The Department’s Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.
Federal Managers' Financial Integrity Act
The Department of State’s management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems met the objectives of FMFIA as of September 30, 2009.
In addition, management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department can provide reasonable assurance that its internal control over financial reporting as of June 30, 2009, was operating effectively and the Department found no material weaknesses in the design or operation of the internal control over financial reporting. The Department appreciates that the independent auditors reported material weaknesses related to the accounting for property and financial reporting. The Department, in our assessments and evaluations of internal controls, identified similar weaknesses but classified them as significant deficiencies versus material weaknesses. We will continue to work with them to resolve these issues.
Because of its inherent limitations, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to the preparation and presentation of financial statements. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.
These systems of internal controls are also being used to support our stewardship over the American Recovery and Reinvestment Act (Recovery Act) spending made by the Department. Our assessments of internal controls, along with senior managers’ assurance statements and our review for improper payments for Recovery Act activities, allow the Department to provide reasonable assurance that the key accountability objectives of the Recovery Act are being met and that significant risks to meeting Recovery Act accountability objectives are being mitigated.
The Federal Managers’ Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:
It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management’s Responsibility for Internal Control, implements the FMFIA and defines management’s responsibility for internal control in federal agencies.
In 2004, Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in federal entities, similar to the internal control requirements for publicly traded companies contained in the Sarbanes-Oxley Act of 2002. Circular A-123 requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR), which is an addition to and also a component of the overall FMFIA assurance statement.
The Secretary of State’s 2009 Annual Assurance Statement for FMFIA and ICOFR is provided on the preceding page. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136 later in this report’s section called Other Accompanying Information.
The Department’s Management Control Steering Committee (MCSC) oversees the Department’s management control program. The MCSC is chaired by the Chief Financial Officer, and is composed of eleven other Assistant Secretaries [including the Chief Information Officer and the Inspector General (non-voting)], the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Deputy Assistant Secretary for Global Financial Services, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department’s FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers’ personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management. At the close of FY 2009, the Department reported four program-related significant deficiencies. Following is a summary of the FY 2009 results.
| Program Issue | Significant Deficiency Description | Beginning | New | Resolved | Ending |
|---|---|---|---|---|---|
| Federal financial assistance leadership, policy and training | Lack of coordinated Department leadership, policy framework, and training on Federal financial assistance. | 1 | 0 | 1 | 0 |
| Federal financial assistance systems | Lack of comprehensive and reliable information on Federal financial assistance available due to the Department’s use of disparate information systems. | 1 | 0 | 0 | 1 |
| PIERS | Unauthorized access to the Passport Information Electronic Records System. | 1 | 0 | 0 | 1 |
| ECA Visitor Program Oversight | Insufficient oversight to ensure these programs (which bring foreign nationals to the U.S.) are operated in accordance with regulatory requirements. | 1 | 0 | 0 | 1 |
| ECA Youth Program Oversight | Insufficient oversight to ensure these programs (which bring foreign nationals to the U.S.) are operated in accordance with regulatory requirements. | 0 | 1 | 0 | 1 |
| Total Program Significant Deficiencies | | 4 | 1 | 1 | 4 |
The Senior Assessment Team (SAT) provided oversight during 2009 for the internal control program in place to meet Appendix A requirements. The SAT reports to the MCSC and is composed of 15 senior executives from bureaus that have significant responsibilities relative to the Department’s financial resources, processes, and reporting. Due to the extensive knowledge of management involved with the Appendix A assessment, the Department evaluated issues on a detailed level. The findings that resulted from the FY 2009 Appendix A assessment included several significant deficiencies in internal control over financial reporting. At the close of FY 2009, the Department reported four financial reporting-related significant deficiencies. Following is a summary of the FY 2009 results.
| Financial Reporting Issue | Significant Deficiency Description | Beginning | New | Resolved | Ending |
|---|---|---|---|---|---|
| Unliquidated obligations (ULOs) | ULOs were not timely de-obligated during the year, as routine reviews were not conducted by all offices throughout the Department. | 1 | 0 | 0 | 1 |
| Personal Property | Various conditions existed including insufficient supporting documentation, data integrity issues, delays in recording acquisitions and dispositions of assets, and cut-off issues. | 1 | 0 | 0 | 1 |
| Intragovernmental financial reporting | Various conditions existed including transactions not accurately classified as Federal versus Public, inaccurate trading partner classification, accruals not adequately supported, and variances between our amounts compared to those recorded by our trading partners. | 1 | 0 | 0 | 1 |
| Budgetary financial reporting – Statement of Budgetary Resources (SBR) | Significant summary level adjustments were required to prepare the quarterly SF-133s and SBR. | 1 | 0 | 0 | 1 |
| Deferred revenues | Earned revenue recognized at the time the reimbursable agreement is approved, rather than at the time the services or goods are provided. | 1 | 0 | 1 | 0 |
| Total Financial Reporting Significant Deficiencies | | 5 | 0 | 1 | 4 |
The Independent Auditors Report on Internal Controls cites three material weaknesses. The material weaknesses relate to 1) the accounting for property, which includes issues related to both real and personal property; 2) financial reporting, primarily (but not solely) relating to the statement of budgetary resources; and 3) the need to restate previously reported amounts for the International Boundary and Water Commission. With regard to the material weaknesses, we agree with the issues identified. However, the Department disagrees with the severity at which they are categorized. With the exception of the IBWC Restatement, the Department reports similar weaknesses in our A-123 Appendix A program but classifies them as significant deficiencies versus material weaknesses. While identifying and reporting significant deficiencies of our own, management recognizes the issues identified and reported as material weaknesses by the auditors, but believes the internal control over these areas provided reasonable (but not absolute) assurance that the objectives of internal control were met during FY 2009. The Department will work with the OIG and the Independent Auditors in FY 2010 to ensure we include their recommendations for improvements for these areas in our corrective action plans.
It is the Department’s policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provides the framework for monitoring and improving the Department’s management controls on a continuous basis.
The Department’s management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. Management will continue to channel focused efforts to resolve issues with property, financial reporting, and matters related to IBWC that the auditor identified as material weaknesses, as well as for all other significant deficiencies in internal control over financial reporting that were identified by management.
During fiscal year 2009, the Office of Management Controls successfully integrated the work performed in meeting requirements of Appendix A, and Appendix C regarding the Improper Payments Information Act, with the FMFIA program. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. The Department is working to expand the use of risk-based assessments in an integrated approach to the entire FMFIA program.
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies’ financial management systems provide reliable financial data that complies with Federal system requirements, Federal accounting standards, and the U.S. Government Standard General Ledger (SGL).
To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department’s annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department’s assessment also relies a great deal upon evaluations and assurances under the FMFIA including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. Particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments. The Department has made it a priority to meet the objectives of the FFMIA.
The Department of State 2009 Federal Information Security Management Act (FISMA) and Privacy Management Report reflects a continuation of the Department’s endeavor to advance and improve IT security. The Department has sustained its effort to integrate and leverage people, processes, and technology to promote an effective, comprehensive, risk-based information security program. This comprehensive information security program encourages a collaborative approach to protecting information, information systems and other critical assets through prioritizing security initiatives, standardizing processes, and making streamlined security tools available to our diplomats operating around the world. In doing so, the Department is soundly positioned to engage in vital continuous monitoring activities which will further strengthen its security posture.
Building on significant progress made in FY 2008 through identifying, categorizing, and assessing systems, the Department has institutionalized the certification and accreditation (C&A) process and has graduated to a more vigorous, risk-based, continuous monitoring methodology. To facilitate this effort, the Department’s Information Assurance and Enterprise Network Management offices collaborated with Diplomatic Security’s Computer Security office to establish new metrics for measuring Information Technology (IT) security vulnerabilities and risks at the site level. During FY 2009, the iPost application, which provides sites with the ability to monitor aspects of their entire Information Technology infrastructure, was enhanced to provide the Department with an improved way of measuring risk through the Site Risk Scoring (SRS) program. The SRS program analyzes the data collected during the automated verification of the 20 most important controls, also known as the Consensus Audit Guidelines (CAG), and measures the total risk present. This information aids both technicians and managers with identifying and implementing plausible cost-effective solutions and prioritizing resources.
In FY 2009, the Department continued to strengthen its IT security program through improving and concentrating resources on risk management internal processes, effectively leveraging network monitoring and compliance tools and furthering continuous monitoring efforts. With the continuous evolution of security threats, the Department’s emphasis on identifying new methods and approaches such as the SRS program for targeting vulnerabilities that have an enterprise-wide impact has resulted in a 90% reduction in overall risk during the past year.