FY 2021 Department of State Agency Financial Report: Section II: Financial Section

The fiscal year (FY) 2021 Agency Financial Report (AFR) reflects the Department of State’s steadfast commitment to deliver the highest standard of financial accountability and transparency to the American people. The FY 2021 financial statements demonstrate the care taken to manage the finite resources entrusted to the Department to lead America’s global diplomatic and development efforts. The AFR is our principal financial report to the President, Congress, and the American people. The theme of this year’s AFR, Foreign Policy for the American People, underscores the importance of the last of these relationships. We value our role in providing this accountability to the American people, and we take pride in knowing strong financial stewardship furthers the Department’s essential foreign policy mission. We understand the importance of our stewardship responsibilities and the information contained in this AFR represents the diligence and dedication of the Department’s professionals around the world.

The Department operates in more than 270 embassies and consulates around the world. We conduct business on a 24/7 basis in over 135 currencies; account for more than $80 billion in budgetary resources and nearly $112 billion in assets in over 500 separate fiscal accounts; and manage real and personal property assets with historical costs of more than $42 billion. We provide the shared administrative operating platform for more than 45 other U.S. Government entities overseas; and pay more than 100,000 Foreign and Civil Service, Locally Employed Staff, and Foreign Service annuitants. The Department in 2021 continued to confront the challenges of the global pandemic affecting our operations. The partnerships, innovation, and amazing resilience across the Department’s management platform allowed us to continue delivering programs and services while maintaining strong financial management controls.

We continue to implement vital investments in transformative financial systems and operations to improve our global financial operations, reporting, and compliance. These investments provide a cost-effective enterprise-wide financial framework able to generate accurate and timely financial data. Further use of data as a resource, enterprise system integration, and robotic process automation will drive State’s ongoing transformational efforts in ways that improve accountability, improve performance, and foster data-informed decision making.  Our support of these efforts, together with our need to be responsible stewards of data, requires that we continuously enhance our financial systems and data. To that end, as required by the Digital Accountability and Transparency Act of 2014 (DATA Act), the Department reports financial and payment information on the Department’s spending to the public using USASpending.gov, and continues to work to achieve 100 percent accuracy of this data. Our ISO 9001 certified operations and Capability Maturity Model Integration (CMMI) standard for financial systems development help us deliver quality financial services. These quality management programs allow us to continuously improve our services and drive new automation and efficiencies into mission furthering support services.

We know strong and effective internal controls are fundamental to our success, and we embrace our Department-wide leadership role in promoting them. We are pleased to report that the Department maintains a comprehensive, sound internal controls system, which is validated by senior leadership. For 2021, no material weaknesses in internal controls were identified by the Senior Assessment Team or the Management Control Steering Committee. As a result, the Secretary was able to provide reasonable assurance on the effectiveness of the Department’s internal controls in accordance with the Federal Managers’ Financial Integrity Act (FMFIA). The Secretary also provided assurance that the Department’s financial systems were in substantial compliance with the Federal Financial Management Improvement Act (FFMIA). As highlighted in the AFR, the Department does not have any programs at risk for making significant improper payments. We continuously conduct payment risk assessments and recapture audits, as well as verifications against Treasury’s Do Not Pay databases. In its most recent annual assessment, the OIG found the Department’s improper payments program to be in compliance with the Payment Integrity Information Act (PIIA). Finally, I am pleased to report the Association of Government Accountants again awarded the Department the prestigious Certificate of Excellence in Accountability Reporting in recognition of the exceptional quality of our 2020 AFR.

The annual independent audit is another essential element of our commitment to strong corporate governance and effective internal controls. The audited Financial Statements in the following pages represent the culmination of a rigorous process with our partners: the Office of the Inspector General (OIG) and the independent auditor, Kearney & Company. Given the financial complexities and unpredictability of the global operating environment in 2021, there are always opportunities to improve, challenges to address, and issues that require further clarification as we meet Government-wide compliance and accounting standards.

For 2021, the Department received an unmodified (“clean”) audit opinion on its 2021 and 2020 financial statements, with no material weaknesses in internal controls over financial reporting identified by the Independent Auditor. This result is gratifying, and I congratulate the Department’s outstanding team of professionals around the world and in the Bureau of the Comptroller and Global Financial Services. We, nonetheless, recognize there are several items noted in the independent auditor’s report that require our additional focus. I am confident the Department’s financial management team will address these identified matters and continue to deliver for the American people.

Sincerely,

Jeffrey C. Mounts
Comptroller
November 15, 2021

OIG Transmittal

November 15, 2021

UNCLASSIFIED

INFORMATION MEMO FOR THE SECRETARY

FROM:	OIG – Diana R. Shaw
SUBJECT:	Independent Auditor’s Report on the U.S. Department of State FY 2021 and FY 2020 Financial Statements (AUD-FM-22-10)

An independent external auditor, Kearney & Company, P.C., was engaged to audit the financial statements of the U.S. Department of State (Department) as of September 30, 2021 and 2020, and for the years then ended; to provide a report on internal control over financial reporting; to report on whether the Department’s financial management systems substantially complied with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA); and to report any reportable noncompliance with laws, regulations, contracts, and grant agreements it tested. The contract required that the audit be performed in accordance with auditing standards generally accepted in the United States of America and Office of Management and Budget audit guidance.

In its audit of the Department’s FY 2021 and FY 2020 financial statements, Kearney & Company found

• the financial statements present fairly, in all material respects, the financial position of the Department as of September 30, 2021 and 2020, and its net cost of operations, changes in net position, and budgetary resources for the years then ended, in accordance with accounting principles generally accepted in the United States of America;
• no material weaknesses¹ in internal control over financial reporting;
• five significant deficiencies² in internal control, specifically related to property and equipment, budgetary accounting, validity and accuracy of unliquidated obligations, financial reporting, and information technology; and
• three instances of reportable noncompliance with certain provisions of laws, regulations, contracts, and grant agreements tested, specifically the Antideficiency Act, the Prompt Payment Act, and FFMIA.

Kearney & Company is responsible for the attached auditor’s report, which includes the Independent Auditor’s Report; the Report on Internal Control Over Financial Reporting; and the Report on Compliance With Laws, Regulations, Contracts, and Grant Agreements, dated November 15, 2021; and the conclusions expressed in the report. The Office of Inspector General (OIG) does not express an opinion on the Department’s financial statements or conclusions on internal control over financial reporting and compliance with laws, regulations, contracts, and grant agreements, including whether the Department’s financial management systems substantially complied with FFMIA.

The Bureau of the Comptroller and Global Financial Services’ response is reprinted in its entirety as an appendix to the auditor’s report.

OIG appreciates the cooperation extended to it and Kearney & Company by Department managers and staff during the conduct of this audit.

Attachment: As stated

¹ A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. (back to text)

² A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. (back to text)

Office of Inspector General | U.S. Department of State | 1700 North Moore Street | Arlington, Virginia 22209

www.stateoig.gov

UNCLASSIFIED

Report of Independent Auditors

INDEPENDENT AUDITOR’S REPORT
AUD-FM-22-10

To the Secretary of the U.S. Department of State and the Acting Inspector General

Report on the Financial Statements

We have audited the accompanying financial statements of the U.S. Department of State (Department), which comprise the consolidated balance sheets as of September 30, 2021 and 2020; the related consolidated statements of net cost and changes in net position and the combined statements of budgetary resources for the years then ended; and the related notes to the financial statements.

Management’s Responsibility for the Financial Statements

Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error. Management is also responsible for preparing, measuring, and presenting the required supplementary information in accordance with accounting principles generally accepted in the United States of America; preparing and presenting other information included in documents containing the audited financial statements and auditor’s report; and ensuring the consistency of that information with the audited financial statements and the required supplementary information.

Auditor’s Responsibility

Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 21-04, “Audit Requirements for Federal Financial Statements.” Those standards and OMB Bulletin No. 21-04 require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

An audit of financial statements involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate under the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control.

Accordingly, we express no such opinion. An audit of financial statements also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. Our audits also included performing such other procedures as we considered necessary in the circumstances.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.

Opinion on the Financial Statements

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of the Department as of September 30, 2021 and 2020, and its net cost of operations, changes in net position, and budgetary resources for the years then ended, in accordance with accounting principles generally accepted in the United States of America.

Other Matters

Required Supplementary Information

Accounting principles generally accepted in the United States of America require that the Management’s Discussion and Analysis, Combining Statement of Budgetary Resources, Condition of Heritage Assets, and Deferred Maintenance and Repairs (hereinafter referred to as “required supplementary information”) be presented to supplement the financial statements. Such information, although not a part of the financial statements, is required by OMB Circular A-136, “Financial Reporting Requirements,” and the Federal Accounting Standards Advisory Board, which consider the information to be an essential part of financial reporting for placing the financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of making inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the financial statements, and other knowledge we obtained during our audits of the financial statements. We did not audit and we do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Other Information

Our audits were conducted for the purpose of forming an opinion on the financial statements as a whole. The information in the Introduction, Message from the Secretary, Message from the Comptroller, Section III: Other Information, and Appendices as listed in the Table of Contents of the Department’s Agency Financial Report (also known as “other information”), is presented for purposes of additional analysis and is not a required part of the financial statements or the required supplementary information. We read the other information included in the Agency Financial Report to identify material inconsistencies, if any, with the audited financial statements. We did not audit and do not express an opinion or provide any assurance on the other information.

Other Reporting Required by Government Auditing Standards

In accordance with Government Auditing Standards and OMB Bulletin No. 21-04, we have also issued reports, dated November 15, 2021, on our consideration of the Department’s internal control over financial reporting and on our tests of the Department’s compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements for the year ended September 30, 2021. The purpose of those reports is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing and not to provide an opinion on internal control over financial reporting or on compliance. Those reports are an integral part of an audit performed in accordance with Government Auditing Standards and OMB Bulletin No. 21-04 and should be considered in assessing the results of our audits.

Alexandria, Virginia
November 15, 2021

Report on Internal Control Over Financial Reporting

INDEPENDENT AUDITOR’S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING

To the Secretary of the U.S. Department of State and the Acting Inspector General

We have audited, in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 21-04, “Audit Requirements for Federal Financial Statements,” the financial statements and the related notes to the financial statements of the U.S. Department of State (Department) as of and for the year ended September 30, 2021, and we have issued our report thereon dated November 15, 2021.

Internal Control Over Financial Reporting

In planning and performing our audit of the financial statements, we considered the Department’s internal control over financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Department’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Department’s internal control. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 21-04. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982,¹ such as those controls relevant to ensuring efficient operations.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Our consideration of internal control was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that have not been identified. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. We identified certain deficiencies in internal control, described below, as items that we consider to be significant deficiencies.

Significant Deficiencies

I.  Property and Equipment

The Department reported more than $27 billion in net property and equipment on its FY 2021 consolidated balance sheet. Real and leased property consisted primarily of residential and functional facilities and capital improvements to these facilities. Personal property consisted of several asset categories, including aircraft, vehicles, security equipment, communication equipment, and software. Weaknesses in property and equipment were initially reported in the report related to the audit of the Department’s FY 2005 financial statements and subsequent audit reports. In FY 2021, the Department’s internal control structure continued to exhibit several deficiencies that negatively affected the Department’s ability to account for real and personal property in a complete, accurate, and timely manner. We concluded that the combination of property-related control deficiencies was a significant deficiency. The individual deficiencies we identified are summarized as follows:

• Overseas Real Property – The Department operates at more than 270 posts in more than 180 countries around the world and is primarily responsible for acquiring and managing real property in foreign countries on behalf of the U.S. Government. We identified real property acquisitions and disposals overseas that were not recorded by the Department in a timely manner. Although the Department implemented certain controls, such as a quarterly data call, to identify acquisitions and disposals related to overseas real property, the controls did not always ensure that all real property transactions were recorded in the proper fiscal year. The untimely processing of property acquisitions and disposals resulted in misstatements in the Department’s asset and expense balances.
• Domestic Construction Projects – The Department currently manages more than $178 million in domestic construction projects² relating to Department-owned properties and properties under capital lease. Construction projects should be tracked as construction-in-progress (CIP), an asset account, until the project reaches substantial completion. Once a construction project is substantially complete, it should be transferred to a different asset account, so it can be depreciated. The Department uses project codes in its accounting system to automatically capture costs associated with construction projects. We identified domestic construction projects that were substantially complete prior to FY 2021 but were continuing to be tracked in the CIP account. The Department did not always use a unique project code to track construction costs for each individual construction project. Because only one project code was used, the Department continued to report construction costs as CIP until construction related to the final asset was complete. The untimely transfer of costs related to domestic construction projects resulted in misstatements in the Department’s asset and expense balances.
  —–
  In addition to construction projects for property that the Department owns or for which it has capital leases, under some circumstances, the Department pays for the renovation or improvement of facilities that are occupied by the Department but that are managed³ by the General Services Administration (GSA). The Department’s policies require the capitalization of major real property renovations or leasehold improvements of $1 million or more. For construction projects in buildings that were occupied by the Department but were managed by other Federal agencies, such as GSA, we found that the Department recorded construction costs as operating expenses rather than CIP, even when the costs exceeded $1 million (the capitalization threshold). The Department does not have sufficient policy and procedures specific to the accounting treatment for improvements to domestic real property managed by other Federal agencies. Without policy and procedures, the Department may not appropriately and consistently account for domestic real property transactions, which would misstate assets and expenses in the Department’s financial statements.
• Leases – The Department manages approximately 17,750 overseas real property leases. The majority of the Department’s leases are short-term operating leases. The Department must disclose the future minimum lease payments (FMLP) related to the Department’s operating lease obligations in the notes related to the financial statements. We found numerous recorded lease terms that did not agree with supporting documentation and errors in the Department’s FMLP calculations. The Department’s processes to record lease information and to ensure the accuracy of FMLP calculations were not always effective. The errors resulted in misstatements in the Department’s notes related to the financial statements.
• Personal Property – The Department uses several nonintegrated systems to track, manage, and record personal property transactions. Information in the property systems is periodically merged or reconciled with the financial management system to centrally account for the acquisition, disposal, and transfer of personal property. We identified a significant number of personal property transactions from prior years that were not recorded in the correct fiscal year. In addition, we found that the acquisition value for numerous tested items could not be supported or was incorrect. Furthermore, we found that the gains or losses recorded for some personal property disposals were not recorded properly. The Department’s internal control structure did not ensure that personal property acquisitions and disposals were recorded in a complete, timely, and accurate manner. In addition, the Department’s monitoring activities were not effective to ensure proper financial reporting for personal property. The errors resulted in misstatements to the Department’s financial statements. The lack of effective control may result in the loss of accountability for asset custodianship, which could lead to undetected theft or waste.
• Software – Federal agencies use various types of software applications, called internal use software, to conduct business. Applications in the development phase are considered software in development (SID). Agencies are required to report software as property in their financial statements. We identified numerous instances in which the data recorded for SID were unsupported. We also identified some instances in which completed projects were not transferred from SID to the internal use software account. Finally, we identified instances in which costs related to software projects that should have been capitalized were improperly reported as expenses. Although the Department performs a quarterly data call to obtain software costs from bureau project managers, this process was not sufficient because it relied on the responsiveness and understanding of individual project managers, not all of whom understood the accounting requirements for reporting SID. Additionally, the Department did not have an effective process to confirm that information provided by project managers was complete or accurate. Finally, the Department lacked an effective process to ensure that software costs that meet the Department’s criteria for capitalization were properly classified upon commencement of the project. The errors resulted in misstatements to the Department’s financial statements. Without an effective process to obtain complete and accurate information pertaining to software applications, the Department may continue to misstate its financial statements.

II.  Budgetary Accounting

The Department lacked sufficient reliable funds control over its accounting and business processes to ensure budgetary transactions were properly recorded, monitored, and reported. Beginning in our report on the Department’s FY 2010 financial statements, we identified budgetary accounting as a significant deficiency. During FY 2021, the audit continued to identify control limitations, and we concluded that the combination of control deficiencies remained a significant deficiency. The individual deficiencies we identified are summarized as follows:

• Support of Obligations – Obligations are definite commitments that create a legal liability of the Government for payment. The Department should record only legitimate obligations, which include a reasonable estimate of potential future outlays. We identified numerous low-value obligations (i.e., obligations that are $5 or less) for which the Department could not provide evidence of a binding agreement. The Department’s financial system is designed to reject payments for invoices without established obligations. As in past years, we found that allotment holders did not always record valid and accurate obligations prior to the receipt of goods and services; therefore, the Department established low-value obligations that allowed invoices to be paid in compliance with the Prompt Payment Act.⁴ This process effectively bypassed system controls. The continued use of this practice could lead to a violation of the Antideficiency Act⁵ and increases the risk of fraud, misuse, and waste.
• Timeliness of Obligations – The Department should record an obligation in its financial management system when it enters into an agreement, such as a contract or a purchase order, to purchase goods and services. During the audit, we identified several obligations that were not recorded within 15 days of executing the obligating document and that were recorded in the financial management system prior to the execution of the obligating document. We also noted instances in which goods and services were received, or periods of performance began, prior to the execution of a proper obligating document. The Department did not have an adequate process in place to ensure that its employees complied with policies and procedures related to the creation, approval, and timely recording of obligations. Obligations that are not recorded in a timely manner increase the risk of violations of the Antideficiency Act⁶ and the Prompt Payment Act.⁷
• Capital Lease Obligations – The Department must obligate funds to cover the net present value of the total estimated legal obligation over the life of a capital lease contract. However, the Department annually obligates funds equal to 1 year of the capital lease cost rather than the entire anticipated lease period. The Department obligates leases on an annual basis rather than for the entire lease agreement period because that is the manner in which funds are budgeted and appropriated. Because of the unrecorded obligation, the Department’s financial statements were misstated.
• Allotment Controls – Federal agencies use allotments to allocate funds in accordance with statutory authority. Allotments provide authority to agency officials to incur obligations as long as those obligations are within the scope and terms of the allotment authority. We identified systemic issues in the Department’s use of overrides that allowed officials to exceed allotments. The Department did not have an automated control to prevent users from recording obligations that exceeded allotment amounts. Department management stated that such an automated control is not reasonable because of instances in which an allotment may need to be exceeded; however, the Department had not formally identified and documented the circumstances under which an allotment override is acceptable. Overriding allotment controls could lead to a violation of the Antideficiency Act.⁸

III.  Validity and Accuracy of Unliquidated Obligations

Unliquidated obligations (ULO) represent the cumulative amount of orders, contracts, and other binding agreements for which the goods and services that were ordered have not been received or the goods and services have been received but payment has not yet been made. The Department’s policies and procedures provide guidance that requires allotment holders to perform at least monthly reviews of ULOs. Weaknesses in controls over ULOs were initially reported during the audit of the Department’s FY 1997 financial statements. We continued to identify a significant number and amount of invalid ULOs based on expired periods of performance, inactivity, lack of supporting documentation, and the inability to support bona fide need.

Additionally, in August 2021, the Department evacuated Embassy Kabul, Afghanistan, based on security concerns. At the time of evacuation, the Department reported a significant amount in open obligations related to the Department’s mission in Afghanistan. Because the Department suspended operations in Afghanistan, there was an increased risk that there was no longer a bona fide need for some of the obligations. We identified a significant number and amount of invalid ULOs related to Afghanistan, based on inquiries with Department officials and supporting documentation regarding the impact of the withdrawal on the continuing bona fide need for the ULOs.

Although the Department takes steps to remediate long-standing ULO validity issues through its annual ULO review, the scope of the review does not include all ULOs. Overseas ULOs and domestic ULOs that do not meet the annual domestic review categories established by the Department continue to be a risk for invalidity. Furthermore, not all allotment holders were performing periodic reviews of ULO balances as required. Finally, the Department did not develop and implement a process to assess how an extraordinary event, such as an evacuation of a large post, impacted financial reporting related to ULOs. As a result of the invalid ULOs that were identified by our audit, the Department adjusted its FY 2021 financial statements. In addition, funds that could have been used for other purposes may have remained open as invalid ULOs, and the risk of duplicate or fraudulent payments increased.

IV.  Financial Reporting

Weaknesses in controls over financial reporting were initially reported during the audit of the Department’s FY 2019 financial statements. During FY 2021, the audit continued to identify control limitations, and we concluded that financial reporting remained a significant deficiency.

In some cases, appropriated funds are required to be transferred to another agency for programmatic execution (referred to as “child funds”). Despite transferring these funds to another agency, the Department is required to report on the use and status of child funds in its financial statements. During FY 2021, the Department made significant child fund transfers to three agencies. To obtain audit coverage of the Department’s most significant child funds, we requested that the financial statements auditors of two of the three agencies perform certain audit steps. Those other auditors identified numerous invalid ULOs. We also requested detailed financial information from the third agency, which received a less significant amount of child funds from the Department. However, the third agency was not able to provide complete and accurate transaction-level data that reconciled to its trial balance data. Therefore, we were unable to validate the information provided. The Department did not have an effective, routine process to ensure that amounts reported by agencies receiving child funds were accurate. For example, the Department did not communicate effectively with child fund agencies to ensure that the validity of ULOs was reviewed periodically. In addition, the Department did not have a routine process to ensure that transaction-level details were readily available from the other agencies and were auditable. The Department adjusted its FY 2021 financial statements to correct the errors identified. However, without an effective process to accurately monitor child funds, there is a risk of errors in the Department’s future financial statements.

V.  Information Technology

The Department’s information systems and electronic data depend on the confidentiality, integrity, and availability of the Department’s comprehensive and interconnected IT infrastructure using various technologies around the globe. Therefore, it is critical that the Department manage information security risks effectively throughout the organization. The Department uses several financial management systems to compile information for financial reporting purposes. The Department’s general support system, a component of its information security program, is the gateway for all the Department’s systems, including its financial management systems. Generally, control deficiencies noted in the information security program are inherited by the systems that reside in it.

On behalf of the Office of Inspector General, we performed an audit of the Department’s FY 2021 information security program, in accordance with the Federal Information Security Modernization Act of 2014 (FISMA).⁹ During that audit,¹⁰ we concluded that the Department did not have an effective organization-wide information security program. Specifically, we determined that eight of nine domains included in the “FY 2021 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics, Version 1.1” were operating below an effective level. Some of the deficiencies identified that we determined had an impact on internal controls related to financial reporting were:

• Lack of an effective process to timely authorize and reauthorize the Department’s information systems to operate.¹¹
• Incomplete and ineffective periodic reviews of privileged user accounts.¹²
• Inconsistent and ineffective scanning processes to identify and remediate vulnerabilities.

Without an effective information security program, the Department remains vulnerable to IT-centered attacks and threats to its critical mission-related functions. Information security program weaknesses can affect the integrity of financial applications, which increases the risk that sensitive financial information could be accessed by unauthorized individuals or that financial transactions could be altered, either accidentally or intentionally. Information security program weaknesses and deficiencies increase the risk that the Department will be unable to report financial data accurately.

We considered the weaknesses and deficiencies identified during the FISMA audit to be a significant deficiency within the scope of the FY 2021 financial statements audit. We have reported weaknesses and deficiencies in IT security controls as a significant deficiency in each audit since our audit of the Department’s FY 2009 financial statements.

During the audit, we noted certain additional matters involving internal control over financial reporting that we will report to Department management in a separate letter.

Status of Prior Year Findings

In the Independent Auditor’s Report on Internal Control Over Financial Reporting that was included in the audit report on the Department’s FY 2020 financial statements,¹³ we noted several issues that were related to internal control over financial reporting. The status of the FY 2020 internal control findings is summarized in Table 1.

Department’s Response to Findings

The Department provided its response to our findings in a separate letter included in this report as Appendix A. We did not audit management’s response, and accordingly, we express no opinion on it.

Purpose of This Report

The purpose of this report is solely to describe the scope of our testing of internal control over financial reporting and the results of that testing and not to provide an opinion on the effectiveness of the Department’s internal control. This report is an integral part of an audit performed in accordance with Government Auditing Standards and OMB Bulletin No. 21-04 in considering the entity’s internal control over financial reporting. Accordingly, this report is not suitable for any other purpose.

Alexandria, Virginia
November 15, 2021

¹ Federal Managers’ Financial Integrity Act of 1982, Pub. L. No. 97-255, 96 STAT 814 (September 8, 1982). (back to text)

² The Department currently manages more than $6 billion in overseas construction projects. (back to text)

³ GSA-managed properties include those that are owned or leased by GSA. (back to text)

⁴ 31 U.S. Code § 39, “Prompt Payment.” (back to text)

⁵ Antideficiency Act, Pub. L. No. 97-258, 96 STAT. 923 (September 13, 1982). (back to text)

⁶ Ibid. (back to text)

⁷ 31 U.S. Code § 39. (back to text)

⁸ Pub. L. No. 97-258 (1982). (back to text)

⁹ Pub. L. No. 113-283, 128 STAT. 3079-3080 (December 18, 2014). (back to text)

¹⁰ Office of Inspector General, Audit of the Department of State FY 2021 Information Security Program (AUD-IT-22-06, October 2021). (back to text)

¹¹ According to the National Institute of Standards and Technology (NIST), Special Publication (SP) 800-37, rev. 2, “Risk Management Framework (RMF) for Information Systems and Organizations,” December 2018, at 91, an authorization to operate is “the official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls.” (back to text)

¹² NIST, SP 800-53, rev. 4, “Security and Privacy Controls for Information Systems and Organizations,” January 2015, at B-17, defines a privileged user as a “user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.” (back to text)

¹³ Office of Inspector General, Independent Auditor’s Report on the U.S. Department of State FY 2020 and FY 2019 Financial Statements (AUD-FM-21-08, November 2020). (back to text)

Report on Compliance With Laws, Regulations, Contracts, and Grant Agreements

INDEPENDENT AUDITOR’S REPORT ON COMPLIANCE WITH LAWS,
REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS

To the Secretary of the U.S. Department of State and the Acting Inspector General

We have audited, in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 21-04, “Audit Requirements for Federal Financial Statements,” the financial statements and the related notes to the financial statements, of the U.S. Department of State (Department) as of and for the year ended September 30, 2021, and we have issued our report thereon dated November 15, 2021.

Compliance

As part of obtaining reasonable assurance about whether the Department’s financial statements are free from material misstatement, we performed tests of the Department’s compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, including the provisions referred to in Section 803(a) of the Federal Financial Management Improvement Act of 1996 (FFMIA),¹ that we determined were applicable. We limited our tests of compliance to these provisions and did not test compliance with all laws, regulations, contracts, and grant agreements applicable to the Department. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion.

The results of our tests, exclusive of those related to FFMIA, disclosed instances of noncompliance or potential noncompliance that are required to be reported under Government Auditing Standards and OMB Bulletin No. 21-04 and which are summarized as follows:

• Antideficiency Act.² This Act prohibits the Department from (1) making or authorizing an expenditure from, or creating or authorizing an obligation under, any appropriation or fund in excess of the amount available in the appropriation or fund unless authorized by law; (2) involving the Government in any obligation to pay money before funds have been appropriated for that purpose, unless otherwise allowed by law; or (3) making obligations or expenditures in excess of an apportionment or reapportionment, or in excess of the amount permitted by agency regulations. Our audit procedures identified Department of the Treasury account fund symbols with negative balances that were potentially in violation of the Antideficiency Act. We also identified systemic issues in the Department’s use of allotment overrides to exceed available allotment authority. Establishing obligations that exceed available allotment authority increases the risk of noncompliance with the Antideficiency Act. Conditions impacting the Department’s compliance with the Antideficiency Act have been reported annually since our FY 2009 audit.
• Prompt Payment Act.³ This Act requires Federal agencies to make payments in a timely manner, pay interest penalties when payments are late, and take discounts only when payments are made within the discount period. We found that the Department did not consistently calculate or pay interest penalties for overdue payments to overseas vendors or international organizations. The Department was unable to provide legal justification exempting the Department from paying interest penalties for payments to these types of entities. Conditions impacting the Department’s compliance with the Prompt Payment Act have been reported annually since our FY 2009 audit.

Under FFMIA,⁴ we are required to report whether the Department’s financial management systems substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the U.S. Standard General Ledger (USSGL) at the transaction level. Although we did not identify any instances of substantial noncompliance with Federal accounting standards or with the application of the USSGL at the transaction level, we identified instances, when combined, in which the Department’s financial management systems and related controls did not comply substantially with certain Federal financial management system requirements.

Federal Financial Management Systems Requirements

• The Department has long-standing weaknesses in its financial management systems regarding its capacity to account for and record financial information. For instance, the Department had significant deficiencies relating to property and equipment, budgetary accounting, unliquidated obligations, and financial reporting.
• During our audit of the Department’s information security program, as required by the Federal Information Security Modernization Act of 2014 (FISMA), we concluded that the Department did not have an effective organization-wide information security program. Specifically, we determined that eight of nine domains included in the “FY 2021 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics, Version 1.1” were operating below an effective level.⁵ The Department’s financial management systems inherit certain controls from the overall information security program. Therefore, several of the control weaknesses identified during the FISMA audit impact the Department’s financial management systems. Examples of deficiencies that we consider to be significant for our determination of FFMIA compliance include:
  • Lack of an effective process to timely authorize and re-authorize the Department’s information systems to operate.⁶
  • Incomplete and ineffective periodic reviews of privileged user⁷ accounts.
  • Inconsistent and ineffective scanning processes to identify and remediate vulnerabilities.
• The Department did not maintain effective administrative control of funds. Specifically, obligations were not created in a timely manner or were recorded in advance of an executed obligating document. In addition, there were systemic issues identified in the Department’s use of allotment overrides that allowed officials to exceed allotments.
• The Department did not always minimize waste, loss, unauthorized use, or misappropriation of Federal funds. For example, the Office of Inspector General reported a significant amount of questioned costs and funds put to better use during FY 2021.
• The previously reported matters related to the Antideficiency Act and the Prompt Payment Act impact the Department’s compliance with FFMIA.

The Department had not implemented and enforced systematic financial management controls to ensure substantial compliance with FFMIA. The Department’s ability to meet Federal financial management systems requirements was hindered by limitations in systems and processes. The Bureau of the Comptroller and Global Financial Services (CGFS) performed an analysis to assess the Department’s compliance with FFMIA but had not developed remediation plans to address instances of noncompliance. Although CGFS generally agreed with the deficiencies that we identified, CGFS did not conclude that the deficiencies rose to the level of substantial noncompliance. Since our FY 2009 audit, we have reported annually that the Department did not substantially comply with all requirements of FFMIA.

During the audit, we noted certain additional matters involving compliance that we will report to Department management in a separate letter.

Department’s Response to Findings

The Department provided its response to our findings in a separate letter included in this report as Appendix A. We did not audit management’s response, and accordingly, we express no opinion on it.

Purpose of This Report

The purpose of this report is solely to describe the scope of our testing of compliance with laws, regulations, contracts, and grant agreements and the results of that testing and not to provide an opinion on the effectiveness of the entity’s compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards and OMB Bulletin No. 21-04 in considering the entity’s compliance. Accordingly, this report is not suitable for any other purpose.

Alexandria, Virginia
November 15, 2021

¹ Federal Financial Management Improvement Act of 1996, Pub. L. No. 104-208, 110 STAT. 3009 (September 30, 1996). (back to text)

² Antideficiency Act, Pub. L. No. 97-258, 96 STAT. 923 (September 13, 1982). (back to text)

³ 31 U.S. Code § 39, “Prompt Payment.” (back to text)

⁴ Pub. L. No. 104-208 (1996). (back to text)

⁵ Office of Inspector General, Audit of the Department of State FY 2021 Information Security Program (AUD-IT-22-06, October 2021). (back to text)

⁶ According to the National Institute of Standards and Technology (NIST), Special Publication (SP) 800-37, rev. 2, “Risk Management Framework (RMF) for Information Systems and Organizations,” December 2018, at 91, an authorization to operate is “the official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls.” (back to text)

⁷ NIST, SP 800-53, rev. 4, “Security and Privacy Controls for Information Systems and Organizations,” January 2015, at B-17, defines a privileged user as a “user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.” (back to text)

Comptroller Response to the OIG

Appendix A

UNCLASSIFIED
MEMORANDUM

To:	OIG – Diana Shaw, Deputy Inspector General
FROM:	CGFS – Jeffery C. Mounts, Comptroller
SUBJECT:	Draft Report on the Department of State’s Fiscal Year 2021 Financial Statements

This memo is in response to your request for comments on the Draft Report of the Independent Auditor’s Report on Internal Control Over Financial Reporting, and Report on Compliance with Applicable Provisions of Laws, Regulations, Contracts, and Grant Agreements.

As you are aware, the scale and complexity of Department activities and corresponding financial management operations and requirements are immense. The Department does business in more than 270 locations. The more than 180 countries in which we operate include some extraordinarily challenging environments. These factors are a backdrop as we work diligently to maintain and operate an efficient and transparent financial management platform in support of the Department’s and U.S. Government’s essential foreign affairs mission.

We value accountability in all we do, and the discipline of the annual external audit process and the issuance of the Department’s audited financial statements represents our commitment to this accountability to the American people. I’m sure that few outside the financial management community fully realize the time and effort that go into producing the audit and the Agency Financial Report (AFR). We may not agree on every aspect of the process and findings, however, we extend our sincere thanks for the commitment by all parties, including the OIG and Kearney & Company, to work together constructively and within a concentrated timeframe to complete the comprehensive audit process. We know there always will be new challenges and concerns given our global operating environment and scope of compliance requirements. The ongoing global pandemic and the suspension of embassy operations in Afghanistan have demanded especially dedicated and thoughtful effort this year by all stakeholders. I’m grateful for the resilience and flexibility demonstrated by all parties. The overall results of the audit reflect the continuous improvement and strong performance we strive to achieve in the Bureau of the Comptroller and Global Financial Services (CGFS) and across the Department’s financial management community.

We are pleased to learn the Independent Auditor’s Report concludes the Department has received an unmodified (“clean”) audit opinion on its FY 2020 and FY 2021 principal financial statements. Moreover, the audit reflects no material weaknesses.

We remain committed to strong corporate governance and internal controls as demonstrated by our robust system of internal controls. This framework is overseen by our Senior Assessment Team (SAT) and Management Control Steering Committee (MCSC), with senior leadership providing validation. We appreciate the OIG’s participation in both the SAT and MCSC discussions. For FY 2021, no material management control issues or material weaknesses in internal controls over financial reporting were identified by senior leadership. As a result, the Secretary was able to provide an unmodified Statement of Assurance for the Department’s overall internal controls and internal controls over financial reporting in accordance with the Federal Managers’ Financial Integrity Act.

We recognize there is more to be done, and the items identified in the Draft Report will demand additional action to achieve further improvement. We look forward to working with you, Kearney & Company, and other stakeholders addressing these issues in the coming year.

Introducing the Principal Financial Statements

The Principal Financial Statements (Statements) have bee n prepared to report the financial position and results of operations of the U.S. Department of State (Department). The Statements have been prepared from the books and records of the Department in accordance with formats prescribed by the Office of Management and Budget (OMB) in OMB Circular A-136, Financial Reporting Requirements, revised. The Statements are in addition to financial reports prepared by the Department in accordance with OMB and U.S. Department of the Treasury (Treasury) directives to monitor and control the status and use of budgetary resources, which are prepared from the same books and records. The Statements should be read with the understanding that they are for a component of the U.S. Government, a sovereign entity. The Department has no authority to pay liabilities not covered by budgetary resources. Liquidation of such liabilities requires enactment of an appropriation. Comparative data for 2020 are included.

Unless otherwise designated all use of a year indicates fiscal year, e.g., 2021 equals Fiscal Year 2021.

The Consolidated Balance Sheet provides information on assets, liabilities, and net position similar to balance sheets reported in the private sector. Intra-departmental balances have been eliminated from the amounts presented.

The Consolidated Statement of Net Cost reports the components of the net costs of the Department’s operations for the period. The net cost of operations consists of the gross cost incurred by the Department less any exchange (i.e., earned) revenue from our activities. Intra-departmental balances have been eliminated from the amounts presented.

The Consolidated Statement of Changes in Net Position reports the beginning net position, the transactions that affect net position for the period, and the ending net position. The intra-departmental transactions are eliminated from the combined total amounts presented.

The Combined Statement of Budgetary Resources provides information on how budgetary resources were made available and their status at the end of the year. Information in this statement is reported on the budgetary basis of accounting. Intra-departmental transactions have not been eliminated from the amounts presented.

Required Supplementary Information contains a Combining Statement of Budgetary Resources, the condition of heritage assets held by the Department, and information on deferred maintenance and repairs. The Combining Statement of Budgetary Resources provides additional information on amounts presented in the Combined Statement of Budgetary Resources.

Principal Financial Statements

The accompanying notes are an integral part of this financial statement.

The format of the Balance Sheet has changed to reflect more detail for certain line items, as required for all significant reporting entities by OMB Circular A-136. This change does not affect totals for assets, liabilities, or net position and is intended to allow readers of this Report to see how the amounts shown on the Balance Sheet are reflected on the Government-wide Balance Sheet, thereby supporting the preparation and audit of the Financial Report of the United States Government. The presentation of the fiscal year 2020 Balance Sheet was modified to be consistent with the fiscal year 2021 presentation.

The accompanying notes are an integral part of this financial statement.

The accompanying notes are an integral part of this financial statement.

The accompanying notes are an integral part of this financial statement.

Notes to Principal Financial Statements

Organization

Congress established the U.S. Department of State (Department of State or Department), the senior Executive Branch department of the United States Government in 1789. The Department advises the President in the formulation and execution of U.S. foreign policy. The head of the Department, the Secretary of State, is the President’s principal advisor on foreign affairs.

View the 20 notes to the principal financial statements.

• Note 1: Summary of Significant Accounting Policies
• Note 2: Fund Balance with Treasury
• Note 3: Investments
• Note 4: Accounts Receivable, Net
• Note 5: Cash and Other Monetary Assets
• Note 6: General Property and Equipment, Net
• Note 7: Advances and Prepayments
• Note 8: Other Liabilities
• Note 9: Federal Employee and Veteran Benefits Payable
• Note 10: International Organizations Liability
• Note 11: Leases
• Note 12: Contingencies and Commitments
• Note 13: Funds from Dedicated Collections
• Note 14: Statement of Net Cost
• Note 15: Combined Statement of Budgetary Resources
• Note 16: Custodial Activity
• Note 17: Reconciliation of Net Cost to Net Outlays
• Note 18: Fiduciary Activities
• Note 19: COVID-19 Activity
• Note 20: Reclassification of Statement of Net Cost and Statement of Changes in Net Position

Required Supplementary Information

Heritage Assets

The condition of the Department’s heritage assets is based on professional conservation standards. The Department performs periodic condition surveys to ensure heritage assets are documented and preserved for future generations. Once these objects are conserved, regular follow-up inspections and periodic maintenance treatments are essential for their preservation. The categories of condition are Poor, Good, and Excellent.

Deferred Maintenance and Repairs

Deferred Maintenance and Repairs (DM&R) are maintenance and repairs that were not performed when they should have been, that were scheduled and not performed, or that were delayed for a future period. Maintenance and repairs are activities directed towards keeping General Property and Equipment in acceptable operating condition. These activities include preventive maintenance, normal repairs, replacement of parts and structural components, and other activities needed to preserve the asset so that it can deliver acceptable performance and achieve its expected life. Maintenance and repairs exclude activities aimed at expanding the capacity of an asset or otherwise upgrading it to serve needs different from, or significantly greater, than those originally intended. The Department occupies more than 8,500 Government-owned or long-term leased real properties at more than 270 overseas locations, numerous domestic locations, and at the IBWC.

Deferred Maintenance and Repairs Policy – Measuring, Ranking and Prioritizing

The methodology for calculating DM&R is based on the Facility Condition Index (FCI). This methodology accounts for all facilities globally without the reliance on a response through a manual data call process, allowing for a more complete DM&R estimate. FCI is the ratio of repair needs to the replacement value of a facility as calculated by:

Repair need is defined as the non-recurring costs that reflect the amount necessary to ensure that a constructed asset is restored to a condition substantially equivalent to the originally intended and designed capacity, efficiency, or capability.

In accordance with the Federal Real Property Portfolio definition of repair need, the Department uses repair needs identified by overseas facilities managers. Since this process does not identity repair need costs for all 8,500+ properties, the Department also uses parametric modeling to supplement these results. Based on the ages and expected useful life of individual systems and documented FCI results, the FCI parametric model uses deterioration curves to reflect how systems deteriorate over time.

Replacement value is defined as the cost to design, acquire, and construct an asset to replace an existing asset of the same functionality, size, and in the same location using current costs, building codes and standards. Neither the current condition of the asset nor the future need for the asset is a factor in the replacement value estimate. The Department uses construction “unit rates” determined by its Office of Cost Management for each property use code recorded in its Real Property Application. The Department multiplies these unit rates by the size of each property to determine replacement values.

Deferred Maintenance & Repairs are based on the FCI. An FCI score of 100 percent indicates a facility that is in a condition substantially equivalent to the originally intended and designed capacity, efficiency, or capability. Statements of Federal Financial Accounting Standards (SFFAS) No. 42 defines maintenance and repairs as activities directed toward keeping fixed assets in an “acceptable condition” and specifies management should determine which methods to apply and what condition standards are acceptable.

Applying these definitions, the Department’s management has determined that an FCI score of 70 percent indicates “acceptable condition”.

While the Department’s average FCI for its worldwide asset inventory is 80 percent, the large number of new facilities constructed over the past 20 years greatly influences this result. The proportion of properties with an FCI score below 70 percent increases for those that are older.

The Department’s DM&R is the total repair need to bring all owned and capital leased properties up to an acceptable FCI score of 70 percent.

Factors Considered in Determining Acceptable Condition

The Department’s General Property and Equipment mission is to provide secure, safe, functional, and sustainable facilities that represent the U.S. Government and provide the physical platform for U.S. Government employees at our embassies, consulates and domestic locations as they work to achieve U.S. foreign policy objectives.

The facility management of U.S. diplomatic and consular properties overseas is complex, which impacts the success and failure of properties and infrastructure on human life, welfare, morale, safety, and the provision of essential operations and services. Facility management also has a large impact on the environment and on budgets, requiring a resilient approach that results in buildings and infrastructure that are efficient, reliable, cost effective, and sustainable over their life cycle. This occurs at properties of varying age, configuration, and construction quality in every climate and culture in the world. Some posts have the task of keeping an aging or historic property in good working order; while others must operate a complex new building that may be the most technologically advanced in the country.

The beginning and ending balances in the “Deferred Maintenance and Repairs” table were calculated using the FCI methodology.