Agencies are gaining more control over how to upgrade their financial management systems.
Instead of maintaining a strict set of rules around the technology requirements for federal systems, the Office of Management and Budget will rescind Circular A-127, which governs financial systems, and, through a new memo, move and simplify those regulations into Appendix D of Circular A-123. OMB Director Sylvia Burwell wrote in the memo to agency leaders, “The goal of this Appendix is to transform our compliance framework so that it will contribute to efforts to reduce the cost, risk, and complexity of financial system modernizations. The objective of this approach will be to provide additional flexibility for federal agencies to initiate smaller-scale financial modernizations as long as relevant financial management outcomes (e.g., clean audits, proper controls, timely reporting) are maintained.”
In a nutshell, implementing the Federal Financial Management Improvement Act (FFMIA) has become arduous and ended up forcing agencies into costly financial management upgrades.
So now Appendix D is more streamlined. OMB reduced the number of requirements from more than 500 to about 60 that focus on outcome or output.
OMB began to dismantle FFMIA regulations over the last several years. The administration closed down the Federal Systems Integration Office (FSIO) in March 2011 and moved a lot of the oversight and standards work to the Treasury Department’s Office of Financial Innovation and Transformation (OFIT).
FSIO and its predecessor, the Joint Financial Management Improvement Program (JFMIP), which stopped approving vendor software several years ago, set requirements for federal financial systems to meet, and it took vendors years to gain approval.
Today, OFIT has subsumed much of that work, placing a higher level of focus on shared services and setting financial management standards.
In the memo, Burwell said Appendix D no longer includes the lengthy, resource-intensive financial system software test and certification requirement. It also disposes of the rule that forced agencies to use a single technology product to meet all the financial management system requirements. Instead, Burwell said the appendix “emphasizes the deployment of newer, cost-effective technology through shared service approaches.”
OMB mandated in March that agencies move to shared services for their financial systems when they are ready to upgrade.
The appendix specifically addresses how FFMIA applies to shared services providers and agency customers.
“For agencies that use shared service organizations, the service organizations are required to provide customer agencies with a report on controls at a service organization relevant to user entities’ internal control over financial reporting (also known as a SOC 1),” OMB wrote. “The SOC 1 is an important tool for agency management and auditors as they evaluate the effect of the controls at the service organization on the user entities’ controls for financial reporting. Agency and auditor testing of a service provider’s controls could take the form of input/output controls, performance monitoring or process controls.”
More broadly, OMB said agency compliance should focus on reducing and managing risk based on its goals around financial management.
“An agency does not have to be at low risk for each compliance indicator to be in compliance with FFMIA,” the appendix stated. “Still, lower risk should decrease the likelihood that an agency is not in compliance, while higher risk should increase the likelihood that an agency is not in compliance.”
OMB also issued an A-123 Compliance Framework that breaks down the necessary steps agencies need to take into three buckets:
Financial management goals, which include financial information management and reporting;
Compliance indicators, which include internal control reviews, audit results and cybersecurity reviews;
Section 803(a) requirements, which include accounting standards, system requirements and standard general ledger rules.
“The FFMIA Compliance Determination Framework goals and compliance indicators are intended to be used during the ongoing operation of federal financial management systems,” OMB wrote. “Agency heads should use the goals and compliance indicators to assist in determining FFMIA compliance. If a goal is not met, then the agency head should evaluate the associated financial management system requirements and the effectiveness of related internal controls to help identify the root cause(s) of failure to meet the goal.”