Report of Independent Auditors: Report on Internal Control Over Financial Reporting
INDEPENDENT AUDITOR’S REPORT ON INTERNAL CONTROL OVER
To the Secretary and the Inspector General of the U.S. Department of State
We have audited the consolidated financial statements of the U.S. Department of State (Department) as of and for the year ended September 30, 2017, and have issued our report thereon dated November 15, 2017. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 17-03, “Audit Requirements for Federal Financial Statements.”
Internal Control Over Financial Reporting
In planning and performing our audit of the consolidated financial statements, we considered the Department’s internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate under the circumstances for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of the Department’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Department’s internal control. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 17‑03. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982, such as those controls relevant to ensuring efficient operations.
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.
Our consideration of internal control was for the limited purpose described in the first paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, material weaknesses may exist that have not been identified.
Our audit was also not designed to identify deficiencies in internal control that might be significant. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. We consider the following deficiencies in the Department’s internal control to be significant deficiencies.
I. Property and Equipment
The Department reported over $23 billion in net property and equipment on its FY 2017 balance sheet. Real and leased property consisted primarily of facilities used for U.S. diplomatic missions abroad and capital improvements to these facilities. Personal property consisted of several asset categories, including aircraft, vehicles, security equipment, communication equipment, and software. Weaknesses in property and equipment were initially reported in the audit of the Department’s FY 2005 consolidated financial statements and subsequent audits. In FY 2017, the Department’s internal control structure continued to exhibit several deficiencies that negatively affected the Department’s ability to account for real and personal property in a complete, accurate, and timely manner. We concluded that the combination of property-related control deficiencies was a significant deficiency. The individual deficiencies we identified are summarized as follows:
- Personal Property Acquisitions and Disposals – The Department uses several non-integrated systems to track, manage, and record personal property transactions, which are periodically merged or reconciled with the financial management system to centrally account for the acquisition, disposal, and transfer of personal property. We noted a significant number of personal property transactions from prior years that were not recorded until the current year. In addition, we noted that the acquisition value for a number of selected items could not be supported and that the gain or loss on personal property disposals was not recorded properly for numerous items. We also reviewed expenditures made by the Department and identified several items that related to personal property assets but that were not capitalized. The Department’s control structure did not ensure that personal property acquisitions, disposals, and transfers were recorded in a complete, timely, and accurate manner. In addition, the Department’s monitoring activities were not always effective to ensure proper financial reporting for personal property. The errors resulted in misstatements to the Department’s consolidated financial statements. The lack of effective control may result in the loss of accountability for asset custodianship, which could lead to undetected theft or waste.
- Real Property Acquisitions – The Department operates at more than 270 posts in more than 180 countries around the world and is primarily responsible for acquiring and managing real property in foreign countries on behalf of the U.S. Government. We found that real property transactions were not always recorded by the Department in a timely manner. Although the Department has a process to identify real property transactions that should be recorded in its accounting records, certain transactions were unrecorded because of the timing of key process activities and human error. The untimely processing of property transactions resulted in misstatements in the Department’s property balances.
- Accounting for Leases – The Department manages approximately 17,000 real property leases throughout the world. The majority of the Department’s leases are short-term operating leases. The Department must disclose the future minimum lease payments (FMLP) related to the Department’s operating lease obligations in the footnotes to the consolidated financial statements. We found numerous recorded lease terms that did not agree with supporting documentation. We also found errors in the Department’s FMLP calculations despite using accurate lease data. In addition, we tested leases that were scheduled to expire and found multiple leases that had been renewed; however, the renewed lease terms were not included in the Department’s FMLP calculations. The Department’s processes to record lease information and to ensure the accuracy of FMLP calculations were not always effective. As a result of errors identified by our audit, the Department adjusted its financial statement footnote disclosure.
- Incomplete and Inaccurate Reporting of Software – Federal agencies use various types of software applications, called “internal use software” (IUS), to conduct business. Applications in the development phase are considered software in development (SID). Agencies are required to report software as general property in their financial statements. We identified numerous instances in which the data recorded for SID and IUS were inaccurate and additional instances where software projects were inaccurately classified as SID rather than IUS. We also identified software spending that was not reported as SID or IUS. Although the Department performs a quarterly data call to obtain software costs from bureau project managers, this process was not sufficient because it relied on the responsiveness and understanding of individual project managers, not all of whom provided necessary information. Additionally, the Department did not have an effective process to confirm that information provided by project managers was complete or accurate or a process to confirm the status of SID projects. Without an effective process to obtain information pertaining to software projects, the Department may continue to understate its property balances and overstate its expenses.
- Accounting for Significant Improvements to Overseas Properties – The Department occupies some facilities overseas using varying types of unique, non-lease, non-ownership agreements. For example, the Department occupies space in facilities owned by other Federal agencies and facilities owned by international organizations. We identified instances in which the Department funded significant improvements to these types of facilities that met the criteria to be recorded as capitalized amounts; the Department, however, treated them as expenses. Although Department officials were generally aware of the accounting requirements relating to capital improvements, the Department had not considered applying the criteria to overseas properties that it occupied but did not own or formally lease. Without a process to capitalize the costs of significant improvements to overseas property that is occupied by but not owned or formally leased by the Department, capital assets will be understated and operating expenses will be overstated on the Department’s financial statements.
II. Budgetary Accounting
The Department lacked sufficient reliable funds control over its accounting and business processes to ensure budgetary transactions were properly recorded, monitored, and reported. Beginning in our report on the Department’s FY 2010 consolidated financial statements, we identified budgetary accounting as a significant deficiency. During FY 2017, the audit continued to identify control limitations, and we concluded that the combination of control deficiencies remained a significant deficiency. The individual deficiencies we identified are summarized as follows:
- Support of Obligations – Obligations are definite commitments that create a legal liability of the Government for payment. The Department should record only legitimate obligations, which include a reasonable estimate of potential future outlays. We identified a large number of low-value obligations for which the Department could not provide evidence of a binding agreement. The Department’s financial system was designed to reject payments for invoices without established obligations. Because allotment holders did not always record valid and accurate obligations prior to the receipt of goods and services, the Department established low-value obligations, which allowed invoices to be paid in compliance with the Prompt Payment Act, however this effectively bypassed the controls in the financial system. The continued use of this practice could lead to a violation of the Antideficiency Act and increases the risk of fraud, misuse, and waste.
- Timeliness of Obligations – The Department should record an obligation in its financial management system when it enters into an agreement, such as a contract or a purchase order, to purchase goods and services. During our testing, we identified numerous obligations that were not recorded within the requisite 15 days of execution of the obligating document and obligations that were posted after the receipt of goods and services. We also identified obligations that were recorded in the financial management system prior to the formal execution of a contract. The Department did not have processes to ensure the accurate and timely creation and recording of obligations. Without an effective obligation process, controls to monitor funds and make timely payments may be compromised, which may lead to violations of the Antideficiency Act and the Prompt Payment Act.
- Capital Lease Obligations – The Department must obligate funds to cover the net present value of the Government’s total estimated legal obligation over the life of a capital lease contract. However, the Department annually obligates funds equal to 1 year of the capital lease cost rather than the entire amount of the lease agreement. The Department obligates leases on an annual basis rather than for the entire lease agreement period because that is the manner in which funds are budgeted and appropriated. Because of the unrecorded obligation, the Department’s consolidated financial statements were misstated.
- Effectiveness of Allotment Controls – Federal agencies use allotments to allocate funds in accordance with statutory authority. Allotments provide authority to agency officials to incur obligations as long as those obligations are within the scope and terms of the allotment authority. We identified systemic issues in the Department’s use of allotment overrides that allowed officials to exceed allotments. Certain Department systems did not have an automated control to prevent users from recording obligations that exceeded allotment amounts. Department management stated that such an automated control is not reasonable because there are instances in which an allotment may need to be exceeded; however, the Department has not formally identified, documented, and communicated the circumstances under which an allotment override is acceptable. The Department has a process to review instances in which an obligation exceeded an allotment; however, this process does not include overseas allotments, transactions related to employee and annuitant compensation, and transactions under a certain dollar threshold. The Department has not formally established justification for excluding certain allotment overrides from its review process. Additionally, for the overrides that were reviewed, the Department did not adequately confirm whether the override was consistent with Department policy, including whether the allotment holder determined if sufficient funds were available and obtained approval from authorized officials. Overriding allotment controls could lead to a violation of the Antideficiency Act and increases the risk of fraud, misuse, and waste.
III. Validity and Accuracy of Unliquidated Obligations
Unliquidated obligations (ULO) represent the cumulative amount of orders, contracts, and other binding agreements for which the goods and services that were ordered have not been received or the goods and services have been received but for which payment has not yet been made. The Department’s policies and procedures provide guidance related to the periodic review, analysis, and validation of the ULO balances posted to the general ledger. We identified a significant number of invalid ULOs that had not been identified by the Department’s review process. The internal control structure was not operating effectively to comply with existing policy or facilitate the accurate reporting of ULO balances in the financial statements. The Department’s internal controls were also not effective to ensure that ULOs were consistently and systematically evaluated for validity and deobligation. As a result of invalid ULOs identified by our audit, the Department adjusted its financial statements. In addition, funds that could have been used for other purposes may have remained in unneeded obligations. Weaknesses in controls over ULOs were initially reported in the audit of the Department’s FY 1997 consolidated financial statements and subsequent audits.
IV. Information Technology
The Department’s information systems and sensitive information rely on the confidentiality, integrity, and availability of the Department’s comprehensive and interconnected information systems utilizing various technologies around the globe. Thus, it is critical that the Department manage information security risk effectively throughout the organization. The Department uses several financial management systems to compile information for financial reporting purposes. The Department’s general support system, a component of its information security program, is the gateway for all of the Department’s systems, including its financial management systems. Generally, control deficiencies noted in the information security program are inherited by the systems that reside in it.
In accordance with the Federal Information Security Modernization Act of 2014 (FISMA), the Office of Inspector General (OIG) is responsible for the audit of the Department’s information security program. In the FY 2017 FISMA report,1 OIG reported security weaknesses that significantly impacted the Department’s information security program. Specifically, OIG reported weaknesses in all seven FY 2017 Inspector General FISMA metric domains, which consist of risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning. OIG reported, “The primary reason the Department has not implemented an effective information security program is because the [Chief Information Officer] does not have sufficient authority to manage IT activities, as provided for in law. Furthermore, the [Chief Information Officer] is not properly positioned within the Department to ensure that the Department’s information security program is effective.”
Without an effective information security program, the Department is vulnerable to IT-centered attacks and threats. Information security program weaknesses can affect the integrity of financial applications, which increases the risk that sensitive financial information could be accessed by unauthorized individuals or that financial transactions could be altered, either accidentally or intentionally. Information security program weaknesses increase the risk that the Department will be unable to report financial data accurately.
The weaknesses reported by OIG as a result of the FISMA audit are considered to be a significant deficiency within the scope of our financial statement audit. We have reported weaknesses in IT security controls as a significant deficiency in each audit since our audit of the Department’s FY 2009 financial statements.
During the audit, we noted certain additional matters involving internal control over financial reporting that we will report to Department management in a separate letter.
Status of Prior Year Findings
In the Independent Auditor’s Report on Internal Control Over Financial Reporting included in the audit report on the Department’s FY 2016 financial statements,2 we noted several issues that were related to internal control over financial reporting. The status of the FY 2016 internal control findings is summarized in Table 1.
|Control Deficiency||FY 2016 Status||FY 2017 Status|
|Financial Reporting||Significant Deficiency||Management Letter|
|Property and Equipment||Significant Deficiency||Significant Deficiency|
|Budgetary Accounting||Significant Deficiency||Significant Deficiency|
|Validity and Accuracy of Unliquidated Obligations||Significant Deficiency||Significant Deficiency|
|Information Technology||Significant Deficiency||Significant Deficiency|
Department’s Response to Findings
Department management provided its response to our findings in a separate memorandum included in this report as Appendix A. We did not audit management’s response, and accordingly, we express no opinion on it.
Purpose of This Report
The purpose of this report is solely to describe the scope of our testing of internal control over financial reporting and the results of that testing and not to provide an opinion on the effectiveness of the Department’s internal control. This report is an integral part of an audit performed in accordance with auditing standards generally accepted in the United States of America, Government Auditing Standards, and OMB Bulletin No. 17-03 in considering the entity’s internal control over financial reporting. Accordingly, this report is not suitable for any other purpose.
November 15, 2017
1 OIG, Audit of the Department of State Information Security Program (AUD-IT-18-12, October 2017). (back to text)
2 OIG, Independent Auditor’s Report on the U.S. Department of State 2016 and 2015 Financial Statements (AUD-FM-17-09, November 2016). (back to text)