United States Department of Health & Human Services

Appendix D - FY 2004 Federal Managers' Financial Integrity Act Report on Systems and Controls

The Federal Managers' Financial Integrity Act (FMFIA) requires agencies to provide an annual statement of assurance on the effectiveness of their management, administrative, and accounting controls (Section 2 of the Act), and financial management systems (Section 4 of the Act). Significant deficiencies in internal controls are considered material weaknesses; significant deficiencies in financial management systems are considered material nonconformances. The full text of the Secretary's assurance statement for FY 2004 can be found in the Secretary's Letter at the beginning of this report; the Sections 2 and 4 results are discussed in the following pages. At the end of FY 2004, the Secretary reported three material weaknesses and one material nonconformance.

FMFIA Section 2 Material Weakness and Section 4 Nonconformances Outstanding

| | FY 2000 | FY 2001 | FY 2002 | FY 2003 | FY 2004 |
|---|---|---|---|---|---|
| Section 2 Material Weaknesses Outstanding | | | | | |
| From Prior Year | 5 | 5 | 2 | 1 | 0 |
| New | 0 | 0 | 0 | 0 | 3 |
| Corrected/Reclassified | 0 | 3* | 1 | 1** | 0 |
| Outstanding as of 9/30/2004 | | | | | 3 |
| Section 4 Material Nonconformances Outstanding | | | | | |
| From Prior Year | 0 | 0 | 1 | 1 | 1 |
| New | 0 | 1* | 0 | 0 | 0 |
| Corrected/Reclassified | 0 | 0 | 0 | 0 | 0 |
| Outstanding as of 9/30/2004 | | | | | 1 |

*Financial Systems and Processes (HHS-00-01). This single Section 4 finding reflects HHS' action during FY 2001 to combine the following three Section 2 material weakness findings into a single finding and reclassify the combined finding as a Section 4 nonconformance item (details and status in chart below):

  • Financial Systems and Processes (HHS-00-01)  (1a below)
  • Financial Systems Analysis and Oversight (CMS 01-01) including Managed Care   (1b below)
  • Medicare EDP Controls (CMS 01-02)   (1c below)

** "Deficiency in the Enforcement Program for Imported Foods" (FDA 89-02). Due to substantial FDA efforts, HHS no longer considers FDA 89-02 to be material at the department-wide level. FDA continues to report this material weakness in its FMFIA report with a targeted correction date of FY 2005.

Status of Outstanding FMFIA Material Weaknesses or Nonconformances

| # | Title & Identification Code | First FY Reported | Target Correction Date |
|---|---|---|---|
| Section 2 | | | |
| | FISMA significant deficiency. ID: HHS-04-01 | FY 2004 | End of FY 2005 |
| | Departmental Payroll System. ID: HHS-04-02 | FY 2004 | End of FY 2005 |
| | Departmental Financial Reporting. ID: HHS-04-03 | FY 2004 | FY 2005 |
| Section 4 | | | |
| 1a | Financial Systems & Processes. ID: HHS 00-01 | FY 2001 | UFMS FMFIA and FFMIA compliance (FY 2006); UFMS full implementation (FY 2007) |
| 1b | CMS Financial Systems Analysis and Oversight (Including Medicare Accounts Receivable and Managed Care). ID: CMS 01-02 (formerly HCFA 97-02) | FY 2001 | HIGLAS FFMIA compliance (FY 2006); HIGLAS full implementation (FY 2007) |
| 1c | Medicare EDP Controls, including Application Controls for Medicare Contractors. ID: CMS 01-02 (formerly HCFA 98-01a) | FY 2001 | FY 2006 (Previously reported as FY 2004 in FY 2003 report) |

Section 2 Material Weaknesses

HHS reports three new Section 2 material weaknesses: 1) FISMA significant deficiency; 2) Departmental Payroll System; and 3) Departmental Financial Reporting.

Federal Information Systems Management Act (FISMA) Significant Deficiency (HHS-04-01)

In the Department's FY 2004 FISMA report to the Office of Management and Budget (OMB), dated October 6, 2004, the OIG executive overview identified one "significant deficiency" at the Department level:

      "Our FY 2004 FISMA evaluation determined that the Department has a significant deficiency in its information system security program relating to contingency planning and disaster recovery. Our evaluation identified weaknesses in these areas at 11 of 13 HHS Agencies. For 6 HHS Agencies this was a repeat finding from a previous FISMA evaluation."

Per OMB FY 2004 guidance, a significant deficiency under FISMA is to be reported as an FMFIA material weakness under Section 2. HHS believes that although contingency planning and disaster recovery need to be addressed, this significant deficiency has little impact on day-to-day processing. According to the HHS Chief Information Officer, this finding is not a statement that some particular system has been compromised, although the FISMA report notes a few areas of improvement and contains a list of things HHS needs to do better. OIG also reported that another component of the deficiency is the Medicare EDP controls, which has already been identified through the Chief Financial Officer (CFO) audit process. This is a repeat finding and is addressed separately as part of the one Section 4 material nonconformance discussed below.

The FISMA report contains a corrective action plan to address these findings and includes a target date of September 30, 2005 for completing corrective action. However, due to FISMA confidentiality requirements, FISMA report findings are not published and therefore a detailed corrective action plan is not included in this published FMFIA report.

Departmental Payroll System (HHS-04-02)

The auditors found that there are significant deficiencies in the Departmental Payroll System that could result in misstatements to payroll-account balances and the Commissioned Corps liability, improper payments, release of sensitive data, and reduced controls over safeguarding of assets.

The Department is committed to putting any necessary remedial or preventive mechanisms in place to improve our audit standing. However, there are some areas where reasonable explanations were provided to findings and these areas may not change. We fully embrace having solid oversight responsibilities for payroll and personnel and have already implemented procedures and processes that address many of the concerns discovered during our massive data cleanup efforts. We believe that our efforts in the HR consolidation, implementing Department-wide automated HR systems, and the transition to the Defense Finance and Accounting Service scheduled for March 2005 will enhance our ability to have a solid payroll system.

Departmental Financial Reporting (HHS-04-03)

The auditors found that the department lacks a coordinated process among cross-functional teams of finance, operations and legal personnel to monitor business activities to identify situations where accounting evaluation or decision-making may be necessary. The issue that gave rise to this problem is that HHS had a significant policy issue at the end of FY '04 that had a material impact on its financial statements. This issue was below the materiality threshold in prior years.

In response to the auditor's findings, HHS is taking the following actions. HHS will: (1) appoint a single point of contact (POC) within the HHS CFO's office responsible for early identification and resolution of significant policy issues that have an impact on HHS financial statements; (2) strengthen its existing CFO Quarterly Meetings with OPDIV CFOs at the Department level to ensure coordination among cross-functional teams of finance, operations, and legal personnel to identify significant programmatic activities that may impact the quarterly and annual financial statements; (3) hold OPDIV CFOs accountable for ensuring that programmatic and related legal issues are promptly identified and communicated to the HHS CFO POC; and (4) engage the active participation of OMB officials in the resolution of any significant policy issues.

Section 4 Material Nonconformance

At the end of FY 2004, HHS reported one Section 4 nonconformance, Financial Systems and Processes (HHS 00-01). This finding comprised three component findings: the Department-wide audit finding, and the two separate audit findings at the Centers for Medicare & Medicaid Services (CMS) -- Financial Systems Analysis and Oversight (CMS 01-01) and Medicare EDP [electronic data processing] Controls (CMS 01-02). Implementation of the Unified Financial Management System (UFMS) will provide the long-term solution to these problems and eliminate the Section 4 nonconformance by the end of FY 2006. As part of the Financial Analysis and Oversight component finding the auditors also determined that internal controls over the Managed Care program need to be improved. The auditors disclosed that there was a lack of and/or inconsistent documentation to evidence the on-going monitoring and oversight reviews of the Managed Care program.

HHS auditors have cited the Department's lack of an integrated accounting system as a material weakness and a specific impediment in preparing timely financial reports and statements. As part of Secretary Thompson's "One HHS" approach to managing the Department, HHS is developing and implementing an integrated UFMS to provide for Department-wide financial reporting. UFMS will generate interim and annual financial statements, as well as other required external and internal financial reports. UFMS consists of two primary components: the Health Care Integrated General Ledger System (HIGLAS), dedicated to CMS, and the second dedicated to the rest of HHS. FY 2005 will see a significant achievement for the UFMS effort. By the end of the year the system will be deployed at the Centers for Disease Control and Prevention (CDC) and the Food and Drug Administration (FDA). The National Institutes of Health (NIH) Business and Research Support System (NBRSS) has already been "stood up" and the HIGLAS will have been deployed at eight of the largest CMS Medicare contractors. This level of deployment will not comply with the requirements of the Federal Financial Management Improvement Act (FFMIA). The Department will not meet this level of materiality of financial operations until the end of FY 2006.

In the short term, HHS Agencies have continued to make substantial progress in addressing account analysis and reconciliation problems that contribute to the Department's FMFIA Section 4 nonconformance.

  • NIH has implemented numerous additional analyses and reconciliations; a new, more disciplined and controlled process to prepare the trial balances from which NIH financial statements are prepared; and has identified additional areas of potential improvement on which NIH has already begun work. Also, NIH plans to validate or change certain internal processes and provide significant training to staff. This effort will result in benefits to accounting operations and to the administrative operations of Institutes and Centers. The Office of Financial Management, working with the NIH Center for Information Technology, has implemented a new web-based tool that allows staff to analyze all general ledger accounts individually and by transaction codes online. This has allowed NIH to correct and compensate for some of the deficiencies noted by auditors. The information is more reliable and available in a timely manner for review and reporting.

  • CDC conducts periodic reviews, as well as monthly and quarterly reconciliations. CDC created the trial balance and financial statements offline using a manually-intensive process, which required excessive resources and increased the chance of error. The new UFMS will eliminate this material weakness by generating financial statements without the manually-intensive process.

  • Auditors reported in their FY 2004 CMS audit report that, overall, the Medicare contractors continue to significantly improve the maintenance of supporting records for financial activities and year end balances. However, the lack of an integrated financial management system continues to impair CMS and its Medicare contractors' abilities to efficiently and effectively support and analyze accounts receivable and other reported financial balances on a timely basis. The CMS long-range plan to address this material weakness is to implement, including Medicare contractors, a Joint Financial Management Improvement Program-approved integrated general ledger accounting software package.

  • Managed Care Program -- CMS central office has revised its Standard Operating Procedures (SOP) regarding the Managed Care program and has posted the SOP on the Intranet. The Preferred Provider Organization Demonstration Guide was completed June 2004, and the Health Care Pre-payment Plans Guide was revised and completed in June 2004. The attestation module in the Health Plan Management System has been completed and is operational.

CMS also continues to make substantial progress on mitigating the EDP control weaknesses and has revised its target for completing the related corrective action to FY 2006. CMS reports that the material weakness for the Medicare EDP controls is very complex involving approximately 33 contracts with the fiscal intermediaries and carriers who process claims using 16 data centers. Because of this complexity, resolution of the material weakness will take time and resources. The long-term strategy in eliminating the material weakness is rooted in the CMS modernization initiative that will further improve HHS' security posture. The President's budget for FY 2005 includes funding for information technology modernization. A more secure system environment is a key component of the IT modernization plan. CMS is implementing its plan using a two-track policy for security. On the first track, CMS is aggressively taking reasonable and appropriate remedial steps to close the highest risk vulnerabilities. These actions are reflected in HHS' Plan of Action and Milestones (POA&M) report. On the second complementary track, CMS is building security into the agency's modernized infrastructure through capital investments targeted to reduce its security perimeter. CMS will limit its exposure to risk through such preemptive measures as data center consolidation and simplifying application development in a way that leaves less opportunity for exploitation than is the case in the current highly complex systems environment. To reinforce this further, CMS' Information Services Modernization Implementation Strategy includes security components for application modernization, data modernization, and infrastructure modernization. The CMS' main effort is on building a secure infrastructure versus managing corrective actions. CMS intends to be proactive in managing IT modernization and will address all audit results as part of the POA&M report process.

The following tables provide corrective action plans for the following:

  • Departmental Payroll System (material weakness);
  • Departmental Financial Reporting (material weakness); and
  • Financial Systems and Processes, a material nonconformance, which includes three sub-components:
    • Departmentwide (HHS-00-01),
    • CMS Financial Systems Analysis and Oversight (CMS 01-02), and
    • Medicare Information System Controls (CMS 01-02).

Section 2 Material Weakness HHS 04-02 Departmental Payroll System

Background

This material weakness was first identified in FY 2004.

The Department’s Payroll System internal controls need strengthening. The auditor's findings included some errors in pay, annual and sick leave balances, FEGLI withholding and insufficient or incorrect supporting documentation.

Summary of Corrective Action Approach: HHS has made significant changes to its human resources operation in response to the President’s Management Agenda (PMA). It was one of the first agencies to embrace the e-Gov e-Payroll initiative to consolidate to four payroll providers. As part of this initiative, in FY 2001, HHS established a goal of consolidating its human resources services activities. Beginning in FY 2002, several of our Operating Divisions internally consolidated their human resources function to a single office. The final step in the consolidation took place in January 2004, when we established the Human Resources Centers (HRCs). The recent implementation of this consolidation was designed to consolidate more than 40 decentralized HR offices into 4 HR service centers. This initiative has helped us recognize the need for improvement in our HR operations to include more training, periodic review of how our systems interface, and establishment of consistent processes and policies across the Department.

As we move forward in these areas, our human resources staff are also devoting an enormous amount of time to other efforts. For example, of primary concern is the transition of payroll services to the Defense Finance and Accounting Service (DFAS), which is scheduled for March 2005. Additionally, the Electronic Official Personnel Folders (eOPF) project is scheduled for implementation from December 2004 - September 2005.

These initiatives (i.e., HR consolidation, transition to DFAS, and migration to the eOPF) have focused our attention on several issues we need to address before the transition to DFAS and eOPF. We are also committed to putting any necessary remedial or preventive mechanisms in place to improve our audit standing. However, there are some areas where reasonable explanations were provided to findings and these areas may not change. We fully embrace having solid oversight responsibilities for payroll and personnel and have already implemented procedures and processes that address many of the concerns discovered during our massive data cleanup efforts. We believe that our efforts in the HR consolidation, implementing Department-wide automated HR systems, and the DFAS transition will enhance our ability to have a solid payroll system.

Target Correction Date: FY 2005 - We believe the HR consolidation, implementation of the e-OPF and transition to the DFAS are providing the Department with opportunities to comply with the FMFIA by the end of FY 2005.

Key Milestones for Corrective Action

Completed Corrective Actions:

  • Organized and planned for e-Payroll transition.  May 2003
  • Analyzed and built Phase 1 and 2 for e-Payroll transition.  October 2004
  • Established Human Resources Workgroup to identify requirements, prioritize enhancement requests, participate in testing EHRP changes, and serve as conduit for information on HR, e-Payroll.   August 2004
  • Established an accountability and technology initiative to ensure communications and teamwork.  August 2004
  • Trained human resources staff  (i.e., timekeepers, payroll liaisons, ITAS representatives, etc.) to prepare for expected move to DFAS.  August 2004
  • Reissued documentation on appropriate Commissioned Corps survivor benefit procedures.  December 2004

FY 2005 Planned Actions:

  • Continue to present to the IT Investment Review Board (ITIRB) all changes to the HR systems.  December 2004 - September 2005
  • Test and prepare for e-Payroll transition to DFAS.  March 2005
  • Clean up and validate personnel files; and test and prepare for the migration to the eOPF: implementation.  December 2004 - September 2005
  • Provide training and/or distribute guidelines on time and leave policy.   January - September 2005
  • Implement periodic checks for accuracy on civilian and Commissioned Corps actions. FY 2005
  • Provide mini training sessions that target specific recurring types of errors (i.e., special pay, retention allowances, timekeeper, data entry, and systems, etc.).   January - September FY 2005

Section 2 Material Weakness HHS 04-03 Departmental Financial Reporting

    Background

    This material weakness was first identified in FY 2004.

    Accelerated government-wide financial reporting requirements mean that policy decisions that have an impact on agency financial statements must be resolved by Federal agencies in a timely manner, so that audited financial statements are issued on time and within federal requirements. In order to meet these requirements, HHS policy officials need to develop a more effective approach for the early identification and resolution of significant policy issues that have an impact on HHS financial statements. This approach should include coordination early and throughout the process with appropriate officials both within and outside HHS.

    The issue that gave rise to this problem is that HHS had a significant policy issue at the end of FY ’04 that had a material impact on its financial statements. This issue was below the materiality threshold in prior years. As a result, the HHS auditors found that the Department lacks a coordinated process among cross-functional teams of finance, operations, and legal personnel to monitor business activities and identify situations where accounting evaluation or decision-making may be necessary; and that no structured process exists to communicate potential loss contingencies to legal or accounting personnel.  Further, the auditors found that upon identification of potential loss contingencies, no rational, structured process exists to ensure timely resolution of accounting questions by appropriate personnel.  This condition could also impact the ability to rely on financial reporting from other OPDIVs or HHS as a whole.

    One of the auditor’s recommendations is the establishment of appropriate policies, procedures and protocol, including clearly assigning responsibility, to address situations or transactions that require cross-functional involvement in determining accounting-related estimates. The financial management function should coordinate and facilitate the involvement of the other cross-functional units whose input is an important factor in formulating the amount of the estimate.

    Target Correction Date: FY 2005

    Summary of Corrective Action Approach: HHS will: (1) appoint a single point of contact (POC) within the HHS CFO’s office responsible for early identification and resolution of significant policy issues that have an impact on HHS financial statements; (2) strengthen its existing CFO Quarterly Meetings with OPDIV CFOs at the Department level to ensure coordination among cross-functional teams of finance, operations, and legal personnel to identify significant programmatic activities that may impact the quarterly and annual financial statements; (3) hold OPDIV CFOs accountable for ensuring that programmatic and related legal issues are promptly identified and communicated to the HHS CFO POC; and (4) engage the active participation of OMB officials in the resolution of any significant policy issues.

    Key Milestones for Corrective Action

    • Appoint an HHS CFO POC who will be responsible to develop an effective approach for the early identification and resolution of significant policy issues that have an impact on HHS financial statements.  The approach will be approved by appropriate policy officials and clearly communicated to affected personnel.  December 2004
    • The HHS CFO POC will meet with OPDIV CFOs on lessons learned from the FY ’04 audit. OPDIV CFOs will assess their current internal review processes for early identification of any issues with materiality and legal implications that could lead to significant financial statement adjustments including review of their OPDIV’s FY ’04 legal representation letters with legal staff as a baseline.  Any such issues will be promptly communicated to the HHS CFO POC who will follow the established approach including notification and coordination within and outside HHS.    January 2005
    • Beginning with the first CFO quarterly meeting in CY ’05, utilize individual CFO Quarterly meetings with OPDIV CFOs to reinforce to OPDIV CFOs their obligation to reach out to program directors and legal staff to identify early significant programmatic activities that may materially impact the quarterly and annual financial statements, to promptly notify the HHS CFO POC, and to assist in timely resolution of all issues to meet financial reporting requirements.  February 2005 and quarterly thereafter
    • Continue to hold financial statement assessment meetings with OPDIV CFOs to address significant issues that may impact the financial statement audit and reinforce and follow the approved approach.  At least quarterly

    Section 4 Material Nonconformance HHS 00-01 Department-wide Financial Systems and Processes

    Background

    This Department-wide material nonconformance was first identified in FY 2000.

    The Department continues to have serious internal control weaknesses in its financial systems and processes for producing financial statements.  The FY 2003 CFO audit and the FMFIA Report reflected a material non-conformance Department-wide under the FFMIA, which was reclassified in FY 2001 under Section 4 of the FMFIA as Financial Systems and Processes  (HHS-00-01). This finding combined the Department-wide audit finding with the audit findings at CMS.  CMS’ FY 2003 financial statements audit revealed the same two material weaknesses as in the FY 2002 audit, specifically: Financial Systems and Analysis (CMS-01-01) and Medicare EDP Controls (CMS 01-02). For NIH, the auditors concluded that NIH financial systems, including mixed systems, do not fully conform to all government-wide standards required by OMB Circular A-127, Financial Management Systems. For CDC, the FY 2003 audit reported that CDC’s financial system did not have the capability to generate financial statements.

    Target Correction Date: FY 2006 - FFMIA/FMFIA compliance for UFMS and HIGLAS (the largest Medicare contractors will be using HIGLAS).  Implementation of UFMS in accordance with approved implementation plan will allow HHS to comply with the FFMIA/FMFIA by the end of FY 2006. OMB, as a result of its review of key UFMS planning documents and discussions with HHS officials, recognized in its quarterly progress reports for the President’s Management Agenda (PMA) that the Department’s current PMA financial management "status" could improve when the UFMS is substantially implemented at the end of FY 2006 and this nonconformance is resolved or downgraded to a reportable condition.  In the short term, account analysis and reconciliations are helping to mitigate systems weaknesses.  Full UFMS/HIGLAS implementation is expected in FY 2007.

    Key Milestones for Corrective Action

    FY 2004 Milestones:

    • HIGLAS -- Delivered the capability to execute the claims payment processing cycle including inbound claim, payment generation with AR/AP netting, and outbound notification. Provided the business flow in the pilot contractor setting.   Completed October 2003
    • NIH/NBS -- Finance and accounting functionality go live with FY 2004 travel transactions being posted to the ORACLE sub-ledgers and flowing to the general ledger.  Completed October 2003
    • UFMS/Global -- Conducted CRP2 conference room pilots in CDC, Atlanta to validate: (1) that the system as configured can accommodate CDC's integrated business processes; (2) the integration of specific external systems using interface processes plus cross-module and cross-functional activities, not including data validation; and (3) specific global interfaces and extensions. Completed March 23 through April 1, 2004
    • UFMS/Global -- Based on discussions with OMB, HHS submitted draft proposal to OMB regarding PMA criteria for "Accurate financial information on demand used for day-to-day management."  June 2004 (Draft proposal pending management and OMB review)
    • UFMS/Global -- Shared Services study was completed on schedule.  Recommendations for a structure focused on continuous quality improvements were presented to the UFMS Planning and Development and Steering Committees and approval for implementation and/or further development was granted.  Completed May 2004
    • NIH/NBS System -- Continue and complete data conversion.  May 2004
    • HIGLAS -- Add history, deliver functionality for system and accounting auditability, and summary/detail document level history.  Also add the balance of functionality needed to complete the full business "footprint" of the claims payment process.  September 2004

    FY 2005 Milestones:

    • CDC and FDA implement UFMS general ledger and payroll accounting activities.  October 2004
    • CDC to implement grant accounting.   First quarter
    • FDA and CDC to implement the full scope of UFMS.   April 2005
    • HIGLAS: Will implement at Medicare Part A pilot contractor in FY 2005.
    • HIGLAS: Will implement at Medicare Part B pilot contractor in FY 2005.
    • HIGLAS: Roll-out Wave 1 will see 3 additional Medicare contractors transitioned through third quarter FY 2005.  June 2005
    • HIGLAS: Roll-out Wave 2 will see 3 additional Medicare contractors transitioned.  September 2005

    Long-Term UFMS Milestones:

    • NIH Business and Research Support System (NBRSS) - complete deployment.  FY 2007
    • UFMS and HIGLAS: FFMIA Compliance.  End of FY 2006
    • UFMS: Department-wide Full Implementation.  FY 2007
    • HIGLAS: Full Implementation.  FY 2007

    Material Nonconformance
    CMS 01-01 CMS Financial Systems, Analysis and Oversight
    *This finding is a subset of the Section 4 Department-wide material nonconformance HHS 00-01*

    Background

    First Year Identified: FY 1997

    The financial statement auditors reported that CMS relies on a decentralized organization, complex and antiquated systems, and ad hoc reports to accumulate data for financial reporting due to the lack of an integrated accounting system at the Medicare contractor level.  An integrated financial system and strong oversight are needed to ensure that periodic analyses and reconciliation are completed to detect errors in a timely manner. Also, improvement is called for in the oversight of the Managed Care program. The auditors disclosed that there was a lack of and/or inconsistent documentation to evidence the ongoing monitoring and oversight reviews of the Managed Care program.  For the Medicaid and the State Children's Health Insurance Programs, the auditors also found that CMS needs to improve its communication processes and procedures to prevent financial statements from being issued that are materially misstated.

    Target Correction Date: FY 2006 - FFMIA/FMFIA compliance for UFMS and HIGLAS (the largest Medicare contractors will be using HIGLAS).  Implementation of UFMS in accordance with approved implementation plan will allow HHS to comply with FFMIA by the end of FY 2006.

    Brief Description of Corrective Action Plan: While CMS has made significant improvements in financial reporting, the long-term solution to this material weakness is HIGLAS.  Until this system is implemented, CMS will continue projects and activities aimed at compensating for the lack of the modernized system.  Until this system can be fully implemented, CMS will continue to implement short-term corrective actions, as outlined in its CFO’s Comprehensive Plan for Financial Management, to address this material weakness.  The four key financial management objectives of this plan are to:  (1) improve financial reporting, guidance, and oversight by providing timely, reliable, and accurate financial information that will enable CMS managers and other decision makers to make timely and accurate program and administrative decisions, (2) design and implement effective financial management systems that comply with FFMIA, (3) improve debt collection and internal accounting operations, and (4) validate key financial data to ensure its accuracy and reliability.

    Managed Care Program: With regard to the oversight of the Managed Care program, the CMS central office staff will follow up with all regional offices to ensure that the regional offices follow the audit protocols for cost plans, demonstrations, and health care pre-payment plans, follow the Medicare+Choice/Medicare Advantage monitoring guide, and maintain adequate documentation to evidence these reviews.  The Health Plan Management System used for management of the Managed Care program will be updated for changes in a timely manner.

    Key Milestones for Corrective Action

    FY 2005 Milestones:

    • Acquire Statement of Accounting Standards (SAS) 70, Service Organizations, and agreed upon procedure services to validate receivable balances and other financial data.  April 2005
    • Provide annual financial management training, including analysis, to contractors. July 2005
    • Complete SAS 70 internal control reviews. August 2005
    • Revise financial management Internet manual. September 2005
    • Complete agreed-upon procedure reviews. September 2005
    • Establish corrective action plans from agreed-upon procedure reviews. September 2005
    • Contractors to implement corrective action plans from reviews. September 2005
    • Perform on-site reviews at a sample of contractors. September 2005
    • Monitor the monthly CMS 1522 reconciliation submitted by contractors. Monthly
    • Perform trend analysis on receivable balances reported. Quarterly
    • Implement HIGLAS at selected Medicare contractor locations.  FY 2005
    • Complete HIGLAS implementation.  FY 2007

    Managed Care:

    • Maintain Medicare Managed Care organization-related documents. Ongoing
    • Update Health Plan Management System for any changes in a timely manner. Ongoing

    Medicaid:

    • Conduct quarterly meetings that include the Administrator, Deputy Administrator, Chief Operating Officer, Chief Actuary, CFO, and Chief Counsel, to ensure all financial statement issues (e.g., potential liabilities) are identified.  Quarterly
    • Increase regional office oversight of the Medicaid program.  Ongoing

    Material Nonconformance
    CMS 01-02 Medicare EDP Controls
    *This finding is a subset of the Section 4 Department-wide material nonconformance HHS 00-01*

    Background

    First Year Identified: FY 1998

    The financial statement auditors reported that EDP control weaknesses at CMS central office and the Medicare contractors exist in the areas of entitywide security programs, logical and physical access controls, application security development and program change controls, systems software, and service continuity planning and testing. The majority of the weaknesses were noted at the Medicare contractors, rather than the CMS central office. Audit procedures disclosed no evidence of actual system compromise of security, but in the aggregate the weaknesses identified were considered material. The Department anticipates that this weakness will carry over into FY 2006.

    Target Correction Date: FY 2006.  The correction date reported in the FY 2003 Performance and Accountability Report was FY 2004.  The reason for the change in date is that the CMS modernization is programmed to commence in FY 2004. 

    Brief Description of Corrective Action Plan:  The CMS recognizes the significance of security measures regarding Medicare EDP issues as they relate to the integrity, confidentiality, and availability of sensitive Medicare data.  CMS received funding in August 2002 to mitigate the most vulnerable weaknesses at the Medicare contractors and data centers.  The distribution based on risk analysis was to fund system security plans for the contractor claims processing systems, access controls, systems software, segregation of duties, and service continuity.  Funding decisions were risk-based and business-driven.  Additional weaknesses were funded in FY 2004 through redistribution of funds remaining from the initial FY 2002 distribution.  The full implementation of the modernization program will address issues contributing to the material weakness.

    Primarily due to the large size and complexity of the Medicare Fee-for-Service claims processing system and number of data centers, the completion dates will extend into FY 2006. The sheer magnitude of the Medicare claims processing system, encompassing 16 data centers and 33 entities that process claims, coupled with the level of aggressive oversight, guarantees that there will always be findings.  The issue is to keep these findings to a manageable number with no critical vulnerabilities.

    It is important to note that funding has been requested and received for FY 2004 as part of the CMS Modernization initiative.  Additional funding is requested for FY 2005.  The CMS Modernization initiative is the long-term plan for addressing these security issues, e.g., by reducing the security perimeter through Medicare contractor reform and data center consolidation.

    Key Milestones for Corrective Action

    FY 2005 Milestones:

    • Require Medicare contractors to use CMS systems security methodology to develop plans in the future as funding permits. September 2005
    • Develop and implement consistent and effective physical and logical access procedures, including administration and monitoring of access by contractor personnel in the course of their job responsibilities.   September 2005
    • Provide guidance to contractors for computer security configuration settings.  Completed
    • Develop and implement consistent and effective application security, development and program change controls, e.g., to document and control the authorized use of system edits.   September 2005
    • Develop additional testing procedures for selected Medicare sites for application changes.   September 2005
    • Enhance system software settings/controls for network servers.   Completed
    • Develop and implement more consistent change control procedures for selected applications.   September 2005
    • Strengthen password controls for selected applications.   September 2005
    • Ensure service continuity planning and testing at both contractor sites and at the CMS central office.  September 2005
    • Implement security enhancements addressing the performance problem areas.   September 2006
    • In conjunction with the OIG, develop a strategy focusing on repeat findings, and based on the funding availability, take action to address the root causes of findings enterprise-wide.  September 2006