Internal Controls, Financial Management Systems and Compliance with Laws and Regulations
The Department's Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.
Federal Managers' Financial Integrity Act
The Department of State's management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers' Financial Integrity Act (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operation and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management's Responsibility for Internal Control. Based on the results of this evaluation, the Department can provide reasonable assurance, except for the material weakness for the management of unliquidated obligations noted below, that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems meet the objectives of FMFIA as of September 30, 2007.
Management is also responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department is reporting a material weakness related to the management of unliquidated obligations in its internal control over financial reporting as of June 30, 2007. The details of the material weakness are provided in the Departmental Governance section of this report. Other than the exception noted, the internal controls were operating effectively and no other material weaknesses were found in the design or operation of the internal control over financial reporting.
Because of its inherent limitation, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to financial statement preparation and presentation. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.
Management Control Program
The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the integrity of federal programs and operations is protected. It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management's Responsibility for Internal Control, implements the FMFIA and defines management's responsibility for internal control in Federal agencies.
The Sarbanes-Oxley Act of 2002 governs internal control requirements for publicly-traded companies and was the foundation for OMB's amending Circular A-123 by adding Appendix A, Internal Control Over Financial Reporting. Appendix A was designed to improve governance and accountability for internal control over financial reporting in Federal entities. The revised circular became effective in the prior fiscal year and requires that the agency head also provide an assurance statement on the effectiveness of internal control over financial reporting (ICOFR), which is an addition to and also a component of the overall FMFIA assurance statement.
The Secretary of State's 2007 Annual Assurance Statement for FMFIA and ICOFR is provided at the top of this page.
The Department's Management Control Steering Committee (MCSC) oversees the Department's management control program. The MCSC is chaired by the Chief Financial Officer, and is composed of eleven other Assistant Secretaries [including the Chief Information Officer and the Inspector General (non-voting)], the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Deputy Assistant Secretary for Global Financial Services and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department's FMFIA assurance that management controls are adequate. The assurance statements are based on information gathered from various sources including the managers' personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General and the Government Accountability Office conduct reviews, audits, inspections, and investigations.
The Department's management control program implemented OMB's new requirements, contained in Appendix A of the revised OMB Circular A-123, in 2006. The MCSC established a senior assessment team (SAT) in 2006 to oversee the implementation of Appendix A, and continued the SAT oversight throughout our 2007 work. The SAT reports to the MCSC and is composed of 11 senior executives from bureaus that have significant impact on the Department's financial statements and financial processes. For 2007, the Department instituted a risk-based approach in evaluating internal control over financial reporting.
It is the Department's policy that any organization with a material weakness or significant deficiency is required to submit a plan to correct the weakness to the MCSC or the SAT for review and approval. The plan, combined with the individual assurance statements, provides the framework for monitoring and improving the Department's management controls on a continuous basis.
To administer a successful management control program, including conducting Appendix A requirements, the Department has dedicated significant resources, encouraged department-wide participation, effectively communicated the Appendix A initiative, and held a training workshop on management's role in maintaining effective internal control. The Department also continued to expand the management control program in 2007 by establishing a new Office of Management Controls to perform the requirements of Appendix A while concurrently expanding its FMFIA program.
Status of Management Controls and Financial Management Systems
The Department evaluated its management controls and financial management systems for the fiscal year ending September 30, 2007. This evaluation provided reasonable assurance that as of September 30, 2007, except for a material weakness in the management of unliquidated obligations in the internal control over financial reporting noted below, the objectives of the FMFIA were achieved and the internal controls over financial reporting were operating effectively.
The Department performed the 2007 Appendix A review in three phases: planning, assessing and testing, and concluding and reporting. While continuously obtaining SAT consultation, the Department defined the scope of financial reporting as the financial statements, updated control documentation for all significant financial processes, determined the materiality threshold, documented the key controls as well as evaluated and tested the controls, and tested corrective actions related to prior year significant deficiencies.
Based on an assessment of the controls over the management of unliquidated obligations, the Department determined there was a lack of consistent review procedures being performed at bureaus and posts. As a result, accounts were not being deobligated on a timely basis as required by Department regulations and procedures. Improvement in the management of unliquidated obligations is a priority for the Department in FY 2008, and corrective actions are already underway, including distributing aging reports and using recently developed enhancements to its Global Financial Management System's capabilities to automate deobligations. In addition, actions to improve contract closeout procedures relative to unliquidated obligations will be established, and the Senior Assessment Team will be actively engaged with the implementation and oversight of these corrective actions.
In the prior fiscal year, the Department worked closely with the Independent Auditor to address the reported material weakness related to the accounting for personal property. As a result, and as reflected in the Independent Auditor's Report on the FY 2006 financial statements, the Independent Auditor downgraded this item to a significant deficiency. In FY 2007, management continued efforts to remedy this weakness, making considerable progress. As a result of the improved status by September 30, 2007, the MCSC voted to downgrade this item from a significant deficiency to a deficiency. However, the Independent Auditor did not feel that the pace of progress was sufficient, and has reported the accounting for personal property as a material weakness. In FY 2007, management did complete its assessment of the controls over personal property, noting additional improvements in conducting inventories of vehicles, both held by the Department and by contractors; the successful implementation of tools in Integrated Logistics Management System (ILMS) to manage its vehicle fleet; and improvements in guidance and policy. Further corrective actions are planned for FY 2008, including expanding the capabilities for overseas posts to report acquisitions and disposals in the ILMS.
Federal Financial Management Improvement Act
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that agencies' financial management systems provide reliable financial data in accordance with generally accepted accounting principles and standards. Under FFMIA, financial management systems must substantially comply with three requirements — Federal financial management system requirements, applicable Federal accounting standards, and the U.S. Government Standard General Ledger (SGL) at the transaction level.
To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (January 2001 Memorandum to Executive Department Heads, Chief Financial Officers, and Inspectors General), results of OIG and GAO audit reports, annual financial statement audits, the Department's annual Federal Information Security Management Act (FISMA) Report and other relevant information. The Department's assessment also relies a great deal upon evaluations and assurances performed to meet the requirements of the FMFIA including assessments performed to meet the requirements of OMB Circular A-123, Appendix A. Particular importance is given to any material weaknesses, significant deficiencies and material non-conformances identified during these internal control assessments.
The Department has made it a priority to meet the objectives of the FFMIA. Based on assessment results, along with information contained in the Department's FY 2007 FISMA Report and evaluations and assurances provided under FMFIA, the Department affirmed its determination of substantial compliance with FFMIA in its FY 2007 Management Representation Letter provided to the Independent Auditor. Further reinforcing FFMIA substantial compliance, the Department's Management Control Steering Committee voted in September 2006 to classify the Department's Financial and Accounting Systems as a financial system deficiency (versus significant deficiency or material non-conformance).
During FY 2007, the Department completed a major system implementation to upgrade its core financial management system, the Central Financial Management System (CFMS), to the Global Financial Management System (GFMS). GFMS establishes a common, uniform platform based on CGI's Momentum financial system. Momentum is a COTS product that has been tested and certified through the Chief Financial Officers Council software certification process as meeting Office of Federal Financial Management financial system requirements. The Momentum product complies with federal accounting standards and the U.S. Standard General Ledger. Momentum is also the underlying accounting system for the Department's Regional Financial Management System (RFMS).
The Department set clear objectives for the transition to the new Global Financial Management System (GFMS). Rigorous processes were implemented to completely convert reference and financial information from CFMS to GFMS and ensure the proper accountability of transactions during the transition period. Testing was conducted to confirm that GFMS (1) can effectively process transactions, (2) contains the necessary edit checks and automated controls, and (3) can produce reports needed for accurate financial reporting.
To further ensure continued FFMIA compliance and conformance of the new system to Federal accounting standards and the U.S. Standard General Ledger, the Department included the transition to GFMS in the scope of its FY 2007 A-123, Appendix A review. Specifically, the A-123 team (1) determined whether procedures were sufficient to meet transition objectives and (2) identified any significant issues that could potentially impact the accuracy of financial reporting. The A-123 assessment determined that the Department had sufficient procedures in place to ensure the successful transition from CFMS to GFMS and no significant GFMS conversion issues were outstanding at September 30, 2007.
Federal Information Security Management Act
The Department of State 2007 Federal Information Security Management Act (FISMA) and Privacy Management Report presented continued improvement in IT security within the Department, as well as a framework for 2008 efforts. The Department is dedicated to protecting information and information systems with a comprehensive Information Security Program integrating operational security and information assurance programs monitored by performance metrics that are continually improving.
Over the past year, the Department continued streamlining processes, eliminating duplicative initiatives, and focusing on its Annual Testing, Plan of Action & Milestones, Certification and Accreditation, Configuration Management, Incident Detection and Response, Training, and Inventory. To further accelerate the integration of IT security within the Department, the Under Secretary for Management officially established the Information Systems Security Committee (ISSC), jointly chaired by the Chief Information Security Officer and the Senior Coordinator for Security Infrastructure in the Bureau of Diplomatic Security. Also, this past year, the Under Secretary for Management established a Privacy Protection Governance Board charged with directing the formation of personally identifiable information (PII) task forces, committees and/or teams to work collaboratively to address potential Privacy or PII issues with all stakeholders.
Recognizing the significance of an accurate and complete inventory of the Department's major information systems, on March 7, 2007, a telegram from the Under Secretary for Management was sent to all Diplomatic and Consular Posts concerning a Department-wide 90-day push effort. The effort requested Department-wide assistance in focusing on two key FISMA elements: Annual Testing and Inventory. The Department is pleased to announce that 100% of overseas posts and domestic bureaus certified their inventory in the Department asset database as up to date and complete.
In addition to the "scored" FISMA elements of the Department information security program, the Department is pleased to report significant enhancements in the following areas:
- Penetration Testing - This process helps to address vulnerabilities through a series of proactive cyber security measures including reporting and analysis on system assets; potential undesirable events; the motives, intentions, capabilities, and history of adversaries; security weaknesses; and the potential impact of countermeasures.
- Regional Computer Security Officers (RCSOs) - RCSOs perform on-site cyber security assessments, which involve an examination of a site's operational, technical, and management controls. By stationing highly-trained cyber security experts in regional operating positions around the globe, the Department is able to deliver exceptional security support to the field on short notice.
- Threat Detection & Analysis - This capability involves the in-depth analysis of network intrusions; coordinating the Department's response to sophisticated cyber attacks; delivering timely all-source reports on threat issues; and working closely with the law enforcement and Computer Network Defense communities to develop a comprehensive threat picture and devise remediation measures.
The 2007 fiscal year effort achieved measurable progress throughout the agency-wide information security program. These accomplishments are key indicators that the Department gained forward momentum for FY2008 by focusing attention on security concerns, and that it designed processes and procedures to sustain that momentum. The Department begins fiscal year 2008 with renewed confidence that the constant security challenges facing any global enterprise will be planned for, identified and resolved in a timely and comprehensive manner, and that substantial progress on all the initiatives started in FY2007 will be maintained.