Appendix D - FY 2004 Federal Managers' Financial Integrity Act Report on Systems and Controls
The Federal Managers' Financial Integrity Act (FMFIA) requires agencies to provide an annual statement of assurance on the effectiveness of their management, administrative, and accounting controls (Section 2 of the Act), and financial management systems (Section 4 of the Act). Significant deficiencies in internal controls are considered material weaknesses; significant deficiencies in financial management systems are considered material nonconformances. The full text of the Secretary's assurance statement for FY 2004 can be found in the Secretary's Letter at the beginning of this report; the Sections 2 and 4 results are discussed in the following pages. At the end of FY 2004, the Secretary reported three material weaknesses and one material nonconformance.
Status of Outstanding FMFIA Material Weaknesses or Nonconformances

| # | Title & Identification Code | First FY Reported | Target Correction Date |
|---|---|---|---|
| Section 2 | | | |
| | FISMA significant deficiency (ID: HHS-04-01) | FY 2004 | End of FY 2005 |
| | Departmental Payroll System (ID: HHS-04-02) | FY 2004 | End of FY 2005 |
| | Departmental Financial Reporting (ID: HHS-04-03) | FY 2004 | FY 2005 |
| Section 4 | | | |
| 1a | Financial Systems & Processes (ID: HHS 00-01) | FY 2001 | UFMS FMFIA and FFMIA compliance (FY 2006); UFMS full implementation (FY 2007) |
| 1b | CMS Financial Systems Analysis and Oversight, including Medicare Accounts Receivable and Managed Care (ID: CMS 01-01, formerly HCFA 97-02) | FY 2001 | HIGLAS FFMIA compliance (FY 2006); HIGLAS full implementation (FY 2007) |
| 1c | Medicare EDP Controls, including Application Controls for Medicare Contractors (ID: CMS 01-02, formerly HCFA 98-01a) | FY 2001 | FY 2006 (previously reported as FY 2004 in the FY 2003 report) |
Section 2 Material Weaknesses
HHS reports three new Section 2 material weaknesses: (1) FISMA significant deficiency; (2) Departmental Payroll System; and (3) Departmental Financial Reporting.
Federal Information Systems Management Act (FISMA) Significant Deficiency (HHS-04-01)
In the Department's FY 2004 FISMA report to the Office of Management and Budget (OMB), dated October 6, 2004, the OIG executive overview identified one "significant deficiency" at the Department level:
"Our FY 2004 FISMA evaluation determined that the Department has a significant deficiency in its information system security program relating to contingency planning and disaster recovery. Our evaluation identified weaknesses in these areas at 11 of 13 HHS Agencies. For 6 HHS Agencies this was a repeat finding from a previous FISMA evaluation."
Per OMB FY 2004 guidance, a significant deficiency under FISMA is to be reported as an FMFIA material weakness under Section 2. HHS believes that although contingency planning and disaster recovery need to be addressed, this significant deficiency has little impact on day-to-day processing. According to the HHS Chief Information Officer, this finding is not a statement that some particular system has been compromised, although the FISMA report notes a few areas of improvement and contains a list of things HHS needs to do better. OIG also reported that another component of the deficiency is the Medicare EDP controls, which has already been identified through the Chief Financial Officer (CFO) audit process. This is a repeat finding and is addressed separately as part of the one Section 4 material nonconformance discussed below.
The FISMA report contains a corrective action plan to address these findings and includes a target date of September 30, 2005 for completing corrective action. However, due to FISMA confidentiality requirements, FISMA report findings are not published and therefore a detailed corrective action plan is not included in this published FMFIA report.
Departmental Payroll System (HHS-04-02)
The auditors found that there are significant deficiencies in the Departmental Payroll System that could result in misstatements to payroll-account balances and the Commissioned Corps liability, improper payments, release of sensitive data, and reduced controls over safeguarding of assets.
The Department is committed to putting any necessary remedial or preventive mechanisms in place to improve our audit standing. However, there are some areas where reasonable explanations were provided to findings and these areas may not change. We fully embrace having solid oversight responsibilities for payroll and personnel and have already implemented procedures and processes that address many of the concerns discovered during our massive data cleanup efforts. We believe that our efforts in the HR consolidation, implementing Department wide automated HR systems, and the transition to the Defense Finance and Accounting Service scheduled for March 2005 will enhance our ability to have a solid payroll system.
Departmental Financial Reporting (HHS-04-03)
The auditors found that the department lacks a coordinated process among cross-functional teams of finance, operations and legal personnel to monitor business activities to identify situations where accounting evaluation or decision-making may be necessary. The issue that gave rise to this problem is that HHS had a significant policy issue at the end of FY '04 that had a material impact on its financial statements. This issue was below the materiality threshold in prior years.
In response to the auditor's findings, HHS is taking the following actions. HHS will: (1) appoint a single point of contact (POC) within the HHS CFO's office responsible for early identification and resolution of significant policy issues that have an impact on HHS financial statements; (2) strengthen its existing CFO Quarterly Meetings with OPDIV CFOs at the Department level to ensure coordination among cross-functional teams of finance, operations, and legal personnel to identify significant programmatic activities that may impact the quarterly and annual financial statements; (3) hold OPDIV CFOs accountable for ensuring that programmatic and related legal issues are promptly identified and communicated to the HHS CFO POC; and (4) engage the active participation of OMB officials in the resolution of any significant policy issues.
Section 4 Material Nonconformance
At the end of FY 2004, HHS reported one Section 4 nonconformance, Financial Systems and Processes (HHS 00-01). This finding comprised three component findings: the Department-wide audit finding, and the two separate audit findings at the Centers for Medicare & Medicaid Services (CMS) -- Financial Systems Analysis and Oversight (CMS 01-01) and Medicare EDP [electronic data processing] Controls (CMS 01-02). Implementation of the Unified Financial Management System (UFMS) will provide the long-term solution to these problems and eliminate the Section 4 nonconformance by the end of FY 2006. As part of the Financial Analysis and Oversight component finding the auditors also determined that internal controls over the Managed Care program need to be improved. The auditors disclosed that there was a lack of and/or inconsistent documentation to evidence the on-going monitoring and oversight reviews of the Managed Care program.
HHS auditors have cited the Department's lack of an integrated accounting system as a material weakness and a specific impediment in preparing timely financial reports and statements. As part of Secretary Thompson's "One HHS" approach to managing the Department, HHS is developing and implementing an integrated UFMS to provide for Department-wide financial reporting. UFMS will generate interim and annual financial statements, as well as other required external and internal financial reports. UFMS consists of two primary components: the Health Care Integrated General Ledger System (HIGLAS), dedicated to CMS, and the second dedicated to the rest of HHS. FY 2005 will see a significant achievement for the UFMS effort. By the end of the year the system will be deployed at the Centers for Disease Control and Prevention (CDC) and the Food and Drug Administration (FDA). The National Institutes of Health (NIH) Business and Research Support System (NBRSS) has already been "stood up" and the HIGLAS will have been deployed at eight of the largest CMS Medicare contractors. This level of deployment will not comply with the requirements of the Federal Financial Management Improvement Act (FFMIA). The Department will not meet this level of materiality of financial operations until the end of FY 2006.
In the short term, HHS Agencies have continued to make substantial progress in addressing account analysis and reconciliation problems that contribute to the Department's FMFIA Section 4 nonconformance.
NIH has implemented numerous additional analyses and reconciliations; a new, more disciplined and controlled process to prepare the trial balances from which NIH financial statements are prepared; and has identified additional areas of potential improvement on which NIH has already begun work. Also, NIH plans to validate or change certain internal processes and provide significant training to staff. This effort will result in benefits to accounting operations and to the administrative operations of Institutes and Centers. The Office of Financial Management, working with the NIH Center for Information Technology, has implemented a new web-based tool that allows staff to analyze all general ledger accounts individually and by transaction codes online. This has allowed NIH to correct and compensate for some of the deficiencies noted by auditors. The information is more reliable and available in a timely manner for review and reporting.
CDC conducts periodic reviews, as well as monthly and quarterly reconciliations. CDC created the trial balance and financial statements offline using a manually-intensive process, which required excessive resources and increased the chance of error. The new UFMS will eliminate this material weakness by generating financial statements without the manually-intensive process.
Auditors reported in their FY 2004 CMS audit report that, overall, the Medicare contractors continue to significantly improve the maintenance of supporting records for financial activities and year end balances. However, the lack of an integrated financial management system continues to impair CMS and its Medicare contractors' abilities to efficiently and effectively support and analyze accounts receivable and other reported financial balances on a timely basis. The CMS long-range plan to address this material weakness is to implement, including Medicare contractors, a Joint Financial Management Improvement Program-approved integrated general ledger accounting software package.
Managed Care Program -- CMS central office has revised its Standard Operating Procedures (SOP) regarding the Managed Care program and has posted the SOP on the Intranet. The Preferred Provider Organization Demonstration Guide was completed June 2004, and the Health Care Pre-payment Plans Guide was revised and completed in June 2004. The attestation module in the Health Plan Management System has been completed and is operational.
CMS also continues to make substantial progress on mitigating the EDP control weaknesses and has revised its target for completing the related corrective action to FY 2006. CMS reports that the material weakness for the Medicare EDP controls is very complex involving approximately 33 contracts with the fiscal intermediaries and carriers who process claims using 16 data centers. Because of this complexity, resolution of the material weakness will take time and resources. The long-term strategy in eliminating the material weakness is rooted in the CMS modernization initiative that will further improve HHS' security posture. The President's budget for FY 2005 includes funding for information technology modernization. A more secure system environment is a key component of the IT modernization plan. CMS is implementing its plan using a two-track policy for security. On the first track, CMS is aggressively taking reasonable and appropriate remedial steps to close the highest risk vulnerabilities. These actions are reflected in HHS' Plan of Action and Milestones (POA&M) report. On the second complementary track, CMS is building security into the agency's modernized infrastructure through capital investments targeted to reduce its security perimeter. CMS will limit its exposure to risk through such preemptive measures as data center consolidation and simplifying application development in a way that leaves less opportunity for exploitation than is the case in the current highly complex systems environment. To reinforce this further, CMS' Information Services Modernization Implementation Strategy includes security components for application modernization, data modernization, and infrastructure modernization. The CMS' main effort is on building a secure infrastructure versus managing corrective actions. CMS intends to be proactive in managing IT modernization and will address all audit results as part of the POA&M report process.
The following tables provide corrective action plans for the following:
- Departmental Payroll System (material weakness);
- Departmental Financial Reporting (material weakness); and
- Financial Systems and Processes, a material nonconformance, which includes three sub-components:
  - Departmentwide (HHS-00-01),
  - CMS Financial Systems Analysis and Oversight (CMS 01-01), and
  - Medicare Information System Controls (CMS 01-02)
Section 2 Material Weakness HHS 04-02: Departmental Payroll System

Background

This material weakness was first identified in FY 2004. The Department's Payroll System internal controls need strengthening. The auditor's findings included some errors in pay, annual and sick leave balances, FEGLI withholding, and insufficient or incorrect supporting documentation.

Summary of Corrective Action Approach: HHS has made significant changes to its human resources operation in response to the President's Management Agenda (PMA). It was one of the first agencies to embrace the e-Gov e-Payroll initiative to consolidate to four payroll providers. As part of this initiative, in FY 2001, HHS established a goal of consolidating its human resources services activities. Beginning in FY 2002, several of our Operating Divisions internally consolidated their human resources function to a single office. The final step in the consolidation took place in January 2004, when we established the Human Resources Centers (HRCs). The recent implementation of this consolidation was designed to consolidate more than 40 decentralized HR offices into 4 HR service centers. This initiative has helped us recognize the need for improvement in our HR operations to include more training, periodic review of how our systems interface, and establishment of consistent processes and policies across the Department.

As we move forward in these areas, our human resources staff are also devoting an enormous amount of time to other efforts. For example, of primary concern is the transition of payroll services to the Defense Finance and Accounting Service (DFAS), which is scheduled for March 2005. Additionally, the Electronic Official Personnel Folders (eOPF) project is scheduled for implementation from December 2004 through September 2005.

These initiatives (i.e., HR consolidation, transition to DFAS, and migration to the eOPF) have focused our attention on several issues we need to address before the transition to DFAS and eOPF. We are also committed to putting any necessary remedial or preventive mechanisms in place to improve our audit standing. However, there are some areas where reasonable explanations were provided to findings and these areas may not change. We fully embrace having solid oversight responsibilities for payroll and personnel and have already implemented procedures and processes that address many of the concerns discovered during our massive data cleanup efforts. We believe that our efforts in the HR consolidation, implementing Department-wide automated HR systems, and the DFAS transition will enhance our ability to have a solid payroll system.

Target Correction Date: FY 2005 - We believe the HR consolidation, implementation of the eOPF, and transition to DFAS are providing the Department with opportunities to comply with the FMFIA by the end of FY 2005.

Key Milestones for Corrective Action

Completed Corrective Actions:
- Organized and planned for e-Payroll transition. May 2003
- Analyzed and built Phases 1 and 2 for e-Payroll transition. October 2004
- Established Human Resources Workgroup to identify requirements, prioritize enhancement requests, participate in testing EHRP changes, and serve as conduit for information on HR and e-Payroll. August 2004
- Established an accountability and technology initiative to ensure communications and teamwork. August 2004
- Trained human resources staff (i.e., timekeepers, payroll liaisons, ITAS representatives, etc.) to prepare for expected move to DFAS. August 2004
- Reissued documentation on appropriate Commissioned Corps survivor benefit procedures. December 2004

FY 2005 Planned Actions:
- Continue to present to the IT Investment Review Board (ITIRB) all changes to the HR systems. December 2004 - September 2005
- Test and prepare for e-Payroll transition to DFAS. March 2005
- Clean up and validate personnel files, and test and prepare for the migration to and implementation of the eOPF. December 2004 - September 2005
- Provide training and/or distribute guidelines on time and leave policy. January - September 2005
- Implement periodic checks for accuracy on civilian and Commissioned Corps actions. FY 2005
- Provide mini training sessions that target specific recurring types of errors (i.e., special pay, retention allowances, timekeeper, data entry, and systems, etc.). January - September FY 2005
Section 2 Material Weakness HHS 04-03: Departmental Financial Reporting

Background

This material weakness was first identified in FY 2004. Accelerated government-wide financial reporting requirements include the fact that policy decisions that have an impact on agency financial statements are to be resolved by Federal agencies timely to ensure that audited financial statements are issued timely and within federal requirements. In order to meet these requirements, HHS policy officials need to develop a more effective approach for the early identification and resolution of significant policy issues that have an impact on HHS financial statements. This approach should include coordination early and throughout the process with appropriate officials both within and outside HHS.

The issue that gave rise to this problem is that HHS had a significant policy issue at the end of FY '04 that had a material impact on its financial statements. This issue was below the materiality threshold in prior years. As a result, the HHS auditors found that the Department lacks a coordinated process among cross-functional teams of finance, operations, and legal personnel to monitor business activities and identify situations where accounting evaluation or decision-making may be necessary, and that no structured process exists to communicate potential loss contingencies to legal or accounting personnel. Further, the auditors found that upon identification of potential loss contingencies, no rational, structured process exists to ensure timely resolution of accounting questions by appropriate personnel. This condition could also impact the ability to rely on financial reporting from other OPDIVs or HHS as a whole.

One of the auditor's recommendations is the establishment of appropriate policies, procedures, and protocols, including clearly assigning responsibility, to address situations or transactions that require cross-functional involvement in determining accounting-related estimates. The financial management function should coordinate and facilitate the involvement of the other cross-functional units whose inputs are important factors in formulating the amount of the estimate.

Target Correction Date: FY 2005

Summary of Corrective Action Approach: HHS will: (1) appoint a single point of contact (POC) within the HHS CFO's office responsible for early identification and resolution of significant policy issues that have an impact on HHS financial statements; (2) strengthen its existing CFO Quarterly Meetings with OPDIV CFOs at the Department level to ensure coordination among cross-functional teams of finance, operations, and legal personnel to identify significant programmatic activities that may impact the quarterly and annual financial statements; (3) hold OPDIV CFOs accountable for ensuring that programmatic and related legal issues are promptly identified and communicated to the HHS CFO POC; and (4) engage the active participation of OMB officials in the resolution of any significant policy issues.

Key Milestones for Corrective Action
- Appoint an HHS CFO POC who will be responsible for developing an effective approach for the early identification and resolution of significant policy issues that have an impact on HHS financial statements. The approach will be approved by appropriate policy officials and clearly communicated to affected personnel. December 2004
- The HHS CFO POC will meet with OPDIV CFOs on lessons learned from the FY '04 audit. OPDIV CFOs will assess their current internal review processes for early identification of any issues with materiality and legal implications that could lead to significant financial statement adjustments, including review of their OPDIV's FY '04 legal representation letters with legal staff as a baseline. Any such issues will be promptly communicated to the HHS CFO POC, who will follow the established approach, including notification and coordination within and outside HHS. January 2005
- Beginning with the first CFO quarterly meeting in CY '05, utilize individual CFO Quarterly meetings with OPDIV CFOs to reinforce to OPDIV CFOs their obligation to reach out to program directors and legal staff to identify early significant programmatic activities that may materially impact the quarterly and annual financial statements, to promptly notify the HHS CFO POC, and to assist in timely resolution of all issues to meet financial reporting requirements. February 2005 and quarterly thereafter
- Continue to hold financial statement assessment meetings with OPDIV CFOs to address significant issues that may impact the financial statement audit and reinforce and follow the approved approach. At least quarterly
Section 4 Material Nonconformance HHS 00-01: Department-wide Financial Systems and Processes

Background

This Department-wide material nonconformance was first identified in FY 2000. The Department continues to have serious internal control weaknesses in its financial systems and processes for producing financial statements. The FY 2003 CFO audit and the FMFIA Report reflected a material nonconformance Department-wide under the FFMIA, which was reclassified in FY 2001 under Section 4 of the FMFIA as Financial Systems and Processes (HHS-00-01). This finding combined the Department-wide audit finding with the audit findings at CMS. CMS' FY 2003 financial statements audit revealed the same two material weaknesses as in the FY 2002 audit, specifically: Financial Systems and Analysis (CMS-01-01) and Medicare EDP Controls (CMS 01-02). For NIH, the auditors concluded that NIH financial systems, including mixed systems, do not fully conform to all government-wide standards required by OMB Circular A-127, Financial Management Systems. For CDC, the FY 2003 audit reported that CDC's financial system did not have the capability to generate financial statements.

Target Correction Date: FY 2006 - FFMIA/FMFIA compliance for UFMS and HIGLAS (the largest Medicare contractors will be using HIGLAS). Implementation of UFMS in accordance with the approved implementation plan will allow HHS to comply with the FFMIA/FMFIA by the end of FY 2006. OMB, as a result of its review of key UFMS planning documents and discussions with HHS officials, recognized in its quarterly progress reports for the President's Management Agenda (PMA) that the Department's current PMA financial management "status" could improve when the UFMS is substantially implemented at the end of FY 2006 and this nonconformance is resolved or downgraded to a reportable condition. In the short term, account analysis and reconciliations are helping to mitigate systems weaknesses. Full UFMS/HIGLAS implementation is expected in FY 2007.

Key Milestones for Corrective Action

FY 2004 Milestones:
- HIGLAS -- Delivered the capability to execute the claims payment processing cycle, including inbound claim, payment generation with AR/AP netting, and outbound notification. Provided the business flow in the pilot contractor setting. Completed October 2003
- NIH/NBS -- Finance and accounting functionality went live, with FY 2004 travel transactions being posted to the ORACLE sub-ledgers and flowing to the general ledger. Completed October 2003
- UFMS/Global -- Conducted CRP2 conference room pilots in CDC, Atlanta to validate: (1) that the system as configured can accommodate CDC's integrated business processes; (2) the integration of specific external systems using interface processes plus cross-module and cross-functional activities, not including data validation; and (3) specific global interfaces and extensions. Completed March 23 through April 1, 2004
- UFMS/Global -- Based on discussions with OMB, HHS submitted a draft proposal to OMB regarding PMA criteria for "Accurate financial information on demand used for day-to-day management." June 2004 (Draft proposal pending management and OMB review)
- UFMS/Global -- Shared Services study was completed on schedule. Recommendations for a structure focused on continuous quality improvements were presented to the UFMS Planning and Development and Steering Committees, and approval for implementation and/or further development was granted. Completed May 2004
- NIH/NBS System -- Continue and complete data conversion. May 2004
- HIGLAS -- Add history, deliver functionality for system and accounting auditability, and summary/detail document-level history. Also add the balance of functionality needed to complete the full business "footprint" of the claims payment process. September 2004

FY 2005 Milestones:
- CDC and FDA implement UFMS general ledger and payroll accounting activities. October 2004
- CDC to implement grant accounting. First quarter
- FDA and CDC to implement the full scope of UFMS. April 2005
- HIGLAS: Will implement at Medicare Part A pilot contractor in FY 2005.
- HIGLAS: Will implement at Medicare Part B pilot contractor in FY 2005.
- HIGLAS: Roll-out Wave 1 will see 3 additional Medicare contractors transitioned through third quarter FY 2005. June 2005
- HIGLAS: Roll-out Wave 2 will see 3 additional Medicare contractors transitioned. September 2005

Long-Term UFMS Milestones:
- NIH Business and Research Support System (NBRSS) - complete deployment. FY 2007
- UFMS and HIGLAS: FFMIA Compliance. End of FY 2006
- UFMS: Department-wide Full Implementation. FY 2007
- HIGLAS: Full Implementation. FY 2007
Material Nonconformance CMS 01-01: CMS Financial Systems, Analysis and Oversight

*This finding is a subset of the Section 4 Department-wide material nonconformance HHS 00-01*

Background

First Year Identified: FY 1997

The financial statement auditors reported that CMS relies on a decentralized organization, complex and antiquated systems, and ad hoc reports to accumulate data for financial reporting due to the lack of an integrated accounting system at the Medicare contractor level. An integrated financial system and strong oversight are needed to ensure that periodic analyses and reconciliations are completed to detect errors in a timely manner. Also, improvement is called for in the oversight of the Managed Care program. The auditors disclosed that there was a lack of and/or inconsistent documentation to evidence the ongoing monitoring and oversight reviews of the Managed Care program. For the Medicaid and the State Children's Health Insurance Programs, the auditors also found that CMS needs to improve its communication processes and procedures to prevent financial statements from being issued that are materially misstated.

Target Correction Date: FY 2006 - FFMIA/FMFIA compliance for UFMS and HIGLAS (the largest Medicare contractors will be using HIGLAS). Implementation of UFMS in accordance with the approved implementation plan will allow HHS to comply with FFMIA by the end of FY 2006.

Brief Description of Corrective Action Plan: While CMS has made significant improvements in financial reporting, the long-term solution to this material weakness is HIGLAS. Until this system is implemented, CMS will continue projects and activities aimed at compensating for the lack of the modernized system. Until this system can be fully implemented, CMS will continue to implement short-term corrective actions, as outlined in its CFO's Comprehensive Plan for Financial Management, to address this material weakness. The four key financial management objectives of this plan are to: (1) improve financial reporting, guidance, and oversight by providing timely, reliable, and accurate financial information that will enable CMS managers and other decision makers to make timely and accurate program and administrative decisions; (2) design and implement effective financial management systems that comply with FFMIA; (3) improve debt collection and internal accounting operations; and (4) validate key financial data to ensure its accuracy and reliability.

Managed Care Program: With regard to the oversight of the Managed Care program, the CMS central office staff will follow up with all regional offices to ensure that the regional offices follow the audit protocols for cost plans, demonstrations, and health care pre-payment plans, follow the Medicare+Choice/Medicare Advantage monitoring guide, and maintain adequate documentation to evidence these reviews. The Health Plan Management System used for management of the Managed Care program will be updated for changes in a timely manner.

Key Milestones for Corrective Action

FY 2005 Milestones:
- Acquire Statement of Accounting Standards (SAS) 70, Service Organizations, and agreed-upon procedure services to validate receivable balances and other financial data. April 2005
- Provide annual financial management training, including analysis, to contractors. July 2005
- Complete SAS 70 internal control reviews. August 2005
- Revise financial management Internet manual. September 2005
- Complete agreed-upon procedure reviews. September 2005
- Establish corrective action plans from agreed-upon procedure reviews. September 2005
- Contractors to implement corrective action plans from reviews. September 2005
- Perform on-site reviews at a sample of contractors. September 2005
- Monitor the monthly CMS 1522 reconciliation submitted by contractors. Monthly
- Perform trend analysis on receivable balances reported. Quarterly
- Implement HIGLAS at selected Medicare contractor locations. FY 2005
- Complete HIGLAS implementation. FY 2007

Managed Care:
- Maintain Medicare Managed Care organization-related documents. Ongoing
- Update Health Plan Management System for any changes in a timely manner. Ongoing

Medicaid:
- Conduct quarterly meetings that include the Administrator, Deputy Administrator, Chief Operating Officer, Chief Actuary, CFO, and Chief Counsel, to ensure all financial statement issues (e.g., potential liabilities) are identified. Quarterly
- Increase regional office oversight of the Medicaid program. Ongoing
Material Nonconformance CMS 01-02: Medicare EDP Controls

*This finding is a subset of the Section 4 Department-wide material nonconformance HHS 00-01*

Background

First Year Identified: FY 1998

The financial statement auditors reported that EDP control weaknesses at CMS central office and the Medicare contractors exist in the areas of entitywide security programs, logical and physical access controls, application security development and program change controls, systems software, and service continuity planning and testing. The majority of the weaknesses were noted at the Medicare contractors, rather than the CMS central office. Audit procedures disclosed no evidence of actual system compromise of security, but in the aggregate the weaknesses identified were considered material. The Department anticipates that this weakness will carry over into FY 2006.

Target Correction Date: FY 2006. The correction date reported in the FY 2003 Performance and Accountability Report was FY 2004. The reason for the change in date is that the CMS modernization is programmed to commence in FY 2004.

Brief Description of Corrective Action Plan: CMS recognizes the significance of security measures regarding Medicare EDP issues as they relate to the integrity, confidentiality, and availability of sensitive Medicare data. CMS received funding in August 2002 to mitigate the most vulnerable weaknesses at the Medicare contractors and data centers. The distribution based on risk analysis was to fund system security plans for the contractor claims processing systems, access controls, systems software, segregation of duties, and service continuity. Funding decisions were risk-based and business-driven. Additional weaknesses were funded in FY 2004 through redistribution of funds remaining from the initial FY 2002 distribution. The full implementation of the modernization program will address issues contributing to the material weakness.

Primarily due to the large size and complexity of the Medicare Fee-for-Service claims processing system and the number of data centers, the completion dates will extend into FY 2006. The sheer magnitude of the Medicare claims processing system, encompassing 16 data centers and 33 entities that process claims, coupled with the level of aggressive oversight,
guarantees that there will always be findings. The
issue is to keep these findings to a manageable number
with no critical vulnerabilities.
It is important to
note that funding has been requested and received for FY
2004 as part of the CMS Modernization initiative.
Additional funding is requested for FY 2005. The CMS
Modernization initiative is the long-term plan for
addressing these security issues, e.g., by reducing the
security perimeter through Medicare contractor reform and
data center consolidation.
|
Key Milestones for
Corrective Action
|
FY 2005
Milestones:
-
Require Medicare contractors to use CMS
systems security methodology to develop plans in the
future as funding permits. September 2005
-
Develop and implement consistent and
effective physical and logical access procedures,
including administration and monitoring of access by
contractor personnel in the course of their job
responsibilities. September 2005
-
Provide guidance to contractors for
computer security configuration settings.
Completed
-
Develop and implement consistent and
effective application security, development and program
change controls, e.g., to document and control the
authorized use of system edits. September
2005
-
Develop additional testing procedures for
selected Medicare sites for application changes.
September 2005
-
Enhance system software settings/controls
for network servers. Completed
-
Develop and implement more consistent
change control procedures for selected applications.
September 2005
-
Strengthen password controls for selected
applications. September 2005
-
Ensure service continuity planning and
testing at both contractor sites and at the CMS central
office. September 2005
-
Implement security enhancements addressing
the performance problem areas. September
2006
-
In conjunction with the OIG, develop a
strategy focusing on repeat findings, and based on the
funding availability, take action to address the root
causes of findings enterprise-wide. September
2006
|
|