Analysis of Systems, Controls and Legal Compliance (2024)

Analysis of Systems, Controls and Legal Compliance (1)

An effective internal control program helps the U.S. General Services Administration (GSA) safeguard Government resources and ensures that the agency efficiently and effectively fulfills its core mission and achieves its strategic goals.

The agency's senior assessment team, the Management Control Oversight Council (MCOC), chaired by the Deputy Administrator, reviews and approves the enterprise internal control program and provides the leadership and oversight necessary for effective implementation of the agency's program.

GSA evaluates internal controls across the agency at various levels of the organization. GSA management is responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unanticipated events. Employees across the organization are responsible for understanding the controls applicable to their workflows and applying them in accordance with internal control guidance.

In fiscal year (FY) 2021, GSA took a significant step to increase and reinforce internal control compliance. The agency requires mandatory internal control training for all GSA employees, outlining relevant and applicable Office of Management and Budget (OMB) Circular A-123 standards and best practices. Additionally, during this fiscal year, GSA worked to address the Office of Inspector General's (OIG) management challenge related to internal controls. GSA focused on increasing accountability, resolving audit recommendations in a more timely manner, and implementing a more effective system of internal control agency-wide. Specifically, in response to the management challenge, program audit resolution is closely monitored by senior executives, program managers, and staff through performance dashboards. GSA spent considerable time this fiscal year closing out audit recommendations.

Management's Responsibility for Enterprise Risk Management and Internal Controls

Integration with Enterprise Risk

To better understand and anticipate enterprise risk, GSA identifies and prioritizes prospective threats to the organization annually. This includes an effort to integrate and effectively use information developed as part of OMB Circular A-123 internal controls assessments.

During FY 2021, GSA issued an enterprise risk management policy statement that highlights the importance of effective risk management in meeting its mission. In an effort to improve the governance of risk at GSA, an Enterprise Risk and Strategic Initiatives (ERSI) Board was chartered, which is co-chaired by the Deputy Performance Improvement Officer and the Chief Information Security Officer. The ERSI Board is charged with implementing sound risk management across GSA and translating enterprise-level strategies into actionable initiatives. Risks are managed throughout the year at the appropriate program level, with certain cross-cutting or emerging risks monitored and discussed at the enterprise level through existing governance mechanisms and decision bodies.

Procurement Management Review Function

As part of GSA's internal controls, the Office of Government-wide Policy conducts procurement management reviews (PMRs). These PMRs serve as an early warning indicator, identifying best practices and challenges in the acquisition function. In FY 2019, the agency incorporated contract administration into the procurement management review process. As a result of agency-wide findings, GSA issued a memorandum dated February 12, 2020, that directed GSA's Heads of Services and Staff Offices to partner with OGP in identifying corrective actions, addressing PMR recommendations, and mitigating agency-wide challenges. This memorandum resulted in the establishment of two national corrective action plans for FY 2020, with a strategic and balanced approach to improving GSA's internal controls environment.

In FY 2020 and 2021, the agency focused on strengthening management and internal controls in the area of contract administration. First, the PMR Division monitored agency-wide progress towards meeting standards laid out in two contract administration-based national corrective action plans. Next, PMR entity and transactional checklists were updated to strengthen the assessment of GSA's contract administration controls environment. These initiatives resulted in agency-wide attention to post-contract award support needed to drive successful post-award administration.

Findings from internal reviews are issued in a PMR report documenting the observations and key takeaways for entity and transactional reviews. The report allows users to pinpoint key areas of opportunity and other transactional data that directly correlate to management and internal controls within the specific stages of the acquisition or lease acquisition life cycle. The data available strengthens the acquisition workforce's abilities to analyze performance, informs planning and training, and identifies opportunities for efficiency.

In FY 2022, PMRs will continue to assess the basic foundational components of the acquisition function. This includes contract administration, performance-based contracting, acquisition planning, and effective contract pricing and negotiations.

Federal Managers' Financial Integrity Act of 1982

The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal controls and financial systems to provide reasonable assurance that the integrity of Federal programs and operations is protected. It also requires the head of the agency to provide an annual assurance statement on whether the agency has met this requirement and whether any material weaknesses exist.

In response to FMFIA, GSA implemented processes to hold senior managers accountable for the performance, productivity, operations, and integrity of their programs. GSA assesses compliance with the Government Accountability Office's (GAO) 5 components and 17 principles of internal control. The results are analyzed to identify internal control issues or concerns. In FY 2020 and FY 2021, the assessments were expanded to include an evaluation of activities to resolve audit findings, providing senior managers with a repository to track progress towards timely resolution.

The evaluation results and other information were provided to the MCOC to determine and advise whether there were any material weaknesses in internal control requiring disclosure in the Administrator's Statement of Assurance. For FY 2021, GSA did not identify any material weaknesses or significant deficiencies.

OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, Appendix A and D

OMB Circular A-123, Appendices A and D, require agencies to conduct an annual management assessment of internal control over reporting and financial systems. In FY 2021, the Office of the Chief Financial Officer continued to deploy an extensive annual assessment methodology that assesses risk across key business processes and identifies the related key internal controls over reporting and financial systems.

The Appendix A risk assessment evaluated the results of the FY 2020 financial audit, the FY 2020 evaluation of GAO's 5 components and 17 principles of internal control, recent GAO and Office of Inspector General audits, and management-identified priorities. The assessment identified the Federal Acquisition Service and the Public Buildings Service (PBS)-managed assets and liabilities, financial close and reporting, year-end budget reconciliation, PBS-regulated and deregulated utilities payments, and Coronavirus Aid, Relief, and Economic Security Act (CARES Act) funding as within scope for the FY 2021 assessment.

For Appendix D, the financial system evaluation was based on initial materiality assessments. The systems in scope for this year's assessments included Pegasys (the GSA core financial system of record), the Fleet Management System, the Inventory Reporting Information System, and the Federal Supply Service Payment System.Key controls were evaluated for the appropriate design, operational effectiveness, and identified potential risk areas.

Key controls were evaluated for the appropriate design, operational effectiveness, and identified potential risk areas.

GSA's evaluation of Appendices A and D did not identify any material weaknesses in controls or material system non-conformances as of September 30, 2021.

GAO Standards for Internal Control in the Federal Government

The GAO requires entities to assess whether their agency's internal controls support 5 components and 17 principles of internal control. GSA understands the 5 components of internal control must be effectively implemented and operating in an integrated manner for an internal control system to be effective.

To ensure cohesion, in FY 2021, GSA continued to update an inventory of policies and procedures designed to support internal controls. These policies and procedures were mapped to the component and principle they support. Each year, GSA reviews new and existing policies and procedures in the inventory and updates the related mapping documentation as necessary. Annual testing is conducted to ensure GSA meets the 5 components and 17 principles of internal control.

Federal Financial Management Improvement Act of 1996

The Federal Financial Management Improvement Act of 1996 was designed to improve Federal financial management and reporting by requiring that financial management systems comply substantially with three requirements:

  • Federal financial management system requirements;
  • Applicable Federal accounting standards; and
  • The U. S. Standard General Ledger (USSGL) at the transaction level.

The act also requires independent auditors to report on agency compliance with the three stated requirements as part of financial statement audit reports. The agency evaluated its financial management systems and has determined they substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the USSGL at the transaction level as of September 30, 2021.

Information and Financial Management Systems Framework

The Chief Financial Officers Act assigns responsibilities for planning, developing, maintaining, and integrating financial management systems to Federal agencies. GSA currently maintains e-Payroll applications, portions of its legacy core accounting system, and general support systems, which operate on a variety of hosting platforms to support various feeder applications.

In FY 2020, GSA took steps to transition remaining ancillary financial applications to open source technology. GSA also successfully migrated the Collection Information Repository application to open source technology, and completed two additional applications, Recurring Services Notification Approval Process and Pegasys Vendor Request Management in FY 2020. In FY 2021, GSA continued this effort and completed the development work to migrate two more financial management applications, WebVendor and Pegasys Payment Search, off of proprietary database technology, and took additional steps to enhance the security posture overall of the agency's ancillary financial management application portfolio. GSA successfully completed database encryption for multiple financial management applications, as well as deployed multi-factor authentication for WebVendor and Pegasys Payment Search.

GSA has undertaken other activities that improve processes, increase automation, and further consolidate applications in its system architecture. To better secure GSA's data assets, the agency continues to move more applications to the SecureAuth single sign-on solution and integrate two- factor authentication for identity and access management services. In the area of software asset management, GSA continues to mature new tool sets and additional capabilities introduced to help combat fraud and ensure proof of purchase, license, and user agreements.

To protect and secure sensitive building information (e.g., Federal occupant agency data, floor plans, leasing data, and market surveys with competitive rental rates), PBS and the Office of GSA IT included additional security rigor into contractor requirements in the National Broker Contract. The new contract requires GSA Leasing Support Services brokers to use Government-provided systems and email to store or process all information pertaining to leases. Contractors must also use GSA-provided IT systems and email (currently virtual desktops and GSA-provided Google Accounts) to store, process, or transmit GSA information for all work performed under this contract or have been granted authority to operate non-GSA systems by GSA IT.

GSA has implemented application programming interface (API) standards to improve the consistency and documentation of public APIs.

The Office of Leasing has ensured that all brokers use Citrix-VDI and email to receive and access sensitive information.

In May 2021, GSA's Office of the Chief Financial Officer worked with the USDA Pegasys Financial Services team to upgrade the agency's core financial system to Momentum 7.8. This upgrade includes capabilities needed to support current G-Invoicing functionality for the U.S. Department of Treasury's initiative to have a standard database for Intragovernmental Transactions. It includes the conversion of System for Award Management Unique Entity Identifier (UEI) from DUNS, as well as incorporating new features and enhancements designed to meet current legislative and Government-mandated Federal financial management requirements and recommendations. GSA has successfully consolidated two SAP business intelligence platforms and licenses and is able to save maintenance costs and provide more seamless support to the GSA financial community.

Federal Information Security Modernization Act

The Federal Information Security Modernization Act (FISMA) requires Federal agencies to implement a set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The controls in each Federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology (NIST) standards, and other legislative requirements pertaining to Federal information systems, such as the Privacy Act of 1974.

To facilitate FISMA compliance, GSA maintains a formal program for information security management that focuses on FISMA requirements and protecting GSA IT resources. This program determines the processes necessary to mitigate new threats and anticipate risks posed by new technologies. The program also follows NIST's cybersecurity framework for making risk-based determinations. The integration of cybersecurity with enterprise risk management has been improved and prioritizes investment decisions that mitigate those risks. In the past year, GSA closed all prior-year OIG FISMA audit findings, improved in 10 FISMA metrics, and continued to improve the cybersecurity and the information continuous monitoring security domains. To address the challenge of removing network users on a timely basis, GSA is planning to partially or fully automate this process of termination with the identity, credential, and access management and Continuous Diagnostics and Mitigation solution of Sailpoint by FY 2022.

Digital Accountability and Transparency Act (DATA Act)

The DATA Act was enacted in 2014, amending the Federal Financial Accountability and Transparency Act of 2006 (FFATA). FFATA requires reporting of obligations and award-related information for all Federal financial assistance and procurement awards. The DATA Act expands upon FFATA by adding U.S. Department of the Treasury account-level reporting; this includes reporting all Treasury Account Symbols that fund each award and contract transaction, budget authority, program activity, outlays, and budget object classes, among other data elements. The DATA Act also requires the Federal Government to collectively standardize the financial data elements reportable under the act. GSA provided monthly DATA Act submissions and certified those submissions quarterly, as required. This information is publicly accessible and searchable, and allows users to view how tax dollars are spent.

Antideficiency Act

The Antideficiency Act (ADA), Public Law 97-258, 96 Stat. 923, prohibits Federal agencies from incurring obligations or expending funds in advance or in excess of an appropriation. The law was initially enacted in 1884, with major amendments occurring in 1950 and 1982. It is now codified at 31 U.S.C. § 1341.

In FY 2021, OMB confirmed that the Federal Citizen Services Fund violated the Antideficiency Act in fiscal years 2016 and 2017 by providing DigitalSearch functionality to State and local government websites in contravention of the fund's appropriations and authorizing statutes. GSA discontinued these support services in February 2017. OMB is reviewing the ADA notification letter for transmission to the President, Congress, and GAO.

FY 2021 Statement of Assurance

The U.S. General Services Administration management is responsible for managing risks and maintaining effective internal controls to meet the objectives of Sections 2 and 4 of the Federal Managers' Financial Integrity Act. GSA conducted its assessment of risk and internal controls in accordance with the OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control. The assessment did not identify any material weaknesses. GSA management can provide reasonable assurance that internal controls over operations, reporting, and compliance were operating effectively as of September 30, 2021.

In FY 2021, OMB confirmed an FY 2017 ADA violation related to utilizing the Federal Citizens Services Fund to support search capability for State and local government websites. GSA corrected this by ending these services in February 2017.

GSA has assessed that it is in compliance with Federal financial management system standards, as required by the Federal Financial Management Improvement Act of 1996 and OMB Circular A-123 Appendix D. GSA is confident that all systems substantially comply with the Federal financial management system requirements, Federal accounting standards promulgated by the Federal Accounting Standards Advisory Board, and with the U.S. Standard General Ledger at the transaction level as of September 30, 2021.

Analysis of Systems, Controls and Legal Compliance (2)

Robin Carnahan
Administrator of General Services
November 12, 2021

Analysis of Systems, Controls and Legal Compliance (2024)


What is a control system in compliance? ›

Compliance and control are often used synonymously, but in an audit context, compliance and control represent two parts of a successful process. Control is the part of the process designed to accomplish a goal. Compliance is the execution of the process that was designed.

What are the requirements for FFMIA compliance? ›

FFMIA requires all Chief Financial Officer (CFO) Act agencies to implement financial management systems that comply with three essential requirements: Federal financial management systems requirements, Federal accounting standards, and U.S. Standard General Ledger at the transaction level.

Why is control and compliance important? ›

It ensures that a company complies with state and federal laws and regulations in managing the financial data of the organization. Having strong internal controls can improve efficiency and ensure accuracy in financial reporting during external and internal audits.

What are the 5 internal controls? ›

Five Interrelated Components
  • Control Environment. The control environment sets the tone of an organization, influencing the control consciousness of its people. ...
  • Risk Assessment. ...
  • Control Activities. ...
  • Information and Communication. ...
  • Monitoring.

What makes an effective compliance system? ›

An effective compliance program should have clear policies, a healthy path of communication between employees and those who oversee the program, and not shy away from taking corrective action when the compliance program is breached.

What are 4 examples of control systems? ›

Examples of control systems in your day-to-day life include an air conditioner, a refrigerator, an air conditioner, a bathroom toilet tank, an automatic iron, and many processes within a car – such as cruise control.

What are the four 4 steps in control system? ›

Establishing Performance Standards. Measuring the Actual Performance. Comparing Actual Performance to the Standards. Taking Corrective Action.

What are three 3 types of controls used in the control processes? ›

Output controls involve measurable results. Behavioral controls involve regulating activities rather than outcomes. Clan control relies on a set of shared values, expectations, traditions, and norms. Over time, a series of fads intended to improve organizational control processes have emerged.

What are the 12 types of compliance requirements? ›

The 12 types of compliance requirements and potential applicability to the SVOG program:
  • Activities Allowed or Unallowed. ...
  • Allowable Costs/Cost Principles. ...
  • Cash Management. ...
  • (Reserved)
  • Eligibility. ...
  • Equipment and Real Property Management. ...
  • Matching, Level of Effort, Earmarking. ...
  • Period of Performance.
Mar 3, 2022

What is SOX compliance requirements? ›

SOX compliance is an annual obligation derived from the Sarbanes-Oxley Act (SOX) that requires publicly traded companies doing business in the U.S. to establish financial reporting standards, including safeguarding data, tracking attempted breaches, logging electronic records for auditing, and proving compliance.

What are the requirements for C SOX compliance? ›

C-SOX compliance refers to the annual audit in which a public company is obligated to provide proof of accurate, data-secured financial reporting. To comply, with C-SOX, Canadian companies must deliver a “reasonable assurance” they have mitigated the risk of material misstatement.

What are three techniques for monitoring compliance? ›

How we monitor compliance
  • desktop monitoring and assessment using publicly available chemical information.
  • review of data submitted by introducers and other agencies.
  • pre-arranged or unannounced inspections using the monitoring powers available to us under the Regulatory Powers Act.

What is the main purpose of compliance? ›

The purpose of compliance is to adhere to both internal policies and procedures, along with governmental laws. By implementing compliance procedures protects your company's reputational risk and improves your company's vision and value as well prevent and detect violations of rules.

What is an example of a compliance internal control? ›

A system of internal controls weaves together various types of processes and rules to assure an effective internal control process. Some examples of internal controls are internal audits, firewall deployment, training, and employee disciplinary procedures.

What is the compliance objective of internal control? ›

The purposes of internal controls are to: Protect assets; • Ensure that records are accurate; • Promote operational efficiency; • Achieve organizational mission and goals; and • Ensure compliance with policies, rules, regulations, and laws.

What is internal compliance requirements? ›

Internal compliance requirements for corporations include:

Holding onto all files of your transactions, policies and procedures, and bylaws. Keeping records of any licenses and contracts, including all additions and revisions. Providing stock to shareholders. Recording all stock transfers. Having a board of directors.

What are seven key components of an internal compliance plan? ›

Seven Elements of an Effective Compliance Program
  • Implementing written policies and procedures. ...
  • Designating a compliance officer and compliance committee. ...
  • Conducting effective training and education. ...
  • Developing effective lines of communication. ...
  • Conducting internal monitoring and auditing.

How do you establish effective internal controls? ›

Here is a five-step process to follow when developing and implementing effective internal controls in an organization:
  1. Step 1: Establish an Appropriate Control Environment.
  2. Step 2: Assess Risk.
  3. Step 3: Implement Control Activities.
  4. Step 4: Communicate Information.
  5. Step 5: Monitor.


Top Articles
Latest Posts
Article information

Author: Msgr. Benton Quitzon

Last Updated:

Views: 6551

Rating: 4.2 / 5 (63 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Msgr. Benton Quitzon

Birthday: 2001-08-13

Address: 96487 Kris Cliff, Teresiafurt, WI 95201

Phone: +9418513585781

Job: Senior Designer

Hobby: Calligraphy, Rowing, Vacation, Geocaching, Web surfing, Electronics, Electronics

Introduction: My name is Msgr. Benton Quitzon, I am a comfortable, charming, thankful, happy, adventurous, handsome, precious person who loves writing and wants to share my knowledge and understanding with you.