An effective internal control program helps the U.S. General Services Administration (GSA) safeguard Government resources and ensures that the agency efficiently and effectively fulfills its core mission and achieves its strategic goals.
The agency's senior assessment team, the Management Control Oversight Council (MCOC), chaired by the Deputy Administrator, reviews and approves the enterprise internal control program and provides the leadership and oversight necessary for effective implementation of the agency's program.
GSA evaluates internal controls across the agency at various levels of the organization. GSA management is responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unanticipated events. Employees across the organization are responsible for understanding the controls applicable to their workflows and applying them in accordance with internal control guidance.
In fiscal year (FY) 2021, GSA took a significant step to increase and reinforce internal control compliance. The agency requires mandatory internal control training for all GSA employees, outlining relevant and applicable Office of Management and Budget (OMB) Circular A-123 standards and best practices. Additionally, during this fiscal year, GSA worked to address the Office of Inspector General's (OIG) management challenge related to internal controls. GSA focused on increasing accountability, resolving audit recommendations in a more timely manner, and implementing a more effective system of internal control agency-wide. Specifically, in response to the management challenge, program audit resolution is closely monitored by senior executives, program managers, and staff through performance dashboards. GSA spent considerable time this fiscal year closing out audit recommendations.
Management's Responsibility for Enterprise Risk Management and Internal Controls
Integration with Enterprise Risk
To better understand and anticipate enterprise risk, GSA identifies and prioritizes prospective threats to the organization annually. This includes an effort to integrate and effectively use information developed as part of OMB Circular A-123 internal controls assessments.
During FY 2021, GSA issued an enterprise risk management policy statement that highlights the importance of effective risk management in meeting its mission. In an effort to improve the governance of risk at GSA, an Enterprise Risk and Strategic Initiatives (ERSI) Board was chartered, which is co-chaired by the Deputy Performance Improvement Officer and the Chief Information Security Officer. The ERSI Board is charged with implementing sound risk management across GSA and translating enterprise-level strategies into actionable initiatives. Risks are managed throughout the year at the appropriate program level, with certain cross-cutting or emerging risks monitored and discussed at the enterprise level through existing governance mechanisms and decision bodies.
Procurement Management Review Function
As part of GSA's internal controls, the Office of Government-wide Policy conducts procurement management reviews (PMRs). These PMRs serve as an early warning indicator, identifying best practices and challenges in the acquisition function. In FY 2019, the agency incorporated contract administration into the procurement management review process. As a result of agency-wide findings, GSA issued a memorandum dated February 12, 2020, that directed GSA's Heads of Services and Staff Offices to partner with OGP in identifying corrective actions, addressing PMR recommendations, and mitigating agency-wide challenges. This memorandum resulted in the establishment of two national corrective action plans for FY 2020, with a strategic and balanced approach to improving GSA's internal controls environment.
In FY 2020 and 2021, the agency focused on strengthening management and internal controls in the area of contract administration. First, the PMR Division monitored agency-wide progress towards meeting standards laid out in two contract administration-based national corrective action plans. Next, PMR entity and transactional checklists were updated to strengthen the assessment of GSA's contract administration controls environment. These initiatives resulted in agency-wide attention to post-contract award support needed to drive successful post-award administration.
Findings from internal reviews are issued in a PMR report documenting the observations and key takeaways for entity and transactional reviews. The report allows users to pinpoint key areas of opportunity and other transactional data that directly correlate to management and internal controls within the specific stages of the acquisition or lease acquisition life cycle. The data available strengthens the acquisition workforce's abilities to analyze performance, informs planning and training, and identifies opportunities for efficiency.
In FY 2022, PMRs will continue to assess the basic foundational components of the acquisition function. This includes contract administration, performance-based contracting, acquisition planning, and effective contract pricing and negotiations.
Federal Managers' Financial Integrity Act of 1982
The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal controls and financial systems to provide reasonable assurance that the integrity of Federal programs and operations is protected. It also requires the head of the agency to provide an annual assurance statement on whether the agency has met this requirement and whether any material weaknesses exist.
In response to FMFIA, GSA implemented processes to hold senior managers accountable for the performance, productivity, operations, and integrity of their programs. GSA assesses compliance with the Government Accountability Office's (GAO) 5 components and 17 principles of internal control. The results are analyzed to identify internal control issues or concerns. In FY 2020 and FY 2021, the assessments were expanded to include an evaluation of activities to resolve audit findings, providing senior managers with a repository to track progress towards timely resolution.
The evaluation results and other information were provided to the MCOC to determine and advise whether there were any material weaknesses in internal control requiring disclosure in the Administrator's Statement of Assurance. For FY 2021, GSA did not identify any material weaknesses or significant deficiencies.
OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, Appendix A and D
OMB Circular A-123, Appendices A and D, require agencies to conduct an annual management assessment of internal control over reporting and financial systems. In FY 2021, the Office of the Chief Financial Officer continued to deploy an extensive annual assessment methodology that assesses risk across key business processes and identifies the related key internal controls over reporting and financial systems.
The Appendix A risk assessment evaluated the results of the FY 2020 financial audit, the FY 2020 evaluation of GAO's 5 components and 17 principles of internal control, recent GAO and Office of Inspector General audits, and management-identified priorities. The assessment identified the Federal Acquisition Service and the Public Buildings Service (PBS)-managed assets and liabilities, financial close and reporting, year-end budget reconciliation, PBS-regulated and deregulated utilities payments, and Coronavirus Aid, Relief, and Economic Security Act (CARES Act) funding as within scope for the FY 2021 assessment.
For Appendix D, the financial system evaluation was based on initial materiality assessments. The systems in scope for this year's assessments included Pegasys (the GSA core financial system of record), the Fleet Management System, the Inventory Reporting Information System, and the Federal Supply Service Payment System.Key controls were evaluated for the appropriate design, operational effectiveness, and identified potential risk areas.
Key controls were evaluated for the appropriate design, operational effectiveness, and identified potential risk areas.
GSA's evaluation of Appendices A and D did not identify any material weaknesses in controls or material system non-conformances as of September 30, 2021.
GAO Standards for Internal Control in the Federal Government
The GAO requires entities to assess whether their agency's internal controls support 5 components and 17 principles of internal control. GSA understands the 5 components of internal control must be effectively implemented and operating in an integrated manner for an internal control system to be effective.
To ensure cohesion, in FY 2021, GSA continued to update an inventory of policies and procedures designed to support internal controls. These policies and procedures were mapped to the component and principle they support. Each year, GSA reviews new and existing policies and procedures in the inventory and updates the related mapping documentation as necessary. Annual testing is conducted to ensure GSA meets the 5 components and 17 principles of internal control.
Federal Financial Management Improvement Act of 1996
The Federal Financial Management Improvement Act of 1996 was designed to improve Federal financial management and reporting by requiring that financial management systems comply substantially with three requirements:
- Federal financial management system requirements;
- Applicable Federal accounting standards; and
- The U. S. Standard General Ledger (USSGL) at the transaction level.
The act also requires independent auditors to report on agency compliance with the three stated requirements as part of financial statement audit reports. The agency evaluated its financial management systems and has determined they substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the USSGL at the transaction level as of September 30, 2021.
Information and Financial Management Systems Framework
The Chief Financial Officers Act assigns responsibilities for planning, developing, maintaining, and integrating financial management systems to Federal agencies. GSA currently maintains e-Payroll applications, portions of its legacy core accounting system, and general support systems, which operate on a variety of hosting platforms to support various feeder applications.
In FY 2020, GSA took steps to transition remaining ancillary financial applications to open source technology. GSA also successfully migrated the Collection Information Repository application to open source technology, and completed two additional applications, Recurring Services Notification Approval Process and Pegasys Vendor Request Management in FY 2020. In FY 2021, GSA continued this effort and completed the development work to migrate two more financial management applications, WebVendor and Pegasys Payment Search, off of proprietary database technology, and took additional steps to enhance the security posture overall of the agency's ancillary financial management application portfolio. GSA successfully completed database encryption for multiple financial management applications, as well as deployed multi-factor authentication for WebVendor and Pegasys Payment Search.
GSA has undertaken other activities that improve processes, increase automation, and further consolidate applications in its system architecture. To better secure GSA's data assets, the agency continues to move more applications to the SecureAuth single sign-on solution and integrate two- factor authentication for identity and access management services. In the area of software asset management, GSA continues to mature new tool sets and additional capabilities introduced to help combat fraud and ensure proof of purchase, license, and user agreements.
To protect and secure sensitive building information (e.g., Federal occupant agency data, floor plans, leasing data, and market surveys with competitive rental rates), PBS and the Office of GSA IT included additional security rigor into contractor requirements in the National Broker Contract. The new contract requires GSA Leasing Support Services brokers to use Government-provided systems and email to store or process all information pertaining to leases. Contractors must also use GSA-provided IT systems and email (currently virtual desktops and GSA-provided Google Accounts) to store, process, or transmit GSA information for all work performed under this contract or have been granted authority to operate non-GSA systems by GSA IT.
GSA has implemented application programming interface (API) standards to improve the consistency and documentation of public APIs.
The Office of Leasing has ensured that all brokers use Citrix-VDI and gsa.gov email to receive and access sensitive information.
In May 2021, GSA's Office of the Chief Financial Officer worked with the USDA Pegasys Financial Services team to upgrade the agency's core financial system to Momentum 7.8. This upgrade includes capabilities needed to support current G-Invoicing functionality for the U.S. Department of Treasury's initiative to have a standard database for Intragovernmental Transactions. It includes the conversion of System for Award Management Unique Entity Identifier (UEI) from DUNS, as well as incorporating new features and enhancements designed to meet current legislative and Government-mandated Federal financial management requirements and recommendations. GSA has successfully consolidated two SAP business intelligence platforms and licenses and is able to save maintenance costs and provide more seamless support to the GSA financial community.
Federal Information Security Modernization Act
The Federal Information Security Modernization Act (FISMA) requires Federal agencies to implement a set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The controls in each Federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology (NIST) standards, and other legislative requirements pertaining to Federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, GSA maintains a formal program for information security management that focuses on FISMA requirements and protecting GSA IT resources. This program determines the processes necessary to mitigate new threats and anticipate risks posed by new technologies. The program also follows NIST's cybersecurity framework for making risk-based determinations. The integration of cybersecurity with enterprise risk management has been improved and prioritizes investment decisions that mitigate those risks. In the past year, GSA closed all prior-year OIG FISMA audit findings, improved in 10 FISMA metrics, and continued to improve the cybersecurity and the information continuous monitoring security domains. To address the challenge of removing network users on a timely basis, GSA is planning to partially or fully automate this process of termination with the identity, credential, and access management and Continuous Diagnostics and Mitigation solution of Sailpoint by FY 2022.
Digital Accountability and Transparency Act (DATA Act)
The DATA Act was enacted in 2014, amending the Federal Financial Accountability and Transparency Act of 2006 (FFATA). FFATA requires reporting of obligations and award-related information for all Federal financial assistance and procurement awards. The DATA Act expands upon FFATA by adding U.S. Department of the Treasury account-level reporting; this includes reporting all Treasury Account Symbols that fund each award and contract transaction, budget authority, program activity, outlays, and budget object classes, among other data elements. The DATA Act also requires the Federal Government to collectively standardize the financial data elements reportable under the act. GSA provided monthly DATA Act submissions and certified those submissions quarterly, as required. This information is publicly accessible and searchable, and allows users to view how tax dollars are spent.
Antideficiency Act
The Antideficiency Act (ADA), Public Law 97-258, 96 Stat. 923, prohibits Federal agencies from incurring obligations or expending funds in advance or in excess of an appropriation. The law was initially enacted in 1884, with major amendments occurring in 1950 and 1982. It is now codified at 31 U.S.C. § 1341.
In FY 2021, OMB confirmed that the Federal Citizen Services Fund violated the Antideficiency Act in fiscal years 2016 and 2017 by providing DigitalSearch functionality to State and local government websites in contravention of the fund's appropriations and authorizing statutes. GSA discontinued these support services in February 2017. OMB is reviewing the ADA notification letter for transmission to the President, Congress, and GAO.
FY 2021 Statement of Assurance
The U.S. General Services Administration management is responsible for managing risks and maintaining effective internal controls to meet the objectives of Sections 2 and 4 of the Federal Managers' Financial Integrity Act. GSA conducted its assessment of risk and internal controls in accordance with the OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control. The assessment did not identify any material weaknesses. GSA management can provide reasonable assurance that internal controls over operations, reporting, and compliance were operating effectively as of September 30, 2021.
In FY 2021, OMB confirmed an FY 2017 ADA violation related to utilizing the Federal Citizens Services Fund to support search capability for State and local government websites. GSA corrected this by ending these services in February 2017.
GSA has assessed that it is in compliance with Federal financial management system standards, as required by the Federal Financial Management Improvement Act of 1996 and OMB Circular A-123 Appendix D. GSA is confident that all systems substantially comply with the Federal financial management system requirements, Federal accounting standards promulgated by the Federal Accounting Standards Advisory Board, and with the U.S. Standard General Ledger at the transaction level as of September 30, 2021.
Robin Carnahan
Administrator of General Services
November 12, 2021
