Analysis of OPM’s Systems Controls and Legal Compliance

Director Ahuja spoke at the Milken Institute’s Health Summit and discussed how the Federal government is supporting employee mental health and well-being.

This section provides information on OPM’s compliance with the following legislative mandates:

  • Federal Managers’ Financial Integrity Act (FMFIA)
  • Federal Financial Management Improvement Act (FFMIA)
  • Federal Information Security Modernization Act (FISMA)
  • Prompt Payment Act
  • Debt Collection Improvement Act (DCIA)
  • Payment Integrity Information Act (PIIA)
  • Inspector General Act, as amended
  • Civil Monetary Penalty Act
  • Compliance with Other Key Legal and Regulatory Requirements

Management Assurances Office of Personnel Management FY 2023

Statement of Assurance

OPM is responsible for managing risks and maintaining effective internal control to meet the objectives of Sections 2 and 4 of the Federal Managers’ Financial Integrity Act (FMFIA). OPM conducted its assessment of risk and internal control in accordance with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. Based on the results of the assessment, the Agency can provide reasonable assurance that internal control over operations, reporting, and compliance was operating effectively as of September 30, 2023, except for the material weakness described in Exhibit A.

The Federal Financial Management Improvement Act (FFMIA) requires agencies to implement and maintain financial management systems that are in substantial compliance with Federal financial management system requirements, applicable Federal accounting standards, and the U.S. Government Standard General Ledger at the transaction level. Based on the results of OPM’s FFMIA compliance assessment, the Agency can provide reasonable assurance that it substantially complies with FFMIA.

Kiran A. Ahuja
Director 
11/13/2023

Compliance with the Federal Managers’ Financial Integrity Act (FMFIA)

The FMFIA requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:

  • Effective and efficient operations,
  • Reliable financial reporting, and
  • Compliance with applicable laws and regulations.

FMFIA requires that agencies conduct evaluations of their systems of internal control and annually provide reasonable assurance to the President and the Congress on the adequacy of those systems. OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, provides the implementing guidance for FMFIA and provides guidance to federal managers on improving accountability and effectiveness of federal programs as well as mission-support operations through implementation of Enterprise Risk Management (ERM) practices and by establishing, maintaining, and assessing internal control effectiveness. The OMB Circular A-123 emphasizes the need to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an Agency. In addition, OMB Circular A-123, Appendix A, Management of Reporting and Data Integrity Risk (Appendix A), contains specific requirements for agencies to assess internal control over reporting. OPM’s Risk Management Council (RMC) oversees the Agency’s internal control program. The RMC is chaired by the Chief Management Officer and includes senior representatives from all major OPM organizations. The Risk Management and Internal Control group (RMIC) within the OCFO has primary responsibility for coordinating the annual assessment of internal control.

OPM employs a multi-pronged approach to evaluating its systems of internal control over Agency operations, reporting, and compliance with applicable laws and regulations. Under the oversight of the RMC, office heads conducted self-assessments of the internal controls under their purview. They provided an assurance statement detailing whether their internal control systems met the requirements of FMFIA. This included an assessment of entity-level controls. Each business unit assessed its controls against the 17 internal control principles from the GAO Standards for Internal Control in the Federal Government. As part of the overall assessment, RMIC reviewed these submissions along with applicable reports of audits performed by the OIG and GAO throughout the reporting period to determine if there were other material weaknesses that should be reported in the assurance statement. Finally, in accordance with Appendix A, OPM assessed the effectiveness of its key internal controls to support reliable reporting.

Appendix A also requires that agencies develop and maintain a Data Quality Plan (DQP) that considers the incremental risks to data quality in federal spending data and any controls that would manage such risks in accordance with OMB Circular A-123. As part of our assessment of internal control over reporting objectives, RMIC tested the operating effectiveness of key controls contained in OPM’s DQP.

Enterprise Risk Management

To assist the OPM senior leaders in meeting the requirements of OMB Circulars A-123 and A-11, OPM’s RMC focuses on risk management at an enterprise level, an organization-level, and a program-level. The RMC is responsible for implementing, directing, and overseeing the implementation of OMB Circular A-123 and all the provisions of a robust process of risk management and internal control.

The RMC develops, implements, and leads the strategies, policies, procedures, and systems established by management to identify, assess, measure, and mitigate the major risks facing the agency.

The RMC provides input and oversight for all risk management-related activities concerning the overall mission and strategic goals and objectives, enhancing understanding of the overall risk in accomplishing the agency’s strategic goals and objectives, and reviewing the agency’s risk assessment methodologies to obtain reasonable assurance of the completeness and accuracy of mitigation strategies and their effectiveness in reducing the risk. The RMC is also responsible for ensuring the establishment and maintenance of an effective system of internal control.

Exhibit A – Summary of Material Weakness

Information System Control Environment

In FY 2023, OPM’s Independent Auditor reported deficiencies in various aspects of OPM’s information systems control environment, including in the areas of Security Management, Logical Access, Configuration Management, and Interface / Data Transmission Controls. The information system issues identified in FY 2023 included repetitive conditions consistent with prior years, as well as new deficiencies. OPM OCIO has made significant progress to remediate the remaining issues that contribute to the material weakness. OPM OCIO closed 13 IT Notices of Findings and Recommendations during the FY 2023 financial audit, and an additional 11 IT-related recommendations issued separately by the OIG for the financial statement audit. Due to the continued existence of these deficiencies, they are reported collectively as a material weakness in OPM’s internal control over operations.

OPM is committed to assessing each condition contributing to the material weakness and will develop an appropriately risk-based, cost-effective plan to address each condition within the OCIO.

Compliance with the Federal Financial Management Improvement Act (FFMIA)

Financial Management Systems

The Federal Financial Management Improvement Act of 1996 (FFMIA) was established to ensure that Federal financial management systems provide accurate, reliable, and timely financial management information to the Federal Government managers and leaders. Further, the Act required this disclosure be done on a basis that is uniform across the Federal Government from year to year by consistently using professionally accepted accounting standards. Specifically, FFMIA requires each agency to implement and maintain systems that comply substantially with:

  • Federal Government financial management systems requirements.
  • Applicable Federal Government accounting standards.
  • The United States Standard General Ledger (USSGL) at the transaction level.

OPM completed an assessment of the systems of internal control against the FFMIA guidelines. OPM determined that for FY 2023, OPM complies with Federal Government financial management systems requirements, Federal Financial Accounting Standards, and application of the USSGL. The objectives of our assessment were to ensure that our financial systems achieve their intended results. The Agency reported a non-conformance with the Federal financial management system requirements in FY 2022 due to the material weakness reported in the information system control environment. In May 2021, OPM migrated its core accounting system, Consolidated Business Information System (CBIS), to the Department of Transportation, Federal Aviation Administration’s (FAA) Enterprise Service Center (ESC) Delphi platform. During FY 2023, OPM also migrated its Trust Fund accounting system, Federal Financial System (FFS), to the Federal shared service provider Administrative Resource Center (ARC) Integrated Oracle Solution (AIOS). The migration of OPM’s core accounting systems from legacy systems to third-party service provider platforms allows OPM to leverage the latest technology and adhere to Federal financial management system requirements. Based on OPM’s FY 2023 FFMIA compliance assessment, the Agency has reported substantial compliance with FFMIA and closed the material weakness. The results also indicated that OCFO was consistent with FFMIA guidelines and OPM’s mission to provide reliable and timely information for agency decision-making.

In addition, OPM’s resources were used consistent with OPM’s mission and are in compliance with applicable laws; funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; revenues and expenditures are properly recorded and accounted for to maintain accountability over the assets; and reliable and timely information was maintained, reported, and used for decision making. CFO financial information systems continue to support OPM’s strategic goal to “Exceed the Government-wide average satisfaction score for each agency mission support service” through identifying, building, and managing financial management solutions that sustain OPM’s mission, objectives, and overall government requirements.

FFMIA requires management to ensure OPM’s financial management systems consistently provide reliable data that comply with federal financial management system requirements, applicable federal accounting standards, and the USSGL at the transaction level. Appendix D to OMB Circular A-123, Compliance with the FFMIA, and OMB Circular A-130, Managing Federal Information as a Strategic Resource, provide specific guidance to agency managers when assessing conformance to FFMIA requirements.

OPM’s vision for its financial systems is to provide accurate financial management information to internal and external stakeholders to support data-driven decision making, promote sound financial management, and enhance financial reporting and compliance activities. This vision aligns with the agency’s strategic priority to “provide innovative and data-driven solutions” that enable the agency to deliver our mission. The agency uses the following core financial management applications:

  • ARC Integrated Oracle Solution (AIOS), the financial system platform provided by the Department of the Treasury, Bureau of the Fiscal Service (BFS), Administrative Resource Center (ARC), is used for trust funds accounting and financial management activities.
  • DELPHI, the financial system platform provided by the Department of Transportation (DOT), Federal Aviation Administration, Enterprise Service Center (ESC), is used for financial transaction processing as well as reporting and analysis to support management of the agency’s Salaries & Expense and Revolving Funds.

In FY 2023, OPM, through an effective partnership with ESC, managed implementation efforts for the following system enhancements:

  • Deployed an integrated solution with the Department of the Treasury, BFS G-Invoicing application to DELPHI users to meet the governmentwide mandate deadline of October 1, 2022. This solution allows OPM to better manage interagency agreements (IAAs) with a common data standard and the expectation that intragovernmental financial differences will significantly decrease. Continue to update G-Invoicing on process improvements and functionalities to better meet business goals in FY 2024.
  • Implemented Splash Business Intelligence (BI), which provides users with a new reporting tool with modernized ad hoc functionality and data visualization capabilities for faster and deeper insights into financial activity.
  • Completed development and testing for automated AP approval invoices workflow to eliminate manual approval activities, reduce transaction posting time, risks, and interest penalties. This automation is targeted to be in production in FY 2024.
  • Configured and tested a Miscellaneous Expense module that will eliminate manual processing of miscellaneous expenses (e.g., parking fees, mailing fees, etc.) while allowing a mechanism to provide quick processing of expense reports for payment. This module is targeted to be implemented in FY 2024.

OPM leverages AIOS for accounting and financial management activities related to the trust funds for the federal earned benefit programs. In FY 2023, OPM migrated trust funds accounting functionality including core financial management and investment management capabilities from the legacy mainframe Federal Financial System (FFS) to AIOS, the shared service provider platform provided by the Department of the Treasury ARC.

With this transition, OPM’s financial accounting platform is now operated under a shared services model, leveraging a modernized financial management system and streamlined business processes. As a customer of Treasury ARC, OPM’s financial system for Trust Funds is Oracle E-Business Suite, which is an FFMIA system and is compliant, with no internal findings on FMFIA financial reporting and no FISMA-related findings. The Treasury ARC financial solution allows OPM to leverage the latest technology and adhere to standardized Federal accounting standards. The Treasury ARC solution also includes the Oracle Business Intelligence (OBI) reporting tool, which offers standard financial management reports that comply with Federal accounting standards.

In FY 2024, OPM aims to enhance insurance benefits financial management processes, improve trust funds reporting capabilities, and prepare financial systems and processes for the Postal Reform Act implementation, which mandates OPM to establish and manage a separate health benefit program for postal employees, retirees, and eligible family members. Requirements for these efforts have been documented, and OPM’s partnership with Treasury continues in FY 2024 with design, configurations, development, testing, and training activities for these added functionalities.

Compliance with the Inspector General Act

The Inspector General Act, as amended, requires agencies to report on the final action taken with regard to audits by its Office of the Inspector General. OPM is reporting on audit follow-up activities for the period October 1, 2022, through September 30, 2023. Table 14 – Inspector General Audit Findings provides a summary of OIG’s audit findings and actions taken in response by OPM management during this period.

Table 14 – Inspector General Audit Findings

| FY 2023 | Number of Reports | Questioned Costs ($ in Millions) |
|---|---|---|
| Reports with no management decision on October 1, 2022 | 7 | $17.3 |
| New reports requiring management decisions | 12 (see Footnote 1) | 54.7 |
| Management decisions made during the year | 8 | 21.5 |
| Net disallowed costs | | 20.7 (see Footnote 2) |
| Net allowed costs | | 0.8 (see Footnote 3) |
| Reports with no management decision on September 30, 2023 | 11 | 50.4 |

Source: Audit Reports Issued with Questioned Costs for reporting periods October 1, 2022, through March 31, 2023, and April 1, 2023, through September 30, 2023.

Purpose: To provide data to the OCFO to be included in the fiscal year 2023 Management Discussion and Analysis for OPM’s Performance and Accountability Report.

Footnote 1

The number of new reports requiring a management decision represents reports with monetary recommendations. This year, 34 reports were issued and 12 of them had monetary recommendations, and 22 reports, which are not reflected in the table, had no monetary recommendations.

Footnote 2

Represents the net of disallowed costs, which includes disallowed costs during this reporting period less costs originally disallowed but subsequently allowed during this reporting period.

Footnote 3

Represents the net of allowed costs, which includes allowed costs during this reporting period plus costs originally disallowed but subsequently allowed during this reporting period.

Federal Information Security Modernization Act (FISMA)

The FISMA requires the Office of the Chief Information Officer (OCIO) to conduct an annual Agency security program review in coordination with Agency program officials. OPM is pleased to provide the results of this review conducted for FY 2023.

In FY 2023, OPM’s cybersecurity maturity level is measured as “3 - Consistently Implemented”.

Before the kick-off of the FY 2023 FISMA audit, the agency completed a self-assessment of the FISMA metrics to determine our current maturity level status and future metric goals for the next two fiscal years. This self-assessment allowed the agency and the OIG to focus discussions, goals, fieldwork, and audit recommendations on the current maturity level status and achievable targets specific to our operating environment and priorities established by the Chief Information Officer (CIO).

The resulting FISMA audit recommendations and cybersecurity maturity level ratings established by the OIG are under review by the Agency. In FY 2023, OPM took corrective actions that resulted in the closure of 74 FISMA recommendations (i.e., 25 unique, 49 non-unique). OPM is committed to working with the OIG to continually improve IT operations and services.

OPM is pleased to report that we have improved our Council of the Inspectors General on Integrity and Efficiency (CIGIE) maturity model score overall, with specific improvements in the Identify function area. Specifically, OPM improved our metric scores in the Identify domain, including hardware and software inventories, enterprise architecture, risk governance, and supply chain risk management strategy, policies, and procedures. These improvements accounted for a 42% increase from Fiscal Year 2022. The agency also made marked improvements in the Detect and Recover function areas, improving our scores by 25% and 33%, respectively. The increase in score reflects the work dedicated to Information System Continuous Monitoring (ISCM) and Contingency Planning domain metrics to increase ongoing system authorizations, and to contingency planning. Through our metric improvements, the number of Level 1 ad hoc maturity level ratings reduced from 16 to 3, a reduction of 81%.

In FY 2023, OPM closed 74 FISMA recommendations. Additionally, the agency successfully closed 26 cybersecurity recommendations (i.e., 7 GAO, 19 OIG) from other audit engagements. OPM is committed to continuing the trend of collaboration to reduce the number of open IT audit recommendations.

Compliance with Other Key Legal and Regulatory Requirements

OPM is required to comply with other legal and regulatory financial requirements. Information concerning these regulatory requirements can be found in the Other Information, Section 3, of this report.

OPM continues to work towards improving its procedures and controls, since transitioning to the new Trust Funds financial accounting platform to support the reporting objectives of the Digital Accountability and Transparency Act (DATA Act) of 2014, P.L. No. 113-101, as implemented by OMB and the Treasury Department. Among other requirements, it requires a federal agency to notify the Treasury of any legally enforceable non-tax debt owed to such agency that is over 120 days delinquent so that Treasury can offset such debt administratively; previously, it was 180 days per the Debt Collection Improvement Act (DCIA). In FY 2015, OMB Memorandum M-15-12 was issued for reporting requirements pursuant to the DATA Act.

By the authority of 31 U.S.C. 3512(b) and 3513, the Secretary of the Treasury mandated that all federal program agencies (FPAs) must use G-Invoicing, the long-term solution for FPAs to manage their intragovernmental (IGT) Buy/Sell transactions, by October 1, 2022, for new orders. G-Invoicing is intended to help agencies and their trading partners negotiate and accept General Terms and Conditions (GT&C) agreements, broker orders, exchange performance information, and validate settlement requests through Intra-Governmental Payment and Collection (IPAC). OPM implemented G-Invoicing on October 1, 2022, in accordance with Treasury’s mandate. However, OPM still has a few IGT transactions that use ‘legacy’ processes (using PDF 7600As & Bs) in order to accommodate trading partners that have not yet implemented G-Invoicing for themselves. Nevertheless, as a requesting agency, OPM completed 120 GT&Cs with an estimated total value of $182.6 million and 109 open orders totaling $103.8 million. As a servicing agency, OPM completed 610 GT&Cs with an estimated total value of $529.9 million and 525 open orders totaling $202.8 million. Finally, OPM and its shared service provider, the Federal Aviation Administration (FAA) Enterprise Services Center (ESC), continue to work with Treasury and Oracle to improve the G-Invoicing system for both OPM and its trading partners as G-Invoicing usage is expected to increase in coming years.

Deputy Director Shriver spoke at the Combined Federal Campaign closing ceremony.

Forward-Looking Information

OPM is dedicated to achieving agency strategic goals and continuing to lead and serve the Federal Government in enterprise human resources management by delivering policies and services to achieve a trusted, effective, civilian workforce. In meeting this goal, OPM faces a governmentwide challenge in strategic human capital management. OPM continues efforts to address skill gaps within the Federal workforce adequately.

In addition, OPM is responsible for administering Government-wide benefits for Federal employees and their eligible dependents, annuitants, and survivors. A continued OPM challenge is protecting the financial integrity and providing effective stewardship of these benefit programs.

Lastly, OPM continues to work on improving and modernizing the technology environment and organizational structure. OPM has faced challenges with dedicated funding for IT modernization to ensure that goals are met.

Looking forward, OPM continues to work on addressing these top management challenges; more information on these can be found in the Other Information – Section 3.

Goals and Strategies

OPM is firmly committed to improving financial and operational performance and has received an unmodified audit opinion on OPM’s financial statements for 24 consecutive years. OPM will continue to strengthen its enterprise-wide managerial cost accounting system across the Agency; provide financial and other reports to financial and program managers; integrate financial and performance information; use such information to formulate our annual budget requests; as well as for day-to-day management and program analysis. OPM established and has followed the strategy below to achieve the goals for improved financial-management performance:

  • Ensure that critical financial performance indicators are objective, understandable, meaningful, fair, and fully measurable;
  • Improve internal controls over financial reporting through improved systems and processes;
  • Re-affirm processes, controls, and procedures to ensure that continuing Independent Public Accountant (IPA) unmodified audit opinions will be achieved;
  • Continue to implement a financial management system fully compliant with Federal standards providing sound, effective, support to all customers;
  • Strengthen stewardship, accountability, and internal controls over financial reporting, as stipulated by revised OMB Circular A-123; and
  • Reduce improper payments to target levels.

Limitations of the Consolidated Financial Statements

  • The principal financial statements have been prepared to report OPM’s financial position and results of operations, pursuant to the requirements of 31 United States Code 3515(b).
  • The statements have been prepared from OPM’s records in accordance with U.S. generally accepted accounting principles for Federal entities and the formats prescribed by the OMB. They are in addition to the financial reports used to monitor and control OPM’s budgetary resources, which are prepared from the same books and records.
  • The statements should be read with the realization that they are for a component of the United States Government, a sovereign entity.
