The Department's Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.
Federal Managers' Financial Integrity Act
The Department of State's management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers' Financial Integrity Act of 1982 (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management's Responsibility for Internal Control. Based on the results of this evaluation, the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems met the objectives of FMFIA as of September 30, 2008.
In addition, management is also responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department can provide reasonable assurance that its internal control over financial reporting as of June 30, 2008 was operating effectively and no material weaknesses were found in the design or operation of the internal control over financial reporting. Further, subsequent testing through September 30, 2008 did not identify any reportable changes to our assessment of internal control over financial reporting.
Because of its inherent limitations, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to financial statement preparation and presentation. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.
The Federal Managers' Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:
It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management's Responsibility for Internal Control, implements the FMFIA and defines management's responsibility for internal control in Federal agencies.
In 2004, Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in Federal entities similar to the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. The Circular A-123 requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR), which is an addition to and also a component of the overall FMFIA assurance statement.
The Secretary of State's 2008 Annual Assurance Statement for FMFIA and ICOFR is provided on the preceding page. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136 later in this report's section called Other Accompanying Information.
The Department's Management Control Steering Committee (MCSC) oversees the Department's management control program. The MCSC is chaired by the Chief Financial Officer, and is composed of eleven other Assistant Secretaries [including the Chief Information Officer and the Inspector General (non-voting)], the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Deputy Assistant Secretary for Global Financial Services, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department's FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers' personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management.
The Senior Assessment Team (SAT) provided oversight during 2008 for the internal control program in place to meet Appendix A requirements. The SAT reports to the MCSC and is comprised of 15 senior executives from bureaus that have significant responsibilities relative to the Department's financial resources, processes, and reporting.
It is the Department's policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provide the framework for monitoring and improving the Department's management controls on a continuous basis.
The Department's management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. The Department worked closely with the Independent Auditor to address the reported material weakness related to the management of unliquidated obligations. As a result of the improvements made, the SAT and MCSC voted to downgrade this item to a significant deficiency. During fiscal year 2008, the Office of Management Controls initiated efforts to integrate the work performed in meeting requirements of Appendix A, and Appendix C regarding the Improper Payments Information Act, with the FMFIA program. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. The Department is working to expand the use of risk-based assessments in an integrated approach to the entire FMFIA program.
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies' financial management systems provide reliable financial data in accordance with generally accepted accounting principles and standards. Under FFMIA, financial management systems must substantially comply with three requirements — Federal financial management system requirements, applicable Federal accounting standards, and the U.S. Government Standard General Ledger (SGL).
To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department's annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department's assessment also relies a great deal upon evaluations and assurances under the FMFIA including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. Particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments.
The Department has made it a priority to meet the objectives of the FFMIA. Based on assessment results, along with information contained in the Department's FY 2008 FISMA Report and evaluations and assurances provided under FMFIA, the Department affirmed its determination of substantial compliance with FFMIA in its FY 2008 Management Representation Letter provided to the Independent Auditor. Further reinforcing FFMIA substantial compliance, the Department's Management Control Steering Committee voted to classify the Department's Financial and Accounting Systems as a financial system deficiency (versus significant or material non-conformance).
During the prior fiscal year the Department completed a major upgrade of its core financial management system, the Central Financial Management System (CFMS) to the Global Financial Management System (GFMS). GFMS establishes a common, uniform platform based on a commercial off-the-shelf (COTS) financial system. The COTS product has been tested and certified through the CFO Council software certification process as meeting Office of Federal Financial Management financial system requirements.
Jordanian deminers observe land mine destruction at the Jordan - Syrian border in August 2008. Women and children bear the brunt of these devices. The U.S. continues to contribute tens of millions of dollars annually to help rid the world of the "hidden killers" that remain from past conflicts, the overwhelming preponderance of which have been manufactured and employed by other countries and foreign combatants. The United States remains the world's top contributor to humanitarian mine action, having spent well over $1.2 billion since 1993. In FY 2006, the United States dedicated $76 million to mine action, and in FY 2007, the U.S. spent $82 million more.
The Office of Weapons Removal and Abatement in the U.S. Department of State's Bureau of Political-Military Affairs has released the Seventh Edition of "To Walk the Earth in Safety," summarizing the 2006-2007 accomplishments of the U.S. Humanitarian Mine Action Program, the world's largest such operation. Milestones in 2007 include the reduction in annual reported casualties from landmines and explosive remnants of war worldwide to 5,751, down from about 26,000 just four years before. The interagency U.S. Humanitarian Mine Action Program is the largest and one of the world's oldest such programs. It is comprised of the Department of State, the Department of Defense, the U.S. Agency for International Development's Leahy War Victims Fund, and the Centers for Disease Control and Prevention. AFP Photo/Awad Awad
The Department of State 2008 Federal Information Security Management Act (FISMA) and Privacy Management Report presented continued improvement in IT security within the Department, as well as a framework for 2009 efforts. The Department is dedicated to protecting information and information systems with a comprehensive Information Security Program integrating operational security and information assurance programs monitored by performance metrics that are continually improving.
Since last year, the Department has taken significant steps to improve management controls, including conducting a comprehensive data call of all its domestic bureaus and overseas posts in an effort to accurately identify its FISMA reportable inventory. The Department exercised a focused effort and markedly improved its Plan of Action and Milestones (POA&M) process since last year's FISMA review, developing databases to manage the POA&M process and posting a toolkit on its website that assisted system owners with certification and accreditation (C&A) requirements to better manage the POA&M process. The Department's C&A process and quality also improved overall, as well as in addressing privacy responsibilities. During 2008 the Privacy Protection Governance Board continued to meet under the Chairmanship of the Assistant Secretary for Administration, who is the designated Senior Agency Official for Privacy, and the Department finalized its Personally Identifiable Information Breach Response Policy.
The Department documented its agency-wide requirements for configuration management within policy established by the Bureaus of Diplomatic Security and Information Resource Management. Further, the Department implemented several new initiatives during FY 2008 to improve its incident reporting services and analyses. Finally, the Department made significant progress in providing security awareness to employees, and established a plan to ensure that non-system overseas employees receive security training as well.
In FY 2008, the Department achieved measurable progress throughout the agency-wide information security program. These accomplishments are key indicators the Department gained forward momentum for FY 2009 focusing attention on security concerns and designed processes and procedures to sustain that momentum. The Department begins FY 2009 with renewed confidence that the constant security challenges facing any global enterprise will be considered, identified, and resolved in a timely and comprehensive manner and substantial progress on all the initiatives started in FY 2008 will be maintained.