February 2, 2003
TO: The Secretary
FROM: OIG - Richard N. Reback, Acting
SUBJECT: Audit of the U.S. Department of State 2002 and 2001 Principal Financial Statements - Audit Report AUD/FM-03-18
In compliance with the Chief Financial Officers Act, the Office of Inspector General (OIG) contracted with Leonard G. Birnbaum and Company, LLP (LGB), an independent certified public accounting firm, to audit the Department's principal financial statements as of September 30, 2002, and for the year then ended.
During its audit, LGB found:
The internal control and noncompliance issues underscore the need for the Department to improve its financial management systems. The auditor's unqualified opinion was achieved for the most part through the extensive efforts of financial management staff to overcome those weaknesses and produce auditable information, and LGB's efforts to complete its audit under onerous conditions. Although these efforts ultimately resulted in an unqualified opinion, reliable information was not readily available during the year. The risk of materially misstating financial information is high under the current conditions.
LGB's report, dated February 1, 2003, is attached for your review. LGB is responsible for this report and the opinions and conclusions expressed therein. OIG is responsible for technical and administrative oversight regarding performance under the terms of the contract, including assuring the audit was performed in accordance with Government Auditing Standards and Office of Management and Budget Bulletin 01-02, Audit Requirements for Federal Financial Statements. OIG made appropriate inquiries of LGB representatives and monitored the audit by:
OIG's review, as differentiated from an audit in accordance with Government Auditing Standards, was not intended to enable OIG to express, and OIG does not express, an opinion on the Department's financial statements or conclusions about the effectiveness of internal control and compliance with certain laws and regulations. However, OIG's review disclosed no instances where LGB did not comply, in all material respects, with Government Auditing Standards.
The Bureau of Resource Management (RM) agreed with the findings and conclusions, and its comments are included as Appendix A to the report. In addition to this report, OIG will send a separate management letter to RM discussing several other matters that were identified during the audit.
OIG appreciates the cooperation extended to it by the Department's managers and staff during the audit.
Leonard G. Birnbaum and Company
Certified Public Accountants
6285 Franconia Road
Alexandria, VA 22310-2510
FAX: (703) 922-8256
INDEPENDENT AUDITOR'S REPORT
To the Secretary, Department of State:
We have audited the Department of State's (Department) Consolidated Balance Sheet and Consolidated Statement of Net Cost as of, and for the years ended, September 30, 2002 and 2001 and the Consolidated Statement of Changes in Net Position, Combined Statement of Budgetary Resources, and Combined Statement of Financing as of and for the year ended, September 30, 2002 (collectively the Principal Financial Statements); we have examined internal control over financial reporting in place as of September 30, 2002; and we have examined compliance with laws and regulations.
In our opinion, the Department's 2002 and 2001 Principal Financial Statements are presented fairly in all material respects.
Each of these conclusions is discussed in more detail below. This report also discusses the scope of our work.
PRINCIPAL FINANCIAL STATEMENTS
In our opinion, the Department's 2002 and 2001 Consolidated Balance Sheets, and Consolidated Statements of Net Cost, including the notes thereto, present fairly, in all material respects, the Department's financial position as of September 30, 2002 and 2001, and the net cost of operations, for the years then ended and that the Consolidated Statement of Changes in Net Position, Combined Statement of Budgetary Resources and Combined Statement of Financing for the year ended September 30, 2002, present the changes in net position, the use of budgetary resources, and the use of financing resources for that year, in conformity with accounting principles generally accepted in the United States of America.
In 2002, the Department implemented revised financial statement reporting requirements and Statements of Federal Financial Accounting Standards that became effective for those years. The details of these changes are presented in Note 2 to the Principal Financial Statements.
We considered the Department's internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the Principal Financial Statements. We limited our internal control testing to those controls necessary to achieve the objectives described in the Office of Management and Budget's (OMB) Bulletin 01-02, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by FMFIA, such as those controls relevant to ensuring efficient operations. The objective of our audit was not to provide assurance on internal control. Consequently, we do not provide an opinion on internal control.
The objectives of internal control are to provide management with reasonable, but not absolute, assurance that the following objectives are met:
Our consideration of the internal control over financial reporting would not necessarily disclose all matters of internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect the Department's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that errors or irregularities in amounts, which would be material in relation to the financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
We noted the following matter that we considered to be a material weakness as defined above.
We have identified significant weaknesses related to information system security that we believe could be exploited to have a detrimental effect on the information used to prepare the financial statements. We believe that the information system networks for domestic operations are vulnerable to unauthorized access. Consequently, systems, including the Department's financial management system, which process data using these networks, may also be vulnerable. This weakness was first reported in Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145) based on penetration tests performed by the General Accounting Office (GAO) and was then reported in our opinion on the 1997 financial statements.
The Department was able to close the recommendations related to this GAO report in FY 2000. However, we did not believe that the closure of the GAO recommendations demonstrated that the previously cited material weakness had necessarily been corrected. Therefore, the Department performed tests of access controls in this area, which identified significant weaknesses. The Department has initiated a program to assess its information systems security on a comprehensive basis. However, this work was not sufficiently advanced before our field work ended to assure ourselves that this condition no longer existed.
In addition, we identified significant weaknesses with the Paris Financial Service Center's Accounting and Disbursing System. These included access vulnerabilities, issues with the internal control environment, concerns with physical security, and environmental issues. We first reported these weaknesses in our opinion on the 1998 financial statements. A separate report detailed these concerns and recommended action (Computer Security Reviews of Paris Accounting & Disbursement System and Consolidated American Payroll Processing System, 00-FM-014, issued June 2000). The Department has made significant progress in addressing these weaknesses. It is also in the process of consolidating the Paris Financial Service Center's financial system into the Charleston Financial Service Center's system.
We are required to review the Department's current FMFIA report and disclose differences with the material weaknesses in our report. The Department's 2000 FMFIA report indicated that a previously reported material weakness in information security had been closed. That material weakness focused primarily on organization structure and procedures that, if implemented as intended, should provide adequate access controls. Currently, the Department is undertaking a comprehensive assessment of the security of its information systems. Until such time as the Department can demonstrate the effectiveness of its revised structure and procedures, this matter will be considered to be a material weakness as defined above.
We noted three matters, discussed in the following paragraphs, involving internal control that we consider to be reportable conditions.
The above two reportable conditions were cited in our audits of the Department's 1997 Principal Financial Statements and subsequent audits.
These deficiencies in internal control may adversely affect any decision by management that is based, in whole or in part, on information that is inaccurate because of the deficiencies. Unaudited financial information reported by the Department, including budget information, also may contain misstatements resulting from these deficiencies.
We are not aware of any other known but uncorrected material findings or recommendations from prior audits that affect the current audit objectives.
In addition, we considered the Department's internal control over Required Supplementary Stewardship Information and Required Supplementary Information by obtaining an understanding of the Department's internal control, determined whether those internal controls had been placed in operation, assessed control risk, and performed tests of controls as required by OMB Bulletin 01-02, and not to provide assurance on those internal controls. Accordingly, we do not provide an opinion on those controls.
Finally, with respect to internal control related to performance measures reported in Management's Discussion and Analysis, we obtained an understanding of the design of significant controls relating to the existence and completeness assertions and determined whether those controls had been placed in operation as required by OMB Bulletin 01-02. Our procedures were not designed to provide assurance on internal control over reported performance measures, and, accordingly, we do not provide an opinion on such controls.
We noted certain other internal control issues that we have reported to the Department's management in a separate letter dated February 1, 2003.
COMPLIANCE WITH LAWS AND REGULATIONS
The Department's management is responsible for complying with laws and regulations applicable to the Department. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we performed tests of the Department's compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin 01-02, including the requirements referred to in the Federal Financial Management Improvement Act (FFMIA) of 1996. We limited our tests of compliance to these provisions, and we did not test compliance with all laws and regulations applicable to the Department. The objective of our audit of the Principal Financial Statements, including our tests of compliance with selected provisions of applicable laws and regulations, was not to provide an opinion on overall compliance with such provisions. Accordingly, we do not express such an opinion.
Material instances of noncompliance are failures to follow requirements, or violations of prohibitions in statutes and regulations, that cause us to conclude that the aggregation of the misstatements resulting from those failures or violations is material to the financial statements or that sensitivity warrants disclosure thereof.
The results of our tests of compliance with the laws and regulations described in the preceding paragraph, exclusive of FFMIA, disclosed the following instances of noncompliance with laws and regulations that are required to be reported under Government Auditing Standards issued by the Comptroller General of the United States and OMB Bulletin 01-02.
Overall, we found that the Department's financial management system did not comply with a number of laws and regulations, as follows:
The above areas of noncompliance were cited in our audits of the Department's 1997 Principal Financial Statements and subsequent audits.
The results of our tests of compliance with other laws and regulations disclosed no material instances of noncompliance. Compliance with FFMIA is discussed below.
Under FFMIA, we are required to report whether the Department's financial management systems substantially comply with federal financial management system requirements, applicable accounting standards, and the U.S. Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance, using the implementation guidance for FFMIA issued by OMB on January 4, 2001.
The results of our tests disclosed instances, described below, where the Department's financial management systems did not substantially comply with the requirement to follow the federal financial management system requirements. OMB implementation guidance states that, to be in substantial compliance with this requirement, the Department must meet specific requirements of OMB Circular A-127, including the computer security controls required by OMB Circular A-130, Management of Federal Information Resources. We found instances of substantial noncompliance with these two requirements.
The Department's Bureau of Resource Management (RM) has overall responsibility for the Department's financial management systems. The foregoing noncompliance has its roots in the lack of organization and integration of the Department's financial management systems. This issue has been highlighted in the Department's annual FMFIA report since 1983. In our audits of the Department's Principal Financial Statements since 1997, we observed that the Department's financial management systems were not in compliance with FFMIA and recommended, in connection with our audits of the Department's 1997 and 1998 Principal Financial Statements, that a remediation plan be prepared. RM submitted its plan to remediate noncompliance with FFMIA to OMB on March 16, 2000. The plan projects achieving substantial compliance with FFMIA during FY 2003. Although RM has completed several phases of its plan and indicates that the remainder of the plan is on schedule, the plan needs to specifically address systems security and management of grants and other types of federal assistance.
We noted certain other instances of noncompliance that we reported to the Department's management in a separate letter dated February 1, 2003.
RESPONSIBILITIES AND METHODOLOGY
Department management has the responsibility for:
Our responsibility is to express an opinion on the Principal Financial Statements based on our audit. Auditing standards generally accepted in the United States of America require that we plan and perform the audit to obtain reasonable assurance about whether the Principal Financial Statements are free of material misrepresentation and presented fairly in accordance with accounting principles generally accepted in the United States of America. We considered the Department's internal control for the purpose of expressing our opinion on the Principal Financial Statements referred to above and not to provide an opinion on internal control. We are also responsible for testing compliance with selected provisions of applicable laws and regulations that may materially affect the financial statements.
In order to fulfill these responsibilities, we:
Our audits were conducted in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards and OMB Bulletin 01-02. We believe that our audits provide a reasonable basis for our opinion.
The Management's Discussion and Analysis, Required Supplementary Stewardship Information, and Required Supplementary Information are not a required part of the Principal Financial Statements, but are supplementary information required by OMB Bulletin 01-09, Form and Content of Agency Financial Statements, and the Federal Accounting Standards Advisory Board. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the supplementary information. However, we did not audit the information and express no opinion on it.
This report is intended for the information of the Inspector General of the U.S. Department of State and the Department's management. This restriction is not intended to limit the distribution of this report, which is a matter of public record.
Comments by the Department's management on this report are presented as Appendix A.
Leonard G. Birnbaum and Company, LLP
February 1, 2003
United States Department of State
Chief Financial Officer
Washington, D.C. 20520-7427
February 1, 2003
TO: OIG - Mr. Clark Kent Ervin
FROM: RM - Christopher B. Burnham
SUBJECT: Draft Audit Report on the Department of State's 2002 and 2001 Principal Financial Statements
This is in response to your request for comments on the draft report titled "Audit of the U.S. Department of State 2002 and 2001 Principal Financial Statements" (Report). For the sixth consecutive year, the independent CPA firm selected by the Office of Inspector General (OIG) will issue an unqualified ("clean") opinion on the Department's consolidated financial statements. Achieving an unqualified opinion by the February 1 due date is an important accomplishment for both of our offices. We would like to extend our appreciation to your staff and to your contractor, Leonard G Birmbaum and Company, for the professional and cooperative manner in which they conducted the audit for FY 2002 and prior years.
In relation to internal control, the Report cites the Department's security for information systems networks as a material weakness. In addition, the Report cites three reportable conditions: (1) the inadequacy of the Department's financial management systems, (2) the management of unliquidated obligations, and (3) the implementation of Managerial Cost Accounting Standards. The Department's financial management systems are also reported as noncompliant with laws and regulations, including the Federal Financial Management Improvement Act of 1996 (FFMIA).
The Department has improved the security of our mainframe and other information systems since the General Accounting Office's (GAO) review of the Department's computer security. The Department's Management Control Steering Committee (MCSC), with the concurrence of the Inspector General, approved the closure of the material weakness for Information Systems Security for the Fiscal Year (FY) 2000 Federal Managers' Financial Integrity Act (FMFIA) Report. This was based on the fact that the processes, controls and administration of the security program had been significantly enhanced since this problem was identified.
In 2001 and 2002 the Department continued to improve the information systems security program. The Department is currently working on a comprehensive plan that will have systems certified and accredited by the end fiscal year 2004. The Department is installing a comprehensive framework and process for lifecycle management of IT security. The framework and process will provide for continual evaluation and improvement.
Our efforts to address this weakness include periodic meetings with staff from your Office of Audits, Leonard G. Birnbaum and Company, senior managers in IRM and our office. The purpose is to identify and coordinate actions needed to resolve the weakness and monitor progress. We will continue to provide a status of these efforts to the Office of Management and Budget (OMB) as part of our reporting on the President's Management Agenda. Also, we have included this initiative in our FFMIA Remediation Plan. We anticipate that our collaborative efforts will result in the status of this weakness being downgraded to a reportable condition for the FY 2003 Report.
The weaknesses in the Department's financial management systems are a long-standing problem. Substantial compliance with FFMIA is a top priority of the Department, and improvement initiatives to achieve that goal are well underway. As required by FFMIA, the Department submitted our initial Remediation Plan (Plan) to OMB in March 2000, and an updated Plan in 2001. As noted in your report RM has completed several phases of the plan. The Plan, which includes the installation of the worldwide RFMS to replace our overseas financial systems, calls for the Department to achieve substantial compliance with FFMIA by the end of FY 2003. We continue to be on schedule for completion of RFMS by September of this year.
Strengthening the management of unliquidated obligations (ULO) is an important financial management initiative. As mentioned in the Report, the Department has made significant improvements in this area over the past two years. The Unliquidated Obligation System was implemented in FY 2000. We use this system facilitate the reconciliation, monitoring, reporting and oversight of unliquidated obligations worldwide. Data in the system is analyzed in various strata and reports to facilitate the review and management of open items. These processes will be repeated and expanded upon during FY 2003. We continue to develop reports and procedures to use in working with offices to improve the management of unliquidated obligations.
Implementation of Managerial Cost Accounting Standards (MCAS) is an important financial management initiative. The Department is making reasonable progress in implementing MCAS, but acknowledges that additional work is needed to fully comply with these standards. To address MCAS requirements and account for expenditure information necessary for budgeting information and performance measurement, the Department is developing a Central Financial Planning System (CFPS). Phase 4 of CFPS, scheduled for September of 2003 and is included in our FFMIA Remediation Plan, will enable the timely and accurate reporting of cost information and associate that information with budget and strategic goals. .
We thank you for the opportunity to comment on the draft report and for working with us in a collaborative manner on the FY 2002 financial statements. We believe that our offices have made considerable progress over the past several years. The Department is committed to continuing its efforts to improve management of its programs and the quality of its financial reporting. If you have any questions concerning our response to the Report, please contact Christopher H. Flaggs, Managing Director, Financial Policy, Reporting and Analysis, on (202) 261-8625.