This is the accessible text file for GAO report number GAO-04-774 entitled 'Financial Management: Department of Homeland Security Faces Significant Financial Management Challenges' which was released on July 29, 2004. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate: July 2004: FINANCIAL MANAGEMENT: Department of Homeland Security Faces Significant Financial Management Challenges: GAO-04-774: GAO Highlights: Highlights of GAO-04-774, a report to The Honorable Joseph I. Lieberman, Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate: Why GAO Did This Study: When the Department of Homeland Security (DHS) began operations in March 2003, it faced the daunting task of bringing together 22 diverse agencies. This transformation poses significant management and leadership challenges, including integrating a myriad of redundant financial management systems and addressing the existing weaknesses in the inherited components, as well as newly identified weaknesses. This review was performed to (1) identify the financial management systems’ weaknesses DHS inherited from the 22 component agencies, (2) assess DHS’s progress in addressing those weaknesses, (3) identify plans DHS has to integrate its financial management systems, and (4) review whether the planned systems DHS is developing will meet the requirements of relevant financial management improvement laws. What GAO Found: DHS inherited 30 reportable internal control weaknesses identified in prior component financial audits with 18 so severe they were considered material weaknesses. These weaknesses include insufficient internal controls, system security deficiencies, and incomplete policies and procedures necessary to complete basic financial information. Of the four inherited component agencies that had previously been subject to stand-alone audits, all four agencies’ systems were found not to be in substantial compliance with the requirements of the Federal Financial Management Improvement Act (FFMIA), an indicator of whether a federal entity can produce reliable data for management and reporting purposes. Component agencies took varied actions to resolve 9 of the 30 inherited internal control weaknesses. The remaining 21 weaknesses were combined and reported as material weaknesses or reportable conditions in DHS’s first Performance and Accountability Report, or were reclassified by independent auditors as lower-level observations and recommendations. Combining or reclassifying weaknesses does not resolve the underlying internal control weakness, or mean that challenges to address them are less than they would have been prior to the establishment of DHS. The following table summarizes the current status of the weaknesses DHS inherited from component agencies. Status of 30 Inherited Weaknesses in 2003 Audit [See PDF for image] [End table] DHS is in the early stages of acquiring a financial enterprise solution to consolidate and integrate its business functions. Initiated in August 2003, DHS expects the financial enterprise solution to be fully deployed and operational in 2006 at an estimated cost of $146 million. Other agencies have failed in attempts to develop financial management systems with fewer diverse operations. Success will depend on a number of variables, including having an effective strategic management framework, sustained management oversight, and user acceptance of the efforts. It is too early to tell whether DHS’s planned financial enterprise solution will be able to meet the requirements of relevant financial management improvement laws. As of June 2004, DHS is not subject to the CFO Act and thus FFMIA, which is applicable only to agencies subject to the CFO Act. While DHS is currently not required to report on compliance with FFMIA, its auditors disclosed systems deficiencies that would have likely resulted in noncompliance issues. What GAO Recommends: GAO is making eight recommendations to improve financial management at DHS, including recommendations to give continued attention to resolving all previously reported internal control weaknesses and adhere to FFMIA requirements even though not statutorily required to do so. GAO also believes Congress should enact legislation to designate DHS as a Chief Financial Officers Act (CFO Act) agency. DHS generally agreed with the overall findings and recommendations. www.gao.gov/cgi-bin/getrpt?GAO-04-774. To view the full product, including the scope and methodology, click on the link above. For more information, contact McCoy Williams at (202) 512-6906 or williamsm1@gao.gov. [End section] Contents: Letter: Results in Brief: Background: DHS Inherited Significant Weaknesses from Its Component Agencies: Some Progress Made in Addressing Inherited Weaknesses: DHS Is in the Early Stages of Integrating Its Financial Management Systems: It Is Not Known Whether DHS's Planned Financial Management Systems Will Be Able to Meet the Requirements of Relevant Financial Management Improvement Laws: Conclusions: Matter for Congressional Consideration: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Scope and Methodology: Appendix II: Material Weaknesses and Reportable Conditions at DHS for Fiscal Year 2003: Appendix III: Disposition of Reported Internal Control Weaknesses by Component: Appendix IV: Comments from the Department of Homeland Security: Tables: Table 1: Status of 30 Inherited Weaknesses in 2003 Audit: Table 2: Decreases in Service Providers from March 2003 to May 2004: Table 3: Key Financial Management Improvement Laws: Figure: Figure 1: Phase I Timeline: Letter July 19, 2004: The Honorable Joseph I. Lieberman: Ranking Minority Member: Committee on Governmental Affairs: United States Senate: Dear Senator Lieberman: When the Department of Homeland Security (DHS) began operations in March 2003, it faced the daunting task of bringing together 22 diverse agencies. Not since the creation of the Department of Defense had the federal government undertaken a transformation of this magnitude. As we previously reported,[Footnote 1] such a consolidation poses significant management and leadership challenges, including integrating a myriad of redundant financial management systems and addressing the existing and newly identified weaknesses in the inherited components. You asked us to review DHS's progress in addressing financial management weaknesses and integrating its financial systems. This report (1) identifies the financial management systems' weaknesses DHS inherited from the 22 component agencies, (2) assesses DHS's progress in addressing those weaknesses, (3) identifies plans DHS has to integrate its financial management systems, and (4) reviews whether the planned systems DHS is developing will meet the requirements of relevant financial management improvement laws.[Footnote 2] Our work is based primarily on reviews of DHS's Performance and Accountability Report for fiscal year 2003 and prior period component agency annual financial reports, when available. We interviewed DHS officials and obtained documents related to DHS's financial management systems integration project. In addition, we reviewed our and Office of Inspector General (OIG) previously issued reports and relevant laws and regulations. A more detailed discussion of our scope and methodology can be found in appendix I. We conducted our work from October 2003 through June 2004 in accordance with U.S. generally accepted government auditing standards. Results in Brief: When DHS began operating in March 2003, it inherited 22 component agencies, approximately 180,000 employees, about 100 resource management systems, and 30 reportable internal control conditions[Footnote 3] identified in prior component financial audits. Of the 30 reportable conditions, 18 were so severe they were considered material weaknesses.[Footnote 4] Among these weaknesses were insufficient internal controls or processes to reliably report financial information such as revenue, accounts receivable, and accounts payable; significant system security deficiencies; financial systems that required extensive manual processes to prepare financial statements; and incomplete policies and procedures necessary to complete basic financial management activities. Further, of the four component agencies that had previously been subject to stand-alone audits, all four agencies' systems were found not to be in substantial compliance with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA),[Footnote 5] an indicator of whether a federal entity can produce reliable data for management and reporting purposes. Because most of the components that transferred to DHS were comparatively small components of their former department, they had not been subjected to significant financial statement audit scrutiny prior to transfer. Thus, it was unknown at the time of transfer whether additional internal control weaknesses existed in those components. Component agencies took action to resolve 9 of the 30 internal control weaknesses DHS inherited from component agencies. These actions included reinstating procedures to accurately estimate financial data, performing risk assessments of major systems, and instituting processes to ensure accounts receivable and fixed assets are properly recorded. Another 9 of the inherited weaknesses were combined and reported as material weaknesses in DHS's first Performance and Accountability Report, while 5 were combined and reported as reportable conditions. Although combining or reclassifying weaknesses reduces the overall number of weaknesses, it does not resolve the underlying internal control weakness or reduce the level of effort that will be needed to mitigate the weakness. The remaining 7 weaknesses were classified by the department's independent auditors as observations and recommendations.[Footnote 6] Finally, auditors reported 6 additional weaknesses as of September 30, 2003, bringing the total number of DHS reportable conditions to 14 for fiscal year 2003, 7 of which were considered to be material weaknesses. DHS has developed or begun to develop corrective action plans to address 10 of the 14 internal control weaknesses identified in the 2003 financial audit. Sustained attention must be given to resolving all previously reported weaknesses, regardless of their current designation at DHS. DHS is in the early stages of acquiring a financial enterprise solution to consolidate and integrate the department's financial accounting and reporting systems, including budget, accounting and reporting, cost management, asset management, and acquisition and grants functions. According to DHS, the department initiated a financial management systems integration project in August 2003. The completed project is expected to be fully deployed and operational in 2006 at an estimated cost of approximately $146 million. Other agencies have failed in attempts to develop financial management systems with fewer diverse operations. An effective strategic management framework, sustained management oversight, and user acceptance of the efforts, among other things, will be keys to DHS's success. As an interim effort, DHS is working to consolidate the number of legacy financial systems, and reports that it has reduced the overall number of financial service providers. We plan to monitor DHS's efforts as part of our consolidated financial statement audit of the U.S. government. It is too early to tell whether DHS's planned financial enterprise solution will be able to meet the requirements of relevant financial management improvement laws it is currently subject to. As of June 2004, DHS is not subject to the Chief Financial Officers Act of 1990[Footnote 7] (CFO Act) and thus is exempt from FFMIA, which is only applicable to CFO Act agencies. The CFO Act requires major agencies to have a qualified, presidentially appointed, Senate-confirmed Chief Financial Officer (CFO) who reports to the head of the agency. Currently, the CFO at DHS reports to the Under Secretary for Management while directorate CFOs report to the head of their respective directorates, not to DHS's CFO. In addition, while DHS is currently not required to report on its systems' compliance with FFMIA, its auditors disclosed systems deficiencies that indicate that DHS's systems would not have been in substantial compliance with the requirements of FFMIA during its first 7 months of operation. We obtained written comments on a draft of this report from DHS's Chief Financial Officer. In commenting on a draft of this report, DHS generally agreed with the overall findings and recommendations. The comments DHS provided to us are reprinted in appendix IV. Background: In the aftermath of the terrorist attacks of September 11, 2001, responding to potential and real threats to homeland security became one of the federal government's most significant challenges. To address this challenge, the Congress passed, and the President signed, the Homeland Security Act of 2002,[Footnote 8] which merged 22 federal agencies and organizations into DHS, making it the department with the third largest budget in the federal government, about $40 billion for fiscal year 2005.[Footnote 9] In January 2003, we designated implementation and transformation of the new Department of Homeland Security as high risk based on three factors: (1) the implementation and transformation of DHS is an enormous undertaking that will take time to achieve in an effective and efficient manner, (2) components to be merged into DHS already face a wide array of existing challenges, and (3) failure to effectively carry out its mission would potentially expose the nation to very serious consequences.[Footnote 10] As we previously reported,[Footnote 11] one of the department's key challenges is integrating the components' respective financial management systems, many of which were outdated and had limited functionality, as well as addressing weaknesses from the inherited components. The Homeland Security Act of 2002 states that DHS's missions include, among other things, preventing terrorist attacks within the United States, reducing America's vulnerability to terrorism, minimizing subsequent damage, and assisting in the recovery from attacks that do occur. To help accomplish this integrated homeland security mission, the various mission areas and associated programs of 22 federal agencies were merged, in whole or in part, into DHS. The department's organizational structure consists of eight major components--the U.S. Coast Guard (Coast Guard), the U.S. Secret Service, the Bureau of Citizenship and Immigration Services (CIS), and five directorates, each of which is headed by an Under Secretary: Information Analysis and Infrastructure Protection, Science and Technology, Border and Transportation Security, Emergency Preparedness and Response, and Management. Within the Management Directorate is DHS's Office of the Chief Financial Officer (OCFO), which is assigned primary responsibility for functions, such as budget, finance and accounting, strategic planning and evaluation, and financial systems for the department. OCFO is also charged with ongoing integration of these functions within the department. The CFO Act requires the agency's CFO to develop and maintain an integrated accounting and financial management system that provides for complete, reliable, and timely financial information that facilitates the systematic measurement of performance at the agency, the development and reporting of cost information, and the integration of accounting and budget information. The act also requires that the agency's CFO be qualified, presidentially appointed, approved by the Senate, and report to the head of the agency. FFMIA requires that CFO Act agencies implement and maintain financial management systems that substantially comply with federal financial management systems requirements, applicable accounting standards, and the U.S. Government Standard General Ledger at the transaction level. It also requires auditors to report whether the agency's financial management systems substantially comply with the three requirements of FFMIA. While not required to comply with provisions of the CFO Act or FFMIA, the Accountability of Tax Dollars Act of 2002,[Footnote 12] requires DHS to prepare and have audited financial statements annually.[Footnote 13] The Accountability of Tax Dollars Act of 2002, however, does not require compliance with the CFO Act or FFMIA. In identifying improved financial performance as one of its five governmentwide initiatives, the President's Management Agenda recognized that an unqualified financial audit opinion[Footnote 14] is a basic prescription for any well-managed organization and that without sound internal control and accurate and timely financial information, it is not possible to accomplish the agenda and secure the best performance and highest measure of accountability for the American people. In addition, the Joint Financial Management Improvement Program (JFMIP) Principals[Footnote 15] have defined certain measures, in addition to receiving an unqualified financial statement opinion, for achieving financial management success. These additional measures include being able to routinely provide timely, accurate, and useful financial and performance information, having neither material internal control weaknesses nor material noncompliance with laws and regulations, and meeting the requirements of FFMIA. DHS obtained a consolidated financial audit for the 7-month period from March 1, 2003, to September 30, 2003, and received a qualified opinion from its independent auditors on its consolidated balance sheet as of September 30, 2003, and the related statement of custodial activity for the 7 months ending September 30, 2003. Auditors were unable to opine on the consolidated statements of net costs and changes in net position, combined statement of budgetary resources, and consolidated statement of financing. The auditors reported 14 reportable conditions on internal control, 7 of which were considered to be material weaknesses. DHS Inherited Significant Weaknesses from Its Component Agencies: When DHS was created in March 2003 and merged with 22 diverse agencies, there were many known financial management weaknesses and vulnerabilities in the inherited agencies. For 5 of the agencies that transferred to DHS--Customs Service (Customs), Transportation Security Administration (TSA), Immigration and Naturalization Service (INS), Federal Emergency Management Agency (FEMA), and Federal Law Enforcement Training Center (FLETC)--auditors had reported 30 reportable conditions, 18 of which were considered material internal control weaknesses. Further, of the four component agencies--Customs, TSA, INS, and FEMA--that had previously been subject to stand-alone audits, all four agencies' systems were found not to be in substantial compliance with the requirements of FFMIA. Most of the 22 components that transferred to DHS had not been subjected to significant financial statement audit scrutiny prior to their transfer, so the extent to which additional significant internal control deficiencies existed was unknown. For example, conditions at the Coast Guard have surfaced because of its greater relative size and increased audit scrutiny at DHS as compared to its former legacy agency, the Department of Transportation (DOT). As part of DOT's financial statement audit, the Coast Guard had no specifically attributable reported weaknesses identified. However, newly identified weaknesses related to the Coast Guard were one of the main reasons that independent auditors issued a qualified opinion on DHS's consolidated balance sheet and why they were unable to provide an opinion on other financial statements for the 7 months ending September 30, 2003. For fiscal year 2002 and prior to its transfer to DHS, Customs' auditors reported[Footnote 16] nine internal control weaknesses, including weaknesses in its ability to monitor the effectiveness of its internal controls over entry duties and taxes, controls over drawback claims,[Footnote 17] security issues in information technology (IT) systems, and issues concerning the strength of its core financial systems. These weaknesses can result in inaccurate reporting of certain material elements of Customs' financial situation, system security weaknesses that could leave Customs' information vulnerable to unauthorized access, and the necessity of extensive manual procedures and analyses to process routine transactions. Finally, these weaknesses contributed to Customs' systems inability to substantially comply with the requirements of FFMIA. Although TSA is a relatively new agency formed after the September 11, 2001, terror attacks, its auditors reported six internal control weaknesses, including weaknesses in the hiring of qualified personnel, financial reporting and systems, property accounting and financial reporting, financial management policies, administration of screener contracts, and maintenance of adequate information in its personnel files. These weaknesses can result in uncontrolled spending of taxpayer dollars, misplaced or unaccounted for property, and challenges in producing financial statements. In its first year audit ending September 30, 2002, TSA obtained an unqualified audit opinion on its financial statements. However, TSA's systems did not substantially comply with the requirements of FFMIA. INS's auditors reported four internal control weaknesses as of February 28, 2003,[Footnote 18] including weaknesses in the functionality of its financial systems; recording accounts payable and related accruals; financial reporting; and controls over its financial management system. Weaknesses such as these have existed for several years and contribute to INS's systems continuing inability to substantially comply with the requirements of FFMIA. Although the weaknesses did not interfere with the agency's ability to obtain an unqualified opinion on its financial statement audit, they did result in the need for extensive manual effort to prepare reliable financial information and record basic financial transactions to aid management in decision making. FEMA's auditors reported seven internal control weaknesses for fiscal year 2002, including weaknesses in information security controls over its financial systems environment; financial system functionality; financial reporting process; real and personal property system processes; account reconciliation processes; accounts receivable processes; and the lack of a process to evaluate the accuracy of a new claims estimation methodology. These weaknesses resulted in the need for extensive manual effort to compile financial information because FEMA's financial systems were unable to perform certain basic accounting functions efficiently. Further, FEMA's systems were unable to accurately track basic accounting information, such as real and personal property and accounts receivable. Many of these weaknesses specifically contributed to FEMA's systems' failure to substantially comply with the requirements of FFMIA. Finally, FLETC's auditors reported four internal control weaknesses for fiscal year 2002. These weaknesses resulted from FLETC not having adequate policies and procedures in place to ensure that funds obligated were proper and that costs for construction in progress were recorded properly. Further, auditors found that FLETC was not taking the steps necessary to be in compliance with certain Office of Management and Budget requirements. Many of these weaknesses lead to FLETC's systems' inability to substantially comply with the requirements of FFMIA. Some Progress Made in Addressing Inherited Weaknesses: DHS has made some progress in addressing the internal control weaknesses it inherited from component agencies. Nine of the 30 internal control weaknesses identified in prior component financial statement audits have been closed as of September 30, 2003. The remaining 21 issues represent continuing weaknesses that have been reported in DHS's first Performance and Accountability Report. Nine of these were combined and reported as 3 material weaknesses, while 5 were reported as reportable conditions. The department's independent auditors classified the remaining 7 weaknesses as lower level observations and recommendations. Table 1 summarizes the status of the 30 weaknesses DHS inherited from component agencies as of September 30, 2003. Table 1: Status of 30 Inherited Weaknesses in 2003 Audit: Closed: 9. Classified as material weaknesses for 2003: 9. Classified as reportable conditions for 2003: 5. Classified as observation and recommendation for 2003: 7. Total: 30. Source: GAO based on DHS's fiscal year 2003 Performance and Accountability Report. [End of table] Auditors reported 6 additional weaknesses as of September 30, 2003, bringing the total number of reportable conditions for DHS to 14 for fiscal year 2003, 7 of which were considered to be material weaknesses. A description of these weaknesses can be found in appendix II. As mentioned previously, several of the departmentwide weaknesses resulted from combining previously identified weaknesses or reclassifying them, rather than from resolving the underlying internal control weaknesses. For example, in fiscal year 2003, DHS's auditors reported a departmentwide material weakness related to financial systems functionality and technology. This weakness resulted from combining what accounted for 7 of the inherited weaknesses--3 from Customs, 2 from FEMA, 1 from INS, and 1 from TSA. Appendix III provides detailed information on the status of each of the 30 inherited weaknesses, including how they were reported in DHS's Performance and Accountability Report. Component agencies took various steps to resolve nine of the previously identified weaknesses inherited from component agencies. For example, Customs had a previously identified weakness related to the effectiveness of its internal controls over accurate reporting of entry duties and taxes. This weakness was resolved by reinstituting a program that Customs had in place prior to the terrorist attacks of September 11, 2001, which allows for more accurate reporting of these taxes and duties. Another weakness DHS inherited relates to FEMA's inability to identify and record certain accounts receivable in a timely manner. FEMA's accounts receivable processes were strengthened to ensure that accounts receivable are determined and recorded on a timely basis. In order to resolve several weaknesses at FLETC and TSA, various policies and procedures were implemented at these components to ensure that financial information was recorded and properly approved. Further, TSA has hired additional staff, thereby resolving its weaknesses of not having a sufficient number of qualified accounting personnel. In addition to the 7 material weaknesses and 7 reportable conditions reported in DHS's 2003 financial statement audit, DHS reported 12 additional weaknesses that affect the department's full compliance with certain objectives of 31 U.S.C. 3512(c), (d) (commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA)). FMFIA requires that management ensure that it has an organizational structure that supports the planning, directing, and controlling of operations to meet agency objectives; clearly defines key areas of authority and responsibility; and provides for appropriate lines of reporting. The standards also define internal control as a key component necessary to ensure that financial reporting information is reliable. Examples of the FMFIA weaknesses reported by DHS included deficient controls over laws and regulations regarding the border entry process, nonconformance related to system security, and lack of oversight and administration of major contracts at TSA. Of the seven departmentwide material weaknesses reported by DHS's auditors for fiscal year 2003, four were newly identified and contributed to the auditors' inability to render an opinion on all of DHS's financial statements. Newly identified weaknesses included the lack of procedures at DHS to verify the accuracy and completeness of balances transferred on March 1, 2003, and significant weaknesses with the number of qualified financial management personnel employed by the department. DHS's auditors also found significant deficiencies at the Coast Guard and Secret Service, preventing them from being able to express an opinion on certain financial statements. In addition to the internal control weaknesses cited in its 2003 financial statement audit, there were other weaknesses that, while not material to DHS on a departmentwide basis, are still important weaknesses that need to be addressed. FEMA, Customs, and TSA each had weaknesses at the time of their transfer to DHS. However, in the 2003 audit report, these weaknesses were classified as observations and recommendations, a much less serious classification. Lower classification within DHS does not mean that the issues are now somehow less severe, it merely refers to the materiality of a component within DHS. Considered against operations or assets of the stand-alone entity, these issues by themselves were relatively more significant than when considered in the context of the much larger consolidated operations of DHS as a whole. Resolving all previously reported internal control weaknesses, regardless of the current designation at DHS, is key to DHS's ability to produce relevant and reliable financial information. DHS's CFO testified that the department is committed to resolving the remaining weaknesses and has developed a plan to do so. According to the CFO's plans, corrective actions will be developed by each applicable bureau or directorate and submitted to the OCFO. Currently, DHS's OCFO has compiled a summary document with the corrective action plans as submitted by the applicable bureau or directorate. According to this document, corrective action plans of varying levels of detail are in place to address 12 of the 14 internal control weaknesses, some of which are scheduled to be completed by the end of fiscal year 2004. However, 2 material internal control weaknesses--Financial Systems Functionality and Technology and Transfer of Funds, Assets, and Liabilities to DHS--do not currently have any planned corrective actions in place. Along with developing corrective action plans, the CFO testified that DHS plans to implement a departmentwide tracking system to monitor the status of corrective actions. DHS has begun working with a contractor to design and implement a tracking system for outstanding weaknesses identified during the department's independent financial audits. While this system is still being developed by the OCFO, with assistance from contractors, it is not yet fully functional and does not include information on all reported weaknesses. Until such time that it does, it will provide limited oversight and information on the status of corrective actions to address weaknesses at DHS. While progress has been made to address the known material weaknesses, much work still remains. Follow-through with planned corrective actions is paramount. The support of top officials at the department will be key in ensuring that the necessary resources are available to address the weaknesses and to ensure that they are resolved in a timely manner. DHS Is in the Early Stages of Integrating Its Financial Management Systems: DHS intends to acquire and deploy an integrated financial enterprise solution and reports that it has reduced the number of its legacy financial systems. DHS has established the Resource Management Transformation Office (RMTO) within the Management Directorate to manage its financial enterprise solution project. However, the acquisition is in the early stages, and continued focus and follow through, among other things, will be necessary for it to be successful. RMTO has termed its financial enterprise solution project "electronically Managing enterprise resources for government effectiveness and efficiency" (eMerge2), which according to the RMTO's Strategic Framework, "establishes the strategic direction for migration, modernization, and integration of DHS financial, accounting, procurement, personnel, asset management and travel systems, processes, and policies." DHS expects the acquisition and implementation of the financial enterprise solution to take place over a 3-year time period and cost approximately $146 million. According to the strategic framework DHS provided to us, the development of an integrated financial enterprise solution will be accomplished in three phases. Phase I includes defining, acquiring, and testing the planned solution. Phase II involves implementing the solution throughout DHS, and Phase III is ongoing maintenance of the solution. According to DHS, the eMerge2 initiative is currently in Phase I, which is to be executed in three stages and is expected to be completed in late 2004. Figure 1 represents the three stages of Phase I and the timelines as of August 2003 and May 2004, according to the DHS RMTO Strategic Frameworks provided to us. Figure 1: Phase I Timeline: [See PDF for image] [End of figure] According to plans DHS's RMTO developed early in Phase I, completion of core requirements development was to have been completed between September 2003 and mid-February 2004. However, in updated plans dated May 2004, the core requirements development actually began in January 2004 and was to be completed in May 2004. The earlier plans' timeline also called for requesting vendor solution proposals in October 2003, with final vendor selection to occur in April or May of 2004. However, vendor proposal requests were issued in June 2004 and selection is to be completed in July 2004. Concurrent with eMerge2, DHS has issued a request for quotation (RFQ) for an interim project--the Business Automation Initiative--to be developed by contractors during 2004. The RFQ requested system proposals to automate purchase requests for the department and to streamline the employee entry/exit process. Another interim initiative was considered by the department to integrate data mining and warehousing, improve grants visibility (beginning with first responder grants), and streamline financial statement consolidation. However, instead of pursuing this interim solution, DHS plans to include it in the requirements of the eMerge2 initiative. Of key importance in the development of any DHS system solution acquisition, interim or not, is how the acquisition fits within the future overall plans of DHS as outlined in its enterprise architecture, which is still being developed. It would be duplicative and wasteful to implement a short- term solution that is not part of the long-term integration plans at DHS. According to DHS officials, the RMTO recently completed the requirements definition phase for the eMerge2 initiative and obtained approval of the requirements from various high-level DHS officials. Additionally, a request for proposal (RFP) was issued by DHS for the eMerge2 initiative in June 2004. The RFP is scheduled to be open for approximately 1 month and then a vendor will be chosen. DHS has developed various planning documents for the eMerge2 initiative. However, these documents were not provided to us until after we completed our fieldwork. Thus, we are not providing description, analysis, or evaluation of such information in this report, and we are unable to determine if DHS, through the RMTO, is developing a financial enterprise solution that will be in alignment with departmentwide information technology plans, many of which are still under development. Nevertheless, we have found that similar projects have proven challenging and costly for other federal agencies. For example, we have reported on the efforts of National Aeronautics and Space Administration[Footnote 19] (NASA), and the District of Columbia Courts[Footnote 20] (DC Courts) to acquire new information systems. NASA is on its third attempt in 12 years to modernize its financial management process and systems, and has spent about $180 million on its two prior failed efforts. DC Courts began its system acquisition in 1998 and has struggled in its implementation. One of the key impediments to the success of integration efforts at NASA was the failure to involve key stakeholders in the implementation or evaluation of system improvements. As a result, new systems failed to meet the needs of key stakeholders. DC Courts struggled in developing requirements that contained the necessary specificity to ensure the system developed would meet its users' needs. To avoid similar problems, it is important, among other things, that DHS ensure commitment and extensive involvement from top management and users in eMerge2. Over the past year, DHS has reported that it has reduced the number of financial management service providers for the department from the 19 providers at the time DHS was formed to the 10 it currently uses. DHS has plans to further consolidate to 7 providers. A DHS official estimated approximately $5 million in savings through the reduction of the number of financial management service centers. Table 2 shows the decreases that have occurred in service providers from March 2003 to May 2004. Table 2: Decreases in Service Providers from March 2003 to May 2004: Service provider type: Financial management service centers; March 2003: 19; May 2004: 10; Decrease: 9. Service provider type: Contracting offices; March 2003: 13; May 2004: 8; Decrease: 5. Service provider type: Human resource offices; March 2003: 22; May 2004: 7; Decrease: 15. Service provider type: Payroll offices; March 2003: 7; May 2004: 3; Decrease: 4. Service provider type: Property management offices; March 2003: 22; May 2004: 3; Decrease: 19. Service provider type: Total; March 2003: 83; May 2004: 31; Decrease: 52. Source: GAO based on DHS-provided information. [End of table] This continued focus on consolidation and integration of services and service providers, if implemented properly, could aid the department in realizing further savings and efficiencies in support of its overall mission. Although we did not perform audit procedures to determine the impact of these reductions, reduction of service providers prematurely, without considering the provider's reliability, or without an overall consolidation plan, could be negative if it interferes with the enterprise approach or causes significant short-term inefficiencies for agencies that must quickly adapt to other systems. It Is Not Known Whether DHS's Planned Financial Management Systems Will Be Able to Meet the Requirements of Relevant Financial Management Improvement Laws: It is too early to tell whether DHS's planned financial enterprise solution will be able to meet the requirements of relevant financial management improvement laws--those currently applicable to DHS (such as FMFIA), as well as some not applicable that are subject to pending legislation. DHS is currently subject to most financial management improvement laws except for the CFO Act and FFMIA. The goals of the CFO Act and FFMIA are to provide the Congress and agency management with reliable financial information for managing and making day-to-day decisions and to improve financial management systems and controls to properly safeguard the government's assets. Further, the CFO Act requires certain agencies to have a qualified, presidentially appointed, Senate-confirmed CFO who reports to the head of the agency.[Footnote 21] FFMIA requires major departments and agencies covered by the CFO Act to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the U.S. Government Standard General Ledger at the transaction level. Although DHS is not currently subject to FFMIA, its auditors disclosed systems deficiencies in its financial management information systems, the application of accounting standards, and recording of financial transactions, all of which relate to the requirements of FFMIA. Based on these weaknesses it is likely that DHS's systems would not have been in substantial compliance with the requirements of FFMIA. Table 3 lists relevant financial management laws and describes their relationship to DHS. Table 3: Key Financial Management Improvement Laws: Law: Chief Financial Officers Act of 1990; DHS covered? No; Requirement: Requires agencies to develop and maintain an integrated accounting and financial management system that provides for (1) complete, reliable, consistent, and timely information that is responsive to the financial information of the agency and facilitates the systematic measurement of performance; (2) the development and reporting of cost management information; (3) the integration of accounting and budget information; and (4) requires that the agency's CFO be qualified, presidentially appointed, approved by the Senate, and report to the head of the agency; Impact of legislation on DHS: H.R. 4259 and S. 1567, which are now under consideration before the Congress, would make DHS a CFO Act agency; The current CFO of DHS reports to the Under Secretary for Management. Each directorate has separate CFOs who report to their respective directorate head. Law: Federal Financial Management Improvement Act of 1996; DHS covered? No; Requirement: Requires the major departments and agencies covered by the CFO Act to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the U.S. Government Standard General Ledger at the transaction level. Requires auditors to include in their CFO Act audit reports whether the agency's financial management systems comply with FFMIA's requirements; Impact of legislation on DHS: DHS is not currently required to comply with FFMIA standards. Auditors did disclose systems deficiencies in its financial management information systems, the application of accounting standards, and recording of financial transactions, all of which relate to the requirements of FFMIA. Law: Accountability of Tax Dollars Act of 2002; DHS covered? Yes; Requirement: Requires non-CFO Act agencies to obtain annual financial statement audits, unless specifically exempted by OMB or already statutorily required to obtain an annual audit; Impact of legislation on DHS: DHS obtained an audit for the 7 months ending September 30, 2003. Law: 31 U.S.C. 3512(c), (d) (commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA)); DHS covered? Yes; Requirement: Requires agency management to ensure that they have effective control over, and accountability for, its assets. To ensure compliance, it requires the agency head to establish internal accounting and administrative controls and report whether the agency's systems comply; Impact of legislation on DHS: In its 2003 financial statement audit, auditors reported 12 weaknesses that would affect DHS's full compliance with FMFIA. Law: Government Performance and Results Act of 1993; DHS covered? Yes; Requirement: Requires each agency to develop strategic plans covering a period of at least 5 years. It also requires each agency to prepare an annual performance plan that includes the performance indicators that will be used to measure "the relevant outputs, service levels, and outcomes of each program activity" in an agency's budget; Impact of legislation on DHS: DHS has prepared a performance budget to comply with this act. Law: Clinger-Cohen Act of 1996; DHS covered? Yes; Requirement: Requires agencies to establish goals for improving efficiency and effectiveness of their operations through the effective use of IT. Performance measurements must be established that assess how well IT supports agency programs. Where comparable processes and organizations exist, agency heads must benchmark agency process performance against comparable processes in terms of cost, speed, productivity, and quality of outputs and outcomes. Agency heads must clearly define agency missions and consider appropriate process changes before making significant investments in IT. Agencies must also report annually on operational improvements achieved through the effective use of IT; Impact of legislation on DHS: DHS is in the process of drafting an IT strategic plan, which will be the driving force in establishing DHS's strategic IT management framework. It will discuss how the department plans to manage and use IT to achieve strategic mission goals. According to the CIO, the department is still in the process of completing the IT strategic plan and expects to make it final in mid- 2004. Law: Federal Information Security Management Act (FISMA) of 2002; DHS covered? Yes; Requirement: FISMA requires the designation and establishment of specific responsibilities for an agency senior information officer, implementation of minimum information security requirements for agency information systems, and required agency reporting to the Congress; Impact of legislation on DHS: DHS has created the office of the Chief Information Officer and the Chief Information Security Officer. The September 2003 FISMA Report issued by DHS OIG indicates that DHS has performed reviews of FISMA IT security and has created positions for component information security officers to ensure that information security is coordinated at all levels of the agency. Source: GAO. [End of table] DHS is currently required to have annual audits under the Accountability of Tax Dollars Act and to report on its internal controls under FMFIA. Although DHS's CFO has testified that DHS complies with the audit provisions of the CFO Act and will continue to do so, we believe DHS should be a CFO Act agency and be subject to the requirements of FFMIA. DHS should not be the only cabinet-level department not covered by what is the cornerstone for pursuing and achieving the requisite financial management systems and capabilities in the federal government.[Footnote 22] Given its early implementation, it is too early to tell whether DHS's planned financial enterprise solution will meet the requirements of financial management laws it is currently not subject to. While DHS systems must meet the requirements of laws they are currently subject to, it is also important that DHS be proactive and incorporate the requirements of the CFO Act and FFMIA. It would certainly make good business sense to do so given DHS's size and mission. DHS has implemented a commercial-off-the-shelf tool called Dynamic Object Oriented Requirements System (DOORS) to track the requirements of various laws, regulations, and circulars place on the development of an integrated financial system. DOORS is intended to be DHS's repository of all applicable system, process, technological, data, or other requirements. DHS estimated that several thousand compliance requirements will be tracked using DOORS once analysis is completed. After the repository is complete, requirements reports are to be printed directly from DOORS and attached to future RFPs to ensure that contractors are aware of the legislative requirements of the systems to be developed. A system to record, track, and link all legislative requirements as a financial management system is being developed is important. Also important is that DHS be statutorily required to comply with the CFO Act and FFMIA and that the systems DHS acquires are capable of meeting the requirements of those laws, as well as ones currently applicable. Meeting these financial management improvement requirements will help produce timely and useful financial and business information. Conclusions: Since its inception in March 2003, DHS has been faced with many challenges, including how to integrate its financial management processes and systems. Steps have been taken to address the 30 internal control weaknesses it inherited from its component agencies. However, to ensure financial accountability and establish an effective financial environment, DHS must address all outstanding inherited weaknesses, as well as address the newly identified department-level weaknesses. Through the eMerge2 initiative, DHS has plans to integrate and consolidate its financial and business systems. But without such things as continued active oversight from top-level management and systematic approaches to this integration, DHS could find itself in the same position as other federal departments--producing an ineffective and costly financial management system that does not provide the information needed by management or meet the requirements of financial management laws. Finally, we believe that it is of critical importance that DHS be statutorily required to comply with the important financial management reforms legislated in the CFO Act and FFMIA. The financial management improvements of FFMIA build on the CFO Act by emphasizing the need for agencies to have systems that can generate reliable, useful, and timely information with which to make fully informed decisions and to ensure accountability on an ongoing basis. This issue is still of foremost importance, especially as DHS continues its financial management system integration and development. Matter for Congressional Consideration: In view of the size of DHS and the importance of the CFO Act and FFMIA in improving financial management and its applicability to all other cabinet departments, the Congress may wish to consider the following action: * Enact legislation to designate DHS as a CFO Act agency. Recommendations for Executive Action: We are making eight recommendations for executive action at DHS that will improve financial management at the department. Specifically, we recommend that the Secretary of Homeland Security direct the Under Secretary for Management to do the following: * Continue to maintain strong involvement of key stakeholders and top management throughout the acquisition and implementation of the eMerge2 initiative. * Assess the impact of further reduction in financial service providers on DHS staff and their ability to produce timely financial information. * Adhere to FFMIA requirements, including JFMIP requirements, even though the department is not statutorily required to do so. * Have independent auditors report annually on compliance with FFMIA. * Continue to give sustained attention to addressing previously reported material weaknesses, reportable conditions, and observations and recommendations. * Complete development of corrective action plans for all material weaknesses, reportable conditions, and observations and recommendations. * Ensure that internal control weaknesses are addressed at the component level if they were combined or reclassified at the departmentwide level. * Maintain a tracking system of all auditor-identified and management- identified control weaknesses. Agency Comments and Our Evaluation: We obtained written comments on a draft of this report from DHS's Chief Financial Officer. The comments DHS provided to us are reprinted in appendix IV. In commenting on a draft of this report, DHS generally agreed with the overall findings and recommendations. However, in response to our recommendation to incorporate all internal control weaknesses in the tracking system DHS is currently developing, DHS felt the recommendation was too broad and suggested that we change the language to reflect tracking of all auditor-identified and management-identified internal control weaknesses. The original intent of our recommendation was to encourage DHS to track and resolve all auditor reported material weaknesses, reportable conditions, and observations and recommendations, similar to those discussed throughout this report. We fully support DHS including all management-identified control weaknesses as well, and have updated our recommendation accordingly. Additionally, DHS commented on its commitment to full adherence to the CFO Act and FFMIA. We applaud the current leadership at DHS for voluntarily complying with some audit provisions of the CFO Act, however, we continue to strongly support passage of legislation that would statutorily make DHS a CFO Act agency, and thus guarantee future requirements to adhere to important financial management legislation. As arranged with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after the date of this letter. At that time, we will send copies of this report to interested congressional committees and subcommittees. We will also make copies available to others on request. In addition, the report will be available at no charge on GAO's Web site at [Hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report or wish to discuss it further, please contact me at (202) 512-6906 or Casey Keplinger, Assistant Director, at (202) 512-9323. In addition, Heather Dunahoo and Scott Wrightson made key contributions to this report. Sincerely yours, Signed by: McCoy Williams: Director, Financial Management and Assurance: [End of section] Appendixes: Appendix I: Scope and Methodology: To identify what were the existing weaknesses in the Department of Homeland Security's (DHS) component agencies' financial management systems, we reviewed relevant DHS Office of Inspector General (OIG) reports and our January 2003 report on major management challenges at DHS and looked at how such challenges are being addressed. We also reviewed DHS's Performance and Accountability Report for the 7 months ending September 30, 2003. We reviewed prior-period component agency annual financial statement audit reports when available; Immigration and Naturalization Service's (INS) financial statement audit report for the 5 months ending February 28, 2003; and Performance and Accountability Reports for the Federal Emergency Management Agency (FEMA) and the Departments of Transportation, Justice, and Treasury. We reviewed testimony of DHS's current and former Chief Financial Officer (CFO) and DHS's OIG reports related to financial management at the department. Finally, we interviewed officials from the OIG and the Office of the Chief Financial Officer (OCFO). To determine whether DHS was addressing the problems that existed in the financial management systems DHS acquired from its component agencies, we met with officials from the OCFO's Office of Financial Management and OIG staff. In addition to items already mentioned, we reviewed planned corrective actions developed by the department to address its fiscal years 2002 and 2003 material weaknesses and reportable conditions. We also reviewed testimony of DHS's CFO related to this issue. Further, we conducted a walk-through to review the system DHS is developing to track planned corrective actions. To determine what plans DHS has to integrate its financial management systems, we met with the Director of the Resource Management Transformation Office (RMTO) and other staff in this office. We also reviewed testimony of DHS's current and former CFO and DHS's OIG related to financial management at the department. We reviewed documentation detailing the reduction of financial service providers, but we did not complete audit procedures to determine if these reductions were positive or negative for the department. Finally, we reviewed the RMTO's strategic framework. However, substantial documentation related to the eMerge2 initiative was not provided to us until after we completed our fieldwork. Thus, we did not include analysis or evaluation of such information in this report. To determine whether the planned systems that DHS is developing will be able to meet the requirements of relevant financial management improvement laws, we reviewed relevant laws and regulations, and relevant guidance related to financial management, financial reporting, systems implementation, and requirements. We also interviewed the Director of the RMTO and other officials. Further, we reviewed testimony relevant to this issue by DHS's current and former CFO and DHS's OIG. We have not reviewed system requirements or other recently developed plans because these were completed and obtained after our fieldwork was completed. We requested comments on this report from the Secretary of Homeland Security or his designee. Written comments were received from the department's Chief Financial Officer and are reprinted in appendix IV. We performed our review from October 2003 through June 2004 in Washington, D.C., in accordance with U.S. generally accepted government auditing standards. Appendix II: Material Weaknesses and Reportable Conditions at DHS for Fiscal Year 2003: Number: 1; Material weakness: Financial management and personnel: DHS's OCFO needs to establish financial reporting roles and responsibilities, assess critical needs, and establish standard operating procedures (SOP) for the department. These conditions were not unexpected for a newly created organization, especially one as large and complex as DHS. The Coast Guard and the Strategic National Stockpile had weaknesses in financial oversight that have led to reporting problems. Number: 2; Material weakness: Financial reporting: Key controls to ensure reporting integrity were not in place, and inefficiencies made the process more error prone. At the Coast Guard, the financial reporting process was complex and labor-intensive. Several DHS bureaus lacked clearly documented procedures, making them vulnerable if key people leave the organization. Number: 3; Material weakness: Financial systems functionality and technology: The auditors found weaknesses across DHS in its entitywide security program management and in controls over system access, application software development, system software, segregation of duties, and service continuity. Many bureau systems lacked certain functionality to support the financial reporting requirements. Number: 4; Material weakness: Property, plant, and equipment (PP&E): The Coast Guard was unable to support the recorded value of $2.9 billion in PP&E due to insufficient documentation provided prior to the completion of audit procedures, including documentation to support its estimation methodology. The Transportation Security Administration (TSA) lacked a comprehensive property management system and adequate policies and procedures to ensure the accuracy of its PP&E records. Number: 5; Material weakness: Operating materials and supplies (OM&S): Internal controls over physical counts of OM&S were not effective at the Coast Guard. As a result, the auditors were unable to verify the recorded value of $497 million in OM&S. The Coast Guard also had not recently reviewed its OM&S capitalization policy, leading to a material adjustment to its records when an analysis was performed. Number: 6; Material weakness: Actuarial liabilities: The Secret Service did not record the pension liability for certain of its employees and retirees, and when corrected, the auditors had insufficient time to audit the amount recorded. The Coast Guard also was unable to provide, prior to the completion of audit procedures, sufficient documentation to support the recorded value of $201 million in post-service benefit liabilities. Number: 7; Material weakness: Transfers of funds, assets, and liabilities to DHS: DHS lacked controls to verify that monthly financial reports and transferred balances from legacy agencies were accurate and complete. Source: GAO based on DHS Performance and Accountability Report and congressional testimony. [End of table] Number: 1; Reportable condition: Drawback claims on duties, taxes, and fees: The Bureau of Customs and Border Protection's (CBP) accounting system lacked automated controls to detect and prevent excessive drawback claims and payments. Number: 2; Reportable condition: Import entry in-bond: CBP did not have a reliable process of monitoring the movement of "in-bond" shipments-- i.e., merchandise traveling through the U.S. that is not subject to duties, taxes, and fees until it reaches a port of destination. CBP lacked an effective compliance measurement program to compute an estimate of underpayment of related duties, taxes, and fees. Number: 3; Reportable condition: Acceptance and adjudication of immigration and naturalization applications: The Bureau of Citizenship and Immigration Services' (CIS) process for tracking and reporting the status of applications and related information was inconsistent and inefficient. Also, CIS did not perform cycle counts of its work in process that would facilitate the accurate calculation of deferred revenue and reporting of related operational information. Number: 4; Reportable condition: Fund balance with Treasury (FBWT): The Coast Guard did not perform required reconciliations for FBWT accounts and lacked written standard operating procedures (SOP) to guide the process, primarily as the result of a new financial system that substantially increased the number of reconciling differences. Number: 5; Reportable condition: Intragovernmental balances: Several large DHS bureaus had not developed and adopted effective SOPs or established systems to track, confirm, and reconcile intragovernmental balances and transactions with their trading partners. Number: 6; Reportable condition: Strategic National Stockpile (SNS): The SNS accounting process was fragmented and disconnected, largely due to operational challenges caused by the laws governing SNS. A $485 million upwards adjustment had to be made to value SNS in DHS's records properly. Number: 7; Reportable condition: Accounts payable and undelivered orders: CIS and the Bureau of Immigration and Customs Enforcement (ICE), TSA, and the Coast Guard had weaknesses in their processes for accruing accounts payable or reporting accurate balances for undelivered orders. Source: GAO based on DHS Performance and Accountability Report and congressional testimony. [End of table] Appendix III: Disposition of Reported Internal Control Weaknesses by Component: Agency and Condition Reported in 2002: U.S. Customs Service: Material Weaknesses: 1. Entry Duties and Taxes; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: U.S. Customs Service: Material Weaknesses: 2. Drawback Claims on Duties and Taxes; 2003 Status and Disposition: Reportable Condition (Drawback Claims on Duties, Taxes, and Fees). Agency and Condition Reported in 2002: U.S. Customs Service: Material Weaknesses: 3. Financial Systems Security; 2003 Status and Disposition: Material Weakness (Financial Systems Functionality and Technology). Agency and Condition Reported in 2002: U.S. Customs Service: Material Weaknesses: 4. Financial Systems Integration; 2003 Status and Disposition: Material Weakness (Financial Systems Functionality and Technology). Agency and Condition Reported in 2002: U.S. Customs Service: Reportable Conditions: 5. Bonded Warehouse and Foreign Trade Zones; 2003 Status and Disposition: Observation & Recommendations to Management. Agency and Condition Reported in 2002: U.S. Customs Service: Reportable Conditions: 6. In-bond Movements; 2003 Status and Disposition: Reportable Condition (In-bond Movement of Imported Goods). Agency and Condition Reported in 2002: U.S. Customs Service: Reportable Conditions: 7. Drawback in New York and Newark; 2003 Status and Disposition: Observation & Recommendations to Management. Agency and Condition Reported in 2002: U.S. Customs Service: Reportable Conditions: 8. Financial Systems Entity-wide Security; 2003 Status and Disposition: Material Weakness (Financial Systems Functionality and Technology). Agency and Condition Reported in 2002: U.S. Customs Service: Reportable Conditions: 9. Internal Control over Laws and Regulations; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Immigration and Naturalization Service (as of February 28, 2003): Material Weaknesses: 10. Financial Systems Functionality; 2003 Status and Disposition: Reportable Condition (Acceptance and Adjudication of Immigration and Naturalization Applications). Agency and Condition Reported in 2002: Immigration and Naturalization Service (as of February 28, 2003): Material Weaknesses: 11. Accounts Payable; 2003 Status and Disposition: Reportable Condition (Accounts Payable and Undelivered Orders). Agency and Condition Reported in 2002: Immigration and Naturalization Service (as of February 28, 2003): Material Weaknesses: 12. Financial Reporting; 2003 Status and Disposition: Observation & Recommendations to Management. Agency and Condition Reported in 2002: Immigration and Naturalization Service (as of February 28, 2003): Reportable Conditions: 13. Information Systems; 2003 Status and Disposition: Material Weakness (Financial Systems Functionality and Technology). Agency and Condition Reported in 2002: Federal Emergency Management Agency: Material Weaknesses: 14. Information Security; 2003 Status and Disposition: Material Weakness (Financial Systems Functionality and Technology). Agency and Condition Reported in 2002: Federal Emergency Management Agency: Material Weaknesses: 15. Financial Systems Functionality; 2003 Status and Disposition: Material Weakness (Financial Systems Functionality and Technology). Agency and Condition Reported in 2002: Federal Emergency Management Agency: Material Weaknesses: 16. Financial Reporting; 2003 Status and Disposition: Material Weakness (Financial Reporting). Agency and Condition Reported in 2002: Federal Emergency Management Agency: Material Weaknesses: 17. Real and Personal Property; 2003 Status and Disposition: Observation & Recommendations to Management. Agency and Condition Reported in 2002: Federal Emergency Management Agency: Material Weaknesses: 18. Account Reconciliation; 2003 Status and Disposition: Reportable Condition (Intragovernmental Balances). Agency and Condition Reported in 2002: Federal Emergency Management Agency: Material Weaknesses: 19. Accounts Receivable; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Federal Emergency Management Agency: Reportable Conditions: 20. Cerro Grande; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Federal Law Enforcement Training Center: Reportable Conditions: 21. Policies and Procedures; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Federal Law Enforcement Training Center: Reportable Conditions: 22. Laws and Regulations (OMB Circular A-127); 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Federal Law Enforcement Training Center: Reportable Conditions: 23. Real Property Accounting; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Federal Law Enforcement Training Center: Reportable Conditions: 24. Laws and Regulations (OMB Circular A-11); 2003 Status and Disposition: Observation & Recommendations to Management. Agency and Condition Reported in 2002: Transportation Security Administration: Material Weaknesses: 25. Human Resources; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Transportation Security Administration: Material Weaknesses: 26. Financial Reporting and Systems; 2003 Status and Disposition: Material Weaknesses (Financial Reporting; Financial Systems Functionality and Technology). Agency and Condition Reported in 2002: Transportation Security Administration: Material Weaknesses: 27. Property, Plant, and Equipment; 2003 Status and Disposition: Material Weakness (Property, Plant, and Equipment). Agency and Condition Reported in 2002: Transportation Security Administration: Material Weaknesses: 28. Financial Management Policies; 2003 Status and Disposition: Observation & Recommendations to Management. Agency and Condition Reported in 2002: Transportation Security Administration: Material Weaknesses: 29. Administration of Screener Contracts; 2003 Status and Disposition: Closed. Agency and Condition Reported in 2002: Transportation Security Administration: Reportable Conditions: 30. Personnel Files; 2003 Status and Disposition: Observation & Recommendations to Management. Source: GAO based on DHS Performance and Accountability Report. [End of table] Appendix IV: Comments from the Department of Homeland Security: U.S. Department of Homeland Security Washington, DC 20528: Homeland Security: July 13, 2004: Mr. McCoy Williams: Director, Financial Management and Assurance: U.S. General Accounting Office: Washington, DC 20548: RE: Draft GAO-04-774, FINANCIAL MANAGEMENT. Department of Homeland Security Faces Significant Financial Management Challenges, GAO Engagement 195026: Thank you for the opportunity to review the draft report GAO-04-774, FINANCIAL MANAGEMENT: Department of Homeland Security Faces Significant Financial Management Challenges. The Department of Homeland Security generally agrees with GAO's recommendations. DHS is in the early phase of amalgamating redundant financial management systems associated with 22 discrete entities into an enterprise wide financial system, eMerge2, that will be implemented in 2005 and 2006. eMerge2 is the Department's financial enterprise solution program "electronically Managing enterprise resources for government effectiveness and efficiency." This project establishes the strategic direction for migration, modernization, and integration of DHS financial, accounting, procurement, personnel, asset management and travel systems, and processes. Under the Secretary's leadership, key stakeholder and top management support of eMerge2 has been evident throughout the past year and we have every expectation of their sustained interest through the acquisition and implementation stages. During the interim, we have established processes to ensure that the Department addresses and resolves both identified weaknesses and internal control deficiencies in our legacy financial systems as well as deterring and curtailing future deficiencies. Additionally, DHS wants to provide an update regarding the eMerge2 program. Since the GAO team completed its field work for this GAO review, the eMerge2 final requirements analysis has been completed. The specifications for the eMerge2 system includes adherence to all federal financial system requirements: FFMIA, JFMIP, USSGL, OMB Circulars, etc., indicating our commitment to full adherence to the CFO Act and FFMIA. We also want to take this opportunity to reaffirm the Department's commitment to resolving all identified weaknesses through the development of plans to implement corrective actions. For the most part, we concur with the report's recommendations. However, we suggest a modification to recommendation #8. Currently, the recommendation asks DHS to "Incorporate all types of internal control weaknesses in the tracking system being developed." We believe the recommendation, as written, is overly broad. We suggest that it be changed to read: "Maintain a tracking system of all auditor-identified and management-identified control weaknesses." In conclusion, we thank you for a well balanced report that provides us with an analytical assessment appropriate to the stage we are at in the process of organizational consolidation and moving forward to a unified financial management system. Sincerely, Signed by: Andrew B. Maner Chief Financial Officer Department of Homeland Security: (195026): FOOTNOTES [1] For example, see U.S. General Accounting Office, Major Management Challenges and Program Risk: Department of Homeland Security, GAO-03- 102 (Washington, D.C.: January 2003) and Department of Homeland Security: Challenges and Steps in Establishing Sound Financial Management, GAO-03-1134T (Washington, D.C.: Sept. 10, 2003). [2] Relevant laws include those currently applicable to DHS as well as some not currently applicable that are the subject of pending legislation. [3] Under standards issued by the American Institute of Certified Public Accountants, "reportable conditions" are matters coming to the auditors' attention relating to significant deficiencies in the design or operation of internal controls that, in the auditors' judgment, could adversely affect the department's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. [4] Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. [5] Division A, Section 101(f), Title VIII of Public Law 104-208 is entitled the Federal Financial Management Improvement Act of 1996. FFMIA requires the major departments and agencies covered by the CFO Act to implement and maintain financial management systems that comply substantially with (1) federal financial management systems requirements, (2) applicable federal accounting standards, and (3) the U.S. Government Standard General Ledger at the transaction level. [6] Observations and recommendations are weaknesses that do not meet the criteria for reportable conditions and are typically communicated from the auditor to the appropriate level of entity management in a management letter. [7] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990). [8] Pub. L. 107-296, 116 Stat. 2135 (Nov. 25, 2002). [9] U.S. Department of Homeland Security, Budget in Brief: Fiscal Year 2005. [10] See GAO-03-102. [11] See GAO-03-1134T. [12] Pub. L. No. 107-289, 116 Stat. 2049 (Nov. 7, 2002). [13] An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, and evaluating the overall consolidated financial statement presentation. [14] An unqualified audit opinion indicates that the balances in the financial statements are free of significant errors known as material misstatements. [15] The JFMIP Principals are the Secretary of the Treasury, the Directors of the Office of Management and Budget (OMB) and the Office of Personnel Management (OPM), and the Comptroller General of the United States. [16] Customs' auditors performed an internal control review, not a full scope financial statement audit. [17] Drawback is a remittance, in whole or in part, of duties, taxes, or fees previously paid by an importer. Drawback typically occurs when the imported goods on which duties, taxes, or fees that have previously been paid are subsequently exported from the United States or destroyed prior to entering the commerce of the U.S. Depending on the type of claim, the claimant has up to 8 years from the date of importation to file for drawback. [18] INS obtained an independent financial statement audit for the 5 month period October 1, 2002, to February 28, 2003-prior to its transfer to DHS. [19] U.S. General Accounting Office, Information Technology: Architecture Needed to Guide NASA's Financial Management Modernization, GAO-04-43 (Washington, D.C.: Nov. 21, 2003) and National Aeronautics and Space Administration: Significant Actions Needed to Address Long- standing Financial Management Problems, GAO-04-754T (Washington, D.C.: May 19, 2004). [20] U.S. General Accounting Office, DC Courts: Disciplined Processes Critical to Successful System Acquisition, GAO-02-316 (Washington, D.C.: Feb. 28, 2002). [21] Currently, the CFO at DHS reports to the Under Secretary for Management while directorate CFO's report to the head of the respective directorates, not to DHS's CFO. [22] See GAO-03-1134T. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: