Performance and Accountability Report
Fiscal Year 2002
Appendix D - HHS FY 2002
Federal Financial Management Improvement Act (FFMIA) Report on Compliance
Auditors of Executive Agencies' financial statements are required to report if the agencies' financial management systems are in substantial compliance with the requirements of the Federal Financial Management Improvement Act (FFMIA) of 1996. Such audits are to be conducted in accordance with OMB's revised FFMIA Implementation Guidance, dated January 4, 2001.
Under FFMIA, agencies also are required to report whether their financial management systems substantially comply with the federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level.
The Department's FY 2002 financial statement audit revealed two instances (discussed below) in which HHS financial management systems did not substantially comply with federal financial management systems requirements. HHS concurs with the auditors' findings.
Instances of Non-Compliance
Non-Compliance Number 1: Financial Management Systems and Processes
- The financial management systems and processes used by HHS and the operating divisions made it difficult to prepare reliable, timely financial statements. The processes required extensive, time-consuming manual spreadsheets and adjustments in order to report accurate financial information;
- At most operating divisions, suitable systems were not in place to adequately support sufficient reconciliation and analyses of significant fluctuations in account balances; and
- The CMS did not have an integrated accounting system to capture expenditures at the Medicare contractor level, and certain aspects of the financial reporting system did not conform to the requirements specified by the Joint Financial Management Improvement Program. The CMS needed extensive consultant support to establish reliable accounts receivable balances.
Non-Compliance Number 2: Medicare Information Systems Controls
- Access and application controls over the Medicare contractors' financial management systems were significant departures from requirements specified in OMB Circular A-127, "Financial Management Systems," and OMB A-130, "Management of Federal Information Resources."
The FY 2002 audit recognized the significant steps taken by the Department to resolve material weaknesses found in previous years. Following is a summary of some of the corrective actions taken and the current status for each of the areas of non-compliance.
Financial Management Systems and Processes
The Department's long-term strategic plan to resolve this material weakness is to replace the existing accounting systems and certain other financial systems within the Department. The short-term focus has been on improving the quality of the data in the accounting systems by increasing periodic reconciliations and analyses, and implementing a web-based Automated Financial System (AFS) for collecting and consolidating financial statements department-wide. Over the last several years HHS has continued to make progress in strengthening its financial management and has a plan to bring its financial management systems into compliance with the FFMIA by replacing antiquated financial systems with the Unified Financial Management System (UFMS). A major sub-component of the unified system is the Healthcare Integrated General Ledger Accounting System (HIGLAS), which will replace the 53 different systems currently used by Medicare contractors. HIGLAS will integrate with Medicare's three existing standard claims processing systems. In addition, the current mainframe-based financial system will be replaced by this web-based system. With national implementation of HIGLAS, the financial material weakness under FFMIA will be eliminated. Following are examples of the Department's FY 2002 achievements:
- At the CMS central office (CO), procedures were implemented that resulted in adjustments to accounts receivable balances reported by the contractors. However, these procedures did not ensure that accounts receivable activity included on the contractor financial reports was properly supported by detailed transactions. CMS uses formal procedures for financial reporting analysis; and
- CMS continues to provide instructions and guidance to the Medicare contractors and our CO and regional offices (RO). We continue to contract with Independent Public Accountants (IPA) to test financial management internal controls and to analyze accounts receivable at Medicare contractors. CMS created workgroups comprised of CO and RO consortia staff to serve as subject matter experts responsible for addressing four key areas: follow up on the Corrective Action Plans; reconciliations of funds expended to paid claims; trend analysis; and internal controls. As CMS progresses toward its long-term goal of developing an integrated general ledger system, we continue to provide training to the contractors to promote a uniform method of reporting and accounting for accounts receivable and related financial data. CMS also completed automated applications for preparing all five required principal financial statements.
Unified Financial Management System (UFMS)
- Established the UFMS PMO, including hiring the UFMS Program Director, to lead the effort.
- Hired a nationally recognized company to serve as the program's systems integrator.
- Established the UFMS governance structure in which top departmental executives, including the operating components' Chief Financial Officers and Chief Information Officers, actively participate.
- Selected the commercial off-the-shelf software to serve as the core system application/infrastructure.
- Developed a departmentwide budget and accounting classification structure (BACS).
- Compiled departmentwide financial requirements applicable to UFMS.
- Developed key planning documents, including Risk Assessment and Mitigation Plan, Change Management (Business Transformation) Plan, Performance Management Plan, and Core Target Business Model.
- Developed the UFMS business case (which was finalized by the UFMS PMO and approved by the HHS Information Technology Internal Review Board on November 5, 2002).
- NIH commenced implementation of the general ledger component of the NIH New Business System in October 2002.
- NIH is participating in the UFMS planning and global activities. NIH will assess the impact of changes to its core financial management implementation and will work with the UFMS program team to incorporate the changes as global elements are determined. NIH will participate in and follow the direction of the UFMS Change Control Board.
Healthcare Integrated General Ledger Accounting System (HIGLAS)
- Established CMS HIGLAS Program Office; staffed 20 FTEs
- Initiated implementation of an approved CMS Joint Financial Management Improvement Program (JFMIP) Commercial Off-the-shelf (COTS) product at the two pilot Medicare contractors.
- Established the HIGLAS project baseline and began the design and build of HIGLAS functional solution for two Medicare contractor pilots.
- Finalized the following project management plans:
  - Business Solution Test Plan
  - Communications Plan
  - Configuration Management Plan
  - Detailed Pilot Implementation Plans
  - Master Project Plan
  - Project Management Plan
  - Project Work Plan
  - Quality Assurance Plan
  - Requirements Management Plan
  - Risk Management Plan
  - Stress Test Plan
  - Systems Software Process Improvement Plan
- First of multiple iterations of the Architectural View
- Conducted four Conference Room Pilots to refine business requirements and solutions.
- Established the Application Service Provider and technical infrastructure, and are running 11 non-production instances of the Oracle software in a test environment.
- Established the HIGLAS Change Control Board with support from the Technical Configuration Committee, Requirements Management Committee, and the Performance Work Group to assure decisions are made accurately and timely.
- Established an Earned Value Management System that produces reports to assist project monitoring and control.
- Established HIGLAS Systems Engineering Portal for project communication.
- Created a HIGLAS Web site at www.cms.hhs.gov/ to provide program status for project stakeholders.
Medicare Information Systems Controls
The OIG acknowledged in its findings that during FY 2002 the Department made considerable progress in identifying weaknesses in its automated processing systems. Specifically, CMS identified several weaknesses in the performance of vulnerability assessments, SAS 70 internal control reviews, the compilation of Medicare contractor controls self-assessments, OIG assessment and related procedures. This effort provides a base line for further improvements. CMS embraces the need to assess the risks inherent in its operations and programs, assess financial and operational priorities, and seek additional resources as necessary to correct known deficiencies.
CMS relies extensively on EDP operations at CO and the Medicare contractors to administer the Medicare program and to process and account for Medicare expenditures. Internal controls over these operations are essential to ensure the integrity, confidentiality, and reliability of critical data while reducing the risk of errors, fraud, and other illegal acts. In FY 2001, weaknesses at the Medicare contractors, as well as certain application control weaknesses at the contractors' shared systems, continued. Such weaknesses do not effectively prevent: 1) unauthorized access to and disclosure of sensitive information; 2) malicious changes that could interrupt data processing or destroy files; 3) improper Medicare payments; or 4) disruption of critical operations. The OIG aggregated the findings at the Medicare contractors and CMS CO into one material weakness. No findings at a single location were considered material.
CMS continues to make progress toward resolving this issue by revising our information systems security requirements for Medicare contractors. The CMS Core Information Security Requirements adhere to guidelines in the Office of Management and Budget (OMB) Circular A-130 and implement effective control procedures. In FY 2002, CMS completed a prototype of a system security plan methodology for Medicare contractors and developed and implemented new background investigation procedures. We also developed policy and procedures for software quality assurance, as well as developed, tested, and implemented a systems software change audit review process.
In the long term, HHS will continue to improve data integrity and reliability of its financial statements and financial reporting processes. Performing routine periodic reconciliations and financial analysis will help do this. Past performance on the part of HHS resulted in improved financial discipline and the achievement of an unqualified audit opinion on HHS financial statements for FYs 1999, 2000, 2001, and 2002. In addition, HHS will continue to strengthen Medicare EDP controls and improve systems security.
The corrective actions to remedy these issues will be developed by HHS components and included in the HHS CFO Five-Year Plan.