U.S. Department of State

Internal Controls, Financial Management Systems and Compliance with Laws and Regulations


Bureau of Resource Management
Report
November 15, 2011


Management Assurances

The Department’s Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.

Federal Managers' Financial Integrity Act

The Department of State’s management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, the Department identified a material weakness in internal control related to the Educational and Cultural Affairs (ECA) Summer Work Travel Program as of September 30. Other than the ECA exception described in the Departmental Governance section of this report, the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems met the objectives of FMFIA as of September 30.

In addition, management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department identified a material weakness in internal control related to financial reporting of Foreign Service Nationals’ After-Employment Benefits (FSNAEB) as of June 30. Other than the FSNAEB exception described in the Departmental Governance section of this report, the Department can provide reasonable assurance that its internal control over financial reporting as of June 30 was operating effectively and the Department found no other material weaknesses in the design or operation of the internal control over financial reporting.

As a result of its inherent limitations, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to the preparation and presentation of financial statements. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

These systems of internal controls are also being used to support our stewardship over the American Recovery and Reinvestment Act (Recovery Act) spending by the Department. Our assessments of internal controls, along with senior managers’ assurance statements and our review for improper payments for Recovery Act activities, allow the Department to provide reasonable assurance that the key accountability objectives of the Recovery Act are being met and that significant risks to meeting Recovery Act accountability objectives are being mitigated.

Hillary Rodham Clinton
Secretary of State
November 15, 2011

 

Departmental Governance

Management Control Program

Diagram showing the FMFIA Annual Assurance Process.

The Federal Managers’ Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:

  • Effectiveness and efficiency of operations,
  • Compliance with applicable laws and regulations, and
  • Reliability of financial reporting.

It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management’s Responsibility for Internal Control, implements the FMFIA and defines management’s responsibility for internal control in Federal agencies.

Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in Federal entities, similar to the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. Circular A-123 requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR), which is an addition to and also a component of the overall FMFIA assurance statement.

The Secretary of State’s 2011 Annual Assurance Statement for FMFIA and ICOFR is provided on the preceding page. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136, Financial Reporting Requirements, revised, later in this report’s section called Other Accompanying Information.

The Department’s Management Control Steering Committee (MCSC) oversees the Department’s management control program. The MCSC is chaired by the Chief Financial Officer, and is composed of eleven other Assistant Secretaries [including the Chief Information Officer and the Inspector General (non-voting)], the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Deputy Assistant Secretary for Global Financial Services, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department’s FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers’ personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General, the Special Inspector General for Iraq Reconstruction, the Special Inspector General for Afghanistan Reconstruction, and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management. At the close of FY 2011, the Department reported a material weakness in internal controls related to the Educational and Cultural Affairs (ECA) Summer Work Travel Program. The Department had insufficient oversight to ensure the students participating in the ECA Summer Work Travel Program who are traveling to the United States through temporary, seasonal employment during their academic break were adequately supervised. The Department has already developed a full corrective action plan and is taking swift action to remediate issues with the program.

The Senior Assessment Team (SAT) provided oversight during 2011 for the internal control program in place to meet Appendix A requirements. The SAT reports to the MCSC and is comprised of 15 senior executives from bureaus that have significant responsibilities relative to the Department’s financial resources, processes, and reporting. Due to the broad knowledge of management involved with the Appendix A assessment, the Department evaluated issues on a detailed level. The findings that resulted from the FY 2011 Appendix A assessment included several significant deficiencies in internal control over financial reporting as well as a material weakness related to Foreign Service Nationals’ After-Employment Benefits (FSNAEB). By statute, the Department establishes compensation plans for FSNs we employ in foreign countries based upon prevailing laws and practices in the host country. Accounting for the financial aspects of these complex compensation plans throughout the world presents unique challenges, especially with regard to reporting the future liability for defined benefit, lump-sum retirement, and severance benefits. The Department has taken actions since September 30, 2011 to moderate the most serious aspects of the financial reporting issues for FSNAEB and recorded adjustments to the financial statements as of September 30, 2011. The Department will complete actions in FY 2012 to strengthen and refine the financial reporting and internal controls over FSNAEB.

It is the Department’s policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provides the framework for monitoring and improving the Department’s management controls on a continuous basis.

The Office of Management Controls employs an integrated process to perform the work necessary to meet the requirements of Appendix A, and Appendix C regarding the Improper Payments Information Act, and the FMFIA. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. The Department is working to expand the use of risk-based assessments in an integrated approach to the entire FMFIA program.

The Department’s management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. Management will continue to channel focused efforts to resolve issues for all significant deficiencies in internal control over financial reporting that were identified by management and auditors.

Federal Financial Management Improvement Act

The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies’ financial management systems provide reliable financial data that complies with Federal system requirements, Federal accounting standards, and the U.S. Government Standard General Ledger (SGL).

To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department’s annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department’s assessment also relies upon evaluations and assurances under the Federal Managers’ Financial Integrity Act (FMFIA), including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. Particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments. The Department has made it a priority to meet the objectives of the FFMIA.

In its Report on Compliance and Other Matters, the Independent Auditor reported that the Department’s financial management systems did not substantially comply with certain Federal system requirements, Federal accounting standards, and the USSGL at the transaction level. The Department appreciates that the Independent Auditor has noted certain weaknesses in our financial management systems. In our assessments and evaluations, the Department identified similar weaknesses but considers them deficiencies rather than substantial non-conformances relative to substantial compliance with the requirements of the FFMIA. The Department will work with the Independent Auditor in FY 2012 and beyond to resolve these issues.

Federal Information Security Management Act

The Department of State’s 2011 Federal Information Security Management Act (FISMA) and Privacy Management Report highlighted the Department’s layered approach to security risk management by employing multiple levels of protection. This protection is accomplished by implementing a matrix of technical, operational, and management security controls designed to thwart network threats, detect and mitigate vulnerabilities, and strengthen business operations.

The Department’s comprehensive, risk-based, and cost-effective information security program includes a myriad of programs and procedures, including a robust threat assessment program, a proven continuous monitoring effort, and a well-recognized awareness program.

During FY 2011, based upon the coordinated efforts of the individuals and offices throughout the Department, the maturity level of a number of programs was substantively enhanced. Systems have been put in place that increase the frequency and accuracy of reporting. Specific examples include:

  • The Department’s continuous monitoring program scans are both 3-4 times more complete and 20 times timelier than traditional certification and accreditation activities (checking vulnerability and configuration settings on 100,000 personal computers and servers every 72 hours);
  • In 11 months, the Department reduced measured risk to known attacks on computer settings and vulnerability for personal computers and servers by 89%;
  • Patched three critical weaknesses from 0% to 84% in one week across the entire Department;
  • Routers and switches are scanned weekly, 150 times more frequently than required by FISMA;
  • Firewalls are tightly managed by a centralized interagency Department body that holds meetings three times a week where evaluations and determinations are the normal course of business;
  • DHS annually inspects the Department’s DMZ and provided the Department a 92% grade for FY 2011;
  • The Department has extensive forensics capabilities to detect active network penetrations; and
  • Penetration testing is routinely performed.

In FY 2012, the Department will support Department of Homeland Security efforts on establishing continuous monitoring performance measurements by continuing to serve as the lead of the interagency Continuous Monitoring Working Group. Within the Department, the continuous monitoring program will be expanded with the goal of enhancing the Department’s security posture and serving as a test bed for the rest of the community by focusing upon removing unauthorized devices and software; better managing firewalls and other non-Windows devices; and better managing training, credentials, and accounts.

In the FISMA report, the Office of Inspector General will cite weaknesses to enterprise-wide security they consider to be a significant deficiency in accordance with OMB M-11-33. The Department acknowledges the weaknesses identified by the OIG, but does not agree that any of the findings, either individually or collectively, rise to the level of a significant deficiency that would require treating the matter as an additional material weakness in accordance with OMB M-11-33 which states “a significant deficiency is defined as a weakness in an agency’s overall information systems security program… that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and other agencies must be notified and immediate or near-immediate action must be taken.” Management has defined corrective actions for the applicable weaknesses cited by the OIG, and will address each in a prioritized manner based upon the risk and impact posed to the Department’s security posture.
