FINANCIAL MANAGEMENT SYSTEMS:

Report to Congressional Requesters

May 2026

GAO-26-107863

United States Government Accountability Office

A report to congressional requesters

Contact: Paula M. Rascona at rasconap@gao.gov

What GAO Found

The Department of Homeland Security (DHS) is modernizing its financial management systems for the U.S. Coast Guard, Federal Emergency Management Agency (FEMA), and U.S. Immigration and Customs Enforcement (ICE) through three financial systems modernization programs.

Reliable cost estimates and schedule assessments are essential to managing major system modernization efforts. GAO’s review of cost estimates for two of the system modernizations found that one substantially met all four characteristics of a reliable cost estimate; the other substantially met three of four characteristics.

Regarding schedule, GAO determined that two program schedules were unreliable. Without a reliable schedule estimate that follows best practices, DHS increases the risk that management will lack key information for making decisions about its programs, including the impact on future program costs.

DHS’s guidance and financial systems modernization plans varied in consistency with leading practices for data migration, organizational change management, and lessons learned.

Leading practice area	GAO assessment of DHS and program office guidance	GAO assessment of component planning documents
Data migration	Partially consistent	Mostly consistent
Organizational change management	Consistent	Mostly consistent
Lessons learned process	Mostly consistent	–a

Legend: Consistent = DHS provided evidence that sufficiently satisfied all relevant criterion; Mostly consistent = DHS provided evidence that sufficiently satisfied more than half of the relevant criterion; Partially consistent = DHS provided sufficient evidence that satisfied less than half of the relevant criterion; Not consistent = DHS did not provide sufficient evidence that satisfied the relevant criterion.

Source: GAO analysis of Department of Homeland Security (DHS) documentation.  |  GAO-26-107863

^aFinancial systems modernization programs use guidance to help execute their lessons learned process and apply the lessons in future relevant documentation. Therefore, lessons learned planning documents are not expected.

DHS guidance used for financial systems modernization data migration is partially consistent with leading practices, while component planning documents were mostly consistent. Further, for organizational change management some component planning documents lacked details. For example, both Coast Guard and ICE plans incorporated steps to perform a readiness assessment, but neither included analysis of this assessment or metrics to measure change readiness.

By not fully incorporating leading practices in both guidance and component planning documentation, DHS increases the risk of data errors, time needed to resolve those errors, potential delays in achieving full operational capability, and limiting users’ ability to effectively operate the system.

Why GAO Did This Study

In 2003, GAO designated DHS as high risk. In 2023, GAO narrowed this high-risk area to focus on DHS’s IT and financial management. To address its financial management issues, DHS is executing a multiyear plan to implement new financial management systems through acquisition programs. In 2025, GAO reported that much work remains for DHS to complete these modernization efforts.

GAO was asked to review DHS’s modernization of financial management systems. This report addresses (1) the extent to which DHS ensured a reliable cost estimate and schedule assessment for two key major modernization efforts; (2) whether DHS’s plans and guidance are consistent with leading practices for data migration, organizational change management, and lessons learned; and (3) whether its plans and guidance describe how DHS used the Coast Guard’s implementation experience to inform plans for FEMA’s and ICE’s efforts.

Applying its previously issued guidance, GAO evaluated the cost estimates and schedule assessments for two major DHS system modernizations. GAO also identified applicable criteria and leading practices for data migration, organizational change management, and lessons learned. Using these criteria, GAO evaluated numerous guidance and planning documents. GAO also interviewed numerous DHS officials and Coast Guard, FEMA, and ICE officials.

What GAO Recommends

GAO is making five recommendations, including that DHS develop reliable program schedule estimates for two programs and update guidance and planning documentation to be consistent with leading practices. DHS concurred with the recommendations.

 

 

 

 

DHS         Department of Homeland Security

FEMA      Federal Emergency Management Agency

FFMIA      Federal Financial Management Improvement Act of 1996

FSM         financial systems modernization

GSA         General Services Administration

ICE          U.S. Immigration and Customs Enforcement

ICOFR     internal controls over financial reporting

JFMIP      Joint Financial Management Improvement Program

JPMO      Joint Program Management Office

M3            Modernization and Migration Management

SME         subject matter expert

SOP         standard operating procedure

May 18, 2026

The Honorable Bennie G. Thompson
Ranking Member
Committee on Homeland Security
House of Representatives

The Honorable Shri Thanedar
Ranking Member
Subcommittee on Oversight, Investigations, and Accountability
Committee on Homeland Security
House of Representatives

The Honorable Glenn F. Ivey
House of Representatives

Since its creation in 2003, the Department of Homeland Security (DHS) has faced significant internal control and financial management system deficiencies. After its creation, DHS started initiatives to develop a department-wide integrated and comprehensive financial management system. However, these attempts were unsuccessful.[1]

In fiscal year 2014, DHS revised its modernization approach to implement decentralized, component-level financial management systems. One of those modernizations is known as financial systems modernization (FSM)-Trio. DHS recently declared the U.S. Coast Guard, the final component of FSM-Trio, to be at full operational capability. Accordingly, the FSM-Trio acquisition was moved from the development phase into sustainment. DHS now has two remaining major FSM programs:

·       FSM-Federal Emergency Management Agency (FEMA), as FEMA’s modernization efforts are under its own program, and

·       the FSM-Cube program, which includes U.S. Immigration and Customs Enforcement (ICE) and its financial management customers: the Cybersecurity and Infrastructure Security Agency, Departmental Management and Operations, Science and Technology Directorate, and U.S. Citizenship and Immigration Services.

In our 2025 high-risk update, we reported that much work remains to complete the modernization of DHS components’ financial management systems and business processes.[2] We also reported that without integrated financial management systems that have fully effective controls, DHS increases the risk that its financial information will be inconsistent, incomplete, and incorrect.[3]

Given DHS’s long-standing financial management systems issues, you asked us to provide oversight of the agency’s FSM efforts. Our objectives were to determine (1) the extent to which DHS ensured a reliable cost estimate and schedule assessment for its FSM programs; (2) whether its plans and guidance are consistent with leading practices for data migration, organizational change management, and lessons learned for its FSM programs; and (3) whether its plans and guidance describe how DHS used the Coast Guard’s FSM implementation experience to inform plans for FSM efforts at FEMA and ICE.

To address our first objective, we met with DHS officials to gain an understanding of DHS’s and the FSM Joint Program Management Office’s (JPMO) cost and schedule estimates for FSM-Trio and FSM-FEMA.[4] We obtained and reviewed cost and schedule estimates for FSM-Trio and initial cost and schedule estimates for FSM-FEMA and assessed these estimates against GAO’s best practices to determine their reliability.[5] At the time of our engagement, cost and schedule estimates were not available for ICE; as such we did not obtain and review them. The financial management customers from the FSM-Cube program were not included in the scope of our review.

To address our second objective, we met with DHS officials to gain an understanding of DHS’s data migration and organizational change management processes. We obtained and reviewed DHS’s guidance for FSM programs and implementation plans for selected components within the FSM programs, specifically, the Coast Guard; FEMA; and, to the extent available, ICE. Our scope focused on the Coast Guard, FEMA and ICE and did not include the four DHS components that receive financial management services from ICE. We compared the guidance and plans with leading practices and selected criteria to determine the extent to which they were consistent with key elements.[6]

To address our third objective, we met with DHS officials and reviewed planning documentation for FEMA and ICE to understand how the Coast Guard’s efforts informed those plans. Appendix I provides additional details on our scope and methodology.

We conducted this performance audit from October 2024 to May 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

In 2003, we added DHS to our High-Risk List to help focus greater attention on the implementation and transformation of DHS from 22 agencies—several with major management challenges—into one department.[7] In 2023, we reported that DHS had demonstrated substantial progress in some of its management functions, but critical additional work remains in two areas that continue to experience significant challenges: IT and financial management.[8]

To address its financial management issues, DHS is executing a multiyear plan to implement new financial management systems at its remaining components through FSM acquisition programs—FSM-FEMA and FSM-Cube. DHS’s August 2024 estimated total cost for FSM-FEMA’s new financial management system is $853 million. The modernization program FSM-Cube, which includes ICE, is in the initial stages of procuring financial management software and has not yet drafted a cost estimate.[9]

These modernized systems are intended to help DHS financial management systems comply substantially with key requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA).[10] Further, during our engagement the President issued Executive Order 14249, Protecting America’s Bank Account Against Fraud, Waste, and Abuse, which may affect future financial system modernizations across the federal government. See appendix II for more detail.

Recent GAO Work on DHS Financial Management

Since we initially designated DHS as high risk, we have issued several in-depth reports and made numerous recommendations to help the agency reduce risk in its financial management systems modernization efforts. DHS has generally agreed with our recommendations and implemented changes in response to many of them. See appendix III for the DHS high-risk financial management actions and our assessment of the related corrective measures or outcomes status as of March 2026.

In our February 2023 report, we found that the Coast Guard had not fully realized the expected capabilities of its newly implemented financial management system because of serious unresolved issues identified in its system testing.[11] We made four recommendations to help improve DHS’s financial management system efforts. As of February 2026, DHS fully addressed two of these recommendations. The two recommendations that remain open are for DHS to ensure that it remediates issues as they arise from user testing prior to moving forward with system modernization efforts at both FEMA and ICE. While DHS has taken steps to respond to these recommendations, such as updating guidance and procedures for several key areas, FEMA’s and ICE’s efforts have not progressed far enough in their acquisition to conduct user testing of their new systems.

In our July 2024 report, we found that DHS’s strategy documents did not constitute a comprehensive strategy for addressing its high-risk financial management area, and that DHS’s cost and schedule estimation guidance generally incorporated GAO’s leading practices.[12] As of February 2026, DHS had fully addressed one of the two recommendations we made in this report. The remaining recommendation calls for DHS to fully incorporate performance management leading practices in its high-risk financial management strategies and guidance. Without a comprehensive strategy and guidance, DHS diminishes its ability to adequately address challenges or set priorities that help to successfully implement its efforts.

Leading Practices

Financial management system modernization includes a broad array of activities, such as leading practices related to cost estimating, program scheduling, data migration, organizational change management, and lessons learned processes. Appendix I provides further details on these leading practices.

Cost estimating: A reliable cost estimate is critical to successfully delivering large-scale IT systems. Such an estimate provides the basis for informed investment decision-making, realistic budget formulation, meaningful progress measurement, and accountability for results. According to our Cost Estimating and Assessment Guide, a reliable cost estimate is one that is comprehensive, well-documented, accurate, and credible.[13]

Program scheduling: The success of a program depends in part on having an integrated and reliable master schedule that defines when and how long work will occur and how each activity relates to the others. This not only provides a road map for systematic project execution but is also a way to gauge progress, identify and resolve potential problems, and promote accountability at all levels. Our Schedule Assessment Guide defines a reliable schedule as one that is comprehensive, well-constructed, credible, and controlled.[14]

Data migration: Financial systems data conversion and migration are complex and difficult tasks. Further, converting data incorrectly can have long-term repercussions. A Joint Financial Management Improvement Program (JFMIP) white paper provides financial systems data conversion considerations for financial management executives and project managers to address when planning and implementing a new financial management system.[15] In addition, the General Services Administration’s (GSA) Modernization and Migration Management (M3) Playbook includes leading practices for data cleansing, conversion, and migration.[16]

Organizational change management: According to federal guidance and other leading practices, change management practices are intended to apply an organized and structured framework to the often chaotic and perplexing world of organizational change.[17] Effective change management techniques help managers to plan, organize, and negotiate successful changes in the organization. The objective of managing organizational change is to maximize the likelihood of successfully implementing organizational change quickly and with reduced risk.

Lessons learned: The use of lessons learned is a principal component of an organizational culture committed to continuous improvement. The leading practices for a lessons learned process that we and others previously identified are collecting, analyzing, validating, archiving, and sharing information and knowledge gained on positive and negative experiences.[18] The lessons learned processes are generally documented in guidance documents.

Financial System Modernization Programs Generally Met GAO’s Cost and Partially Met GAO’s Schedule Best Practices

We assessed FSM-Trio’s and FSM-FEMA’s cost and schedule estimates against GAO’s best practices and found that the cost estimates generally met best practices and the schedule estimates partially met best practices.

Cost Estimates Generally Met Characteristics of a Reliable Cost Estimate

A reliable cost estimate is one that addresses the four characteristics of comprehensive, well-documented, accurate, and credible. Such an estimate provides the basis for informed investment decision-making, realistic budget formulation and program resourcing, meaningful progress measurement, proactive course correction when warranted, and accountability for results. Further, a reliable cost estimate can help management minimize the risk of cost overruns and unmet performance targets. GAO’s Cost Estimating and Assessment Guide identifies 18 best practices associated with developing and managing program costs across the four characteristics.

We found that the FSM-FEMA cost estimates substantially met all four cost characteristics and that FSM-Trio’s cost estimates met three of the cost characteristics; they partially met the credible characteristic. Table 1 presents the results of our analysis.

Cost characteristic and related best practices	GAO assessment of FSM-Trio	GAO assessment of FSM-FEMA
Comprehensive – Cost estimates completely define the program and reflect the current schedule and technical baseline. They are structured with appropriate detail to ensure that cost elements are neither omitted nor double-counted.	◕	◕
Well-documented – Cost estimates can easily be repeated or updated and can be traced to original sources through auditing.	●	◕
Accurate – Cost estimates are developed by estimating each cost element using the best methodology from the data collected. Accurate estimates are based on appropriate adjustments for inflation.	◕	◕
Credible – Cost estimates discuss and document any limitations of the analysis, including uncertainty or bias surrounding source data and assumptions.	◑	◕

Legend:

DHS = Department of Homeland Security

FEMA = Federal Emergency Management Agency

FSM = financial systems modernization

● Met = DHS provided complete evidence that satisfies the entire criterion

◕ Substantially met = DHS provided evidence that satisfies a large portion of the criterion

◑ Partially met = DHS provided evidence that satisfies about one-half of the criterion

◔ Minimally met = DHS provided evidence that satisfies a small portion of the criterion

○ Not met = DHS provided no evidence that satisfies the criterion

Source: GAO assessment of FSM-Trio (March 2024) and FSM-FEMA (August 2024) program documentation.  |  GAO‑26‑107863

Note: Characteristics and best practices are from GAO, Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Program Costs, GAO‑20‑195G (Washington, D.C.: March 2020).

A cost estimate is considered reliable if the overall assessment ratings for each of the four characteristics are substantially or fully met. If any of the characteristics are not met, minimally met, or partially met, then this increases the risk of an unreliable cost estimate for operations and sustainment.

Our analysis found that FSM-FEMA’s cost estimate substantially met all four characteristics and is considered reliable. FSM-Trio substantially or fully met three of the four characteristics; the credible characteristic for FSM-Trio was partially met. However, in August 2025, DHS declared full operational capability for FSM-Trio, which moves this program to sustainment (i.e., operations and support phase). For modernization efforts reaching sustainment, DHS does not require an updated cost estimate. Accordingly, we are not making a recommendation regarding FSM-Trio’s cost estimate.

Schedules Partially Met Three of the Four Characteristics

We determined that FSM-Trio and FSM-FEMA’s schedules are unreliable. FSM-Trio’s schedule substantially met one of the four characteristics of a reliable schedule, and FSM-FEMA’s schedule did not substantially meet any characteristic.

A schedule is considered “reliable” if it substantially meets or fully meets the overall assessment ratings for each characteristic. If a schedule does not meet, minimally meets, or partially meets any characteristic, this increases the risk of an unreliable schedule estimate.

GAO’s Schedule Assessment Guide identifies 10 best practices associated with effective scheduling, summarized in four characteristics: comprehensive, well-constructed, credible, and controlled.[19] We compared FSM-Trio’s December 2024 and FSM-FEMA’s November 2024 schedules against the four characteristics and their associated best practices. Table 2 presents the results of our analysis.

Schedule characteristic and related best practices	GAO assessment of FSM-Trio	GAO assessment of FSM-FEMA
Comprehensive – A comprehensive schedule includes all activities for both the government and its contractors necessary to accomplish a program’s objectives as defined in the program’s work breakdown structure.	◑	◑
Well-constructed – A schedule is well-constructed if all its activities are logically sequenced with the most straightforward logic possible. Unusual or complicated logic techniques are used judiciously and justified in the schedule documentation.	◑	◑
Credible – A schedule is credible if it is horizontally traceable—that is, it reflects the order of events necessary to achieve aggregated products or outcomes. It is also vertically traceable: activities in varying levels of the schedule map to one another, and key dates presented to management in periodic briefings are in sync with the schedule.	◔	◔
Controlled – A schedule is controlled if trained schedulers update it regularly using actual progress and logic—based on information provided by activity owners—to realistically forecast dates for program activities.	◕	◑

Legend:

DHS = Department of Homeland Security

FEMA = Federal Emergency Management Agency

FSM = financial systems modernization

● Met = DHS provided complete evidence that satisfies the entire criterion

◕ Substantially met = DHS provided evidence that satisfies a large portion of the criterion

◑ Partially met = DHS provided evidence that satisfies about one-half of the criterion

◔ Minimally met = DHS provided evidence that satisfies a small portion of the criterion

○ Not met = DHS provided no evidence that satisfies the criterion

Source: GAO analysis of FSM-Trio (December 2024) and FSM-FEMA (November 2024) program documentation.  |  GAO‑26‑107863

Note: Characteristics and best practices are from GAO, Schedule Assessment Guide: Best Practices for Project Schedules, GAO‑16‑89G (Washington, D.C.: December 2015).

Further detail on the extent to which FSM-Trio and FSM-FEMA complied with characteristics and associated best practices is provided below.

·       Comprehensive. For the comprehensive characteristic, the three associated best practices are capturing all activities, assigning resources to all activities, and establishing the duration of all activities.

·       FSM-Trio. FSM-Trio partially met this characteristic. Specifically, FSM-Trio partially met both capturing all activities and establishing the durations of all activities’ best practices. However, FSM-Trio minimally met assigning resources to all activities.

For example, FSM-Trio’s schedule appeared to incorporate the appropriate effort required to execute a project. However, we found that the schedule did not contain any specific resources assigned to activities that would enable appropriate management of resources. Instead, FSM-Trio’s schedule activities only list a point of contact for each activity.

·       FSM-FEMA. FSM-FEMA partially met this characteristic. Specifically, FSM-FEMA partially met capturing all activities, substantially met establishing the duties of the duration of all activities, and minimally met assigning resources to all activities. FSM-FEMA’s schedule captured government, system integrator, and subcontractor work and was defined at an appropriate level. However, there was no clear mapping of activities to a work breakdown structure. Additionally, the program included resources in the schedule, but the resources did not appear to be assigned.

According to GAO best practices, unless a schedule includes all activities necessary to accomplish a program’s objectives, for both the government and its contractors, as defined in the program’s work breakdown structure, it cannot be an appropriate basis for analyzing or measuring technical work accomplished and may result in unreliable completion dates. Additionally, a schedule without assigned resources implies an unlimited number of resources and their unlimited availability. The program increases the risk of schedule delays if the current schedule does not allow insight into the current or projected allocation of resources.

·       Well-constructed. The three best practices for the well-constructed characteristic are sequencing all activities, confirming that the critical path is valid, and ensuring total reasonable float (the amount of time an activity can be delayed).

·       FSM-Trio. We found the FSM-Trio schedule partially met both sequencing all activities and ensuring reasonable total float best practices. However, FSM-Trio minimally met confirming a valid critical path. According to GAO’s Schedule Assessment Guide, a schedule should be planned so that program dates can be met. As part of the best practice for sequencing all activities, FSM-Trio’s schedule was missing predecessor and successor logic at 30 percent of the schedule’s remaining activities.

·       FSM-FEMA. We found that FSM-FEMA’s schedule partially met sequencing all activities and confirming a valid critical path, and it minimally met ensuring reasonable total float best practice. We found (1) a relatively small number of activities missing sequencing logic, but among those activities and milestones missing logic are key milestones and activities; (2) FSM-FEMA’s schedule did not have a clear critical path; and (3) the schedule does not exhibit reasonable amounts of total float.

Similarly, FSM-FEMA’s schedule included a significant number of lags in the schedule that forced events to occur on specific dates.

Without ensuring all activities are properly sequenced, FSM-Trio and FSM-FEMA face the risk of not meeting critical program dates in the schedule.

According to GAO’s Schedule Assessment Guide, a schedule should be planned so that critical program dates can be met. This helps ensure that the interdependence of activities that collectively lead to the completion of activities or milestones can be established and used to guide work and measure progress. Additionally, a schedule should identify a reasonable amount of float, or the amount of time a predecessor activity can be delayed before it affects the program’s estimated finish date.

·       Credible. The two best practices for the credible characteristic are verifying that the schedule can be traced horizontally (i.e., has been planned in a logical sequence) and vertically, and conducting a schedule risk assessment.

·       FSM-Trio and FSM-FEMA. FSM-Trio and FSM-FEMA minimally met the credible characteristic because they had not conducted a schedule risk analysis and could not demonstrate that the schedule was horizontally traceable. At the time of our information request, FSM-Trio officials stated that they believed it was too late in the acquisition cycle for a schedule risk analysis, and they already had a risk register that would identify schedule-related risks. Additionally, FSM-FEMA officials stated that they had not conducted a risk analysis on the schedule. FSM-FEMA officials said they intend to perform such analysis; however, we did not find evidence of plans for a schedule risk analysis in any planning documents.

We also found that both FSM-Trio and FSM-FEMA’s schedules were not horizontally traceable, meaning products and outcomes were not associated with sequenced activities. For example, significant delays in scheduled activities do not appropriately affect the dates of key milestones.

According to GAO’s Schedule Assessment Guide, without conducting a schedule risk analysis, an organization cannot reasonably determine: the likelihood of the program’s completion date; how much schedule contingency (or buffer) is needed to provide an acceptable level of certainty for completion by a specific date; the risks most likely to delay the program; and the paths or activities that are most likely to delay the program. Additionally, schedules that do not respond to changes in activity duration may not properly depict relationships between different program elements, increasing the risk of less effective program management.

·       Controlled. The two best practices for the controlled characteristic are updating the schedule using actual progress and logic and maintaining a baseline schedule.

·       FSM-Trio. FSM-Trio’s schedule substantially met the controlled characteristic. Specifically, FSM-Trio partially met updating the schedule using actual progress and logic and substantially met maintaining a baseline schedule. The schedule had a “current status” date and activities in progress, but we found a number of date anomalies.

·       FSM-FEMA. FSM-FEMA’s schedule partially met the controlled characteristic. In particular, the FSM-FEMA schedule substantially met updating the schedule using actual progress and logic and minimally met the maintaining a baseline schedule. Specifically, FSM-FEMA did not provide sufficient evidence that it maintained a baseline schedule, although over 30 percent of the project duration had passed at the time of our review.

According to GAO’s Schedule Assessment Guide, a baseline schedule is the basis for managing the program scope, the time period for accomplishing it, and the required resources. The baseline should be set promptly after a program begins, because establishing a baseline schedule is essential to effective management. Without a formally established baseline schedule to measure performance against, management lacks the ability to identify and mitigate the effects of schedule delays.

FSM-Trio and FSM-FEMA’s schedules are unreliable because DHS did not follow the best practices discussed above. A well-planned schedule is a fundamental management tool that can help government programs use public funds effectively by specifying when work will be performed in the future and measuring program performance against an approved plan. Further, a reliable schedule can contribute to an understanding of the cost impact if the program does not finish on time. The success of a program depends, in part, on having an integrated and reliable master schedule that defines when and how long work will take and how each activity is related to the others. Without such schedule DHS may not have information necessary to make informed decisions about its FSM programs, including the potential impact on future program costs.

Data Migration, Organizational Change Management, and Lessons Learned Varied in Consistency

The consistency of both DHS-wide and JPMO guidance for FSM programs and plans for selected components varied compared with leading practices in the following areas: data migration, organizational change management, and lessons learned. Guidance provides a framework that FSM programs can use to design their approaches to the relevant areas. FSM programs document their planned implementation of the guidance in various planning documents. Specifically, we found the following:

·       Data migration. Department-wide guidance was partially consistent with leading practices, but component-specific data migration planning documentation for the Coast Guard and FEMA was mostly consistent with selected leading practices.

·       Organizational change management. FSM program guidance was generally consistent and plans were partially consistent with selected leading practices.

·       Lessons learned. Processes department-wide and FSM program guidance were mostly consistent with selected leading practices.

Our overall assessment of guidance and planning documents for DHS and the FSM programs in data migration, organizational change management, and lessons learned against leading practices is presented in table 3.

Leading practice area	GAO assessment of DHS guidance used for FSM	GAO assessment of planning documents for FSM
Data migration	Partially consistent	Mostly consistent
Organizational change management	Consistent	Mostly consistent
Lessons learned process	Mostly consistent	─a

Legend:

DHS = Department of Homeland Security

FSM = financial systems modernization

Consistent = DHS provided evidence that sufficiently satisfied the entire relevant criterion

Mostly consistent = DHS provided evidence that sufficiently satisfied more than half of the relevant criterion

Partially consistent = DHS provided sufficient evidence that satisfied less than half of the relevant criterion

Not consistent = DHS did not provide sufficient evidence that satisfied the relevant criterion

Source: GAO analysis of DHS documentation.  |  GAO‑26‑107863

^aFSM programs use guidance to help execute their lessons learned processes and apply the lessons learned in future relevant documentation. Therefore, lessons learned planning documents are not expected.

DHS’s Guidance Was Partially Consistent with Data Migration Leading Practices

We assessed DHS’s guidance that included elements of data migration using industry and government leading practices and found that it was partially consistent.[20] Specifically, we used both the JFMIP white paper on financial systems data conversion and GSA’s Modernization and Migration Management (M3) Playbook. The data conversion leading practices in both of these documents overlap substantially. For example, the JFMIP white paper provides data conversion leading practices for financial management executives and project managers to follow when planning and implementing a new financial management system. The M3 Playbook includes leading practices that correlate with many of the leading practices in JFMIP’s white paper.[21]

JFMIP leading practices establish three different phases for data conversion activities: pre-conversion, cutover, and post-installation. The M3 Playbook further describes leading practices for data cleansing, conversion, and migration, among other modernization activities. We included the M3 Playbook leading practice that does not directly overlap with JFMIP in table 4—gaining agreement on data governance.

We compared DHS’s guidance for data migration against these applicable leading practices. We found that DHS’s guidance was partially consistent with pre-conversion and cutover activities but not consistent with post-installation activities. Table 4 shows the leading practices relevant to key data migration and conversion phases and our assessment of DHS-wide guidance.

Leading practice	GAO assessment of DHS guidance
Pre-conversion activities
Conduct general pre-conversion activities	Partially consistent. DHS’s data migration guidance contained details for conducting general pre-conversion activities, such as detailing legacy system data and conversion requirements. However, the guidance did not account for risk management processes, such as the probability and consequences of failing to achieve an outcome.
Perform data-cleansing activities	Partially consistent. DHS’s data migration guidance discussed some aspects of data cleansing, such as using subject matter expert assistance throughout the process. However, it did not discuss other key points, such as establishing criteria for cleansing data and determining what data would need to be cleansed.
Establish test data and configurations	Partially consistent. DHS’s data migration guidance discussed some aspects of establishing test data and configurations, such as testing data for accuracy and consistency. However, it did not include other areas, such as testing data through mock conversions and testing that data and validation tables are accurate.
Gain agreement on data governance, including metadata management and data quality management	Partially consistent. DHS’s data migration guidance discussed some aspects of gaining agreement on data governance, such as metadata management and data quality management. However, the guidance did not disclose information about a data governance model where this information should be documented.
Cutover activities
Develop cutover plan	Not consistent. DHS’s data migration guidance did not include topics such as developing cutover plans and establishing backup plans in case the new system fails to operate as expected.
Determine go/no-go decision	Partially consistent. DHS’s data migration guidance discussed some aspects of determining a go/no-go decision, such as outlining how the determination will be made to move forward with launching the new system. However, the guidance did not discuss the metrics used to determine the threshold for clean data.
Execute cutover tasks	Not consistent. DHS’s data migration guidance did not include topics such as creating a conversion/migration plan that details converting legacy data into the new system and stopping processing in the legacy system or routing inputs and interfaces to the new system.
Reconcile converted data	Not consistent. DHS’s data migration guidance did not include topics such as reconciling data in the legacy system to the new system and documenting where adjustments are made to converted data.
Post-installation/operations
Confirm that converted data are functioning as designed	Not consistent. DHS’s data migration guidance did not include topics such as reviewing how manual entries were handled, assessing abnormalities, and verifying that edits function as designed.
Perform post-conversion data cleanse	Not consistent. DHS’s data migration guidance did not include topics such as performing and documenting a post-conversion data cleanse, as well as post-cutover actions, comprising data cleanse items and post-go-live actions.
Archive master and transactional files and close account data	Not consistent. DHS’s data migration guidance did not include topics such as determining how data is to be archived, the determination of when subsequent activity associated with a closed transaction occurs, and whether that new data will be established in the new system or the legacy system.

Legend:

Consistent = DHS provided evidence that it incorporated data migration activities consistent with leading practices and that it sufficiently satisfied all relevant criteria

Partially consistent = DHS provided evidence that it incorporated data migration activities consistent with some of the leading practice criteria but it did not incorporate some of the key parts

Not consistent = DHS did not provide sufficient evidence that it incorporated data migration activities consistent with leading practices.

Source: GAO analysis of DHS data.  |  GAO‑26‑107863

Note: Characteristics and leading practices are from Joint Financial Management Improvement Program, White Paper: Financial Systems Data Conversion – Considerations (December 2002), and General Services Administration, Modernization and Migration Management (M3) Playbook, and M3 Playbook Guidance, accessed February 6, 2025, https://www.ussm.gov/m3.

Without guidance that fully discusses requirements for all activities related to the three phases of data migration—pre-conversion, cutover, and post-installation/operations—programs lack comprehensive tools for navigating migrations. For example, without guidance for key post-installation/operations activities, FSM programs may not fully confirm that converted data are functioning as designed, perform post-conversion data cleanse, or archive master data files appropriately. As a result, DHS’s FSM programs using DHS guidance to develop data migration plans are at increased risk of data errors, time needed to resolve errors, potential delays, and potential increased costs.

Coast Guard and FEMA Plans Were Mostly Consistent with Data Migration Leading Practices

The Coast Guard’s planning documentation was consistent with about half of the data migration leading practices, and FEMA’s planning documentation was consistent with most of the leading practices. Table 5 shows our evaluation of Coast Guard and FEMA planning documents.[22]

Leading practice	GAO assessment of planning documents
	Coast Guard	FEMA
Pre-conversion activities
Conduct general pre-conversion activities	◑	●
Perform data-cleansing activities	◑	●
Establish test data and configurations	●	●
Gain agreement on data governance, including metadata management and data quality management	○	○
Cutover activities
Develop cutover plan	●	●
Determine go/no-go decision	●	●
Execute cutover tasks	●	●
Reconcile converted data	●	●
Post-installation/operations
Confirm that converted data are functioning as designed	◑	●
Perform post-conversion data cleanse	◑	◑
Archive master and transactional files and close account data	◑	○

Legend:

DHS = Department of Homeland Security

FEMA = Federal Emergency Management Agency

FSM = financial systems modernization

● Consistent = DHS component provided evidence that it incorporated data migration activities consistent with leading practices and that it sufficiently satisfied all relevant criteria

◑ Partially consistent = DHS component provided evidence that it incorporated data migration activities consistent with some of the leading practices, but it did not incorporate some of the key parts

○ Not consistent = DHS component did not provide sufficient evidence that it incorporated data migration activities consistent with leading practices

Source: GAO analysis of DHS data.  |  GAO‑26‑107863

Note: Characteristics and best practices are from Joint Financial Management Improvement Program, White Paper: Financial Systems Data Conversion – Considerations (December 2002).

Coast Guard and FEMA plans faced challenges in areas such as pre-conversion activities, data cleansing, and confirming data functioned as designed, among others. According to a Coast Guard official, its go-live date for the new system was primarily schedule and calendar driven. For example, Coast Guard officials stated that they used older data for their mock testing, due to the compressed JPMO schedule, which did not allow for use of the most appropriate data. We focus the discussion below on areas that are partially consistent or not consistent with leading practices.

·       Conduct general pre-conversion activities. We found that FEMA’s plan was consistent with this leading practice and the Coast Guard’s planning documentation was partially consistent. General pre-conversion activities consist of a number of activities, including creating a detailed conversion plan, document the legacy system function and data, determine security roles and access to the system, and establish a risk management process. The Coast Guard’s planning documents did not provide sufficient evidence of a documented risk management process nor did they detail security roles for the new system.

·       Perform data-cleansing activities. We found that FEMA’s plan was consistent with this leading practice and the Coast Guard’s planning documentation was partially consistent. Performing data-cleansing activities consists of two activities: (1) developing an overall data cleansing plan to establish criteria for cleansing data and (2) using subject matter expertise to conduct data-cleansing activities prior to cutover, including gathering and determining what data need to be cleansed, correcting source system data when necessary, and documenting the process. The Coast Guard’s planning documentation did not provide sufficient evidence to show that it established what qualifies as clean data.

·       Gain agreement on data governance. Both the Coast Guard and FEMA plans were not consistent with this leading practice. Both the Coast Guard’s and FEMA’s planning documentation did not provide sufficient evidence that they gained agreement on data governance, including metadata management and data quality management. Gaining agreement on data governance consists of documenting an agreement in a data governance model, which includes metadata management and data quality management activities. The Coast Guard’s and FEMA’s plans did not provide sufficient information about an established data governance model.

·       Confirm that converted data are functioning as designed. We found FEMA’s plan was consistent with this leading practice and the Coast Guard’s planning documentation was partially consistent. Confirming that converted data are functioning as designed consists of three activities: reviewing how manual entries were handled, assessing abnormalities that appear, and verifying that edits function as designed. The Coast Guard’s planning documentation did not provide sufficient evidence that it documented procedures to review how manual entries were handled nor did the Coast Guard document verifying that edits functioned as designed.

·       Perform post-conversion data cleansing. Both the Coast Guard and FEMA planning documentation were partially consistent with this leading practice. Performing post-conversion data cleansing consists of two activities: perform post-conversion data cleanup and document the post-cutover actions, to include data cleanse items required and post go-live actions. The Coast Guard’s planning documents discussed post-conversion activities but did not specifically document performing post-conversion data cleansing.

Similarly, FEMA’s planning documents do not sufficiently account for how post-conversion data cleansing will take place. A FEMA official stated that the agency is not planning a post-conversion data cleanse because it believes the pre-conversion activities are sufficient and that it will have most data ready for cutover. However, without planning for all stages of data migration, there is an increased risk of encountering errors and lacking sufficient plans to successfully address those errors in a timely manner.

·       Archive master and transactional files and close account data. The Coast Guard’s plan was partially consistent with this leading practice, while FEMA planning documentation was not consistent with it. Archiving master and transactional files and closing account data consist of three activities: determine how funds of closed accounts (expired for over 5 years) are to be converted into the new system or archived, determine how legacy data are to be archived, and determine when subsequent activity associated with a closed transaction will be processed. The Coast Guard’s planning documentation did not provide sufficient evidence of how subsequent activities in a closed account would be handled. For example, the Coast Guard’s planning documentation discussed archiving legacy data files and converting closed transaction files, but it did not provide sufficient evidence of plans for how subsequent activities of a closed transaction file would be treated. FEMA’s planning documentation did not provide sufficient evidence of consideration for archiving master and transactional files and closing account data.[23]

According to a Coast Guard official, the Coast Guard’s go-live date for the new system was primarily schedule and calendar driven. For example, Coast Guard officials stated that they used older data for their mock testing, because the updated data were not yet ready. Additionally, a FEMA official stated that the agency is not planning a post-conversion data cleanse because it believes the pre-conversion activities are sufficient and that it will have most data ready for cutover. By not fully incorporating leading practices to cleanse, convert, and migrate data in its FSM plans, DHS increases the risk of delays to current FSM efforts because of potential increases in data errors and additional time needed to resolve these errors. This ultimately increases the risk of potential delays in achieving full operational capability.

JPMO’s Organizational Change Management Guidance Was Consistent with Leading Practices

We found that JPMO’s guidance specifically for FSM programs was consistent with selected organizational change management leading practices. DHS’s JPMO provides an organizational change management framework that FSM components can use as a strategy to design and implement customized approaches when migrating to a new financial management system. DHS officials stated that the mission(s) for each FSM program and their respective component(s) are different. JPMO provides high-level guidance as well as collaborative support to the components throughout their FSM efforts.[24] DHS officials stated that JPMO provides guidance but does not require components to strictly follow the guidance. Rather, JPMO sees itself as serving components and customers and assisting in coordination for all involved. JPMO recommends that components involved in implementing a new financial management system use the guidance for developing and implementing organizational change management tools and activities to support that transition.

We compared JPMO’s organizational change management guidance against common organizational change management activities. Table 6 shows the results of our analysis of the organizational change management guidance for the FSM efforts.

Leading practice	GAO assessment of JPMO FSM guidance
Developing a vision for change	Consistent. JPMO guidance highlighted the benefits of the FSM efforts and discussed developing strategies and plans for the transition. For example, through FSM efforts, DHS should be better able to manage its resources, reduce costs, and provide department-level information efficiently to support critical decision-making.
Identifying stakeholders	Consistent. JPMO guidance included steps for conducting stakeholder analysis. These included identifying stakeholder groups and assessing the effect of the transition on each group.
Effectively communicating with stakeholders to manage commitment	Consistent. JPMO incorporated communication strategies and plans to demonstrate management’s commitments and understanding of the change investment from stakeholders, including establishing a group tasked to sustain and enhance the collaborative efforts of the DHS FSM stakeholder community in accelerating the design, development, and deployment of modernized financial systems across FSM programs.
Identifying and addressing stakeholders’ potential barriers to change	Consistent. JPMO incorporated steps to identify and understand potential resistance barriers or roadblocks throughout the change efforts and actions to address them. This included recommendations to create an assessment to understand the potential effects the new system may have on the relevant stakeholder groups.
Increasing workforce skills and competencies	Consistent. JPMO incorporated steps to support stakeholders with the knowledge to change and gain the benefits from it by training them in the new processes, skills, and competencies needed throughout the transition. This included JPMO establishing a training working group with representation from JPMO and FSM program representatives tasked to develop, deliver, and support training to provide the requisite knowledge and ability to operate the new financial management system and maximize the expected benefits.
Assessing the readiness for change	Consistent. JPMO outlined organizational and workforce readiness plans to gauge staff’s capacity and receptivity to the change. For example, the guidance specified that FSM programs should conduct change readiness assessments at multiple time points, beginning with an initial assessment, supplemented with follow-ups, to monitor progress throughout the FSM effort.
Assessing the results of change	Consistent. JPMO incorporated steps to measure adoption and performance results after FSM programs implemented the FSM solution and activities to obtain stakeholder feedback. For example, the guidance stated that the business process reengineering working group should collect process-related metrics for use in measuring and evaluating migration to a commercial off-the-shelf system from an operational perspective.

Legend:

DHS = Department of Homeland Security

FSM = financial systems modernization

JPMO = Joint Program Management Office

Consistent = JPMO provided evidence that it incorporated organizational change management activities consistent with leading practices and that it sufficiently satisfied all relevant criteria

Partially consistent = JPMO provided evidence that it incorporated organizational change management activities consistent with some of the leading practice criteria, but it did not incorporate some of the key parts

Not consistent = JPMO did not provide sufficient evidence that it incorporated leading practices

Source: GAO analysis of DHS data.  |  GAO‑26‑107863

Note: Leading practices are from (1) Project Management Institute, Managing Change in Organizations: A Practice Guide (Newtown Square, Pa.: 2013); (2) Office of Personnel Management, Migration Planning Guidance Information Documents, Change Management Best Practices (Oct. 7, 2011); (3) Prosci, The Prosci ADKAR® Model, A Goal-Oriented Change Management Model to Guide Individual and Organizational Change; (4) ISACA, Control Objectives for Information and Related Technologies 2019 Framework (2019); (5) Kotter, The 8-Step Process for Leading Change; and (6) prior GAO reports.

We previously reported that according to federal guidance and other leading practices, change management practices are intended to apply an organized and structured framework to the often chaotic and perplexing world of organizational change.[25] Effective change management techniques help managers to plan, organize, and negotiate successful changes in the organization. The objective of managing organizational change is to maximize the likelihood of successfully implementing organizational change quickly and with reduced risk.

Coast Guard, FEMA, and ICE Organizational Change Management Plans Varied in Consistency with Leading Practices

While JPMO’s guidance is consistent with leading practices, some component-planning documents lacked certain details, and overall were partially consistent with organizational change management leading practices. Specifically, FEMA’s organizational change management planning documentation was consistent with six of seven leading practices, Coast Guard documentation was consistent with three, and ICE documentation was consistent with four. Table 7 shows the results of our evaluation of Coast Guard, FEMA, and ICE organizational change management planning documents compared with leading practices.

Leading practice	GAO assessment of planning documents
	Coast Guard	FEMA	ICEa
Developing a vision for change	●	●	●
Identifying stakeholders	◑	●	◑
Effectively communicating with stakeholders to manage commitment	●	●	●
Identifying and addressing stakeholders’ potential barriers to change	◑	●	●
Increasing workforce skills and competencies	●	●	●
Assessing the readiness for change	◑	●	◑
Assessing the results of change	◑	◑	◑

Legend:

DHS = Department of Homeland Security

FEMA = Federal Emergency Management Agency

FSM = financial systems modernization

ICE = U.S. Immigration and Customs Enforcement

● Consistent = DHS component provided evidence that it incorporated organizational change management activities consistent with leading practices and that it sufficiently satisfied all relevant criteria

◑ Partially consistent = DHS component provided evidence that it incorporated organizational change management activities consistent with some of the leading practices, but it did not incorporate some of the key parts

○ Not consistent = DHS component did not provide sufficient evidence that it incorporated leading practices

Source: GAO analysis of DHS data.  |  GAO‑26‑107863

Note: Leading practices are from (1) Project Management Institute, Managing Change in Organizations: A Practice Guide (Newtown Square, Pa.: 2013); (2) Office of Personnel Management, Migration Planning Guidance Information Documents, Change Management Best Practices (Oct. 7, 2011); (3) Prosci, The Prosci ADKAR® Model, A Goal-Oriented Change Management Model to Guide Individual and Organizational Change; (4) ISACA, Control Objectives for Information and Related Technologies 2019 Framework (2019); (5) Kotter, The 8-Step Process for Leading Change; and (6) prior GAO reports.

^aICE completed the discovery phase in February 2026. As such, ICE has not yet fully developed all the planning documentation related to this acquisition program.

As shown in the table above, the plans were partially consistent with leading practices. This is because FSM components create their own respective plans based on JPMO guidance, resulting in varying levels of detail that affect the consistency of each component’s plans with the leading practices. Our discussion below focuses on the leading practices that were partially consistent.

Identifying stakeholders. Coast Guard and ICE FSM organizational change management plans included steps for conducting stakeholder analysis. Program plans for both components discussed identifying individuals or groups and assessing the effect of the FSM efforts on stakeholders. However, these organizational change management plans provided minimal details to identify and address stakeholders’ concerns.

Identifying and addressing stakeholders’ potential barriers to change. Coast Guard FSM organizational change management plans incorporated steps to identify and understand potential resistance barriers or roadblocks throughout the change efforts, but they did not fully specify actions to address barriers that might derail change efforts when they arise. For example, the Coast Guard’s plans include an organizational change management activity to perform stakeholder analysis to segment and analyze stakeholder groups to determine change impacts and required communication and engagement levels and methods for each stakeholder group. However, the plans minimally detail actions to address barriers to change.

Assessing the readiness for change. Coast Guard and ICE FSM organizational change management plans incorporated steps to perform a readiness assessment to measure stakeholder readiness for change. However, the plans do not provide further detail on the analysis or metrics for this measurement. For example, the Coast Guard’s plans include an organizational change management activity for the Coast Guard to conduct a stakeholder readiness assessment. However, the plans do not discuss the details of this assessment, the metrics to follow, or the frequency of this assessment. For ICE, its plans detail the information it expects to collect from a change readiness assessment but do not mention the frequency of this assessment or steps to resolve identified potential problems.

Assessing the results of change. Coast Guard, ICE, and FEMA FSM organizational change management planning documentation incorporated steps to measure adoption and performance results after the FSM solution implementation. For example, planning documents from all three components incorporated steps to assess the effect of changes to the component from FSM efforts. However, these planning documents did not discuss activities to obtain stakeholder feedback to help determine how successful the change was and identify actions needed to ensure that each program sustains the change.

FSM components may tailor JPMO’s guidance when creating their plans to support program and component mission needs. However, by not fully incorporating organizational change management leading practices into their FSM plans, programs increase the risk of facing resistance to change from stakeholders and inaccurate assessments of the programs’ states of readiness for change. Further, without consistent organizational change management planning documentation for the transition to new financial management systems, FSM programs increase the risks of hindering users’ ability to effectively operate the systems, potentially hampering users’ proficiency with new workflows, and limiting the utility of system improvements.

DHS and JPMO Guidance Documents Were Mostly Consistent with Leading Practices for Lessons Learned Processes

DHS and JPMO guidance documents were mostly consistent with the five leading practices for lessons learned but lacked steps for a full validation of lessons to help ensure that programs identify the appropriate lessons. We previously reported that JPMO established a process and continued to document and consider lessons learned from both current and past FSM efforts. The lessons learned process starts after completing a major program event, which includes when a system goes live or when programs implement significant system updates.

The use of lessons learned is a principal component of an organizational culture committed to continuous improvement and can increase communication and coordination. Collecting and sharing lessons learned serves to communicate knowledge more effectively and helps ensure that programs factor beneficial information into planning, work processes, and activities. The five leading practices for a lessons learned process that GAO and others identified include (1) collecting, (2) analyzing, (3) validating, (4) saving or archiving, and (5) disseminating and sharing information and knowledge gained on positive and negative experiences. Figure 1 illustrates these leading practices.

These leading practices generally build upon each other. For example, an organization with a consistent, coordinated archiving mechanism, such as an electronic database, is better able to demonstrate the leading practice for sharing lessons learned—through access to such an archive. We reviewed DHS’s and JPMO’s lessons learned guidance used for FSM against these five leading practices. Table 8 summarizes our assessment of DHS-wide and JPMO FSM-specific lessons learned guidance.

Leading practice	GAO assessment of DHS and JPMO guidance
Collect: Capture information through activities like project reviews, interviews, reports, or surveys	Consistent. The JPMO’s FSM Lessons Learned SOP discusses general time frames and identifies people responsible for collecting information/lessons learned during reviews and other designated parts of the project. The SOP also discusses lessons learned meetings and that programs may use a Lessons Learned Questions List to assist in collecting information.
Analyze: Evaluate the information collected to determine root causes that led to positive or negative outcomes and identify appropriate actions	Consistent. The Lessons Learned SOP identifies steps and people responsible for determining the root cause(s) and appropriate actions for lessons learned. Further, the Systems Engineering Life Cycle Guidebook and related instruction both discuss analyzing information to determine the root cause at a high level, and that stakeholders are to make recommendations for improvements (e.g., the appropriate actions to take).
Validate: Confirm that the right lessons are identified and determine the breadth of their applicability	Partially consistent. The Lessons Learned SOP discusses stakeholders’ review of the lessons learned but does not discuss ensuring that programs have identified the right lessons or their scope and applicability.
Archive: Use an archiving mechanism for lessons identified, such as in an electronic database, so that lessons can be used by existing and future activities	Consistent. The Lessons Learned SOP discusses archiving lessons in a database. Specifically, programs capture lessons learned and track them in a lessons learned register.
Share: Pass on knowledge gained from the lessons to others, such as through briefings, reports, emails, websites, database entries, revision of work processes or procedures, and training	Consistent. The Lessons Learned SOP discusses using the lessons learned register to facilitate sharing lessons learned through lessons learned meetings and other communications.

Legend:

DHS = Department of Homeland Security

FSM = financial systems modernization

JPMO = Joint Program Management Office

SOP = Standard Operating Procedure

Consistent = All aspects of the leading practice are present in the lessons learned process

Partially consistent = Some but not all aspects of the leading practice are present in the lessons learned process

Not consistent = No aspects of the leading practice are present in the lessons learned process

Source: GAO analysis of DHS data.  |  GAO‑26‑107863

Note: Leading practices are from (1) Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide) (Newtown Square, Pa.: 2021); (2) Project Management Institute, The Standard for Organizational Project Management (Newtown Square, Pa.: 2018); (3) Center for Army Lessons Learned, Establishing a Lessons Learned Program: Observations, Insights, and Lessons (Fort Leavenworth, Kans.: June 2011); and (4) prior GAO reports.

We found that DHS and JPMO guidance is consistent with all the leading practices except for the validate leading practice. Validation of leading practices helps ensure that the right lessons have been identified and determine the scope of their applicability. Subject matter experts (SME), or other stakeholders, may be involved in this step. The text below summarizes where we found DHS guidance lacking.

Validate applicability of lessons. According to DHS officials, branch chiefs and SMEs review the lessons learned. This allows the branch chief or SMEs to state whether a lesson is appropriate and valid, as well as an opportunity to provide feedback. However, while DHS’s guidance discussed stakeholders’ review of lessons learned, it did not discuss ensuring that programs identified the right lessons and determining the scope. For example, JPMO’s Lessons Learned standard operating procedures (SOP), the Systems Engineering Lifecycle Guidebook, Acquisition Management Directive, and related instruction documents, address stakeholders’ reviewing the lessons learned and providing feedback.[26] However, these documents do not discuss ensuring that programs have identified the right lessons or the extent of each lesson’s applicability. Specifically, the current version of the Lessons Learned SOP does not include a section discussing validation of lessons.

According to DHS officials, JPMO continually reviews and evaluates SOP for improvements and will assess if it should reinclude the verification and validation section. The lack of clear validation practices for lessons learned limits JPMO’s ability to determine their applicability to support future decision-making and increases the risk that other FSM programs may not fully benefit from prior lessons.

FEMA and ICE Plans Using Experiences from the Coast Guard’s FSM Efforts

After DHS declared a breach of program baselines for the Coast Guard’s FSM efforts, it identified several lessons learned in three areas: stakeholder involvement, data migration, and system testing. We found that JPMO is using the Coast Guard’s experiences to improve planning for FEMA’s and ICE’s efforts.

Stakeholder Involvement

Stakeholder involvement consists of ensuring that components have dedicated SMEs assigned to the modernization effort throughout system design, development, testing, and deployment. DHS officials stated that JPMO revised the program system integrator statements of work for FSM-FEMA and FSM-Cube to increase technical oversight throughout modernization efforts. JPMO continues to collaborate with FEMA and ICE to identify the right SMEs and make them available throughout implementation to assist with key design decisions and incremental testing events.

FEMA. According to FSM-FEMA’s Initial Migration Project Plan, FEMA is to provide SMEs and backups to support implementation processes, including design, testing, and cutover.[27] Additionally, the statement of work for FEMA’s system integrator includes a requirement that the contractor continually interacts with SMEs during the development and user testing to provide transparent communications and feedback.

ICE. The statement of work for ICE’s system integrator states that the contractor should continually coordinate with SMEs during development and user testing and provide transparent communications and feedback. Further, according to DHS officials, the contractor incorporates iterative testing into the development of the new system, and some of these steps must include continuous coordination with SMEs.

Data Migration

DHS JPMO data migration plans note the need to begin data cleanup early, conduct regular status reporting and quality checks, and plan for cutover that does not overlap with the fiscal year-end. DHS officials stated that JPMO will work with FEMA and ICE to ensure that they put contingency plans in place to ensure that system conversions do not affect the ability to make critical payments. This includes ensuring that FEMA and ICE keep legacy systems available during cutover to the new system.

FEMA. According to FEMA’s Data Migration Strategy, FEMA is planning a midyear conversion to the new system (also called a cutover) to reduce the effect on operations during emergency management season cycles, and to help DHS detect errors in the system and correct them before the year-end.[28] FEMA’s Initial Migration Project Plan lists several key considerations of migration planning, which include the ability to

·       provide support during natural disasters or emergencies during the cutover window,

·       roll back and restore systems in case FEMA stops the migration during cutover,

·       continue assistance payments during the cutover period, and

·       minimize brownout[29] and blackout[30] durations for cutover.[31]

According to FEMA officials, FEMA also plans to start migration early and plans to conduct three mock conversions. FEMA anticipates that the first mock conversion will be in the second quarter of calendar year 2026.

ICE. The statement of work for the system integrator requires the contractor to coordinate with FSM-Cube components to create plans and strategies for data migration and to conduct mock conversions. This documentation is to include

·       alternative approaches and timing,

·       approaches to minimizing financial audit risk and component operational risk,

·       mock data conversions, and

·       fallback plans.

According to DHS officials, in addition to the planning requirements above, the system integrator is required to perform mock migrations with each component to identify and correct data migration errors prior to the migration of data into the live environment.

System Testing

System testing lessons learned include the need to conduct incremental testing so that programs sufficiently involve users in the design of the system throughout the implementation. Future test plans are to include a progressive approach to performance testing and demonstrate achievement of key performance indicators.

FEMA and ICE. DHS officials stated that FEMA’s and ICE’s efforts will include early and consistent hands-on testing throughout implementation. The programs expect the system integrators to facilitate user acceptance testing incrementally during development rather than wait for completion to solve defects as they appear. For example, the statements of work for both system integrators include a section titled Iterative Configuration and Development that states the contractor is to

·       provide continuous interaction with SMEs during development and user testing for transparent communications and feedback;

·       use an iterative testing process to provide test and evaluation expertise to support developmental and functional aspects of software development and configuration;

·       create and maintain a standard set of test scripts that it will use to test every release; and

·       ensure that component SMEs test newly developed or integrated software with existing system components, including full end-to-end testing of business processes.

We previously reported that DHS risked not fully achieving its goal of deploying systems that produce reliable data for management decision-making and financial reporting if it did not remediate serious issues identified by testing.[32] In that report, we recommended that DHS’s Under Secretary for Management should ensure that JPMO work with the Coast Guard to remediate known issues identified from testing, prior to declaring full operational capability for the ongoing financial systems modernization efforts. At the time of issuing this report, similar recommendations are still open for FEMA and ICE. Resolving deficiencies identified by testing before proceeding to the next phase in the acquisition process can help reduce the risk that future system modernization efforts will not meet mission needs or expected capabilities.

Conclusions

DHS’s FSM programs do not have reliable schedule estimates that follow best practices defined in GAO’s Schedule Assessment Guide. This increases the risk that management will lack key information for making informed decisions related to investing resources, accurately measuring progress, and making realistic budget and scheduling decisions for the remaining two FSM programs—FSM-FEMA and FSM-Cube.[33]

Several of DHS and JPMO’s plans and guidance documents for the FSM efforts do not fully incorporate relevant leading practices for data migration, organizational change management, and lessons learned processes. Without fully incorporating data migration leading practices for planning post-installation and operations, DHS increases the risk of data errors, which could result in potential schedule delays and increased costs. Additionally, without fully incorporating organizational change management leading practices into FSM planning documentation, DHS increases the risk of resistance to change.

Further, the lack of clear validation practices for lessons learned limits DHS and JPMO’s ability to determine the applicability of lessons to support current and future FSM program efforts. Incorporating such relevant leading practices in both guidance and plans for data migration, organizational change management, and lessons learned would enhance DHS and JPMO’s ability to effectively and efficiently implement DHS’s FSM programs to deliver new financial management systems.

Recommendations for Executive Action

We are making the following five recommendations to DHS:

The Secretary of Homeland Security should ensure that DHS’s Under Secretary for Management works with the Joint Program Management Office to develop reliable FSM program schedule estimates for FSM-FEMA and FSM-Cube, using best practices defined in GAO’s Schedule Assessment Guide to include the schedules being comprehensive, well-constructed, credible, and controlled. (Recommendation 1)

The Secretary of Homeland Security should ensure that DHS’s Under Secretary for Management works with the Joint Program Management Office and relevant offices to update department-wide data migration guidance used for the DHS’s FSM efforts to be consistent with data migration leading practices by incorporating planning for post-installation and operations planning. (Recommendation 2)

The Secretary of Homeland Security should ensure that DHS’s Under Secretary for Management works with the Joint Program Management Office to update data migration planning documentation for its FSM-FEMA program to be consistent with data migration leading practices by improving planning for post-installation and operations planning. (Recommendation 3)

The Secretary of Homeland Security should ensure that DHS’s Under Secretary for Management works with the Joint Program Management Office to verify that programs fully apply its guidance in FSM organizational change management plans. (Recommendation 4)

The Secretary of Homeland Security should ensure that DHS’s Under Secretary for Management works with the Joint Program Management Office and other relevant offices to update lessons learned guidance to be consistent with all leading practices by including steps to validate the applicability of lessons identified. (Recommendation 5)

Agency Comments

We provided a draft of this report to DHS for review and comment. In its written comments, reproduced in appendix IV, the department concurred with our five recommendations and described actions it has taken and will take to address the issues we identified with its FSM schedule estimates, as well as its guidance and planning documentation. For example, for schedule estimates, DHS stated that, among other things, it will conduct an audit of active and future tasks that will map to appropriate work breakdown structure items and resource allocation. Regarding our recommendation related to data migration guidance, DHS stated that it is developing guidance for data management topics, including data quality, data conversions, data security and access control, and responsibilities. In response to our recommendation related to validating lessons learned, DHS stated that it is strengthening this process to address gaps in validation and consistency. Those actions, if implemented as described, should address our recommendations. The department also provided technical comments on our report that we incorporated as appropriate.

We are sending copies of this report to the appropriate congressional committees, the Secretary of Homeland Security, and other interested parties. In addition, the report is available at no charge on the GAO website at https://www.gao.gov.

If you or your staff have any questions about this report, please contact me at rasconap@gao.gov. Contact points for our Offices of Congressional Relations and Media Relations may be found on the last page of this report. GAO staff members who made key contributions to this report are listed in appendix V.

Paula M. Rascona
Director
Financial Management and Assurance

Our objectives were to (1) determine the extent to which the Department of Homeland Security (DHS) ensured a reliable cost estimate and schedule assessment for its financial systems modernization (FSM) programs; (2) determine the extent to which DHS’s plans and guidance are consistent with leading practices for data migration, organizational change management, and lessons learned for its FSM programs; and (3) describe how DHS used the U.S. Coast Guard’s FSM implementation experience to inform plans for FSM efforts at the Federal Emergency Management Agency (FEMA) and U.S. Immigration and Customs Enforcement (ICE).[34]

Up until August 2025, DHS had three FSM acquisition programs—FSM-Trio, FSM-FEMA, and FSM-Cube. The FSM-Trio program includes three DHS components, including the Coast Guard. In August 2025, DHS declared full operational capability for FSM-Trio, which moves this program to sustainment (i.e., operations and support phase). FEMA’s modernization efforts are under its own FSM-FEMA program. The FSM-Cube program includes ICE and its customer agencies.[35] While ICE is one part of the FSM-Cube acquisition program, ICE was the only component included in the scope of our review. Specifically, for FSM-Cube, our scope focused on ICE and did not include the four DHS components that are ICE financial management services customers. At the time of our engagement, cost and schedule estimates were not available for FSM-Cube. As such we did not obtain and review these estimates.

To address our first objective, we met with DHS officials to gain an understanding of DHS’s and the FSM Joint Program Management Office’s (JPMO) cost and schedule estimates.[36] We obtained FSM-Trio’s March 2024 and FSM-FEMA’s August 2024 cost estimates and assessed them against GAO’s Cost Estimating and Assessment Guide to determine their reliability.[37] We also obtained FSM-Trio’s December 2024 and FSM-FEMA’s November 2024 schedule estimates and assessed them against GAO’s Schedule Assessment Guide to determine their reliability.[38] Additionally, we received and analyzed additional support in July 2025 for cost and schedule estimates and updated our findings as appropriate.

For cost estimates, GAO’s Cost Estimate and Assessment Guide has four key characteristics: comprehensive, well-documented, accurate, and credible, with 18 best practices spread among these characteristics. Similarly, schedule estimates consist of four characteristics: comprehensive, well-constructed, credible, and controlled, with 10 associated best practices among the characteristics.

For both the cost and schedule estimates, we assessed each against best practices using the following scale:

·       Met: DHS provided complete evidence that satisfies the entire criterion.

·       Substantially met: DHS provided evidence that satisfies a large portion of the criterion.

·       Partially met: DHS provided evidence that satisfies about one-half of the criterion.

·       Minimally met: DHS provided evidence that satisfies a small portion of the criterion.

·       Not met: DHS provided no evidence that satisfies any of the criterion.

Then, to determine the overall assessment for each of the four characteristics, we assigned each best practice assessment for the related characteristics a score based on a five-point scale: not met = 1, minimally met = 2, partially met = 3, substantially met = 4, and met = 5. We calculated the average of the individual best practice assessment scores to determine the overall assessment rating for each of the four characteristics.

Finally, we provided DHS with draft versions of our detailed analyses of the FSM programs’ cost and schedule estimates so that DHS officials could verify the information on which we based our findings.[39]

To address our second objective, we met with DHS officials, including Coast Guard, FEMA, and ICE officials, to gain an understanding of DHS’s data migration, organizational change management, and lessons learned processes. We obtained and reviewed DHS’s guidance for FSM programs, as well as FSM planning documents for the Coast Guard and FEMA and, to the extent available, for ICE. Guidance provides a framework that FSM programs can use to design their approaches to the relevant areas. FSM programs document their planned implementation of the guidance in various planning documents. We compared these plans and DHS guidance with selected criteria below to determine the extent to which they were consistent with leading practices. Table 9 summarizes the type of documentation we reviewed for data migration, organizational change management, and lessons learned along with the organizational level (e.g., DHS-wide, FSM program, or component specific) to which each document relates.[40]

Leading practice area	DHS-wide level	FSM program level, including FSM JPMO	Component-specific documentation
Data migration	Guidance	Plans	Plans
Organizational change management	n/a	Guidance and plansa	Plans
Lessons learned process	Guidance	Guidance	─b

Legend: DHS = Department of Homeland Security; FSM = financial systems modernization; JPMO = Joint Program Management Office; n/a = not applicable.

Source: GAO analysis of DHS documentation.  |  GAO‑26‑107863

^aOrganizational change management includes plans that are written at the FSM program level and applicable to all the components in that program.

^bFSM programs use guidance to help execute their lessons learned process and apply the lessons learned in future relevant documentation. Therefore, lessons learned process-specific planning documents are not expected.

Data migration. We met with DHS officials to gain an understanding of DHS’s data migration process and guidance for its FSM efforts. We reviewed key guidance and planning documentation from JPMO, the Coast Guard, and FEMA detailing their data migration processes and plans. At the time of our review DHS had not drafted the planning documentation for ICE.

·       The key DHS guidance documentation included the (1) Systems Engineering Lifecycle Guidebook, dated May 2021 and June 2025; (2) Chief Financial Officer Financial Data Strategy, dated January 2021; and (3) Data Quality Guide, dated February 2019.

·       Key planning documentation for the Coast Guard included the (1) Financial Systems Modernization Solution Data Management Plan, dated July 2020, and (2) Financial Systems Modernization Solution Coast Guard Deployment Plan, dated July 2021.

·       Key planning documentation for FEMA included the (1) Financial Data Cleansing Strategy, dated February 2019, and (2) Data Migration Strategy, dated May 2024.

To identify relevant criteria, we conducted a literature search for data migration leading practices and reviewed prior GAO reports, federal guidance, and nonfederal guidance and identified leading practices that related to data cleansing, conversion, and migration to ensure that we considered the relevant data migration leading practices. These included (1) the Joint Financial Management Improvement Plan’s (JFMIP) White Paper on Financial Systems Data Conversion[41] and (2) the General Services Administration’s (GSA) Modernization and Migration Management (M3) Playbook.[42] GSA’s M3 Playbook is a framework designed to help agencies achieve successful outcomes and reduce risk during system modernizations and migrations. The M3 Playbook reflects leading practices and lessons learned from prior migrations. It is a compilation of leading project management practices, including data conversion and migration, for agencies seeking to modernize their systems that GSA developed using feedback from more than 100 government and industry experts.

Due to the overlap between JFMIP and M3 leading practices, we grouped the JFMIP and M3 activities into the three data conversion phases.

Pre-conversion phase includes the activities leading up to conversion, such as the following:

·       Conduct general pre-conversion activities. The pre-conversion activities involve a number of activities, including a detailed conversion plan that identifies the scope of the conversion and time frames for various tasks in the phase; a risk management process that categorizes risks as low, moderate, or high; and a process that determines the probability of not achieving an outcome and the resulting consequences.

·       Perform data-cleansing activities. An agency should develop an overall data-cleansing plan to establish criteria for cleansing data and using subject matter expertise to conduct data-cleansing activities prior to cutover, which includes gathering and determining what data need to be cleansed (e.g., need corrective action), correcting source system data when necessary, and documenting the process.

·       Establish test data and configurations. An agency should test the data conversion through mock conversions. A mock conversion is a dress rehearsal of the conversion activities required when converting data into a new system. A conversion plan includes testing to ensure that required data edit and validation tables are accurate.

·       Gain agreement on data governance. This agreement should be documented in a data governance model, which includes metadata management and data quality management activities.

Cutover phase includes the activities in the process of converting data into the new system such as the following:

·       Develop cutover plan. An agency should develop cutover plans, including pre-cutover, cutover, and post-cutover steps, and establish a backup plan in case the new system fails to operate as expected.

·       Determine go/no-go decision. Management makes a go/no-go decision before go-live occurs and establishes criteria and metrics for the threshold for determining clean data.

·       Execute cutover tasks. The agency should stop processing in the legacy system and route inputs and interfaces to the new system, convert legacy data and load them into the new system following a predetermined sequence of entry, and ensure automated inputs and interfaces are rerouted to the new system.

·       Reconcile converted data. Agency staff should reconcile data in the legacy system to the new system and document where adjustments are made to converted data.

Post-installation phase is the final phase, wherein programs verify data integrity. It includes activities such as the following:

·       Confirm that converted data are functioning as designed. The agency should confirm that converted data function as designed, including reviewing how manual entries were handled; assess abnormalities that appear; and verify that edits function as designed.

·       Perform post-conversion data cleanse. Agency staff should perform post-conversion data cleanup and document post-cutover actions, including data cleanse items required and post go-live actions.

·       Archive master and transaction files and close account data. The agency should determine how funds of closed (expired for over 5 years) accounts are to be converted into the new system or archived; determine how legacy data are to be archived; and determine when subsequent activity associated with a closed transaction occurs, whether the new data will be established in the new system as a new transaction against prior year or processed in the legacy system.

We used the JFMIP and M3 leading practices to assess DHS guidance, and Coast Guard and FEMA component planning documents for data migration activities. For our analysis, we used the following rating scale:

·       Consistent: DHS provided evidence that it incorporated data migration activities consistent with all relevant criteria.

·       Partially consistent: DHS provided evidence that it incorporated data migration activities consistent with some, but not all, of the relevant criterion.

·       Not consistent: DHS did not provide sufficient evidence that it incorporated data migration activities that followed criteria.

Organizational change management. We met with DHS officials to gain an understanding of JPMO’s organizational change management process for its FSM efforts. We reviewed key JPMO guidance for FSM efforts to the extent available. The key guidance documentation included the (1) DHS FSM Organizational Change Management Strategy, dated November 2024, and (2) Financial System Modernization Communications Strategy, dated October 2023.

To further our understanding of DHS’s organizational change management, we reviewed key planning documentation for FSM-Trio (focused on the Coast Guard); FSM-FEMA; and, to the extent available, FSM-Cube (focused on ICE). Specifically, the key planning documentation we reviewed for FSM-Trio included the Financial Systems Modernization Solutions Change Management Plan for FSM-Trio, dated August 2023. The key planning documentation for FSM-FEMA included the (1) FSM-FEMA Contractor’s Organizational Change Management Plan, dated January 2024; (2) FEMA Stakeholder Management Plan, dated July 2023; and (3) FEMA Communications Plan, dated July 2023. Finally, the key planning documentation for FSM-Cube included the (1) ICE FSM Organizational Change Management Plan, dated May 2024, and (2) ICE FSM Communications Plan, dated July 2024.

To identify relevant criteria, we conducted a literature search for organizational change management leading practices and reviewed prior GAO reports to identify discussions of leading practices to ensure that we considered the relevant organizational change management leading practices. These included (1) Project Management Institute, Managing Change in Organizations: A Practice Guide;[43] (2) Office of Personnel Management, Migration Planning Guidance Information Documents, Change Management Best Practices;[44] (3) Prosci Inc., The Prosci ADKAR® Model, A Goal-Oriented Change Management Model to Guide Individual and Organizational Change;[45] (4) ISACA, Control Objectives for Information and Related Technologies (COBIT) 2019 Framework;[46] (5) Kotter, The 8-Step Process for Leading Change;[47] and (6) prior GAO reports.[48] We identified and selected common organizational change management activities that would be applicable to DHS’s FSM efforts. Leading practices for change management activities include the following:

·       Developing a vision for change. The vision for change effectively identifies the compelling need for change and benefits of the desired change that can motivate stakeholders to accept and willingly participate to make the change successful.

·       Identifying stakeholders. Stakeholders are those individuals, groups, departments, and organizations that have a direct interest in the change effort and are directly affected, have influence over it, or both. Given their power to sustain or derail a change initiative, programs should make efforts to identify and understand stakeholders and their concerns.

·       Effectively communicating with stakeholders to manage commitment. Communication of the what, when, why, and how of the change must be frequent, targeted, and compelling, and should demonstrate management’s commitment and understanding of the change investment from stakeholders.

·       Identifying and addressing stakeholders’ potential barriers to change. Programs should take steps to identify and understand potential resistance barriers or roadblocks throughout the change efforts and take actions to address barriers that might derail change efforts when they arise.

·       Increasing workforce skills and competencies. Programs should empower stakeholders with the knowledge of how to successfully change and gain the full benefits from the change by training them in the new processes, skills, and competencies needed throughout the transition.

·       Assessing the readiness for change. Programs should use periodic checkpoints, analysis, and metrics to measure the state of readiness and resolve any potential problems in a timely fashion.

·       Assessing the results of change. Once a program has implemented change, it is important to measure adoption and obtain feedback from stakeholders to help determine how successful the change was and actions needed to ensure that the program reinforces and sustains the change.

We assessed DHS-wide guidance and FSM program plans to determine their consistency with these selected leading practices. For our analysis we used the following rating scale:

·       Consistent: DHS provided evidence that it incorporated organizational change management activities consistent with leading practices criteria.

·       Partially consistent: DHS provided evidence that it incorporated organizational change management activities consistent with some of the leading practice criteria, but it did not incorporate some key parts.

·       Not consistent: DHS did not provide sufficient evidence that it incorporated leading practices.

Lessons learned. We met with DHS officials to further our understanding of DHS and JPMO’s lessons learned processes for its FSM efforts. We reviewed key DHS and JPMO guidance documentation which included (1) DHS’s Systems Engineering Lifecycle Guidebook, dated May 2021 and June 2025, and (2) JPMO’s FSM Lessons Learned Standard Operating Procedure (SOP), dated November 2021 and November 2024.

To identify relevant criteria, we reviewed leading practices related to lessons learned previously identified by GAO and others when executing acquisition programs. These documents included (1) Project Management Institute, Inc., A Guide to the Project Management Body of Knowledge (PMBOK Guide);[49] (2) Project Management Institute, Inc., The Standard for Organizational Project Management;[50] (3) Center for Army Lessons Learned, Establishing a Lessons Learned Program: Observations, Insights, and Lessons;[51] and (4) prior GAO reports.[52]

We used the five leading practices identified in prior GAO reports to assess DHS’s FSM program lessons learned guidance documents.[53] The five leading practices for a lessons learned process that GAO and others identified are (1) collecting, (2) analyzing, (3) validating, (4) saving or archiving, and (5) disseminating and sharing information and knowledge gained on positive and negative experiences.[54] These leading practices provide a means to assess DHS and JPMO’s lessons learned process. We assessed DHS and JPMO’s guidance documentation to determine the extent to which DHS and JPMO’s lessons learned process was consistent with the leading practices based on the following rating scale:

·       Consistent: All aspects of the leading practice are present in the lessons learned process.

·       Partially consistent: Some but not all aspects of the leading practice are present in the lessons learned process.

·       Not consistent: No aspects of the leading practice are present in the lessons learned process.

To address our third objective, we met with DHS officials to further our understanding of DHS’s JPMO lessons learned processes, including how lessons are applied to both FEMA’s and ICE’s plans. To identify the lessons learned from prior FSM efforts and the current implementation of the new financial management system at the Coast Guard, we reviewed key planning documentation, including (1) the FSM JPMO Lessons Learned Standard Operating Procedure, dated November 2021 and November 2024; (2) DHS’s Breach Remediation Plan for FSM-Trio, dated April 2023; and (3) the JPMO lessons learned registers for both June 2022 and June 2025. We obtained and reviewed planning documentation for both FEMA and ICE to determine how these lessons were incorporated into this planning documentation.

DHS’s JPMO identified lessons from the implementation of a new system at the Coast Guard, including those in the following three JPMO defined areas: stakeholder involvement, data migration, and system testing. We focused on the high-level categories of lessons learned noted in DHS’s breach remediation plan for FSM-Trio. Specifically, we used these three areas of lessons learned from the Coast Guard’s efforts to determine how DHS incorporated them into the plans for FEMA and ICE.

To determine how FSM programs plan to apply lessons learned from previous FSM efforts at the Coast Guard into future efforts at FEMA and ICE, we reviewed key planning documentation, including (1) FSM-FEMA Migration Management Strategy, dated May 2024; (2) FSM-FEMA’s Initial Migration Project Plan, dated October 2024; (3) the results of system testing documented in the System Evaluation Report, issued September 28, 2022; and (4) contracts for both FSM-FEMA and FSM-Cube’s system integrators. We also obtained written responses from DHS officials regarding how JPMO is applying these lessons to the planning for both FEMA and ICE.[55]

As part of this engagement, we met with DHS to discuss its ongoing FSM efforts at the Coast Guard, FEMA, and ICE, which are three of the remaining high-risk financial management outcomes. We reviewed relevant FSM planning documentation noted above as well as the March 2025 and September 2025 Integrated Strategy for High-Risk Management reports. These reports provide DHS’s current and future plans to fully address the remaining outcomes to resolve its high-risk area. See appendix III for the DHS high-risk financial management actions and outcomes and their status as of March 2026.

We conducted this performance audit from October 2024 to May 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

On March 25, 2025, the President issued Executive Order 14249, Protecting America’s Bank Account Against Fraud, Waste, and Abuse, to promote financial integrity and operational efficiency. The executive order directs, among other things,

·       the Director of the Office of Management and Budget to issue guidance within 180 days of the executive order, directing Chief Financial Officers Act agencies (which include the Department of Homeland Security (DHS)) to consolidate their core financial systems,

·       agency heads for Chief Financial Officers Act agencies to use standard financial management solutions available through the Financial Management Marketplace, and

·       agency heads of all agencies to ensure that their core financial systems comply with applicable standards and to submit compliance plans within 90 days of the executive order.[56]

DHS provided its compliance plan to us on July 22, 2025, affirming that it invested in, and remains deeply committed to, modernizing its financial systems. DHS also stated that its current modernization initiatives should result in several components implementing enhanced and consolidated financial systems within the next 3 to 5 years. DHS has plans to incorporate other components as well, pending future funding and resources. According to DHS, in alignment with the executive order, DHS’s financial system modernization efforts intend to use solutions expected to be available through the Financial Management Marketplace, which the Department of the Treasury’s Financial Management Quality Service Management Office administers.

The DHS compliance plan describes several potential barriers to the effective implementation of this executive order, including the loss of employees with specialized skill sets needed to fully implement necessary changes effectively and within required time frames. DHS also states that reductions or uncertainty in available operational funding could affect its ability to allocate necessary resources identified in its compliance plan. Further, according to DHS officials, DHS is currently developing an updated implementation strategy to consolidate the financial systems for the U.S. Customs and Border Protection, Federal Emergency Management Agency, and U.S. Immigration and Customs Enforcement into one financial system. DHS plans on consolidating all DHS components into the same system as these three components over the next several years. According to DHS’s September 2025 Integrated Strategy for High-Risk Management, this consolidation strategy aligns with the objectives of this executive order and is still under review.

Since the Department of Homeland Security’s (DHS) creation, we have included DHS in our biennial high-risk update because of significant deficiencies in its internal control and financial management systems that have hampered the agency’s ability to effectively manage its financial operations, among other management function areas.[57] In 2010, we identified (and DHS agreed with) 30 corrective measures or outcomes that the agency could take to address its high-risk management areas.[58] Of these 30 outcomes, eight relate to financial management. Of these eight, DHS has fully addressed two: obtaining a clean audit opinion on its financial statements and (2) doing so for 2 consecutive years (see table 10).

To address the remaining six outcomes, DHS is acquiring and implementing modern financial management systems through three financial systems modernization (FSM) acquisition programs: FSM-Trio, FSM-Federal Emergency Management Agency (FEMA), and FSM-Cube.[59] By modernizing its financial management systems, DHS can go a long way toward addressing its long-standing material weaknesses reported by DHS’s financial statement auditors and related financial management outcomes.[60] In addition, financial systems modernization would help DHS address the financial management outcome related to Federal Financial Management Improvement Act of 1996 (FFMIA) compliance.[61] To support our work related to monitoring DHS’s efforts to address its high-risk financial management area, we obtained updated information to determine DHS’s status. Table 10 summarizes our assessment of DHS’s progress toward addressing high-risk financial management outcomes as of March 2026.

DHS financial management outcome number and description	GAO assessment of high-risk financial management actions to address outcome
(1) Obtain an unmodified (clean) audit opinion on all financial statements.	Fully addressed. DHS obtained its first clean opinion on its fiscal year 2013 financial statements.
(2) Obtain an unmodified (clean) audit opinion on internal controls over financial reporting (ICOFR) to demonstrate effective internal controls.	Partially addressed. DHS is executing a multiyear plan to achieve a clean ICOFR opinion, which includes reducing one of the outstanding areas of material weaknesses to a significant deficiency. DHS’s current target date for obtaining a clean ICOFR opinion is November 2028 (i.e., its fiscal year 2027 audit) and depends on DHS’s financial system modernization efforts.
(3) Sustain unmodified opinions on financial statements for at least 2 consecutive years.	Fully addressed. DHS has received a clean audit opinion on its financial statements for 13 consecutive years—fiscal years 2013 through 2025.
(4) Sustain clean ICOFR opinions for at least 2 consecutive years.	Initiated. DHS stated that it remains focused on obtaining its first clean ICOFR opinion for fiscal year 2027 and the second for fiscal year 2028.
(5) Achieve substantial compliance with the Federal Financial Management Improvement Act of 1996 (FFMIA).	Initiated. Since inception, DHS has been noncompliant with FFMIA. We previously rated this outcome as partially addressed based on DHS’s fiscal year 2021 independent auditor’s report that DHS complied substantially with two of the three FFMIA requirements. However, in fiscal year 2022 through fiscal year 2024, DHS’s auditor reported substantial noncompliance with all three FFMIA requirements. In fiscal year 2025, DHS’s auditor reported substantial noncompliance with two of the three FFMIA requirements. DHS’s estimated date for achieving substantial compliance is fiscal year 2028.
(6) Effectively manage the implementation of a financial management system solution or modernization of existing systems for the U.S. Coast Guard.	Mostly addressed. The Coast Guard implemented its new system in December 2021. However, DHS declared a breach of program baselines, postponing the declaration of full operational capability. In August 2025, DHS declared full operational capability with limitations. For this outcome to be considered fully addressed, the Coast Guard’s system needs to be in sustainment (operations and support phase) and not included in auditor-reported material weaknesses. DHS’s estimated date for fully addressing this outcome is September 2027, at which time DHS stated the new financial management system will not contribute to an auditor-reported material weakness.
(7) Effectively manage the implementation of a financial management system solution or modernization of existing systems for FEMA.	Initiated. After FEMA awarded the system integrator contract in September 2023, FEMA completed discovery workshops with subject matter experts to gather information for its modernization system in June 2024. In September 2024, FEMA initiated work to obtain and implement its new financial management system, which includes initial system design and initial build activities, both of which were initiated in October 2024 and January 2025, respectively. According to DHS, will go-live in fiscal year 2027 with a minimum viable product, and will have future releases leading up to full operational capability.
(8) Effectively manage the implementation of a financial management system solution or modernization of existing systems for ICE.	Initiated. ICE’s financial system modernization program exercised the task order for the system integrator in September 2024. DHS completed the discovery process for ICE in February 2026. DHS’s planned go-live date for ICE is October 2028.

Legend:

DHS: Department of Homeland Security

FEMA: Federal Emergency Management Agency

ICE: Immigration and Customs Enforcement

Fully addressed: Outcome is fully addressed

Mostly addressed: Progress is significant, and a small amount of work remains

Partially addressed: Progress is measurable, but significant work remains

Initiated: Activities have been initiated to address the outcome, but it is too early to report progress

Not initiated: Activities have not been initiated to address this outcome

Source: GAO analysis of DHS data.  |  GAO‑26‑107863

GAO Contact

Paula M. Rascona, rasconap@gao.gov

Staff Acknowledgments

In addition to the contact named above, Michael LaForge (Assistant Director), Heather Rasmussen (Analyst in Charge), Matthew Assad, Frances Dagohoy, Emile Ettedgui, Lauren Stacy Fassler, Jason Lee, Mary Weiland, and Steven Wright made key contributions to this report. Other contributors include Marcia Carlsen, Jason Kelly, Jason Kirwan, Anne Rhodes-Kline, Alexa Young, and Kimberly Young.

Financial Management Systems: DHS Should Improve Plans for Addressing Its High-Risk Area and Guidance for Independent Reviews. GAO‑24‑106895. Washington, D.C.: July 30, 2024.

DHS Financial Management: Actions Needed to Improve Systems Modernization and Address Coast Guard Audit Issues. GAO‑23‑105194. Washington, D.C.: February 28, 2023.

DHS Financial Management: Better Use of Best Practices Could Help Manage System Modernization Project Risks. GAO‑17‑799. Washington, D.C.: September 26, 2017.

DHS Financial Management: Continued Effort Needed to Address Internal Control and System Challenges. GAO‑14‑106T. Washington, D.C.: November 15, 2013.

DHS Financial Management: Additional Efforts Needed to Resolve Deficiencies in Internal Controls and Financial Management Systems. GAO‑13‑561. Washington, D.C.: September 30, 2013.

Financial Management Systems: Experience with Prior Migration and Modernization Efforts Provides Lessons Learned for New Approach. GAO‑10‑808. Washington, D.C.: September 8, 2010.

Financial Management Systems: DHS Faces Challenges to Successfully Consolidating Its Existing Disparate Systems. GAO‑10‑76. Washington, D.C.: December 4, 2009.

Financial Management Systems: DHS Faces Challenges to Successfully Consolidate Its Existing Disparate Systems. GAO‑10‑210T. Washington, D.C.: October 29, 2009.

Homeland Security: Responses to Posthearing Questions Related to the Department of Homeland Security’s Integrated Financial Management Systems Challenges. GAO‑07‑1157R. Washington, D.C.: August 10, 2007.

Homeland Security: Transforming Departmentwide Financial Management Systems Remains a Challenge. GAO‑07‑1041T. Washington, D.C.: June 28, 2007.

Homeland Security: Departmentwide Integrated Financial Management Systems Remain a Challenge. GAO‑07‑536. Washington, D.C.: June 21, 2007.

Financial Management Systems: DHS Has an Opportunity to Incorporate Best Practices in Modernization Efforts. GAO‑06‑553T. Washington, D.C.: March 29, 2006.

Financial Management: Department of Homeland Security Faces Significant Financial Management Challenges. GAO‑04‑774. Washington, D.C.: July 19, 2004.

Department of Homeland Security: Financial Management Challenges. GAO‑04‑945T. Washington, D.C.: July 8, 2004.

Department of Homeland Security: Challenges and Steps in Establishing Sound Financial Management. GAO‑03‑1134T. Washington, D.C.: September 10, 2003.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on X, LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact FraudNet:

Website: https://www.gao.gov/about/what-gao-does/fraudnet

Automated answering system: (800) 424-5454

Media Relations

Sarah Kaczmarek, Managing Director, Media@gao.gov

Congressional Relations

David A. Powner, Acting Managing Director, CongRel@gao.gov

General Inquiries

https://www.gao.gov/about/contact-us