T he Department’s Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.
The Department of State’s management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems met the objectives of FMFIA as of September 30, 2010.
In addition, management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department can provide reasonable assurance that its internal control over financial reporting as of June 30, 2010 was operating effectively and the Department found no material weaknesses in the design or operation of the internal control over financial reporting.
As a result of its inherent limitations, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to the preparation and presentation of financial statements. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.
These systems of internal controls are also being used to support our stewardship over the American Recovery and Reinvestment Act (Recovery Act) spending by the Department. Our assessments of internal controls, along with senior managers’ assurance statements and our review for improper payments for Recovery Act activities, allow the Department to provide reasonable assurance that the key accountability objectives of the Recovery Act are being met and that significant risks to meeting Recovery Act accountability objectives are being mitigated.
The Federal Managers’ Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:
It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management’s Responsibility for Internal Control, implements the FMFIA and defines management’s responsibility for internal control in federal agencies.
In 2004, Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in federal entities similar to the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. The Circular A-123 requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR), which is an addition to and also a component of the overall FMFIA assurance statement.
The Secretary of State’s 2010 Annual Assurance Statement for FMFIA and ICOFR is provided above. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136 later in this report’s section called Other Accompanying Information.
The Department’s Management Control Steering Committee (MCSC) oversees the Department’s management control program. The MCSC is chaired by the Chief Financial Officer, and is composed of eleven other Assistant Secretaries [including the Chief Information Officer and the Inspector General (non-voting)], the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Deputy Assistant Secretary for Global Financial Services, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department’s FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers’ personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management. At the close of FY 2010, the Department reported three program-related significant deficiencies. The table below is a summary of the FY 2010 results.
|Program Issue||Significant Deficiency Description||Beginning||New||Resolved||Ending|
|Federal financial assistance systems||Lack of comprehensive and reliable information on Federal financial assistance available due to the Department’s use of disparate information systems.||1||0||0||1|
|PIERS||Unauthorized access to the Passport Information Electronic Records System.||1||0||0||1|
|ECA Visitor Program Oversight||Insufficient oversight to ensure these programs (which bring foreign nationals to the U.S.) are operated in accordance with regulatory requirements.||1||0||1||0|
|ECA Youth Program Oversight||Insufficient oversight to ensure these programs (which bring foreign nationals to the U.S.) are operated in accordance with regulatory requirements.||1||0||0||1|
|Total Program Significant Deficiencies||4||0||1||3|
The Senior Assessment Team (SAT) provided oversight during 2010 for the internal control program in place to meet Appendix A requirements. The SAT reports to the MCSC and is comprised of 15 senior executives from bureaus that have significant responsibilities relative to the Department’s financial resources, processes, and reporting. Due to the broad knowledge of management involved with the Appendix A assessment, the Department evaluated issues on a detailed level. The findings that resulted from the FY 2010 Appendix A assessment included several significant deficiencies in internal control financial reporting. At the close of FY 2010, the Department reported five financial reporting-related significant deficiencies. The table below is a summary of the FY 2010 results.
|Financial Reporting Issue||Significant Deficiency Description||Beginning||New||Resolved||Ending|
|Unliquidated obligations (ULOs)||ULOs were not consistently and systematically evaluated for validity during the year, as routine reviews were not conducted by all offices throughout the Department.||1||0||0||1|
|Personal Property||Various conditions existed including insufficient supporting documentation, delays in recording acquisitions and dispositions of assets, and inaccurate contractor held property inventories.||1||0||1||0|
|Intragovernmental financial reporting||Various conditions existed including transactions not accurately classified as Federal versus Public, inaccurate trading partner classification, accruals lacked a formal validation methodology, and variances between our amounts compared to those recorded by our trading partners.||1||0||0||1|
|Budgetary financial reporting – Statement of Budgetary Resources (SBR)||The Department compiles its financial statements through a combination of manual and automated procedures. Significant manual adjustments are required to prepare the quarterly SF-133s and SBR, that increase the risk of the likelihood of errors.||1||0||0||1|
|Liabilities to International Organizations||Liabilities were not supported by adequate documentation and are calculated and reviewed in a manual process that is susceptible to error.||0||1||0||1|
|Real Property||Various conditions existed including transactions not capitalized accurately for domestic construction-in-process projects, incomplete lease analysis documentation, and reconciliation discrepancies.||0||1||0||1|
|Total Financial Reporting Significant Deficiencies||4||2||1||5|
It is the Department’s policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provide the framework for monitoring and improving the Department’s management controls on a continuous basis.
The Office of Management Controls employs an integrated process to perform the work necessary to meet the requirements of Appendix A, and Appendix C regarding the Improper Payments Information Act, and the FMFIA. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. The Department is working to expand the use of risk-based assessments in an integrated approach to the entire FMFIA program.
The Department’s management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. Management will continue to channel focused efforts to resolve issues for all significant deficiencies in internal control over financial reporting that were identified by management and auditors.
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies’ financial management systems provide reliable financial data that complies with Federal system requirements, Federal accounting standards, and the U.S. Government Standard General Ledger (SGL).
To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department’s annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department’s assessment also relies upon evaluations and assurances under the FMFIA including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. Particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments. The Department has made it a priority to meet the objectives of the FFMIA.
In its Report on Compliance and Other Matters, the Independent Auditor reported that the Department’s financial management systems did not substantially comply with certain Federal system requirements, Federal accounting standards, and the USSGL at the transaction level. The Department appreciates that the Independent Auditor has noted certain weaknesses in our financial management systems. In our assessments and evaluations, the Department identified similar weaknesses but consider them as deficiencies versus significant relative to substantial compliance with the requirements of the FFMIA. The Department will work with the Independent Auditor in FY 2011 and beyond to resolve these issues.
The Department of State’s 2010 Federal Information Security Management Act (FISMA) and Privacy Management Report effectively and efficiently responded to the Administration’s call for new outcome-focused metrics for information security performance. Through incorporating multiple proactive cyber defensive measures, the Department has further enhanced its comprehensive risk-based information security program.
The Department’s comprehensive risk-based information program includes a robust cyber response activity, a cutting edge threat analysis capability and a forward leaning revamped certification and accreditation (C&A) process.
During FY 2010, based upon the tireless efforts of officials from across the Department, the Site Risk Scoring (SRS) program reached new levels of positive maturity and provided tangible results. In April 2009, when multiple public and private systems were targeted, commonly referred to as the Google attacks, the Department was able to patch systems in 84 percent of its 260 embassies and 140 other organizations worldwide in just seven days. When Microsoft Security Bulletin MS10-042 was released, 93 percent of the offices installed the patch within 30 days. In short, the SRS program evaluates every embassy and office on how well they are able to resolve security risks overall. Each office is assigned a letter grade, from A through F, and those results are shared with not only IT staff but with each manager. Making the grades public motivates one to do better and promotes collaboration.
The proactive capabilities empower the Department with the ability to pivot and adjust to the rapidly changing cyber threat dynamic and thereby ensuring the appropriate amount of resources are utilized in a prioritized manner to respond accordingly.
In FY 2011, the Department plans to speed data collection for the SRS program to every 36 to 72 hours. The Department is also starting work to expand near-real-time monitoring to the rest of the IT infrastructure, including wireless, mobile devices, software applications, firewalls and routers.
In January 2010, Secretary Clinton delivered a major foreign policy address on Internet freedom which emphasized a commitment to defending the freedom of expression and the free flow of information in the 21st Century. The free flow of information and ideas over digital technologies is in our national and global interests: it is important for economic growth and U.S. diplomatic relationships; for building sustainable democratic societies; and for meeting global challenges in the years and decades ahead.
The State Department is working with a wide range of partners outside of government to support these principles. Together, they are pursuing an active agenda to promote Internet freedom, to boost online access across the developing world, and to train civil society activists in online organizing.
Many U.S. Government development and public diplomacy programs emphasize to our partners the communication benefits of new technologies. In addition, the State Department began planning and implementing the following initiatives in FY 2010: