Skip to page navigation
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

OPM.gov / About / 2024 Agency Financial Report / Management’s Discussion and Analysis – Section 1 / Analysis of Systems, Controls, and Legal Compliance
Skip to main content

Analysis of Systems, Controls, and Legal Compliance

Former Director Ahuja stood alongside 4 individuals on a platform with a large crowd behind them.
Former Director Ahuja joined with other government leaders
at a fireside chat at the White House Initiative
on Asian Americans, Native Hawaiians, and Pacific Islanders’
Federal Employee Leadership Development Conference.

This section provides information on OPM’s compliance with the following legislative mandates:

  • Federal Managers’ Financial Integrity Act (FMFIA)
  • Federal Financial Management Improvement Act (FFMIA)
  • Federal Information Security Modernization Act (FISMA)
  • Prompt Payment Act
  • Debt Collection Improvement Act (DCIA)
  • Payment Integrity Information Act (PIIA)
  • Inspector General Act, as amended
  • Civil Monetary Penalty Act
  • Compliance with Other Key Legal and Regulatory Requirements

Management Assurances

Office of Personnel Management

FY 2024 Statement of Assurance

Compliance with the Federal Managers’ Financial Integrity Act (FMFIA)

The FMFIA requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:

  • Effective and efficient operations,
  • Reliable financial reporting, and
  • Compliance with applicable laws and regulations.

FMFIA requires that agencies conduct evaluations of their systems of internal control and annually provide reasonable assurance to the President and the Congress on the adequacy of those systems. OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, provides the implementing guidance for FMFIA and provides guidance to Federal managers on improving accountability and effectiveness of Federal programs as well as mission-support operations through implementation of Enterprise Risk Management (ERM) practices and by establishing, maintaining, and assessing internal control effectiveness. The OMB Circular A-123 emphasizes the need to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an agency. In addition, OMB Circular A-123, Appendix A, Management of Reporting and Data Integrity Risk (Appendix A), contains specific requirements for agencies to assess internal control over reporting. OPM’s Risk Management Council (RMC) oversees the agency’s internal control program. The RMC is chaired by the Chief Management Officer and includes senior representatives from all major OPM organizations. The Risk Management and Internal Control group (RMIC) within the OCFO has primary responsibility for coordinating the annual assessment of internal control.

OPM employs a multi-pronged approach to evaluating its systems of internal control over agency operations, reporting, and compliance with applicable laws and regulations. Under the oversight of the RMC, office heads conducted self-assessments of the internal controls under their purview. They provided an assurance statement detailing whether their internal control systems met the requirements of FMFIA. This included an assessment of entity-level controls. Each business unit assessed its controls against the 17 internal control principles from the GAO Standards for Internal Control in the Federal Government. As part of the overall assessment, RMIC reviewed these submissions along with applicable reports of audits performed by the OIG and GAO throughout the reporting period to determine if there were other material weaknesses that should be reported in the assurance statement. Finally, in accordance with Appendix A, OPM assessed the effectiveness of its key internal controls to support reliable reporting.

Appendix A also requires that agencies develop and maintain a Data Quality Plan (DQP) that considers the incremental risks to data quality in Federal spending data and any controls that would manage such risks in accordance with OMB Circular A-123. As part of our assessment of internal control over reporting objectives, RMIC tested the operating effectiveness of key controls contained in OPM’s DQP.

Enterprise Risk Management

OPM’s ERM program provides a framework for proactively identifying, managing, and treating risks to achieving OPM’s strategic objectives and mission; and seeks to integrate risk management into operations to improve decision making and overall organizational effectiveness. OPM’s ERM policy sets forth a consistent approach to risk management throughout OPM in accordance with OMB Circulars A-123 and A-11. The Risk Management Council develops, implements, and leads OPM’s ERM program, including the strategies, policies, procedures, and systems established by management to identify, assess, measure, and manage the major risks facing the agency. The Risk Management Council is also responsible for ensuring the establishment and maintenance of an effective system of internal control.

Compliance with the Federal Financial Management Improvement Act (FFMIA)

Financial Management Systems

The FFMIA of 1996 was established to ensure that Federal financial management systems provide accurate, reliable, and timely financial management information to Federal Government managers and leaders. Further, FFMIA required this disclosure be done on a basis that is uniform across the Federal Government from year to year by consistently using professionally accepted accounting standards.

Specifically, FFMIA requires each agency to implement and maintain systems that comply substantially with:

  • Federal Government financial management systems requirements.
  • Applicable Federal Government accounting standards.
  • The United States Standard General Ledger (USSGL) at the transaction level.

OPM completed an assessment of the systems of internal control against the FFMIA guidelines. OPM determined that for FY 2024, OPM complies with Federal Government financial management systems requirements, Federal financial accounting standards, and application of the USSGL. The objectives of the assessment were to ensure that our financial systems achieve their intended results. In May 2021, OPM migrated its administrative core accounting system to the Department of Transportation (DOT), Federal Aviation Administration’s (FAA) Enterprise Service Center (ESC) Delphi platform. In FY 2023, OPM also migrated its trust fund accounting system to Treasury’s Bureau of the Fiscal Service (BFS), Administrative Resource Center (ARC) Integrated Oracle Solution (AIOS). The migration of OPM’s core accounting systems from legacy systems to third-party service provider platforms allows OPM to leverage the latest technology and adhere to Federal financial management system requirements.

Based on OPM’s FY 2024 FFMIA compliance assessment, OPM reported substantial compliance with FFMIA. OPM’s resources were used consistent with OPM’s mission and are in compliance with applicable laws; funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and revenues and expenditures are properly recorded and accounted for to maintain accountability over the assets; and reliable and timely information was maintained, reported, and used for decision making. Financial information systems continue to support OPM’s strategic goal to exceed the Government-wide average satisfaction score for each agency mission support service through identifying, building, and managing financial management solutions that sustains OPM’s mission, objectives, and overall Government requirements.

FFMIA requires management to ensure OPM’s financial management systems consistently provide reliable data that comply with Federal financial management system requirements, applicable Federal accounting standards, and the USSGL at the transaction level. Appendix D to OMB Circular A-123, compliance with the FFMIA, and OMB Circular A-130, Managing Information as a Strategic Resource, provides specific guidance to agency managers when assessing conformance to FFMIA requirements.

OPM’s vision for its financial systems is to provide accurate financial management information to internal and external stakeholders to support data-driven decision making, promote sound financial management, and enhance financial reporting and compliance activities. This vision aligns with the agency’s strategic priority to “provide innovative and data-driven solutions” that enable the agency to deliver on our mission. The agency uses the following core financial management applications:

  • AIOS, the financial system platform provided by the Treasury, BFS, ARC, is used for trust funds accounting and financial management activities related to the Federal earned benefits programs.
  • Delphi, the financial system platform provided by the DOT, FAA, ESC is used for financial transaction processing as well as reporting and analysis to support management of OPM’s Other Programs, which include the Salaries and Expense (S&E) and Revolving Fund.

In FY 2024, OPM, through an effective partnership with Treasury ARC, managed implementation efforts for the following system enhancements:

  • Deployed system enhancements to automate calculations and postings for year-end closing schedules. This effort reduced extensive manual work by bringing in data sources, validating calculations, and producing general ledger entries in the accounting system.
  • Enhanced existing debt collection business processes leveraging Treasury’s BFS Cross-Servicing Next Generation (CSNG) system to better align the balances between CSNG and OPM’s AIOS, including automating adjustments to close out debt cases.
  • Prepared for the PSRA implementation by enhancing financial systems and business processes to accurately process the new PSHBP premiums and withholdings, carrier payments, and investment activities.

OPM leverages Delphi for accounting and financial management activities related to the agency’s S&E and Revolving Funds. In FY 2024, OPM supported ESC in the deployment of automated Accounts Payable approval invoice workflow to eliminate manual approval activities, reduce transaction posting time, risks, and interest penalties. Additionally, OPM continued to collaborate with both ESC and Treasury on G-Invoicing process improvements and functionalities to better meet agency program’s business goals. This included deployment of the 7600EZ process in Delphi to support expediting transaction settlements between trading partners by combining Order and Performance phases.

In FY 2025, OPM aims to deploy updates to insurance benefits financial management processes, trust funds reporting capabilities, and financial systems and processes to support the PSRA implementation, which mandates OPM to establish and manage a separate health benefit program for postal employees, retirees, and eligible family members. OPM’s partnership with Treasury continues in the first quarter of FY 2025 with expected completion of the design, configurations, development, testing, and training activities for these added functionalities. Upon completion of the implementation, OPM will then focus efforts on closing the Trust Fund Modernization Program, an OPM Strategic Priority, which has served as the OCFO’s initiative on transforming on how OPM delivers trust fund management services. 

Compliance with the Inspector General Act

The Inspector General Act, as amended, requires agencies to report on the final action taken with regard to audits by its OIG. OPM is reporting on audit follow-up activities for the period October 1, 2023 through September 30, 2024 in Table 9 – Inspector General Audit Findings provides a summary of OIG’s audit findings and actions taken in response by OPM management during this period.

Table 9 – Inspector General Audit Findings FY 2024
Inspector General Audit Findings FY 2024 Number of Reports Questioned Costs
(In Millions)
Reports with No Management Decision on October 1, 2023 11 $50.4
New Reports Requiring Management Decisions 81 310.9
Management Decisions Made During the Year 6 57.6
Net Disallowed Costs 55.52
Net Allowed Costs 2.13
Reports with No Management Decision on September 30, 2024 13 303.7

Source: Audit Reports Issued with Questioned Costs for reporting periods October 1, 2023, through March 31, 2024, and April 1, 2024, through September 30, 2024.

Purpose: To provide data to the OCFO to be included in the FY 2024 Management Discussion and Analysis for OPM’s AFR.

Footnote 1

The number of new reports (one report was previously issued in FY 2023 without questioned cost, but questioned costs were added to this report in FY 2024) requiring a management decision represents reports with monetary recommendations. This year, 29 reports were issued and 7 of them had monetary recommendations (not including the previously issued report in FY 2023), and 22 reports, which are not reflected in the table, had no monetary recommendations.

Footnote 2

Represents the net of disallowed costs, which includes disallowed costs during this reporting period less costs originally disallowed but subsequently allowed during this reporting period.

Footnote 3

Represents the net of allowed costs, which includes allowed costs during this reporting period plus costs originally disallowed but subsequently allowed during this reporting period.

Federal Information Security Modernization Act (FISMA)

The FISMA requires the OCIO to conduct an annual agency security program review in coordination with agency program officials. OPM is pleased to provide the results of this review conducted for the FY 2024.

In FY 2024, OPM continued maturing and enhancing its cybersecurity capabilities. The agency focused on the incremental implementation of the Zero Trust Strategy, formalizing the Cyber Supply Chain Risk Management (C-SCRM) program, increasing enforcement of phishing-resistant multi-factor authentication, and increasing enterprise event log collection and correlation.

The agency is reviewing the results of the FISMA audit recommendations and cybersecurity maturity level ratings reported by the OIG. In FY 2024, OPM took corrective actions and closed 73 FISMA recommendations (i.e., 28 unique, 45 non-unique). OPM is committed to working with the OIG to continually improve IT operations and services.

OPM is making steady progress in outcome-based cybersecurity capabilities across the agency’s IT ecosystem while maintaining a positive and smooth customer experience. Progress is supported by independent evaluations by OPM’s Inspector General. OPM’s annual FISMA audit recommendations decreased by 60 percent from FY 2022 to FY 2024, while OPM’s IG maturity increased by 38 percent over the same three-year period.

Additionally, the agency successfully closed 18 cybersecurity recommendations (i.e., 6 related to GAO audits and 12 related to OIG audits) from other audit engagements. OPM is committed to continued collaboration to reduce the number of open IT audit recommendations.

Compliance with Other Key Legal and Regulatory Requirements

OPM is required to comply with other legal and regulatory financial requirements. Information concerning these regulatory requirements can be found in the Other Information, Section 3, of this report.

By the authority of 31 U.S.C. 3512(b) and 3513, the Secretary of the Treasury mandated all Federal program agencies (FPAs) must use G-Invoicing, the long-term solution for FPAs to manage their intragovernmental Buy/Sell transactions, by October 1, 2022, for new orders. G‑Invoicing is intended to help agencies, and their trading partners negotiate and accept General Terms and Conditions (GT&C) agreements, broker orders, exchange performance information, and validate settlement requests through Intra-Governmental Payment and Collection (IPAC). OPM implemented G-Invoicing on October 1, 2022, in accordance with Treasury’s mandate. However, OPM still has some intragovernmental transactions that use ‘legacy’ processes (i.e. using BFS’ FS forms 7600As & Bs) to accommodate trading partners who have not yet implemented G-Invoicing for themselves. Nevertheless, as a requesting agency, OPM’s Other Programs completed 115 GT&Cs with an estimated total value of $604.2 million and 170 open orders totaling $140.1 million. As a servicing agency, OPM’s Other Programs completed 588 GT&Cs with an estimated total value of $962.7 million and 525 open orders totaling $275.3 million. Finally, OPM and its shared service provider, the FAA ESC, continue to work with Treasury and Oracle to improve the G-Invoicing system for both OPM and its trading partners as G-Invoicing usage is expected to increase as Buy/Sell IPAC transactions will no longer be supported as of October 1, 2025.

5 individuals sat at the table sharing pioneering journeys at OPM’s American Trailblazers Panel. Acting Director Shriver sat on the far left-hand side.
Acting Director Shriver and other government leaders shared
their pioneering career journeys at the American Trailblazers Panel hosted
by OPM as part of the Federal Internship

Forward-Looking Information

OPM is dedicated to achieving agency strategic goals and continuing to lead and serve the Federal Government in enterprise HR management by delivering policies and services to achieve a trusted, effective, civilian workforce. In meeting this goal, OPM faces a Government-wide challenge in strategic human capital management. OPM continues efforts to address skill gaps within the Federal workforce adequately.

In addition, OPM is responsible for administering Government-wide benefits for Federal employees and their eligible dependents, annuitants, and survivors. A continued OPM challenge is protecting the financial integrity and providing effective stewardship of these benefit programs.

Lastly, OPM continues to work on improving and modernizing the technology environment and organizational structure. OPM has faced challenges with dedicated and consistent funding for IT modernization to ensure that goals are met.

In looking forward, OPM continues to work on addressing these top management challenges and more information on these can be found in the Other Information – Section 3.

Goals and Strategies

OPM is firmly committed to improving financial and operational performance and has received an unmodified audit opinion on OPM’s financial statements for 25 consecutive years. OPM will continue to strengthen its enterprise-wide managerial cost accounting system across the agency; provide financial and other reports to financial and program managers; integrate financial and performance information; use such information to formulate our annual budget requests; as well as for day-to-day management and program analysis. OPM established and has followed the strategy below to achieve the goals for improved financial-management performance:

  • Ensure that critical financial performance indicators are objective, understandable, meaningful, fair, and fully measurable;
  • Improve internal controls over financial reporting through improved systems and processes;
  • Re-affirm processes, controls, and procedures to ensure that continuing the Independent Public Accountant’s unmodified audit opinions will be achieved;
  • Continue to implement a financial management system fully compliant with Federal standards providing sound, effective, support to all customers;
  • Strengthen stewardship, accountability, and internal controls over financial reporting, as stipulated by revised OMB Circular A-123; and
  • Reduce improper payments to target levels.

Limitations of the OPM's Financial Statements

  • The principal financial statements have been prepared to report OPM’s financial position and results of operations, pursuant to the requirements of 31 USC 3515(b).
  • The statements have been prepared from OPM’s records in accordance with U.S. Generally Accepted Accounting Principles (GAAP) for Federal entities and the formats prescribed by OMB. They are in addition to the financial reports used to monitor and control OPM’s budgetary resources, which are prepared from the same books and records.
  • The statements should be read with the realization that they are for a component of the U.S. Government, a sovereign entity.

Back to Top

Control Panel