An effective internal control program helps the U. S. General Services Administration (GSA) safeguard Government resources and ensures that the agency efficiently and effectively fulfills its core mission and achieves its strategic goals.
The agency’s senior assessment team, the Management Control Oversight Council (MCOC), chaired by the Deputy Administrator, is responsible for establishing governance for GSA’s senior managers to provide the leadership and oversight necessary for effective implementation of the agency’s Internal Control Program.
GSA evaluates internal controls across the agency at various levels of the organization. GSA management is responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unanticipated events. Employees across the organization are responsible for understanding the controls applicable to their workflows and applying them in accordance with internal control guidance.
In fiscal year (FY) 2020, GSA took a significant step to increase and reinforce internal control compliance. The agency developed and launched a virtual mandatory internal control training for all GSA employees, outlining relevant and applicable Office of Management and Budget (OMB) Circular A-123 standards and best practices. GSA will update training material and require employees to complete the training annually.
Additionally, during this fiscal year, GSA worked to address the Office of Inspector General’s (OIG) management challenge related to internal controls. GSA focused on increasing accountability, resolving audit recommendations in a more timely manner, and implementing a more effective system of internal control agency-wide. Specifically, program audit resolution is monitored by senior executives, program managers, and staff through performance dashboards. GSA spent considerable time this fiscal year closing out audit recommendations.
Coronavirus Aid, Relief, and Economic Security Act
On March 27, 2020, the President signed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P. L.116-136) into law. The legislation provides $326 billion in emergency supplemental appropriations to aid Americans during the coronavirus crisis. In order to ensure GSA is able to prevent, prepare for, and respond to the coronavirus domestically and internationally, GSA received $295 million. GSA allocated the supplemental appropriations to the following funds:
- Federal Buildings Fund (FBF) - $275,000,000
- Working Capital Fund (WCF) - $1,500,000
- Federal Citizen Services Fund (FCSF) - $18,650,000
Emergency supplemental appropriations create risks that are higher than normal because the need to provide services quickly can hinder the effectiveness of existing controls and permit additional opportunities for individuals to engage in fraud. The Federal Government requires agencies to mitigate these new risks by establishing internal controls to ensure funds are used for their intended purposes and are accounted for appropriately. In accordance with Federal guidance, including OMB Memorandum M-20-21, Implementation Guidance for Supplemental Funding Provided in Response to the Coronavirus Disease 2019 (COVID-19), GSA developed a supplemental CARES Act internal control plan that identified and documented the incremental risks and controls for its COVID-19 activities to ensure, among other things, compliance with the Payment Integrity Information Act of 2019. The plan describes the actions GSA has implemented to supplement current controls and additional levels of review built in to ensure accountability to protect against waste, fraud, and abuse.
GSA remains committed to both transparency in spending and contract award, as evidenced by the inclusion of COVID-19 data made available for public view on USASpending.gov. CARES Act and other funds used to perform COVID-19 response activities are tracked and monitored for compliance internally using specific funds and unique project codes.
GSA’s Executive Reporting and Management Oversight team provides GSA senior leadership, including the Administrator and Deputy Administrator, with executive-level reporting on COVID-19 activities; tracks program implementation; and assists with cross-program coordination to ensure strategic program cohesiveness. Additionally, each month, an executive report is prepared outlining GSA’s response and compliance to COVID-19-related policy and legislative updates as well as financial spend execution of supplemental funding.
Management’s Responsibility for Enterprise Risk Management and Internal Controls
Integration with Enterprise Risk
To better understand and anticipate enterprise risk, GSA identifies and prioritizes prospective threats to the organization annually. This includes an effort to integrate and effectively use information developed as part of OMB Circular A-123 internal controls assessments.
In response to the pandemic, GSA proactively conducted an analysis to understand changes to drivers of several key risks. In addition, during FY 2020, GSA conducted a survey of its senior executives to identify the level of concern related to several enterprise risks, highlighting threats and risks to business units and the agency. The results of the survey were shared and discussed with senior leadership and, based on those survey results and follow-up discussions, GSA made adjustments to the annual risk profile and prioritized some risks for additional analysis and planning. Risks are managed throughout the year at the appropriate program level, with certain cross-cutting risks monitored and discussed at the enterprise level through existing governance mechanisms and decision bodies.
Procurement Management Review Function
As part of GSA’s internal controls, the Office of Government-wide Policy (OGP) conducts procurement management reviews (PMRs), which serve as an early warning indicator for challenges in the acquisition function.
In FY 2019, the agency incorporated contract administration into the procurement management review process. As a result of agency-wide findings, GSA issued a memorandum dated February 12, 2020, that directed GSA’s Heads of Services and Staff Offices to partner with OGP in identifying corrective actions, addressing PMR recommendations, and mitigating agency-wide challenges. This memorandum resulted in the establishment of two national corrective action plans for FY 2020, with a strategic and balanced approach to improving GSA’s internal controls environment.
FY 2020 PMRs continue to assess the basic foundational components of the acquisition function — including contract administration — in addition to several special reviews — including electronic contract files — to establish a baseline of agency-wide performance in the areas of data accuracy and completeness within electronic contract files and systems of record. Additionally, GSA will implement PMRs to assess acquisition functions specific to the COVID-19 national public health emergency. OGP will continue to prioritize the aforementioned topics going forward.
Federal Managers’ Financial Integrity Act of 1982
The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal controls and financial systems to provide reasonable assurance that the integrity of Federal programs and operations is protected. It also requires the head of the agency to provide an annual assurance statement on whether the agency has met this requirement and whether any material weaknesses exist.
In response to FMFIA, GSA implemented processes to hold senior managers accountable for the performance, productivity, operations, and integrity of their programs. GSA assesses compliance with the Government Accountability Office’s (GAO) 5 components and 17 principles of internal control. The results are analyzed to identify internal control issues or concerns. In FY 2020, the assessment was expanded to include an evaluation of activities to resolve audit findings, providing senior managers with a repository to track progress towards timely resolution.
The evaluation results and other information were provided to the MCOC to determine and advise whether there were any material weaknesses in internal control requiring disclosure in the Administrator’s Statement of Assurance. For FY 2020, GSA did not identify any material weaknesses or significant deficiencies.
OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A and D
OMB Circular A-123, Appendices A and D, require agencies to conduct an annual management assessment of internal control over reporting and financial systems. In FY 2020, the Office of the Chief Financial Officer continued to deploy an extensive annual assessment methodology that assesses risk across key business processes and identifies the related key internal controls over reporting and financial systems.
The Appendix A risk assessment evaluated the results of the FY 2019 financial audit, the FY 2019 evaluation of GAO’s 5 components and 17 principles of internal control, recent GAO and OIG audits, and management-identified priorities. The assessment identified the Federal Acquisition Service and the Public Buildings Service (PBS) revenue and receivables, payroll and human capital management, PBS regulated utilities payments, and oversight of additional funding received from COVID-19 legislation as within scope for the FY 2020 assessment.
For Appendix D, the financial system evaluation was based on initial materiality assessments. The systems in scope for this year’s assessments included Pegasys (the GSA core financial system of record), the Occupancy Agreement Billing, Payroll Accounting and Reporting, and the Fleet Management System.
Key controls were evaluated for the appropriate design, operational effectiveness, and identified potential risk areas.
GSA’s evaluation of Appendices A and D did not identify any material weaknesses in controls or material system nonconformances as of September 30, 2020.
GAO Standards for Internal Control in the Federal Government
GAO requires entities to assess whether their agency’s internal controls support 5 components and 17 principles of internal control. GSA understands the 5 components of internal control must be effectively implemented and operating in an integrated manner for an internal control system to be effective.
To ensure cohesion, in FY 2015, GSA created an inventory of policies and procedures designed to support internal controls. These policies and procedures were mapped to the component and principle they support. Each year, GSA reviews new and existing policies and procedures in the inventory and updates the related mapping documentation as necessary. Annual testing is conducted to ensure GSA meets the 5 components and 17 principles of internal control.
Federal Financial Management Improvement Act of 1996
The Federal Financial Management Improvement Act of 1996 was designed to improve Federal financial management and reporting by requiring that financial management systems comply substantially with three requirements:
- Federal financial management system requirements;
- Applicable Federal accounting standards; and
- The U. S. Standard General Ledger (USSGL) at the transaction level.
The act also requires independent auditors to report on agency compliance with the three stated requirements as part of financial statement audit reports. The agency evaluated its financial management systems and has determined they substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the USSGL at the transaction level.
Information and Financial Management Systems Framework
The Chief Financial Officers Act assigns responsibilities for planning, developing, maintaining, and integrating financial management systems to Federal agencies. GSA currently maintains e-Payroll applications, portions of its legacy core accounting system, and general support systems, which operate on a variety of hosting platforms to support various feeder applications.
In FY 2019 and FY 2020, GSA continued its progress in financial systems modernization. In FY 2019, GSA completed phase II of a project to move the Visual Invoice Tracking and Payment application, an accounts payable subsystem, to a new platform. The new platform improved GSA’s security posture, retired additional components of legacy FoxPro code, satisfied 508 compliance, expanded single sign-on implementation, and enhanced the overall user experience and usability of this mission-critical application. In FY 2020, GSA took steps to transition remaining ancillary financial applications to open source technology. GSA also successfully migrated the Collection Information Repository application to open source technology, and completed two additional applications, Recurring Services Notification Approval Process and Pegasys Vendor Request Management in FY 2020.
GSA has undertaken other activities that improve processes, increase automation, and further consolidate applications in its system architecture. To better secure GSA’s data assets, the agency continues to move more applications to the SecureAuth single sign-on solution and integrate twofactor authentication for identity and access management services. In the area of software asset management, GSA continues to mature new tool sets and additional capabilities introduced to help combat fraud and ensure proof of purchase, license, and user agreements.
To protect and secure sensitive building information (Federal tenant data, floor plans, leasing data, and market surveys with competitive rental rates), PBS and the Office of GSA Information Technology (GSA IT) included additional security rigor into contractor requirements in the National Broker Contract. The new contract requires GSA Leasing Support Services brokers to use Government-provided systems and email to store or process all information pertaining to leases. Contractors must also use GSA-provided IT systems and email (currently virtual desktops and GSA-provided Google Accounts) to store, process, or transmit GSA information for all work performed under this contract or have been assessed and granted an authority to operate by GSA IT.
GSA has implemented application programming interface (API) standards to improve the consistency and documentation of public APIs.
Federal Information Security Modernization Act
The Federal Information Security Management Act (FISMA) requires Federal agencies to implement a set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The controls in each Federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology (NIST) standards, and other legislative requirements pertaining to Federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, GSA maintains a formal program for information security management that focuses on FISMA requirements and protecting GSA IT resources. This program determines the processes necessary to mitigate new threats and anticipate risks posed by new technologies. The program also follows NIST’s cybersecurity framework for making risk-based determinations. Integration of cybersecurity with enterprise risk management has been improved by bringing cybersecurity risks discussion to the Investment Review Board and prioritizing investment decisions that mitigate those risks.
In FY 2019 and FY 2020, GSA meets all FISMA Cross-Agency Priority Goals for cybersecurity and has received a Managing Risk rating across all capability domains and overall for the Risk Management Assessment Scorecard. GSA has also implemented a set of Continuous Diagnostics and Mitigation (CDM) security sensor tools that feed summarized data to a CDM dashboard. The CDM dashboard provides a centralized view of cybersecurity risks across the enterprise and provides leadership with an ability to identify cybersecurity risks and prioritize actions to mitigate or accept risks based on potential effects to the mission of GSA. Other actions taken to mitigate cybersecurity risks at GSA include:
- Implementing information security requirements in accordance with FISMA mandates and GSA policies.
- Addressing weaknesses identified in GSA system-level plans of action and milestones, which are developed to manage the risks associated with all GSA applications.
Providing security and privacy awareness training to more than 17,000 employees and contractors. Developing a continuous diagnostics and mitigation program in accordance with NIST, U.S. Department of Homeland Security, and OMB direction.
Digital Accountability and Transparency Act (DATA Act)
The DATA Act was enacted in 2014, amending the Federal Financial Accountability and Transparency Act of 2006 (FFATA). FFATA requires reporting of obligations and award-related information for all Federal financial assistance and procurement awards. The DATA Act expands upon FFATA by adding U.S. Department of the Treasury account-level reporting; this includes reporting all Treasury Account Symbols that fund each award and contract transaction, budget authority, program activity, outlays, and budget object classes, among other data elements. The DATA Act also requires the Federal Government to collectively standardize the financial data elements reportable under the act. GSA submitted its monthly DATA Act submissions and certifies the monthly submission quarterly as required. This information is publicly accessible and searchable by the American public to see how tax dollars are spent. Additionally, in its biennial “Audit of the Completeness, Accuracy, Timeliness, and Quality of GSA’s 2019 DATA Act Submission” for the first quarter, the OIG found that GSA’s financial and award data to be of “higher” quality, the highest grade allowable.
Antideficiency Act
The Antideficiency Act (ADA), Pub.L. 97-258, 96 Stat. 923, prohibits Federal agencies from incurring obligations or expending funds in advance or in excess of an appropriation. The law was initially enacted in 1884, with major amendments occurring in 1950 and 1982. It is now codified at 31 U.S.C. § 1341.
In FY 2019, OMB confirmed an FY 2017 ADA violation related to the Acquisition Services Fund (ASF), and OMB is still in the process of clearing the ADA notification letter for transmission to the President; once this is complete, GSA will share the ADA notification letter with Congress and GAO. In response, GSA implemented a corrective action plan that enhances forecasting capabilities. In addition, OMB amended the FY 2019 ASF apportionment to allow for automatic increases to the apportionment in the event of unanticipated customer orders placed above the apportioned levels, thus eliminating the potential for reoccurrence of a similar ADA.
GSA is also working with OMB to reach a decision for a potential violation of the ADA related to the FCSF identified in FY 2017. The FCSF was used to improve search capability for State and local government websites without reimbursement, potentially in contravention of the fund’s authorizing statutes. GSA discontinued these support services in February 2017.