U.S. Department of State

Management Assurances and Other Financial Compliances


Bureau of the Comptroller and Global Financial Services
Report
December 16, 2013



Management Assurances

The Department's Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.

Federal Managers' Financial Integrity Act

The Department of State's management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers' Financial Integrity Act of 1982 (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management's Responsibility for Internal Control. Based on the results of this evaluation, the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems met the objectives of FMFIA as of September 30.

In addition, management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department can provide reasonable assurance that its internal control over financial reporting as of June 30 was operating effectively and the Department found no material weaknesses in the design or operation of the internal control over financial reporting. Further, subsequent procedures and testing through September 30 did not identify any material changes in key financial reporting internal controls.

As a result of its inherent limitations, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to the preparation and presentation of financial statements. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

These systems of internal controls are also being used to support our stewardship over the American Recovery and Reinvestment Act (Recovery Act) spending by the Department. Our assessments of internal controls, along with senior managers' assurance statements and our review for improper payments for Recovery Act activities, allow the Department to provide reasonable assurance that the key accountability objectives of the Recovery Act are being met and that significant risks to meeting Recovery Act accountability objectives are being mitigated.

John F. Kerry
Secretary of State
December 16, 2013

Departmental Governance

Management Control Program

The Federal Managers' Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:

  • Effective and efficient operations,
  • Compliance with applicable laws and regulations, and
  • Financial reporting reliability.

It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management's Responsibility for Internal Control, implements the FMFIA and defines management's responsibility for internal control in Federal agencies.

Circular A-123 also requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR). This is an addition to and a component of the overall FMFIA assurance statement. Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in Federal entities similar to the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002.

The Secretary of State's 2013 Annual Assurance Statement for FMFIA and ICOFR is provided above. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136, Financial Reporting Requirements, revised, later in this report's Other Information section.

The Department's Management Control Steering Committee (MCSC) oversees the Department's management control program. The MCSC is chaired by the Comptroller, and is comprised of ten Assistant Secretaries [including the Inspector General (non-voting)], the Chief Information Officer, the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Director for the Office of Budget and Planning, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department's FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers' personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General, the Special Inspector General for Iraq Reconstruction, the Special Inspector General for Afghanistan Reconstruction, and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management.

At the close of FY 2012, the Department reported a material weakness in internal controls related to the Educational and Cultural Affairs Summer Work Travel (SWT) program. Particularly, the Department had insufficient oversight to fully ensure the health, safety, and welfare of the SWT program participants. Prior to and throughout FY 2013, the Department took extensive action to address the weaknesses in the SWT program. Some of the FY 2013 accomplishments in improving the SWT program included the Department significantly increasing staff to provide greater supervision of the program, conducting 542 on-site visits in 39 States, providing robust monitoring and surveying to participants, and taking other administrative and substantive actions to ensure compliance. Completion of these accomplishments, in conjunction with the significant improvements made to the program prior to FY 2013, has demonstrated the Department's commitment to remediating issues with the program. For this reason, the Department elected to downgrade the material weakness to a significant deficiency.

The Senior Assessment Team (SAT) provided oversight during FY 2013 for the ICOFR program in place to meet Appendix A requirements. The SAT reports to the MCSC and is comprised of 15 senior executives from bureaus that have significant responsibilities relative to the Department's financial resources, processes, and reporting, and the Office of the Legal Adviser. An executive from the Office of Inspector General is also a non-voting member of the SAT. In addition, the Department's Office of Management Controls employs an integrated process to perform the work necessary to meet the requirements of Appendix A, Appendix C (regarding the Improper Payments Information Act), and the FMFIA. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. Due to the broad knowledge of management involved with the Appendix A assessment, along with the extensive work performed by the Office of Management Controls, the Department evaluated issues on a detailed level. The FY 2013 Appendix A assessment did not identify any material weaknesses in the design or operation of the internal control over financial reporting. The assessment did identify several significant deficiencies in internal control over financial reporting.

The Department's management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal laws and regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. It is the Department's policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provides the framework for monitoring and improving the Department's management controls on a continuous basis. Management will continue to direct focused efforts to resolve issues for all significant deficiencies in internal control identified by management and auditors.

Federal Financial Management Improvement Act

The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that Federal agencies' financial management systems provide reliable financial data that complies with Federal system requirements, the standards promulgated by the Federal Accounting Standards Advisory Board, and the U.S. Government Standard General Ledger (USSGL) at the transaction level.

To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2009 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department's annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department's assessment also relies upon evaluations and assurances under the Federal Managers' Financial Integrity Act of 1982 (FMFIA), including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. Particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments. The Department has made it a priority to meet the objectives of the FFMIA.

With USAID power meters above them, Pakistani Minister of Power and Water Khawaja Asif explains to U.S. Secretary of State in Islamabad how the equipment saves power for utilities and the government, August 1, 2013. Department of State

In its Report on Compliance and Other Matters, the Independent Auditor reported that the Department's financial management systems did not substantially comply with certain Federal financial management systems requirements, standards promulgated by the Federal Accounting Standards Advisory Board, and the USSGL at the transaction level. The Department appreciates that the Independent Auditor has noted certain weaknesses in our financial management systems. In our assessments and evaluations, the Department identified similar weaknesses but considers them deficiencies versus substantial non-conformances relative to substantial compliance with the requirements of the FFMIA. The Department will work with the Independent Auditor in FY 2014 and beyond to resolve these issues, and to assess compliance based upon the recently issued Appendix D to OMB Circular A-123. Appendix D provides a revised compliance model that entails an outcome-based approach to assess FFMIA compliance.

Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency. The Office of Inspector General (OIG) performs an annual evaluation of the Department's compliance with FISMA requirements. The Department of State's 2013 FISMA and Privacy Management Report highlights how the Department continues to apply a layered approach of security risk management through the application of multiple levels of protection in a manner that is commensurate with the risk and impact facing the Department's information and information systems. It also notes the improvements based on earlier recommendations from the OIG.

During FY 2013, the Department continued to enhance its comprehensive, risk-based, and cost-effective information security program through extensive engagement with stakeholders throughout the Department and the implementation of specific and tangible efforts that have enhanced the maturity level of a number of programs and procedures, including:

  • Continuous Monitoring Program:
    • At our annual PortfolioStat review meeting, the Federal Chief Information Officer (CIO) stated that due to the Department of State's leadership in the implementation of continuous monitoring, the Department should play a key role in integrating the National Institute of Standards and Technology's Risk Management Framework and the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) methodologies for the entire Federal Government.
    • The Department's CIO signed the Memorandum of Understanding with DHS to allow the Department to be an "early adopter" of new CDM software tools that will be provided through the DHS contract awarded in August 2013. These tools will allow the Department to monitor our network and react to threats and active attacks in real time.
    • The Bureau of Information Resource Management, Office of Information Assurance (IRM/IA) implemented a contract to determine the Department's CDM requirements to accelerate the procurement and implementation of the tools being provided by DHS.
    • The Bureau of Diplomatic Security (DS) acquired a database scanning tool. The installation and integration of the tool is ongoing.
  • Security Configuration Management:
    • The Bureau of Information Resource Management (IRM) and DS are working closely to further the Department's cybersecurity posture.
    • IRM and DS have synchronized the process of updating the applicable sections of Department policy to remove conflicts and inconsistent guidance.
    • DS has purchased and is installing a database monitoring tool which focuses on database security rather than just network security.
    • IRM has completed a Continuity of Operations Plan that is inclusive of the financial systems.
    • IRM/IA is in the process of hiring a full-time bureau emergency action coordinator for IRM.
    • DS has provided three seats at the DS Foreign Affairs Cybersecurity Center to the Deputy CIO for Operations to allow for improved cybersecurity cooperation. IRM is working to staff these seats in the near future.
  • Risk Management and Security Authorization:
    • During the past year, $1.8 million was spent to complete an Assessment and Authorization (A&A) of the OpenNet general support systems. OpenNet is the Department's unclassified computer network. OpenNet evaluation was divided into high and moderate impact enclaves. Common controls were introduced for the first time allowing security controls to be properly inherited by the major systems residing on OpenNet. Documentation was provided to the OIG at the end of May 2013. Accreditation teams are reviewing documents with the planned signing of the letter of authorization by the CIO in February 2014.
    • Major emphasis this year has been placed on the Bureau of the Comptroller and Global Financial Services' A&A.
    • An additional $1.5 million of FY 2013 funds are being applied to accelerate the Department's A&A effort.
  • Plans of Action and Milestones:
    • Following the lead by Consular Affairs, IRM/IA is purchasing an enterprise license of ComplyVision. This tool will provide the Department with a data repository for accreditation and authorization documentation and Plans of Action and Milestones (POA&M). All Department of State security documents and POA&Ms will be managed through this software tool. This tool will be integrated with the Department's information technology asset management tracking system to provide a seamless view of the Department's security portfolio.
    • The Department expended extraordinary resources to address two issues the OIG noted earlier: Assessment and Authorization (A&A) and Contingency Planning. A&A efforts are currently underway and an additional Government FTE will be hired to address the OIG's concerns regarding Contingency Planning and Continuity of Operations.
    • Plans of Action and Milestones now include the estimated funding resources required to resolve the weakness.

In the FISMA report and the Inspector General's Assessment of Management and Performance Challenges (located in the Other Information section of this AFR), the OIG cites weaknesses to enterprise-wide security they consider to be a significant deficiency in accordance with OMB memorandum M-14-04. While the Department acknowledges the weaknesses identified by the OIG, it does not agree that any of the findings, either individually or collectively, rises to the level of a significant deficiency that would require treating the matter as an additional material weakness in accordance with OMB M-14-04. The OMB memorandum defines a "significant deficiency...as a weakness in an agency's overall information systems security program...that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and other agencies must be notified and immediate or near-immediate action must be taken." The Department's management has defined corrective actions for the applicable weaknesses cited by the OIG, and will address each in a prioritized manner based upon the risk and impact posed to the Department's security posture. Through these activities, the Department continues to improve its information system documentation, policies, and procedures and to mitigate information security risks and weaknesses.

Other Regulatory Requirements

The Department is required to comply with a number of other legal and regulatory financial requirements, including the Improper Payment Elimination and Recovery Act, the Debt Collection Improvement Act, and the Prompt Pay Act. The Department determined that none of its programs are risk-susceptible for making significant improper payments at or above the threshold levels set by OMB, and collected 100 percent of amounts identified for recovery during the past two fiscal years. In addition, the Department does not refer a substantial amount of debts to Treasury for collection, and has successfully paid vendors timely 98 percent of the time for the past three fiscal years. A detailed description of these compliance results and improvements is presented in the Other Information section of this report.

American Recovery and Reinvestment Act

Of the $787 billion appropriated for the American Recovery and Reinvestment Act (ARRA) of 2009, the Department of State received $562 million for projects and $2 million for Office of Inspector General oversight. The Department used ARRA funds to create and save jobs, repair and modernize domestic infrastructure crucial to the safety of American citizens, and expand consular services offered to American taxpayers. Details of the Department's ARRA implementation are posted on the website at http://www.state.gov/recovery/.

Construction Projects. In prior years, the Department completed a number of construction projects using ARRA funds. For example, the Department expanded its network of passport facilities to address public demand in previously underserved areas of the country ($15 million); opened new classrooms and installed new signage at the National Foreign Affairs Training Center ($5 million); and completed a domestic Enterprise Server Operations Center to provide for high availability, redundancy, disaster recovery, and capacity for the Department to achieve its goals in support of the Federal Data Center Consolidation Initiative ($120 million).

In FY 2013, environmental studies and master planning are near completion for the site identified as the preferred potential location of the Diplomatic Security Foreign Affairs Security Training Center ($70 million). This will provide a centralized location that supports security-related training for Department and other U.S. Government staff posted at U.S. embassies. Per OMB's direction, the Department is also conducting an alternate site analysis.

International Boundary and Water Commission (IBWC). ARRA funding ($220 million) accelerated the IBWC's modernization program by 20 years, remediating risks identified by geo-physical analysis suggesting that 60 percent of the levee system in high-priority areas was deficient. The IBWC projects are raising or making structural improvements to 237 miles of levees to ensure adequate protection and meet the Federal Emergency Management Agency's standards. At September 30, 2013, the construction is reported at 95 percent complete. The remaining IBWC work is expected to be fully completed by mid-year 2014.

Information Technology and Cybersecurity. In prior years, ARRA funding ($132 million) was used to deploy cybersecurity, information technology, and advanced telecommunications equipment. This equipment increased the integrity and resiliency of the Department's network, improved its ability to counter emerging threats, and significantly expanded its unclassified remote access and telework capabilities. No new activities took place during FY 2013.

Office of Inspector General. In prior years, funding ($2 million) permitted the Department's OIG to initiate 26 projects to assess Department and IBWC activities funded by ARRA. All OIG activities related to this funding concluded in July 2012 and no new activities took place during FY 2013.

 



