Federal Managers' Financial Integrity Act
The Department of State's management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers' Financial Integrity Act (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operation and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management's Responsibility for Internal Control. Based on the results of this evaluation, the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems meet the objectives of FMFIA as of September 30, 2006.
In addition, the Department of State's management is also responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department of State conducted its assessment of the effectiveness of the Department's internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department of State is reporting material weaknesses concerning the accounting for personal property and real property in its internal control over financial reporting as of June 30, 2006. Deficiencies existed in the controls over accounting for contractor-held property, aircraft and vehicles and controls over accounting for real property - specifically Construction-in-Progress. However, corrective actions were taken, and the material weaknesses have been resolved as of September 30, 2006 as described in the exhibit on page 31. Other than the exceptions noted, the internal controls were operating effectively and no other material weaknesses were found in the design or operation of the internal control over financial reporting.
Because of its inherent limitation, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to financial statement preparation and presentation. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.
The Federal Managers' Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the integrity of federal programs and operations is protected. It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. Additionally, OMB Circular A-123, Management's Responsibility for Internal Control, defines management's responsibility for internal control in Federal agencies.
In December 2004, OMB revised A-123 in light of the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. The new Appendix A, Internal Control Over Financial Reporting, of the revised A-123 serves to improve governance and accountability for internal controls over financial reporting. The revised circular is effective for FY 2006 and requires that the agency head also provide an assurance statement on the effectiveness of internal control over financial reporting, which is an addition to and also a component of the overall FMFIA assurance statement. The Secretary of State's 2006 Annual Assurance Statement is provided on the preceding page.
The Department's Management Control Steering Committee (MCSC) oversees the Department's management control program. The MCSC is chaired by the Chief Financial Officer, and is composed of eleven other Assistant Secretaries [including the Chief Information Officer and the Inspector General (non-voting)], the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Deputy Assistant Secretary for Global Financial Services and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department's FMFIA assurance that management controls are adequate. The assurance statements are based on information gathered from various sources including the managers' personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General and the Government Accountability Office conduct reviews, audits, inspections, and investigations.
It is the Department's policy that any organization with a material weakness or reportable condition is required to submit a plan to correct the weakness to the MCSC or the senior assessment team (SAT) for review and approval (see description of the SAT's role in the Appendix A section). The plan, combined with the individual assurance statements, provides the framework for monitoring and improving the Department's management controls on a continuous basis.
The Department evaluated its management controls and financial management systems for the fiscal year ending September 30, 2006. This evaluation provided reasonable assurance that as of September 30, 2006, the objectives of the FMFIA were achieved. As a result, the Secretary has provided an unqualified Statement of Assurance. In addition, there are no items specific to the Department on the Government Accountability Office's High Risk List, and there have not been any since 1995. Additional information concerning the controls over financial reporting is contained in the next section.
The Department's management control program expanded during 2006 to address the new requirement for management's assessment of the effectiveness of internal control over financial reporting, contained in Appendix A of the revised OMB Circular A-123. The MCSC voted to expand its membership to include offices with material impact on the Department's financial resources and to establish a senior assessment team (SAT) to oversee the implementation of Appendix A, as recommended in the revised Circular. The senior assessment team (SAT) reports to the Management Control Steering Committee and is comprised of 11 senior executives from bureaus that have significant impact on the Department's financial statements and financial processes. To ensure a successful implementation of Appendix A and to encourage department-wide participation, other bureaus participated on issues of relevance to their operations. To effectively communicate the Appendix A initiative, the Department held a training workshop on the revised Circular A-123 and the Department's plans for implementation.
The Department performed the Appendix A implementation in three phases: planning, assessment and testing, and conclusion and reporting. The Department defined the scope of financial reporting as the financial statements, identified thirteen significant financial processes, and determined the materiality threshold. The Department documented the key financial processes and controls as well as evaluated and tested the controls. By the completion of the Appendix A implementation, the SAT confirmed that significant control deficiencies existed relating to personal property, which was identified as a material weakness in the FY 2005 financial statement audit. The Department also identified a significant deficiency in the accounting for construction-in-progress for real property. As a result, the Department is reporting both property issues as a material weakness as of June 30, 2006 with regard to the assessment of the effectiveness of internal controls over financial reporting. However, the SAT monitored the progress of corrective actions for both of these issues, which were undertaken in 2006, and as of September 30, 2006, reported to the MCSC that corrective actions were taken and the material weaknesses were resolved. The SAT recommended to MCSC that the Secretary provide a qualified assurance as of June 30, 2006 and an unqualified assurance as of September 30, 2006.
|Material Weaknesses Resolved as of September 30, 2006||Corrective Actions Taken|
|Accounting for Personal Property: As of June 30, 2006, deficiencies existed in the controls over accounting for personal property. Specifically, the Department did not have a system to identify and record property in the hands of contractors. The controls over accounting for aircraft, vehicles, and other personal property were not fully effective.||The Department implemented procedures to provide for the reporting of contractor-held property. It also tightened controls over the existing processes for accounting for aircraft, vehicles and other personal property.|
|Accounting for Real Property - Construction-in-Progress: As of June 30, 2006, controls over accounting for real property - construction in progress were ineffective. Not all projects that should have been capitalized were capitalized, and there was a failure to report project completions on a timely basis.||Controls were implemented and/or strengthened to ensure the proper identification of capitalized projects in the accounting system and timely reporting of project completion.|
1 The material weaknesses were downgraded to reportable conditions as of September 30, 2006. In accordance with Appendix A to OMB Circular A-123, a material weakness in internal control over financial reporting is a reportable condition, or combination of reportable conditions, that results in a reasonable possibility that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected. A reportable condition for financial reporting is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with Generally Accepted Accounting Principles such that there is a reasonable possibility that a misstatement of the entity's financial statements, or other significant financial reports, that is more than inconsequential will not be prevented or detected.
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies' financial management systems provide reliable financial data in accordance with generally accepted accounting principles and standards. Under FFMIA, financial management systems must substantially comply with three requirements — Federal financial management system requirements, applicable Federal accounting standards, and the U.S. Government Standard General Ledger (SGL).
To assess conformance with FFMIA, the Department uses OMB Circular A-127 survey results, FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department's annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department's assessment also relies a great deal upon evaluations and assurances under the FMFIA, with particular importance attached to any reported material weaknesses and material non-conformances.
The Department has made it a priority to meet the objectives of the FFMIA. In November 2004, the Department conducted a comprehensive OMB Circular A-127 assessment. The assessment included (among other things) a collection of the various background materials, reference documents, and supporting details that document how the Department meets the applicable A-127 requirements and OMB FFMIA implementation guidance. Based on the results of this assessment, along with information contained in the Department's FY 2005 FISMA Report and evaluations and assurances provided under FMFIA, the Department affirmed its determination of substantial compliance with FFMIA in its FY 2005 Management Representation Letter provided to the Independent Auditor. Further reinforcing FFMIA substantial compliance, the Department's Management Control Steering Committee voted in September 2006 to classify the Department's Financial and Accounting Systems as a financial system deficiency (versus reportable condition or material non-conformance). Since the financial management systems substantially comply with the requirements of the FFMIA, the Department has provided an unqualified assurance with regard to Section 4 of the Federal Managers' Financial Integrity Act.
The Department of State 2006 Federal Information Security Management Act (FISMA) and Privacy Management Report presented continued improvement in IT security, as well as a road map for 2007 initiatives. The Department is dedicated to protecting information and information systems with a comprehensive Information Security Program that continues to integrate operational security and information assurance programs monitored by performance metrics that are continually improving.
Over the past year, the Department streamlined processes and eliminated duplicative initiatives, focusing on its Agency-wide Information Security Program, Configuration Management, Risk Management, and Plans of Actions & Milestones (POA&Ms). To further accelerate the integration of IT security within the Department, the Under Secretary of Management officially established the Information Systems Security Committee (ISSC). This past year, the CIO reassigned governance of the Department's IT systems and applications inventory (Information Technology Asset Baseline - ITAB) to the Enterprise Architecture and Planning office that is charged with responsibility for eGovernment and Capital Planning, thus strengthening the connections between these essential business processes.
The recategorization of the unclassified systems in the Department's inventory was completed, bringing the Department into full compliance with the FIPS 199 / NIST SP 800-60 standard. Furthermore, a comprehensive strategy to establish a methodology for compliance with FIPS Pub 200 by March 2007 will be instituted to ensure sustained compliance. The Department instituted a Bureau-level scorecard measuring the level of success with annual Contingency Plan testing, monthly patch management monitoring, Enhanced Validation and Verification testing (E&V), and capturing an expanded set of information in the Department's POA&M and Inventory system including official Privacy Impact Assessments (PIA).
The Department issued "The Plan to Capture Contractor Systems in the Department of State's Inventory of Information Systems" to the OIG and OMB with an implementation plan for ensuring the appropriate level of security of all contractor connections, extensions and systems. A Procurement Information Bulletin (PIB) concerning information security imposed upon contractor services and products was also finalized and issued.
These accomplishments are key indicators of the Department's forward momentum. The Department begins fiscal year 2007 with renewed confidence that the constant security challenges facing any global enterprise will be planned for, addressed and resolved in a timely and comprehensive manner, and that it will realize substantial progress on all the initiatives started in FY 2006.
There are no significant deficiencies under FISMA. In the 2006 audit of the Department's financial statements, the independent auditor concluded that the information system security material weakness identified in the FY 2005 audit was considered resolved and downgraded to a reportable condition.
The Improper Payments Information Act of 2002 (IPIA), Public Law No. 107-300, requires agencies to annually review their programs and activities to identify those susceptible to significant improper payments. OMB Circular A-123, Appendix C, defines significant improper payments as annual improper payments in a program that exceed both 2.5 percent of program annual payments and $10 million. Once those highly susceptible programs and activities are identified, agencies are required to estimate and report the annual amount of improper payments. Generally, an improper payment is any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, and administrative or other legally applicable requirement.
Summarized below are the Department's IPIA accomplishments and future plans for identifying improper payments as provided for in OMB Circular A-136, Financial Reporting Requirements. Additional IPIA reporting details are provided in the Supplemental Information and Other Reporting Requirement section of this report.
In FY 2005, the Department reviewed the high-risk programs that were not reviewed in FY 2004 and performed a reassessment of risk for all payment categories (i.e., Federal Financial Assistance, Vendor Pay and Employee Pay). The FY 2005 results, reflected in the table below, show that the programs reviewed were of low risk of being susceptible to significant improper payments.
|FY 2005 Moderate Risk Programs||FY 2005 Error Rate|
|Federal Financial Assistance|
|Population, Refugee and Migration (PRM) - Refugee Assistance||0%|
|Educational and Cultural Affairs (ECA) - Fulbright Program||0%|
|INL - Law Enforcement, Eradication, Aviation Support and Support to the Military Programs [1]||Completed in FY 2006|
|International Organizations (IO) - Voluntary Contributions and Peacekeeping||0%|
|[1] INL testing was started in FY 2005 and completed in FY 2006.|
In FY 2006, a random sample of the detailed payment transaction data was selected for the International Narcotics and Law Enforcement (INL) - Law Enforcement, Eradication, Aviation and Support to the Military and International Information Program-U.S. Speaker and Specialist Program (IIP). Both programs were identified as high-risk and tested in FY 2004. In the table below, the FY 2006 test results found improper payments in both programs. The projected error rate and dollar amount of improper payments in the population sampled range from approximately 3.97% and $180,340 thousand to 23.81% and $348,567 thousand. The projected improper payment amount is a result of the average dollar amount per improper item multiplied by the projected number of improper items in the population. The information in the table below is a statistically valid projection with a confidence level of +/-2.5%. Testing for INL started in FY 2005 and was completed in FY 2006, covering the last quarter of FY 2004 and the first three quarters of FY 2005; IIP testing covered the last three quarters of FY 2006.
|Program||Number of Transactions: Population||Number of Transactions: Sample||Total Dollars: Population||Total Dollars: Sample||Projected Error Rate||Projected Improper Payments|
|International Narcotics and Law Enforcement||4315||126||$313,078,592||$2,366,056||3.97%||$180,340|
|International Information Program- U.S. Speaker and Specialist Program||741||126||$28,822,489||$288,548||23.81%||$348,567|
|Calculation of error rate and payment amounts based on sample results.|
Future plans provide for expanding the IPIA program to include programs assessed as having a low susceptibility to significant improper payments. We do not expect to find significant improper payments in these programs; however, we will seek to identify opportunities to strengthen internal control.