An effective internal control program helps us safeguard government resources and ensures that the agency efficiently and effectively fulfills our core mission and achieves our strategic goals.
The agency’s senior assessment team, the Management Control Oversight Council, chaired by the deputy administrator, reviews and approves the enterprise internal control program and provides the leadership and oversight necessary for effective implementation of the agency’s program.
We evaluate internal controls across the agency at various levels of the organization. Our management is responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unanticipated events. Employees across the organization are responsible for understanding the controls applicable to their workflows and applying them in accordance with internal control guidance.
In fiscal year 2022, we continued efforts to increase and reinforce internal control compliance. The agency requires mandatory internal control training for all employees, outlining relevant and applicable Office of Management and Budget Circular A-123 standards and best practices. Additionally, during this fiscal year, we continued our focus on increasing accountability, resolving audit recommendations, and implementing a more effective system of internal control agencywide. Specifically, senior executives, program managers, and staff closely monitor program audit resolution through performance dashboards.
Management’s responsibility for enterprise risk management and internal controls
Integration with enterprise risk
To better understand and anticipate enterprise risk, we identify and prioritize prospective threats to the organization annually. This includes an effort to integrate and effectively use information developed as part of OMB Circular A-123 internal controls assessments.
We established an enterprise risk management policy statement, which highlights the importance of effective risk management in meeting our mission. The Enterprise Risk and Strategic Initiatives Board, co-chaired by the deputy performance improvement officer and the chief information security officer, works to continuously improve risk governance at our agency. The ERSI board is charged with implementing sound risk management across the agency and translating enterprise-level strategies into actionable initiatives. Risks are managed throughout the year at the appropriate program level, with certain cross-cutting or emerging risks monitored and discussed at the enterprise level through existing governance mechanisms and decision bodies.
Procurement management review function
As part of our internal controls, the Office of Government-wide Policy conducts procurement management reviews. These reviews help the agency identify best practices and challenges in the acquisition function.
In FY 2022, we continued our focus on strengthening management and internal controls in the area of contract administration. Procurement management reviews assessed the basic foundational components of the acquisition function, including contract administration, performance-based contracting, acquisition planning, and effective contract pricing and negotiations.
We will play an important role in advancing the administration’s priorities through leadership in government-wide acquisition, including economic growth, climate resiliency, and strengthening diversity, equity, inclusion, and accessibility. Achieving these goals will require a modern, accessible, and streamlined acquisition ecosystem and a robust marketplace that connects buyers to the suppliers and businesses that meet their mission needs.
The procurement management review process continues to play an important role in helping to ensure the agency meets our ambitious goals. For example, in FY 2022, the PMR Division reviewed the multiple award schedule process for vendor rejections and withdrawals. As the MAS Program Management Office continues to examine its processes on procurement acquisition lead time, overall agency workload management, and supplier onboarding, the review will assist the MAS PMO in accomplishing its goal of promoting and improving quality in the acquisition process.
We continue to strengthen methodologies for procurement management reviews to assess known challenges. For example, the PMR Division did not provide the regional acquisition personnel with an advance list of the electronic contract files selected for a procurement management review. The change in process enabled a true assessment of complete and accurate electronic contract files, previously identified as a challenge. Updating the approach for ECF assessments aligns to other auditing practices used by the Office of Inspector General and the Government Accountability Office. Our service and staff offices have made significant strides in the agency’s ECF landscape.
In FY 2023, the PMRD will continue its focus on contract administration and electronic contract filing, verifying adequate management and internal controls are in place to ensure sufficient government oversight of the goods and services procured.
The PMRD will continue to prioritize activities that ensure the administration’s priorities and our acquisition policies have a significant and lasting positive impact on the American public and its stakeholders.
Federal Managers’ Financial Integrity Act of 1982
The Federal Managers’ Financial Integrity Act of 1982 requires that agencies establish internal controls and financial systems to provide reasonable assurance that the integrity of federal programs and operations is protected. It also requires the head of the agency to provide an annual assurance statement on whether the agency has met this requirement and whether any material weaknesses exist.
In response to FMFIA, the agency implemented processes to hold managers accountable for the performance, productivity, operations, and integrity of their programs through the use of internal controls. Our Office of the Chief Financial Officer continues to use an Entity Level Evaluation Tool that incorporates the evaluation factors of GAO’s 5 components and 17 principles of Internal Control, and OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.
All controls were operating as intended with the exceptions identified in the FY 2022 Statement of Assurance. Corrective actions were implemented during the year to help address this weakness.
OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendices A and D
OMB Circular A-123, Appendices A and D, require agencies to conduct an annual management assessment of internal control over reporting and financial systems. In FY 2022, OCFO deployed an extensive methodology that assessed risk across key business processes and identified the related key internal controls over reporting and financial systems.
The Appendix A risk assessment evaluated the results of the FY 2021 financial audit, the FY 2021 evaluation of GAO’s five components and 17 principles of internal control, recent GAO and Office of Inspector General audits, and management-identified priorities. In FY 2022, GSA assessed:
- Budget and finance.
- Federal Acquisition Service procurement, accounts payable and payments.
- Public Buildings Service procurement, accounts payable and payments.
For Appendix D, the financial system evaluation was based on initial materiality assessments. The systems in scope for this year’s assessments included:
- Pegasys — GSA’s core financial system of record.
- HR Links — GSA’s human capital management system.
- Assisted Services Shared Information System — a single, integrated solution for all GSA-assisted acquisitions.
- Federal Supply Service Payment System — a vendor invoicing system.
- Order Management System — an order fulfillment service primarily servicing the GSA Global Supply and Retail Operations.
- Electronic Acquisition System Integration — a solution that streamlines and automates the acquisition process.
- Requisitioning, Ordering, and Documentation System — a feeder system used to create purchase requests for vehicles.
Key controls were evaluated for the appropriate design, operating effectiveness, and identified potential risk areas.
Our evaluation of Appendices A and D did not identify any material weaknesses in controls or material system non-conformances as of Sept. 30, 2022.
GAO standards for internal control in the federal government
The GAO requires entities to assess whether their agency’s internal controls support five components and 17 principles of internal control. We understand the five components of internal control must be effectively implemented and operating in an integrated manner for an internal control system to be effective.
To ensure cohesion, in FY 2022, we continued to update an inventory of policies and procedures designed to support internal controls. These policies and procedures were mapped to the component and principle they support. Each year, we review new and existing policies and procedures in the inventory and update the related mapping documentation as necessary. We annually test the five components and 17 principles of internal control for compliance.
Federal Financial Management Improvement Act of 1996
The Federal Financial Management Improvement Act of 1996 was designed to improve federal financial management and reporting by requiring that financial management systems comply substantially with three requirements:
- Federal financial management system requirements.
- Applicable federal accounting standards.
- The U.S. Standard General Ledger at the transaction level.
The act also requires independent auditors to report on agency compliance with the three stated requirements as part of financial statement audit reports. The agency evaluated its financial management systems and has determined they substantially comply with federal financial management systems requirements, applicable federal accounting standards, and the USSGL at the transaction level.
Information and financial management systems framework
The Chief Financial Officers Act of 1990 assigns responsibilities for planning, developing, maintaining, and integrating financial management systems to federal agencies. Over the past few years, we have worked to transition applications to open-source technology, implemented various security enhancements, executed various system upgrades to meet legislative or other government-wide requirements, and decommissioned legacy systems. Additional emphasis has been placed on upgrades focusing on automation. These changes are described in more detail below.
We currently maintain e-payroll applications, portions of our legacy core accounting system, and general support systems that operate on different hosting platforms to support various feeder applications. In FY 2020, we took steps to transition remaining ancillary financial applications to open-source technology. We also successfully migrated the Collection Information Repository application to open-source technology, and completed two additional applications, Recurring Services Notification Approval Process and Pegasys Vendor Request Management, in FY 2020. In FY 2021, we continued this effort and migrated two more financial management applications, WebVendor and Pegasys Payment Search, off of proprietary database technology, and took additional steps to enhance the overall security posture of the agency’s ancillary financial management application portfolio. We successfully completed database encryption for multiple financial management applications and deployed multi-factor authentication for WebVendor and Pegasys Payment Search. In FY 2022, we deployed multi-factor authentication for FEDPAY for government users and migrated all applications using a custom-coded password service into our enterprise password management solution, Password Manager Pro.
We have successfully consolidated two business intelligence platforms and licenses and are able to save maintenance costs and provide more seamless support to our financial community. We continue to take steps to increase automation, migrate systems to cloud-based solutions, modernize legacy systems, and consolidate operations in the agency’s information technology portfolio. We continue to move more applications to the SecureAuth single sign-on solution and integrate two-factor authentication for identity and access management services to enhance the security of our data assets. To better insulate software assets from fraud and to ensure the agency appropriately records proof of purchase, licenses, and end-user agreements, we have continued to mature our software asset management toolkit. To accelerate the process of granting initial access and recertifying continued access to financial and other enterprise applications, GSA IT migrates business applications to an automated identity and provisioning management solution. This allows us to decommission legacy access management solutions. Future migrations will automate the processing of access requests that are currently manually processed through the Enterprise Access Request System to a simpler case management solution.
To protect and secure sensitive building information, like federal agency occupant data, floor plans, leasing data, and market surveys with competitive rental rates, the Public Buildings Service and GSA IT incorporated additional security rigor into contractor requirements.
To further secure our assets, the current Leasing Support Services Plus contract requires contractors to use agency-provided IT systems and email to store, process, or transmit our information for all work performed under this contract. If this is not feasible, contractors must be granted authority to operate non-GSA systems by GSA IT. Similarly, PBS’s Office of Leasing implemented measures requiring all brokers to use a secure virtual desktop interface (Citrix-VDI) and gsa.gov email to receive and access sensitive information.
Federal Information Security Modernization Act
The Federal Information Security Modernization Act requires federal agencies to implement a set of processes and system controls designed to ensure the confidentiality, integrity, and availability of system-related information. The controls in each federal agency must follow established Federal Information Processing Standards, National Institute of Standards and Technology standards, and other legislative requirements pertaining to federal information systems, such as the Privacy Act of 1974.
To facilitate FISMA compliance, we maintain a formal program for information security management that focuses on FISMA requirements and protecting GSA IT resources. This program determines the processes necessary to mitigate new threats and anticipate risks posed by new technologies. The program also follows NIST’s cybersecurity framework for making risk-based determinations. GSA IT will closely integrate cybersecurity with enterprise risk management; we will improve and prioritize investment decisions that continue to mitigate those risks.
In May 2021, the President issued Executive Order 14028, Improving the Nation’s Cybersecurity, directing federal agencies to make a series of enhancements in their cybersecurity capabilities, implement software supply chain integrity, and transition to a zero trust architecture. EO 14028, supported by a series of OMB memoranda and Cybersecurity and Infrastructure Security Agency directives, represents a fundamental change in approach to how the government secures its information and information system resources. We fully support the administration’s goals to advance zero trust architecture and have aligned our approach to available best practices from NIST, CISA, and OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. In FY 2022, we submitted a proposal to the Technology Modernization Fund and were awarded $29.8 million to advance zero trust architecture that focuses on information technology security, including users and devices, networks, and security operations, as described below:
- Users and devices: We will meet the newer demands of telework through a multi-domain, hybrid cloud architecture approach that adheres to enhanced security principles.
- Networks: We will implement distinct network security segments by leveraging a secure access service edge, or SASE solution, and, in this manner, upgrade public buildings’ security network.
- Security operations: We will adopt increased machine learning and artificial intelligence-driven algorithms to help connect diverse data sources and highlight threats, while also providing security oversight for cyber supply chain risk management. The agency will continue to enhance core security operations centers, like governmentwide public-facing digital services.
We have further aligned our cybersecurity program to the new capability-driven metrics in the FY 2022 FISMA evaluation process, of which 82 of 120 metrics are new this fiscal year. By prioritizing zero trust and the new capability-driven measures, we will work to maintain our overall FISMA rating of “Managing Risk” across the five core cybersecurity functions — identify, protect, detect, respond, and recover — and the corresponding nine security domains.
Digital Accountability and Transparency Act
The Federal Financial Accountability and Transparency Act of 2006 requires federal agencies to report obligations and award-related information for all federal financial assistance and procurement awards. The Digital Accountability and Transparency Act of 2014 expands upon FFATA by adding U.S. Department of the Treasury account-level reporting. This includes reporting all Treasury Account Symbols that fund each award and contract transaction, budget authority, program activity, outlay, and budget object class, among other data elements. The DATA Act also requires the federal government to collectively standardize the financial data elements that are reportable under the Act. In FY 2022, we provided monthly DATA Act submissions and certified those submissions each quarter, as required. This information is publicly accessible on the USAspending website, which allows users to view how federal tax dollars are spent.
Antideficiency Act
The Antideficiency Act, Public Law 97-258, 96 Stat. 923, prohibits federal agencies from incurring obligations or expending funds in advance or in excess of an appropriation. The law was initially enacted in 1884, with major amendments occurring in 1950 and 1982. It is now codified at 31 U.S.C. § 1341 and 1342.
We regularly monitor program spending against the levels apportioned by the Office of Management and Budget as well as the levels of actual resources collected to ensure the agency does not spend more funding than authorized. Additionally, we have controls in place in our financial system, Pegasys, to prevent spending above the levels apportioned to our various funds. These systematic controls increase efforts to comply with the Antideficiency Act.
Statement of assurance
Our management is responsible for managing risks and maintaining effective internal controls to meet the objectives of Sections 2 and 4 of the Federal Managers’ Financial Integrity Act. We conducted our assessment of risk and internal controls in accordance with the Office of Management and Budget Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. Our management can provide reasonable assurance that internal controls over operations, reporting, and compliance were operating effectively as of Sept. 30, 2022, with the exception of the financial reporting process, where a material weakness has been identified.
We identified an accounting error that impacted the temporarily unavailable balances for multiple years. Although the cumulative amount was immaterial, we did not have the proper controls over balances to identify the error in a timely manner and adjustments were made in the prior-year Statement of Budgetary Resources. In addition, the audit identified inadequate second-level reviews over manual transactions processed in Pegasys, the agency’s core financial system. We implemented multiple corrective actions in FY 2022 to mitigate the issue and will further develop and execute corrective action plans in FY 2023, as described in the “Corrective Action Plans” section. These two control deficiencies when aggregated result in a material weakness.
We have assessed that we are in compliance with federal financial management standards, as required by the Federal Financial Management Improvement Act of 1996 and OMB Circular A-123 Appendix D. We are confident that all systems substantially comply with the federal financial management system requirements, federal accounting standards promulgated by the Federal Accounting Standards Advisory Board, and with the U.S. Standard General Ledger at the transaction level as of Sept. 30, 2022.
Robin Carnahan
Administrator of General Services
November 14, 2022
Summary of material weaknesses
Controls over financial statement balances
In FY 2022, management identified an issue where the budgetary resources related to certain reimbursable activities were misclassified in the general ledger resulting in errors in current and prior years’ balances. In addition, our independent auditors identified a deficiency related to controls over certain manual journal entries. The finding specifically noted insufficient controls in the process where manual transactions were entered in the financial system without a proper second-level review and approval. These two control deficiencies, when considered together, resulted in a material weakness.
Corrective action plans
We implemented multiple corrective measures in FY 2022 to address these issues. We corrected the error in our financial statements that deferred the recognition of RWA revenue as “direct activities” by recording adjustments to the applicable line items in the Statement of Budgetary Resources for fiscal years that ended on Sept. 30, 2022, and 2021. In FY 2023, we will update our reporting categories and processes for validating and verifying general ledger balances that are reflected in the Statement of Budgetary Resources.
We also reviewed large-dollar transactions to detect the possibility of misstatement in the Consolidated Financial Statements, analyzed the impact of accounting errors, established second-level reviews and approvals over manual transactions with the largest potential impact, randomly sampled the population of manual journal entries, and recorded adjusting entries to correct any significant errors identified. We concluded that there were no material misstatements in the aggregate for FY 2022.
To further address the insufficient controls over processes that impact the financial statement balances, we will enlist a third party to conduct a comprehensive review of internal controls over manual journal entries into the core financial system and to provide the agency with recommendations for process improvement. We will also implement key changes in our workflow processes to incorporate two levels of approvals for manual transactions. For those transactions where the second-level approval can be automated, we will initiate the requirements development process to add this functionality within Pegasys, our core financial system, and any other business system interfaces as necessary.