Download:
pdf |
pdfSignificant Revisions to OMB Circular A-127
Section
Revision to A-127
Purpose of Revision
Section 1.
Purpose
Changed to “concerning” from
“developing, operation, evaluating, and
reporting”
To demonstrate that this Circular addresses all
aspects of managing financial management
systems
Section 5.
Definitions
Revised various definitions
To update terminologies and definitions
Section 6.
Policy
Removed the agency-wide financial
information classification structure and
integrated financial management systems
sub-sections
To eliminate areas that duplicate the core
financial system requirements
Section 7.
Service
Provider
Requirements
Added a new section on service provider
requirements
To incorporate recent policy changes, i.e.,
agencies are no longer developing their own
systems, but instead relying on service
providers to help manage their systems
Section 8.
FFMIA
compliance
Added a new section on FFMIA
compliance
To clarify the definition of FFMIA substantial
compliance
New Requirements
New Section
Section 6.E Standard
Configuration
New Requirement
Agencies must utilize the certified configurations
Section 6.G Adoption of Agencies are required to adopt the standard government business processes
established by the Financial Systems Integration Office (FSIO)
Standard Business
Processes
Section 7. Service
Provider Requirements
Agencies must use an external provider when upgrading or modernizing their
core financial systems and should conduct a public-private competition to
procure a provider
Section 8. FFMIA
Compliance
Agencies should determine its FFMIA compliance by considering FFMIA risk
categories
�Circular No. A-127 – Revised
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
SUBJECT: Financial Management Systems
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Purpose
Rescission
Authorities
Applicability/Scope
Definitions
Policy
Service Provider Requirements
FFMIA Compliance
Assignment of Responsibilities
Information Contact
Review Date
Effective Date
1. Purpose
The Office of Management and Budget (OMB) Circular No. A-127 (hereafter referred to as Circular A127) prescribes policies and standards for executive departments and agencies to follow concerning
their financial management systems.
2. Rescission
This Circular supersedes all previously issued versions dated July 23, 1993, June 10, 1999, and
December 1, 2004.
3. Authorities
This Circular is issued pursuant to the Chief Financial Officers Act (CFO Act) of 1990, P.L. 101-576;
the Federal Managers' Financial Integrity Act (FMFIA) of 1982, P.L. 97-255 (31 U.S.C. 3512 et seq.);
31 U.S.C. Chapter 11; and the Federal Financial Management Improvement Act (FFMIA) of 1996,
P.L. 104-208 (31 U.S.C. 3512 et seq.).
4. Applicability/Scope
A. The policies in this Circular apply to the financial management systems of all agencies in the
executive branch of the government, including any executive department, military department,
independent agency, government corporation, government controlled corporation, or other
establishment. Agencies not included in the CFO Act are exempted from certain requirements as
noted in Section 8 and Section 9.
B. The financial management systems identified in Section 5 are subject to the policies contained in
OMB Circular No. A-130, "Management of Federal Information Resources" (hereafter referred to
as Circular A-130).
C. The financial management systems identified in Section 5 must adhere to the policies and
procedures contained in OMB Circular No. A-123, "Management’s Responsibility for Internal
Control" (hereafter referred to as Circular A-123).
1
�5. Definitions
For the purposes of this Circular, the following definitions apply:
A financial system, hereafter referred to as a core financial system, is an information system that may
perform all financial functions 1 including general ledger management, funds management, payment
management, receivable management, and cost management. The core financial system is the
system of record that maintains all transactions resulting from financial events. It may be integrated
through a common database or interfaced electronically to meet defined data and processing
requirements. The core financial system is specifically used for collecting, processing, maintaining,
transmitting, and reporting data regarding financial events. Other uses include supporting financial
planning, budgeting activities, and preparing financial statements. Any data transfers to the core
financial system must be: traceable to the transaction source; posted to the core financial system in
accordance with applicable guidance from the Federal Accounting Standards Advisory Board
(FASAB); and in the data format of the core financial system.
2
A mixed system is an information system that can support both financial and non-financial functions.
A financial management system includes the core financial systems and the financial portions of
mixed systems necessary to support financial management, including automated and manual
processes, procedures, and controls, data, hardware, software, and support personnel dedicated to
the operation and maintenance of system functions. The following are examples of financial
management systems: core financial systems, procurement systems, loan systems, grants systems,
payroll systems, budget formulation systems, billing systems, and travel systems.
A financial event is any activity having financial consequences to the Federal government related to
the receipt of appropriations or other financial resources; acquisition of goods or services; payments
or collections; recognition of guarantees, benefits to be provided, or other potential liabilities;
distribution of grants; or other reportable financial activities.
6. Policy
A. FSIO Certified Commercial System
Agencies must use a core financial system that is a commercial off-the-shelf (COTS) system and
has been certified by the Financial Systems Integration Office (FSIO) as meeting the core
financial system requirements. If the core financial system is not up-to-date with FSIO
certification, agencies should consider upgrading to a certified version of the same COTS product
or implement a different certified product.
B. FSIO Testing
FSIO will establish processes for testing COTS software products supporting core financial
system requirements. The test will verify that the COTS products meet the core financial system
requirements. The product configuration used in the test will become the certified configuration
for that software product.
C. Frequency of FSIO Testing
The FSIO certification tests are to be conducted as prescribed in the Core Federal Financial
System Software Qualification Testing Policy issued by FSIO.
D. Policy Exceptions
1
See Core Systems Functions from the Financial Systems Integration Office (FSIO) Core Financial System
Requirements.
2
Often referred to as a feeder system.
2
�In general, agencies will not be exempt from any part of the policy. However, there may be two
exceptions given a legitimate need: (1) deviation from the standard configurations (see Section
6.E; and (2) exception to competition when upgrading or modernizing core financial systems (see
Section 7.D).
E. Standard Configuration
Agencies must utilize the certified configurations as defined, tested and certified by FSIO as they
become available. However, exceptions may be granted if there is a legitimate and valid need for
them. To obtain an exception to deviate from the certified configurations, OMB must first be
provided with a justification for approval. Agencies will be required to register any approved
configuration changes with FSIO. FSIO will issue guidance, as needed, with respect to
implementing the certified configurations and requesting and reporting deviations.
F. Periodic Review of Standard Configuration
Agencies that have implemented core financial systems with the certified configurations will
undergo periodic reviews which will be performed by FSIO. The reviews will assess whether
deviations occurred from the certified version. FSIO will issue guidance with respect to these
periodic reviews.
G. Adoption of Standard Business Processes
3
Agencies are required to adopt the standard government business processes as established by
FSIO. These standards will be included in the FSIO’s core financial system requirements
documentation. The standards should be adopted as agencies upgrade to the next major release
of their current core financial system or migrate to a different core financial system.
H. Implementation
During implementation, agencies must monitor the project’s progress and institute performance
measures 4 to ensure that it is on schedule and within budget. Agencies must also assess risks
regularly and mitigate them in a timely manner. To do so, agencies must provide periodic
briefings to OMB, at its request, that detail the project’s progress.
I.
Maintenance
Agencies must ensure that their service provider periodically performs on-going maintenance of
the core financial system to support the most current Federal business practices and systems
requirements. Agencies must also verify whether their service provider is continuing to meet its
Service Level Agreement.
3
The standard business processes are defined by FSIO in the Standard Federal Financial Business Processes
(SFFBP) Document.
4
See OMB Memorandum M-05-23, Improving Information Technology (IT) Project Planning and Execution.
3
�J. Continuity of Operation Plan (COOP) and Disaster Recover (DR) Plan
Agencies must continually evaluate that their core financial systems’ Continuity of Operation Plan
and Disaster Recovery Plan are both adequate and feasible. The plan shall be tested on an
annual basis.
K. Documentation
Core financial systems’ processing instructions shall be clearly documented in hard copy or
electronically in accordance with (a) the requirements contained in the core financial system
requirements document issued by FSIO or (b) other applicable requirements. All documentation
(e.g., software, system, operations, user manuals, and operating procedures) shall be kept up-todate and be readily available for examination. System user documentation shall be in sufficient
detail to permit a person with knowledge of the agency's programs and of systems generally, to
obtain a comprehensive understanding of the entire operation of each system. Technical
systems documentation such as systems specifications and operating instructions shall be
adequate to enable technical personnel to operate the system in an effective and efficient
manner.
L. Training and User Support
Adequate training and appropriate user support shall be provided to the users of the core
financial systems, based on the level, responsibility, and roles of individual users. Training shall
enable the users of the systems at all levels to understand, operate, and maintain the system.
M. Core Financial System Requirements Title Change
The core financial system requirements document previously issued under the Office of Federal
Financial Management (OFFM) will be considered to have been issued under the Financial
Systems Integration Office (FSIO).
N. Non-Core Financial System Requirements
Specific non-core financial system requirements, previously published by the Joint Financial
Management Improvement Program (JFMIP) and known as the JFMIP Federal Financial
Management System Requirements (FFMSR) series, should be regarded as guidance when
defining system requirements for acquisition. The FFMSR requirements are not part of the
Federal financial management systems requirements for FFMIA and therefore should not be used
to determine substantial compliance.
7. Service Provider Requirements
A. Use of External Providers
When upgrading to the next major release of its current core financial system or modernizing to a
different core financial system, an agency must use an external provider which is either a Federal
shared service provider that has been designated by OMB or a commercial vendor. The
implemented system must also be maintained by the external provider. If agencies cannot
migrate to an external provider immediately, then they should take incremental steps by moving
their hosting or application management support to a provider.
4
�B. Minimum Requirements of External Providers
The external provider must demonstrate to the Federal agency its ability to:
1) meet applicable Federal requirements, (e.g., the Federal Information Security Management
Act of 2002 (FISMA) and compliance with Section 508 of the Rehabilitation Act and FFMIA);
2) operate and maintain a COTS software package that complies with FSIO’s core financial
system requirements;
3) meet the requirements of the Financial Management Due Diligence Checklist; and
4) provide a SAS 70 audit report to its customers or allow customer auditors to perform
appropriate tests of internal controls at its organization.
FSIO will maintain and publish the most current list of OMB designated Federal service providers
and the Due Diligence Checklist.
C. Competitive Process
Agencies are required to hold a competition among the OMB designated Federal providers and
commercial vendors when upgrading their current core financial system or modernizing to a
different core financial system.
D. Competition Exemption
Agencies may be allowed to conduct a non-competitive migration or a competitive migration
involving only commercial providers (if authorized by law) or OMB designated providers if they
prepare a full justification, generally including the type of information called for by section 6.303-2
of the Federal Acquisition Regulation (FAR). The justification shall be approved by the agency’s
Chief Financial Officer, Chief Information Officer, and Chief Acquisition officer. Agencies shall
confer with OMB prior to proceeding with a migration that is noncompetitive or is otherwise limited
in accordance with this paragraph.
An agency may rely on its in-house operations if the agency demonstrates to OMB that its
internal operations represent a best value and lower risk alternative. This demonstration shall be
made through the establishment of a most efficient organization and public-private competition,
unless there is a justified basis for foregoing competition or for using a limited form of competition,
such as public-public competition. The justification shall be documented in the same general
manner prescribed in Part 6 of the FAR for the use of other than full and open competition.
E. Tracking Results
Agencies shall monitor performance, regardless of the selected service provider, for all
performance periods stated in the solicitation. Performance measurement and reporting shall be
consistent with OMB guidance on earned value management. See OMB Memorandum M-05-23.
5
�8. FFMIA Compliance
A. Definition of Substantial Compliance
Substantial compliance is achieved when an agency’s financial management systems routinely
provide reliable and timely financial information for managing day-to-day operations as well as to
produce reliable financial statements, maintain effective internal control, and comply with legal
and regulatory requirements. FFMIA substantial compliance will be determined annually at the
department-wide or agency-wide level for the 24 major CFO Act agencies. 5 Agencies can
determine whether the requirements are being met by applying the FFMIA risk model, which
ranks risks from nominal to significant (See Figure 1). The risk indicators in the model assist
agencies in determining whether reliable and consistent information is available for decision
making. The higher the risk, the more likely the agency is non-compliant.
Figure 1. FFMIA Compliance Risk Model
If agencies fall under a nominal risk category, then the risk of noncompliance is low. Meeting the
indicators for nominal risk signals that substantial compliance is adequately supported and additional
supporting information should not be necessary. However, during the course of its financial
statements audit, the financial statement auditor may request additional information to support
compliance or, at its discretion, perform further testing. If agencies are under a significant risk
category, then they are not in compliance with FFMIA and must identify remediation plans and
resolve them. Agencies under moderate risk may need to provide further information to support
compliance. Specific guidance may be found in the FFMIA Implementation Guide of 2008. 6
5
The 24 CFO Act agencies are defined in Appendix A of the OMB Bulletin No. 07-04, Audit Requirements for Federal
Financial Statements, as amended.
6
http://www.whitehouse.gov/omb/financial/ffmia_implementation_guidance.pdf
6
�B. FFMIA Risk Indicators
Table 1 provides key indicators within each of the three risk categories for determining the level of
risk for each agency. The indicators represent the major criteria for determining FFMIA
compliance, but may not reflect indicators that would be unique to specific agency missions.
Risk
FFMIA
Indicators
Category
Determination
1. FSIO certified system;
2. No internal control findings reported under Section 2 FMFIA over
financial reporting and Section 4;
3. No FISMA significant deficiencies impacting financial management
systems;
Nominal
Risk
4. Unqualified audit opinion;
Substantial
compliance may be
determined without
additional
5. No auditor-reported material weakness;
supporting
6. No persistent 7 auditor-reported significant deficiencies related to
information
financial management systems; and
7. No significant manual year-end adjustments both in number of
entries and value of transactions.
1. Non-FSIO certified system;
2. Internal control findings reported under Section 2 FMFIA
3. Qualified audit opinion;
Moderate
Risk
Substantial
compliance only if
agencies provide
4. Auditor-reported material weakness;
5. Persistent auditor-reported significant deficiencies related to financial
management systems; or
6. Significant manual year-end adjustments both in number of entries
additional
information to
demonstrate
compliance
and value of transactions.
1. Findings reported under FMFIA Section 4;
Significant
Risk
2. FISMA significant deficiencies impacting financial management
systems; or
Noncompliance
3. Disclaimer or adverse opinion.
Table 1
7
Refers to auditor-reported significant deficiencies lasting 3 or more years
7
�C. Section 803(a) Requirements
1) Federal Financial Management System Requirements
The Federal Financial management system requirements consist of three parts: (1) computer
security requirements; (2) internal controls; and (3) FSIO core financial system requirements.
a. Computer Security Requirements
The security controls requirements are defined by FISMA and Circular A-130 and/or
successor documents.
b. Internal Controls
The internal controls requirements are internal control objectives of Circular A-123
(including the body of the A-123 and Appendix A), which ensure resource use is
consistent with laws, regulations, and policies; resources are safeguarded against waste,
loss, and misuse; and reliable data are obtained, maintained, and disclosed in reports.
c. FSIO Core Financial System Requirements
The core financial system requirements are defined by FSIO’s core financial system
requirements.
2) Federal Accounting Standards
When applicable, agency financial management systems shall maintain accounting data to
permit reporting in accordance with Federal accounting standards, and reporting
requirements issued by the Director of OMB and/or the Secretary of the Treasury. Where no
accounting standards have been recommended by FASAB and issued by the Director of
OMB, the systems shall maintain data in accordance with the applicable accounting
standards used by the agency for preparation of its financial statements.
3) Application of the U.S. Government Standard General Ledger at the Transaction Level
Financial events shall be recorded applying the requirements of the U.S. Government
Standard General Ledger (USSGL). Application of the USSGL at the transaction level means
that each time an approved transaction is recorded in the system, it will generate appropriate
general ledger accounts for posting the transaction according to the rules defined in the
USSGL guidance.
D. Applicability of FFMIA
Agencies covered by the CFO Act must comply with the FFMIA Section 803(a) requirements.
Agencies not covered under the Act are not required to comply with the FFMIA requirements, but
are still encouraged to adhere to them.
The FFMIA law requires all financial management systems to adhere to FFMIA Section 803(a)
requirements. However, certain Section 803(a) requirements will only be applicable to the core
financial system. All systems must be in compliance with computer security and internal controls
requirements. However, only core financial systems must be compliant with FSIO core financial
system requirements and accounting standards as well as apply the USSGL at the transaction
level. The core system requirements do not apply to mixed systems unless the systems perform
the core system function. Additionally, mixed systems should only adhere to the specific
accounting standards that are applicable to mixed systems (e.g., loans). Finally, mixed systems
8
�do not have to record transactions using USSGL accounts. Nonetheless, data coming from the
mixed system must be posted to the core financial system using proper USSGL accounts and
accounting standards.
E. Review of Financial Management Systems
Agencies should perform an annual review of their financial management systems to verify
compliance with computer security and internal controls. When reviewing their systems,
agencies should leverage the results of related reviews such as those required by FISMA and
Circular A-123. In general, agencies using the latest FSIO certified financial system are not
required to perform a separate review of their core financial system to verity compliance with the
FSIO core financial systems requirements, accounting standards, or USSGL. Agencies that do
not use the latest version of the FSIO certified system may be required to perform self
assessments of their core financial system.
9. Assignment of Responsibilities
A. Agency Responsibilities
Agencies shall perform the financial management system responsibilities prescribed by legislation
referenced in Section 3 "Authorities" of this Circular. In addition, each agency shall take the
following actions:
1) Oversight of Financial Management Systems
Agencies are responsible for managing their financial management systems even when they
utilize a service provider to implement, operate and maintain the systems. Agencies must
also ensure that their financial management systems meet applicable Federal requirements
and are adequately supported throughout the systems’ life cycle. All agreement and
contracts with service providers must clearly outline the goals necessary to achieve sound
financial management. Furthermore, agencies must monitor the service providers’
performance and ensure that service failures are resolved promptly.
2) Develop and Maintain Agency-wide Financial Management System Plans
Agencies must prepare a plan for their financial management systems, which incorporates
their strategic plan, financial management plan, enterprise architecture, and budget request.
Once a plan is established, it must be updated at least annually or earlier when a significant
event occurs (e.g., reorganization).
In establishing a plan, an agency must consider its own financial management systems’ life
cycle. Specifically, it must project a reasonable useful life of the investment and plan the next
system upgrade accordingly. Technology trends and product support schedules should be
considered when projecting the useful life. The plan must also identify existing problems
related to the current system.
Each financial management system plan must:
a. describe the existing financial management system architecture and any changes
needed to implement a targeted architecture;
b. be consistent with the enterprise architecture, information resource management plan,
and IT capital plan;
c. provide a strategy for maintaining adequacy, consistency, and timeliness of financial
information;
9
�d. identify projects necessary to achieve FFMIA substantial compliance within three years
from the date of noncompliance;
e. contain milestones for correcting any material weaknesses;
f.
identify and make proposals to eliminate duplicative and unnecessary systems;
g. include a strategy to migrate to an external provider;
h. contain milestones for equipment acquisitions and other actions necessary to implement
the plan;
i.
identify financial management personnel needs and actions to ensure those needs are
met; and
j.
estimate the costs of implementing the plan.
Once a plan is established, an agency must obtain approval from its Investment Review
Board (IRB) if major changes are needed. The approved financial management systems
plan will provide a basis for the agency’s business case. The business case must include an
estimate of the full cost necessary to complete the upgrade, and have considered different
alternatives in measuring the risks and costs for the plan. The business case will be used to
justify funding and, therefore, must be clearly stated in the agency’s budget request.
Agencies should communicate progress against the approved business case and financial
management systems plan with OMB throughout the financial management system lifecycle.
A summary of the plan should be included in the agency’s annual financial report as
instructed in OMB Circular No A-136, “Financial Reporting Requirements.” For agencies not
covered under the CFO Act, they need to prepare the plans but are not required to report
them in their annual financial reports.
3) Develop and Maintain an Agency-wide Inventory of Financial Management Systems
Agencies are required to maintain an inventory of their existing and proposed financial
management systems. Annually, agencies will provide FSIO with an annual inventory of their
financial management systems.
4) Develop and Maintain Agency Financial Management System Directives
Agencies shall issue, update, and maintain agency-wide financial management system
directives to reflect policies defined in this Circular.
B. FSIO Responsibilities
FSIO will issue and maintain all financial management business processes standards, core
financial system requirements documents and all software certifications. Additionally, FSIO will
develop and administer the certification test; notify the public and agencies when a software
package successfully completes the certification test; and provide interested parties with
information on the results of the certification tests for certified software products.
10
�C. GSA Responsibilities
GSA will make procurement vehicles available to agencies for acquiring software that has been
certified according to the processes in Section 6.B.
10. Information Contact
All questions or inquiries should be referred to the OFFM Financial Analysis and Systems Branch at
(202) 395-3993.
11. Review Date
This Circular shall be reviewed three years from its issuance date to ascertain its effectiveness.
12. Effective Date
This Circular is effective as of October 1, 2009. However, early implementation, where applicable, is
encouraged.
11
�
| File Type | application/pdf |
| File Title | Circular A-127-- Financial Management Systems (Attachment) |
| Author | OMB |
| File Modified | 2009-01-09 |
| File Created | 2009-01-09 |