T he Department’s Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.
 D |
The Federal Managers’ Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:
It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management’s Responsibility for Internal Control, implements the FMFIA and defines management’s responsibility for internal control in federal agencies.
In 2004, Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in federal entities similar to the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. The Circular A-123 requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR), which is an addition to and also a component of the overall FMFIA assurance statement.
The Secretary of State’s 2010 Annual Assurance Statement for FMFIA and ICOFR is provided above. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136 later in this report’s section called Other Accompanying Information.
The Department’s Management Control Steering Committee (MCSC) oversees the Department’s management control program. The MCSC is chaired by the Chief Financial Officer, and is composed of eleven other Assistant Secretaries [including the Chief Information Officer and the Inspector General (non-voting)], the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Deputy Assistant Secretary for Global Financial Services, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department’s FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers’ personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management. At the close of FY 2010, the Department reported three program-related significant deficiencies. The table below is a summary of the FY 2010 results.
| Program Issue | Significant Deficiency Description | Beginning | New | Resolved | Ending |
|---|---|---|---|---|---|
| Federal financial assistance systems | Lack of comprehensive and reliable information on Federal financial assistance available due to the Department’s use of disparate information systems. | 1 | 0 | 0 | 1 |
| PIERS | Unauthorized access to the Passport Information Electronic Records System. | 1 | 0 | 0 | 1 |
| ECA Visitor Program Oversight | Insufficient oversight to ensure these programs (which bring foreign nationals to the U.S.) are operated in accordance with regulatory requirements. | 1 | 0 | 1 | 0 |
| ECA Youth Program Oversight | Insufficient oversight to ensure these programs (which bring foreign nationals to the U.S.) are operated in accordance with regulatory requirements. | 1 | 0 | 0 | 1 |
| Total Program Significant Deficiencies | 4 | 0 | 1 | 3 | |
The Senior Assessment Team (SAT) provided oversight during 2010 for the internal control program in place to meet Appendix A requirements. The SAT reports to the MCSC and is comprised of 15 senior executives from bureaus that have significant responsibilities relative to the Department’s financial resources, processes, and reporting. Due to the broad knowledge of management involved with the Appendix A assessment, the Department evaluated issues on a detailed level. The findings that resulted from the FY 2010 Appendix A assessment included several significant deficiencies in internal control financial reporting. At the close of FY 2010, the Department reported five financial reporting-related significant deficiencies. The table below is a summary of the FY 2010 results.
| Financial Reporting Issue | Significant Deficiency Description | Beginning | New | Resolved | Ending |
|---|---|---|---|---|---|
| Unliquidated obligations (ULOs) | ULOs were not consistently and systematically evaluated for validity during the year, as routine reviews were not conducted by all offices throughout the Department. | 1 | 0 | 0 | 1 |
| Personal Property | Various conditions existed including insufficient supporting documentation, delays in recording acquisitions and dispositions of assets, and inaccurate contractor held property inventories. | 1 | 0 | 1 | 0 |
| Intragovernmental financial reporting | Various conditions existed including transactions not accurately classified as Federal versus Public, inaccurate trading partner classification, accruals lacked a formal validation methodology, and variances between our amounts compared to those recorded by our trading partners. | 1 | 0 | 0 | 1 |
| Budgetary financial reporting – Statement of Budgetary Resources (SBR) | The Department compiles its financial statements through a combination of manual and automated procedures. Significant manual adjustments are required to prepare the quarterly SF-133s and SBR, that increase the risk of the likelihood of errors. | 1 | 0 | 0 | 1 |
| Liabilities to International Organizations | Liabilities were not supported by adequate documentation and are calculated and reviewed in a manual process that is susceptible to error. | 0 | 1 | 0 | 1 |
| Real Property | Various conditions existed including transactions not capitalized accurately for domestic construction-in-process projects, incomplete lease analysis documentation, and reconciliation discrepancies. | 0 | 1 | 0 | 1 |
| Total Financial Reporting Significant Deficiencies | 4 | 2 | 1 | 5 | |
It is the Department’s policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provide the framework for monitoring and improving the Department’s management controls on a continuous basis.
The Office of Management Controls employs an integrated process to perform the work necessary to meet the requirements of Appendix A, and Appendix C regarding the Improper Payments Information Act, and the FMFIA. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. The Department is working to expand the use of risk-based assessments in an integrated approach to the entire FMFIA program.
The Department’s management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. Management will continue to channel focused efforts to resolve issues for all significant deficiencies in internal control over financial reporting that were identified by management and auditors.
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies’ financial management systems provide reliable financial data that complies with Federal system requirements, Federal accounting standards, and the U.S. Government Standard General Ledger (SGL).
To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department’s annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department’s assessment also relies upon evaluations and assurances under the FMFIA including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. Particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments. The Department has made it a priority to meet the objectives of the FFMIA.
In its Report on Compliance and Other Matters, the Independent Auditor reported that the Department’s financial management systems did not substantially comply with certain Federal system requirements, Federal accounting standards, and the USSGL at the transaction level. The Department appreciates that the Independent Auditor has noted certain weaknesses in our financial management systems. In our assessments and evaluations, the Department identified similar weaknesses but consider them as deficiencies versus significant relative to substantial compliance with the requirements of the FFMIA. The Department will work with the Independent Auditor in FY 2011 and beyond to resolve these issues.
The Department of State’s 2010 Federal Information Security Management Act (FISMA) and Privacy Management Report effectively and efficiently responded to the Administration’s call for new outcome-focused metrics for information security performance. Through incorporating multiple proactive cyber defensive measures, the Department has further enhanced its comprehensive risk-based information security program.
The Department’s comprehensive risk-based information program includes a robust cyber response activity, a cutting edge threat analysis capability and a forward leaning revamped certification and accreditation (C&A) process.
During FY 2010, based upon the tireless efforts of officials from across the Department, the Site Risk Scoring (SRS) program reached new levels of positive maturity and provided tangible results. In April 2009, when multiple public and private systems were targeted, commonly referred to as the Google attacks, the Department was able to patch systems in 84 percent of its 260 embassies and 140 other organizations worldwide in just seven days. When Microsoft Security Bulletin MS10-042 was released, 93 percent of the offices installed the patch within 30 days. In short, the SRS program evaluates every embassy and office on how well they are able to resolve security risks overall. Each office is assigned a letter grade, from A through F, and those results are shared with not only IT staff but with each manager. Making the grades public motivates one to do better and promotes collaboration.
The proactive capabilities empower the Department with the ability to pivot and adjust to the rapidly changing cyber threat dynamic and thereby ensuring the appropriate amount of resources are utilized in a prioritized manner to respond accordingly.
In FY 2011, the Department plans to speed data collection for the SRS program to every 36 to 72 hours. The Department is also starting work to expand near-real-time monitoring to the rest of the IT infrastructure, including wireless, mobile devices, software applications, firewalls and routers.
