Management Assurances and Other Financial Compliances
The Department's Management Control policy is comprehensive and requires all Department managers to establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. All levels of management are responsible for ensuring adequate controls over all Department operations.
Federal Managers' Financial Integrity Act
The Department of State's (the Department's) management is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers' Financial Integrity Act of 1982 (FMFIA). The Department conducted its assessment of the effectiveness of internal control over the efficiency and effectiveness of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management's Responsibility for Internal Control. Based on the results of this evaluation, the Department can provide reasonable assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems met the objectives of FMFIA as of September 30.
In addition, management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The Department conducted its assessment of the effectiveness of internal control over financial reporting in accordance with Appendix A of OMB Circular A-123. Based on the results of this assessment, the Department can provide reasonable assurance that its internal control over financial reporting as of June 30 was operating effectively and the Department found no material weaknesses in the design or operation of the internal control over financial reporting. Further, subsequent procedures and testing through September 30 did not identify any material changes in key financial reporting internal controls.
As a result of its inherent limitations, internal control over financial reporting, no matter how well designed, cannot provide absolute assurance of achieving financial reporting objectives and may not prevent or detect misstatements. Therefore, even if the internal control over financial reporting is determined to be effective, it can provide only reasonable assurance with respect to the preparation and presentation of financial statements. Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.
John F. Kerry
Secretary of State
November 17, 2014
Management Control Program
The Federal Managers' Financial Integrity Act (FMFIA) requires agencies to establish internal control and financial systems that provide reasonable assurance that the following objectives are achieved:
- Effective and efficient operations,
- Compliance with applicable laws and regulations, and
- Financial reporting reliability.
It also requires that the head of the agency, based on an evaluation, provide an annual Statement of Assurance on whether the agency has met this requirement. OMB Circular A-123, Management's Responsibility for Internal Control, implements the FMFIA and defines management's responsibility for internal control in Federal agencies.
The Circular A-123 also requires that the agency head provide a separate assurance statement on the effectiveness of internal control over financial reporting (ICOFR). This is an addition to and a component of the overall FMFIA assurance statement. Appendix A of Circular A-123 was added to improve governance and accountability for internal control over financial reporting in Federal entities similar to the internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002.
The Secretary of State's 2014 Annual Assurance Statement for FMFIA and ICOFR is provided above. We have also provided a Summary of Financial Statement Audits and Management Assurances as required by OMB Circular A-136, Financial Reporting Requirements, revised, later in this report's Other Information section.
The Department's Management Control Steering Committee (MCSC) oversees the Department's management control program. The MCSC is chaired by the Comptroller, and is comprised of ten Assistant Secretaries [including the Inspector General (non-voting)], the Chief Information Officer, the Deputy Chief Financial Officer, the Deputy Legal Adviser, the Director for the Office of Budget and Planning, and the Director for the Office of Overseas Buildings Operations. Individual assurance statements from Ambassadors assigned overseas and Assistant Secretaries in Washington, D.C. serve as the primary basis for the Department's FMFIA assurance issued by the Secretary. The assurance statements are based on information gathered from various sources including the managers' personal knowledge of day-to-day operations and existing controls, management program reviews, and other management-initiated evaluations. In addition, the Office of Inspector General, the Special Inspector General for Afghanistan Reconstruction, and the Government Accountability Office conduct reviews, audits, inspections, and investigations that are considered by management.
The Senior Assessment Team (SAT) provided oversight during 2014 for the ICOFR program in place to meet Appendix A requirements. The SAT reports to the MCSC and is comprised of 15 senior executives from bureaus that have significant responsibilities relative to the Department's financial resources, processes, and reporting, and the Office of the Legal Adviser. An executive from the Office of Inspector General is also a non-voting member of the SAT. In addition, the Department's Office of Management Controls employs an integrated process to perform the work necessary to meet the requirements of Appendix A, Appendix C (regarding the Improper Payments Information Act), and the FMFIA. The Department employs a risk-based approach in evaluating internal controls over financial reporting on a multi-year rotating basis, which has proven to be efficient. Due to the broad knowledge of management involved with the Appendix A assessment, along with the extensive work performed by the Office of Management Controls, the Department evaluated issues on a detailed level. The 2014 Appendix A assessment did not identify any material weaknesses in the design or operation of the internal control over financial reporting. The assessment did identify several significant deficiencies in internal control over financial reporting that management is closely monitoring.
The Department's management controls program is designed to ensure full compliance with the goals, objectives, and requirements of the FMFIA and various Federal laws and regulations. To that end, the Department has dedicated considerable resources to administer a successful management control program. It is the Department's policy that any organization with a material weakness or significant deficiency must prepare and implement a corrective action plan to fix the weakness. The plan, combined with the individual assurance statements and Appendix A assessments, provide the framework for monitoring and improving the Department's management controls on a continuous basis. Management will continue to direct focused efforts to resolve issues for all significant deficiencies in internal control identified by management and auditors.
Federal Financial Management Improvement Act
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that Federal agencies' financial management systems provide reliable financial data that complies with Federal financial management system requirements, applicable Federal accounting standards, and the U.S. Government Standard General Ledger (USSGL) at the transaction level.
To assess conformance with FFMIA, the Department uses FFMIA implementation guidance issued by OMB (September 2013 Memorandum to Executive Department Heads), results of OIG and GAO audit reports, annual financial statement audits, the Department's annual Federal Information Security Management Act (FISMA) Report, and other relevant information. The Department's assessment also relies upon evaluations and assurances under the Federal Managers' Financial Integrity Act of 1982 (FMFIA), including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. When applicable, particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments. The Department has made it a priority to meet the objectives of the FFMIA.
U.S. Secretary of State John Kerry adds a bolt to a clean-diesel engine while touring the Cummins-Foton Joint Venture Plant in Beijing, China, February 15, 2014. Department of State
In its Report on Compliance and Other Matters, the Independent Auditor reported that the Department's financial management systems did not substantially comply with certain Federal systems requirements and the USSGL at the transaction level. The Department acknowledges that the Independent Auditor has noted certain weaknesses in our financial management systems. In our assessments and evaluations, the Department identified similar weaknesses. However, applying the guidance and the assessment framework noted in Appendix D to OMB Circular A-123, the Department considers them deficiencies versus substantial non-conformances relative to substantial compliance with the requirements of the FFMIA. Effective for FY 2014, Appendix D provides a revised compliance model that entails a risk- and outcome-based approach to assess FFMIA compliance. The Department will continue to work with the Independent Auditor in 2015 and beyond to resolve these weaknesses.
Federal Information Security Management Act
The Federal Information Security Management Act of 2002 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency. The Office of the Inspector General (OIG) performs an annual evaluation of the Department's compliance with FISMA requirements. In response to a request from the Management Control Steering Committee, the Department developed a corrective action plan for 2014 addressing six information security goals. As of September 2014, the Department has successfully met the milestones to date. In addition, the Department developed an information security risk management strategy.
During 2014, the Department continued to enhance its comprehensive risk-based and cost effective information security program through implementation of specific and tangible efforts that have enhanced the maturity level of a number of programs and procedures including:
Risk Management and Systems Authorization: The Department completed the authorization of the OpenNet general support system (GSS) in April 2014. OpenNet is the Department's unclassified computer network. In September 2014, the Department completed the authorization of the ClassNet GSS, the Department's classified network. The Department has authorized all but one of the high impact systems and is making notable progress with many of the moderate impact systems that had expired. The Department's Directorate of Information Assurance also set up the Bureau Coordinator program to assist the Bureaus in preparing for and completing authorizations in a timely manner.
Plans of Action and Milestones: In March 2014, the Department implemented an enterprise license of ComplyVision to be used as the repository for assessment and authorization documentation and Plans of Action and Milestones (POA&M). Actions to complete this part of the program are in motion at this time. With the completion of the authorization of OpenNet and ClassNet, a series of common controls were identified and the owners of those controls were made aware of their responsibilities. This action should simplify future authorizations and distribution of POA&M activities. Finally, all OpenNet POA&Ms have been entered into ComplyVision.
Continuous Monitoring Program: The Department has generated the Information Security Continuous Monitoring Strategy which has been approved by the Department's Chief Information Officer. As a part of the 2014 FISMA reporting process in CyberScope, the Department of Homeland Security's (DHS) tool, this document will be included in the Department's annual FISMA submission. The Department has been associated at an early stage with this process with both OMB and DHS and the current program reflects that level of activity in the Department.
Security Configuration Management: The Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS) are working closely to further the Department's cybersecurity program. IRM and DS are synchronizing the process of updating applicable sections of Department policy to remove conflicts and inconsistent guidance. In addition, the Department has purchased and is testing a network scanning tool and a database scanning tool to assist in the testing of high impact business processes such as financial systems, consular affairs systems, and accounting systems.
In the FISMA report and the Inspector General's Assessment of Management and Performance Challenges (located in the Other Information section of this AFR), the OIG cites weaknesses to enterprise-wide security they consider to be a significant deficiency in accordance with OMB memorandum M-14-04. While the Department acknowledges the weaknesses identified by the OIG, it does not agree that any of the findings, either individually or collectively, rises to the level of a significant deficiency that would require treating the matter as an additional material weakness in accordance with OMB M-14-04. The OMB memorandum defines a "significant deficiency...as a weakness in an agency's overall information systems security program...that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and other agencies must be notified and immediate or near-immediate action must be taken." As outlined herein, the Department's management has defined corrective actions and notes much progress has been made. For 2015, a new corrective action plan is under development to continue efforts to address each weakness in a prioritized manner based upon the risk and impact posed to the Department's security posture.
Other Regulatory Requirements
The Department is required to comply with a number of other legal and regulatory financial requirements, including the Improper Payment Information Act (IPIA, as amended), the Debt Collection Improvement Act, and the Prompt Pay Act. The Department determined that none of its programs are risk-susceptible for making significant improper payments at or above the threshold levels set by OMB, and collected over 80 percent of amounts identified for recovery this year. In addition, the Department does not refer a substantial amount of debts to Treasury for collection, and has successfully paid vendors timely 98 percent of the time for the past three fiscal years. A detailed description of these compliance results and improvements is presented in the Other Information section of this report.
American Recovery and Reinvestment Act
Of the $787 billion appropriated for the American Recovery and Reinvestment Act (ARRA) of 2009, the Department of State received $562 million for projects and $2 million for Office of Inspector General oversight. The Department used ARRA funds to create and save jobs, repair and modernize domestic infrastructure crucial to the safety of American citizens, and expand consular services offered to American taxpayers. Details of the Department's ARRA implementation are posted on the website at http://www.state.gov/recovery/.
In prior years, the Department completed a number of construction projects using ARRA funds. For example, the Department expanded its network of passport facilities ($15 million); opened new classrooms and installed new signage at the National Foreign Affairs Training Center ($5 million); and completed a domestic Enterprise Server Operations Center ($120 million). In 2014, master planning is near completion for the site identified as the location of the Diplomatic Security Foreign Affairs Security Training Center ($70 million). This will provide a centralized location that supports hard skills security-related training for Department and other U.S. Government staff posted at U.S. embassies.
The International Boundary and Water Commission reports that their projects to raise or make structural improvements to the 237 miles of levees ($220 million) that ensure adequate flood protection to the area are complete as of September 30, 2014.
In prior years, ARRA funding was also used for information technology and cybersecurity ($132 million) and the Department's Office of Inspector General ARRA-related activities ($2 million). No new activities took place during 2014.