification, disclosure and delay of information availability when making safeguard and protection decisions.

Systems managers have certified that the security controls for the system operate.

An adequate security awareness program is in place to help personnel

I. Documentation

- Documentation may be maintained in hard copy or electronic format.
- Documentation includes software, system manuals, operations manuals, user manuals, operating procedures, etc.
- Is documentation kept current and readily available?
- Does user documentation provide enough detail to enable a person to obtain an understanding of the system?
- Does the technical documentation provide the technical personnel with the information necessary to operate the system in an effective and efficient manner?

Compliance Indicators

The system design was documented, reviewed and approved before development or major enhancement to assure that it satisfied both user and control requirements.

Documentation includes information which specifies who the authorized users of data/software resources are.

Documentation is maintained and updated appropriately to provide an audit trail of the system modifications which are required, being planned, implemented or recently completed.

The system documentation is complete, well organized, understandable, regularly updated, and readily accessible.

Documented procedures exist to ensure that systems managers consult with the users and reach a timely decision as to what, if any, corrective actions will be taken to resolve system errors.

J. Systems Integrity

The design, operation and evaluation of financial management systems should reflect the general and specific management control standards in OMB Circulars A-123 and A-130.

- Does the system have controls to adequately safeguard resources against waste, loss, and misuse?
- Are controls adequate to ensure that resource use is consistent with laws, regulations, and policies?
- Are controls applied to system inputs, processing and outputs?
- Are there any Material Weaknesses identified with this system? If so, has a remediation plan been formulated showing milestones and target dates?

Compliance Indicators

Management controls have been established and implemented to identify program errors, specification deficiencies or other systems problems in a timely manner.

Procedures to control access, such as passwords, are used, and software-generated transactions are displayed on appropriate media and made available for authorization and reconciliation with related data.

Access control procedures have been established and documented to limit access by authorized users based on the principles of "need to know" or "least privilege."

The system includes procedures and controls which protect hardware, software, data and documentation from physical damage, loss, modification and unauthorized access, whether inadvertent or deliberate.

The system includes management controls to prevent and/or detect the following situations:

- Failure to record or process a transaction;
- Incorrect or incomplete recording/processing of a transaction;
- Recording/processing duplicate transactions;
- Processing out-of-balance conditions;
- Loss of a transaction document in processing;
- Directly changing account/master file/data base records without an authorized transaction; and
- Use of erroneous files or records in processing.

Key duties such as authorizing, approving, performing, processing, recording and reviewing transactions are assigned to different individuals, or compensating controls exist.

Transactions are authorized and executed only by persons acting within the scope of their authority.

Controls and safeguards exist to ensure that outputs which contain sensitive data are adequately protected (i.e., safeguards are commensurate with the value of the data).

The ability to override or bypass edit and validation system features is restricted to authorized personnel.

K. Training and User Support

- Is there adequate training and support to enable users to understand, operate and maintain the system?
- Are new users trained prior to being given authority to access the system?
- Is periodic training available, such as computer-based training, on-going training programs, video training, etc.?

Compliance Indicators

The technical staff and management who are associated with this system have received or are scheduled to receive the required training on security and management controls.

A helpdesk and problem resolution process is in place to respond to users.

L. Maintenance

- Is on-going maintenance performed to keep the system current and operating in an effective and efficient manner?
- When was the system last updated?

Compliance Indicators

Major modifications to this system are developed, released, and documented according to agency system design.
Agency system design guidelines define configuration management procedures and standards for the review, approval, and oversight of the agency's evolving software.

Control mechanisms are in place to ensure timely, concurrent handling of changes to system software and all affected documentation.

Sufficient resources for operations and/or maintenance are in place to prevent significant downtime.

The system was designed and developed to be easily modified to accommodate changing needs and new requirements in a timely manner.

Maintenance actions are routinely quantified and analyzed to help evaluate

Appendix C. Core Financial Systems Functional Requirements (Based on JFMIP FFMSR-1)

The governmentwide functional requirements for a core financial system support the fundamental financial functions of a Federal agency. The major functions supported by a core financial system are:

- Core Financial System Management
- General Ledger Management
- Funds Management
- Payment Management
- Receipt Management
- Cost Management
- Reporting

These functions together provide the basic information and control needed to carry out financial management functions, manage the financial operations of an agency, and report on the agency's financial status to central agencies, Congress, and the public, including data needed to prepare the principal financial statements for federal agencies as defined by OMB.

I. Core Financial System Management Function

The Core Financial System Management function consists of the processes necessary to maintain system processing rules consistent with established accounting policy. It consists of the following processes:

- Accounting Classification Structure Management
- Standard General Ledger
- Transaction Control
- Archiving and Purging

[Comments: Within each department or agency, the accounting classification structure, standard general ledger and subsidiary account structure, and definitions must be standardized to ensure consistency, uniformity, and efficiency in accounting treatment, classification, and reporting. Furthermore, the procedures for capturing, classifying, communicating, processing, and storing data and transactions must be uniform (or translatable among the various subsystems or system components as necessary).]

Compliance Implications (Yes/No)

I (a) Accounting Classification Structure Management Process

- Does the system support an Accounting Classification Structure Management process that provides a consistent basis for:
  - Consolidating governmentwide financial information.
  - Integrating planning, budgeting and accounting.
  - Capturing data at the lowest level of detail -- at the point of data entry -- throughout the agency in a manner that ensures that when the data is rolled up to the level that is standardized, it is consistent at the standardized level.
  - Comparing and combining similar programs across agencies and calculating overall program results.

[Comments: OMB Circular A-127 requires financial management systems to reflect an agency-wide financial information classification structure that is consistent with the U.S. Government Standard General Ledger (SGL), provides for tracking of specific program expenditures, and covers financial and financially related information.
Financial management system designs shall support agency budget, accounting, and financial management reporting processes by providing consistent financial information for budget formulation, budget execution, programmatic and financial management, performance measurement, and financial statement preparation.]

I (b) Standard General Ledger Process

- Does the system support a general ledger account structure for the agency in accordance with the U.S. Government Standard General Ledger (SGL) and the transaction edit and posting rules to record financial events?

[Comments: The Standard General Ledger process consists of two activities: Account Definition and Transaction Definition.

Account Definition. OMB Circular A-127 requires implementation of the SGL at the transaction level. The SGL is described in a supplement to the Treasury Financial Manual, which includes the chart of accounts, account descriptions and postings, accounting transactions, suggested data elements/subaccounts, and crosswalks to standard external reports. Each agency must implement a chart of accounts that is consistent with the SGL and meets the agency's information needs.

Transaction Definition. The Transaction Definition activity defines the editing and posting rules for transactions in the Core financial system. OMB Circular A-127 requires common processes to be used for processing similar kinds of transactions throughout an integrated financial management system to enable transactions to be reported in a consistent manner. It also requires financial events to be recorded applying the requirements of the SGL at the transaction level. Many of the SGL accounting transaction descriptions require a single accounting event to update multiple budgetary and proprietary accounts.]

I (c) Transaction Control Process

- Is the Core financial system able to process transactions originally entered into the Core financial system as well as transactions originating in other systems, recording and keeping track of such transactions and related information, in order to provide the basis for central financial control?

[The Transaction Control process requirements are grouped under two activities: Audit Trails and Transaction Processing.]

- Does the system have adequate audit trails, which are critical to providing support for transactions and balances maintained by the Core financial system? [Audit Trails]
- Does the Transaction Processing activity ensure that all transactions are handled consistently, regardless of their point of origin? Are transactions controlled properly to provide reasonable assurance that the recording, processing, and reporting of financial data are properly performed and that the completeness and accuracy of authorized transactions are ensured? [Transaction Processing]

I (d) Archiving and Purging Process

- Does the Archiving and Purging process support data management for the Core financial system?

[Comments: Archiving removes data which is no longer needed for immediate access from the system data stores used for inquiry and reporting on current information. Archiving moves data to a storage medium that has a longer access time, for example, from disk to tape. Purging deletes data altogether. Archiving and purging criteria should be jointly agreed to by the system administrator and users to balance user needs with resource limitations.]

II. General Ledger Management Function

General Ledger Management is the central function of the Core financial system.
The general ledger is the highest level of summarization and must maintain account balances by the fund structure and individual general ledger accounts established in the Core Financial System Management function. Depending on the agency's reporting requirements, some or all general ledger accounts may have balances broken out by additional elements of the accounting classification structure. The General Ledger Management function consists of the following processes:

- General Ledger Posting
- Accruals, Closing, and Consolidation
- General Ledger Analysis and Reconciliation

[Comments: The general ledger is supported by subsidiary ledgers at various levels of detail. These subsidiary ledgers may be maintained within the Core financial system or in other systems. For example, detailed property records supporting the equipment account in the general ledger might be maintained in a system devoted to controlling and maintaining equipment. The payroll system might contain detailed employee pay records which support records of expenditure by object class and organization in the Core financial system, which in turn provide partial support for expenditure and expense accounts in the general ledger. All transactions to record financial events must post, either individually or in summary, to the general ledger, regardless of the origin of the transaction. Posting of transactions whose initial point of entry is the Core financial system would normally be expected to occur for each transaction individually. Posting of transactions originated in other systems may occur either for individual transactions or for summarized transactions as long as an adequate audit trail is maintained. The Core financial system is not expected to maintain duplicates of every transaction occurring in other systems. For example, rather than posting every payroll transaction for every employee, summary transactions by organization could be passed to the Core financial system for posting.]

Compliance Implications (Yes/No)

II (a) General Ledger Posting Process

- Does the general ledger posting process use double-entry accounting?

[Comment: The posting rules that specify which accounts to debit and credit for each transaction are defined in the Standard General Ledger process of the Core Financial System Management function.]

II (b) Accruals, Closing and Consolidation Process

- Does the system support creating accrual transactions and closing entries needed at the end of a period (month or year) for reporting purposes?
- Does the system control and execute the period-end system processes needed to open a new reporting period, such as rolling forward account balances? Does it support the preparation of consolidated financial statements by identifying the information needed in that process?

II (c) General Ledger Analysis and Reconciliation Process

- Does the system support the control functions of the General Ledger?

[Comments: The Core financial system provides information for accountants to use in determining that amounts posted to general ledger control accounts agree with more detailed subsidiary accounts and in reconciling system balances with reports from Treasury and other agencies. As internal controls improve and system integration increases, the likelihood of out-of-balance conditions decreases; however, the possibility will always exist as a result of system failures, incorrect transaction definitions, etc.]
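Several of the controls in this guide can be seen working together in a small program: the batch control totals and document control numbers from the earlier compliance indicators, the Systems Integrity list under J (duplicate transactions, out-of-balance conditions, direct changes to master-file records without an authorized transaction, separation of duties), and the debit/credit posting rules that the General Ledger Posting process above relies on. The following is an added example written for this page; it is not code from the JFMIP guide, from the SGL supplement, or from any agency system. The account numbers, posting rules, user names, document numbers and amounts are assumed for illustration only.

```python
"""Toy core ledger (added example, not from the JFMIP guide or any agency system).
Shows posting-rule driven double-entry posting, document control numbers that
reject duplicates, separation of duties between preparer and approver, batch
control totals, an audit trail fixing individual accountability, and a detective
check for master-file balances changed without an authorized transaction.
Account numbers and posting rules are assumed; they are not the real SGL chart."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal

# Assumed posting rules: transaction type -> (account to debit, account to credit).
POSTING_RULES = {
    "DISBURSE": ("6100", "1010"),  # expense recognized, fund balance with Treasury reduced
    "COLLECT": ("1010", "5200"),   # fund balance increased, revenue recognized
}


class ControlViolation(Exception):
    """A preventive control rejected the transaction (or the whole batch)."""


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)     # master file: account -> balance
    posted_docs: set = field(default_factory=set)    # document control numbers already posted
    audit_trail: list = field(default_factory=list)  # one record per posted transaction

    def _validate(self, doc_no, tx_type, amount, prepared_by, approved_by):
        """Edit checks that run before anything touches the master file."""
        if doc_no in self.posted_docs:
            raise ControlViolation(f"duplicate document control number {doc_no}")
        if tx_type not in POSTING_RULES:
            raise ControlViolation(f"no posting rule defined for {tx_type}")
        if Decimal(amount) <= 0:
            raise ControlViolation("amount must be positive")
        if prepared_by == approved_by:
            raise ControlViolation("separation of duties: preparer cannot approve own transaction")

    def post(self, doc_no, tx_type, amount, prepared_by, approved_by):
        """Post one transaction as a balanced debit/credit pair and record who did it."""
        self._validate(doc_no, tx_type, amount, prepared_by, approved_by)
        amount = Decimal(amount)
        debit, credit = POSTING_RULES[tx_type]
        # Debits add, credits subtract, so a balanced ledger always sums to zero.
        self.balances[debit] = self.balances.get(debit, Decimal(0)) + amount
        self.balances[credit] = self.balances.get(credit, Decimal(0)) - amount
        self.posted_docs.add(doc_no)
        self.audit_trail.append({
            "doc_no": doc_no, "type": tx_type, "amount": amount,
            "debit": debit, "credit": credit,
            "prepared_by": prepared_by, "approved_by": approved_by,
            "posted_at": datetime.now(timezone.utc).isoformat(),
        })
        return len(self.audit_trail)

    def post_batch(self, entries, control_count, control_total):
        """Batch input control: the submitter's independently computed record count
        and amount total must match what arrived, or nothing in the batch is posted."""
        total = sum(Decimal(e["amount"]) for e in entries)
        if len(entries) != control_count or total != Decimal(control_total):
            raise ControlViolation(f"batch control mismatch: {len(entries)} records / {total} "
                                   f"received, {control_count} / {control_total} expected")
        seen = set()
        for e in entries:  # validate every item first so a bad item cannot half-post a batch
            if e["doc_no"] in seen:
                raise ControlViolation(f"duplicate document {e['doc_no']} within batch")
            seen.add(e["doc_no"])
            self._validate(**e)
        for e in entries:
            self.post(**e)
        return len(entries)

    def in_balance(self):
        """Trial-balance check: total debits equal total credits."""
        return sum(self.balances.values(), Decimal(0)) == 0

    def master_file_matches_audit_trail(self):
        """Detective control: rebuild balances from the audit trail and compare.
        A balance edited directly, with no authorized transaction, shows up here."""
        rebuilt = {}
        for rec in self.audit_trail:
            rebuilt[rec["debit"]] = rebuilt.get(rec["debit"], Decimal(0)) + rec["amount"]
            rebuilt[rec["credit"]] = rebuilt.get(rec["credit"], Decimal(0)) - rec["amount"]
        return rebuilt == self.balances


def attempt(action, *args, **kwargs):
    """Run a ledger operation; return None on success or the control's rejection reason."""
    try:
        action(*args, **kwargs)
        return None
    except ControlViolation as exc:
        return str(exc)
```

Two design points are worth noting. First, the trial-balance check alone does not catch a direct master-file edit that moves the same amount between two accounts, because debits and credits still cancel; rebuilding balances from the audit trail does, which is why the guide asks for both audit trails and controls against direct record changes. Second, the batch routine validates every item before posting any, so a rejected batch leaves the audit trail and balances exactly as they were, and amounts are handled as Decimal rather than float so that control totals compare exactly.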
Financial Management Systems Compliance Review Guide
Published by the Government Accountability Office on 1999-10-21.