U.S. Department of State

Management Assurances

The Department's Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.

Federal Managers' Financial Integrity Act The Department of State's management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers' Financial Integrity Act of 1982 (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management's Responsibility for Internal Control. Based on the results of this evaluation, the Department identified a material weakness in internal control related to the Educational and Cultural Affairs (ECA) Summer Work Travel Program as of September 30, 2012. Except for this ECA weakness (described in the Departmental Governance section of this report), the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems met the objectives of FMFIA as of September 30. In addition, management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department identified a material weakness in internal control related to financial reporting of Foreign Service Nationals' After-Employment Benefits as of June 30, 2012. However, the Department diligently worked to take corrective actions and the material weakness has been resolved as of September 30. Therefore, the Department can provide reasonable assurance that its internal control over financial reporting as of September 30 was operating effectively and the Department found no material weaknesses in the design or operation of the internal control over financial reporting. As a result of its inherent limitations, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to the preparation and presentation of financial statements. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate. These systems of internal controls are also being used to support our stewardship over the American Recovery and Reinvestment Act (Recovery Act) spending by the Department. Our assessments of internal controls, along with senior managers' assurance statements and our review for improper payments for Recovery Act activities, allow the Department to provide reasonable assurance that the key accountability objectives of the Recovery Act are being met and that significant risks to meeting Recovery Act accountability objectives are being mitigated. Hillary Rodham Clinton Secretary of State November 15, 2012

Departmental Governance

Management Control Program

D

The Federal Managers' Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:

• Effectiveness and efficiency of operations,
• Compliance with applicable laws and regulations, and
• Reliability of financial reporting.

It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management's Responsibility for Internal Control, implements the FMFIA and defines management's responsibility for internal control in Federal agencies.

Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in Federal entities similar to the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. The Circular A-123 requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR), which is an addition to and also a component of the overall FMFIA assurance statement.

The Secretary of State's 2012 Annual Assurance Statement for FMFIA and ICOFR is provided above. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136, Financial Reporting Requirements, revised, later in this report's section called Other Accompanying Information.

The Department's Management Control Steering Committee (MCSC) oversees the Department's management control program. The MCSC is chaired by the Comptroller, and is comprised of ten Assistant Secretaries [including the Inspector General (non-voting)], the Chief Information Officer, the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Director for the Office of Budget and Planning, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department's FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers' personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General, the Special Inspector General for Iraq Reconstruction, the Special Inspector General for Afghanistan Reconstruction, and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management. At the close of FY 2011, the Department reported a material weakness in internal controls related to the Educational and Cultural Affairs (ECA) Summer Work Travel (SWT) program. The Department had insufficient oversight to ensure the health, safety, and welfare of the SWT program. Throughout FY 2012, the Department took unprecedented action to address the weaknesses in the program.

Through the issuance of two Interim Final Rules in 2011 and 2012, the Department institutionalized new policies, safeguards, and procedures which prohibited certain categories of work, refocused the core cultural purpose of the program and mandated stricter employer vetting. In concert with the new rules, the Department conducted extensive and unprecedented on-site workplace and housing monitoring to ensure compliance. The Department has also removed several problematic sponsors from the program and experienced reductions in program participant numbers. While great strides have been made to strengthen the oversight of the program, there is more to do, including a spring 2013 Notice of Proposed Rule Making and a spring 2013 OIG compliance follow-on review. Completion of these additional steps will demonstrate that the significant improvements already made to the program have been successfully institutionalized. For this reason, the Department elected to continue to report the matter as a material weakness instead of a significant deficiency. The Department will continue taking swift action to remediate issues with the program.

The Senior Assessment Team (SAT) provided oversight during 2012 for the internal control program in place to meet Appendix A requirements. The SAT reports to the MCSC and is comprised of 15 senior executives from bureaus that have significant responsibilities relative to the Department's financial resources, processes, and reporting. Due to the broad knowledge of management involved with the Appendix A assessment, the Department evaluated issues on a detailed level. The findings that resulted from the FY 2012 Appendix A assessment included several significant deficiencies in internal control over financial reporting. By statute, the Department establishes compensation plans for FSNs we employ in foreign countries based upon prevailing laws and practices in the host country. The Department worked diligently to address the issues identified in the Foreign Service Nationals' After-Employment Benefits (FSNAEB) that were reported as a material weakness in the prior year. Remediation efforts were undertaken throughout the fiscal year, although the issues were still considered a material weakness as of June 30. However, as a result of the progress made in the fourth quarter, the MCSC voted to downgrade this item to a significant deficiency as of September 30. Below is a table illustrating actions taken to resolve the FSNAEB material weakness.

Appendix A Material Weakness Resolved
as of September 30, 2012

Material Weakness Resolved	Corrective Actions Taken
As of June 30, 2012, deficiencies existed in the controls over accounting for FSNAEB. Specifically, the Department did not have a complete inventory of plans with reported balances for the future liability for defined benefits, lump-sum retirement, and severance benefits for each plan.	The Department implemented procedures to verify the completeness of our inventory of benefit plans, and accounting for the financial aspects of these complex compensation plans for FSNs we employ in foreign countries based upon prevailing laws and practices in the host country.

It is the Department's policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provide the framework for monitoring and improving the Department's management controls on a continuous basis.

The Office of Management Controls employs an integrated process to perform the work necessary to meet the requirements of Appendix A, and Appendix C regarding the Improper Payments Information Act, and the FMFIA. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. The Department is working to expand the use of risk-based assessments in an integrated approach to the entire FMFIA program.

The Department's management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. Management will continue to channel focused efforts to resolve issues for all significant deficiencies in internal control over financial reporting that were identified by management and auditors.

Federal Financial Management Improvement Act

The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies' financial management systems provide reliable financial data that complies with Federal system requirements, Federal accounting standards, and the U.S. Government Standard General Ledger (SGL).

To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department's annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department's assessment also relies upon evaluations and assurances under the Federal Managers' Financial Integrity Act (FMFIA), including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. Particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments. The Department has made it a priority to meet the objectives of the FFMIA.

In its Report on Compliance and Other Matters, the Independent Auditor reported that the Department's financial management systems did not substantially comply with certain Federal system requirements, Federal accounting standards, and the USSGL at the transaction level. The Department appreciates that the Independent Auditor has noted certain weaknesses in our financial management systems. In our assessments and evaluations, the Department identified similar weaknesses but consider them as deficiencies versus substantial non-conformances relative to substantial compliance with the requirements of the FFMIA. The Department will work with the Independent Auditor in FY 2013 and beyond to resolve these issues.

Federal Information Security Management Act

The Department of State's 2012 Federal Information Security Management Act (FISMA) and Privacy Management Report will highlight how the Department continues to apply a layered approach of security risk management through the application of multiple levels of protection in a manner that is commensurate with the risk and impact facing the Department's information and information systems. It should also note the improvements based on earlier recommendations.

During FY 2012, the Department continued to enhance its comprehensive risk-based and cost effective information security program through extensive engagement with stakeholders throughout the Department and the implementation of specific and tangible efforts that have enhanced the maturity level of a number of programs and procedures including:

• The maturity of the continuous monitoring program through:
  • Certain Active Directory account attributes now require accounts to have compliant descriptions, including the manager field to ensure accountability.
  • New scanning allows for the discovery of routers and switches and these discovery results are provided in iPost.
  • Passwords with longer ages than 60 days are negatively scored.
  • Piloting scoring is underway for important Active Directory account qualities such as "no password required" and "no account expiration date".
• The mandatory nature of the yearly cyber-security awareness briefing for all employees is now tracked with automatic mechanisms that disable the accounts of personnel who have not taken the course within a year of their last course.
• Diplomatic Security is performing an engineering analysis of available database scanning tools to determine which tool is most appropriate, useful and cost effective with respect to a likelihood of threat against the Department's databases. An early examination of appropriate scanning tools concludes that the initial cost to the Department will exceed $1.5 million. The tool is anticipated to be purchased in calendar year 2013.
• Plans of Action and Milestones now include the estimated funding resources required to resolve the weakness, as well as the being linked to source of funding.
• The Department is currently expending extraordinary resources to address two issues the OIG earlier noted: Certification and Accreditation (C&A) and Contingency Planning. $1.8 million has been allocated for C&A efforts currently underway and additional staff has been hired to address the OIG's concerns regarding Contingency Planning and Continuity of Operations.

In the FISMA report, the Office of Inspector General will cite weaknesses to enterprise-wide security they consider to be a significant deficiency in accordance with OMB M-11-33. The Department acknowledges the weaknesses identified by the OIG, but does not agree that any of the findings, either individually or collectively, rise to the level of a significant deficiency that would require treating the matter as an additional material weakness in accordance with OMB M-11-33 which states "a significant deficiency is defined as a weakness in an agency's overall information systems security program...that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and other agencies must be notified and immediate or near-immediate action must be taken." Management has defined corrective actions for the applicable weaknesses cited by the OIG, and will address each in a prioritized manner based upon the risk and impact posed to the Department's security posture.

Modernizing U.S. Diplomacy to Better Support Development The Quadrennial Diplomacy and Development Review, in support of the Presidential Policy Directive on Global Development, lays out initial steps the Department and USAID will take to transform U.S. development programs to deliver results. The Department of State is uniquely positioned to use diplomacy to amplify development outcomes. Secretary Clinton's Fifth Policy Guidance Cable: Modernizing U.S. Diplomacy to Better Support Development (July 2012) provided policy guidance for Department of State officials in the field and in Washington on modernizing U.S. diplomacy and leadership to better support development priorities and outcomes. This guidance requires using high-level government-to-government access to more systematically engage in policy dialogue and advocacy, and using broad relationships with local communities, civil society, and the private sector to mobilize demand for change. It requires using global leadership to promote international norms and performance standards and U.S. convening power to create powerful incentive regimes that encourage developing countries to pursue reforms. It requires using U.S. aid as a catalyst to promote the conditions for self-sustaining progress and employing all aspects of our foreign policy apparatus to promote systemic reform. Fundamentally, it requires a broadening from service delivery and traditional development aid to a strategy of influence, engagement, partnership, and reform mobilization. Integrated Country Strategies (ICSs) are being prepared and will each provide a Mission's single, multi-year strategy encapsulating U.S. Government policy priorities and objectives, and the means by which diplomatic engagement, foreign assistance, and other tools will be used to achieve them. The ICS builds on the Joint Department of State-USAID Strategic Plan and serves as the basis for the annual budget request and project design. The Economic Statecraft Taskforce set specific targets, announced in August 2012 by Deputy Secretary Nides to update U.S. foreign policy priorities, tap market-minded solutions to strategic challenges, build "jobs diplomacy," and improve organization and communication. Several programs are underway through the Bureau of Economic and Business Affairs to further Economic Statecraft toward those goals, including the Global Infrastructure Conference, Bilateral Investment Treaty negotiations, and the Fiscal Transparency Fund. With such strengthened applications of diplomacy tools, U.S. assistance will better reflect U.S. priorities and raise the level of accomplishment in development assistance.

 

---