1701 Duke Street, Suite 500, Alexandria, VA 22314 PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com INDEPENDENT AUDITOR’S REPORT AUD-FM-16-09 To the Secretary and the Inspector General of the U.S. Department of State Report on the Financial Statements We have audited the accompanying consolidated financial statements of the U.S. Department of State (Department), which comprise the consolidated balance sheets as of September 30, 2015 and 2014, the related consolidated statements of net cost and changes in net position, the combined statements of budgetary resources for the years then ended, and the related notes to the consolidated financial statements (hereinafter referred to as the “consolidated financial statements”). Management’s Responsibility for the Financial Statements Management is responsible for the preparation and fair presentation of these consolidated financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of consolidated financial statements that are free from material misstatement, whether due to fraud or error. Auditor’s Responsibility Our responsibility is to express an opinion on these consolidated financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 15-02, “Audit Requirements for Federal Financial Statements.” Those standards and OMB Bulletin No. 15-02 require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate under the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. 1 We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion. Opinion on the Consolidated Financial Statements In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the Department as of September 30, 2015 and 2014, and its net cost of operations, changes in net position, and budgetary resources for the years then ended, in accordance with accounting principles generally accepted in the United States of America. Other Matters Required Supplementary Information Accounting principles generally accepted in the United States of America require that the Management’s Discussion and Analysis, condition assessments of Heritage Assets, Combining Statement of Budgetary Resources, and Deferred Maintenance (hereinafter referred to as “required supplementary information”) be presented to supplement the consolidated financial statements. Such information, although not a part of the consolidated financial statements, is required by OMB Circular A-136, “Financial Reporting Requirements,” and the Federal Accounting Standards Advisory Board, which consider the information to be an essential part of financial reporting for placing the consolidated financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the consolidated financial statements, and other knowledge we obtained during our audits of the consolidated financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance. Other Information Our audits were conducted for the purpose of forming an opinion on the consolidated financial statements as a whole. The information in the Message from the Secretary, the Message from the Comptroller, the Introduction, Appendices, and the Other Information Section, as listed in the Table of Contents of the Department’s Agency Financial Report, is presented for purposes of additional analysis and is not a required part of the consolidated financial statements. Such information has not been subjected to the auditing procedures applied in the audits of the consolidated financial statements, and accordingly, we do not express an opinion or provide any assurance on the information. 2 Other Reporting Required by Government Auditing Standards In accordance with Government Auditing Standards and OMB Bulletin No. 15-02, we have also issued reports, dated November 16, 2015, on our consideration of the Department’s internal control over financial reporting and on our tests of the Department’s compliance with provisions of applicable laws, regulations, contracts, and grant agreements for the year ended September 30, 2015. The purpose of those reports is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing and not to provide an opinion on internal control over financial reporting or on compliance. Those reports are an integral part of an audit performed in accordance with auditing standards generally accepted in the United States of America, Government Auditing Standards, and OMB Bulletin No. 15-02 and should be considered in assessing the results of our audits. Alexandria, Virginia November 16, 2015 3 1701 Duke Street, Suite 500, Alexandria, VA 22314 PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com INDEPENDENT AUDITOR’S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING To the Secretary and the Inspector General of the U.S. Department of State We have audited the consolidated financial statements of the U.S. Department of State (Department) as of and for the year ended September 30, 2015, and have issued our report thereon dated November 16, 2015. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 15-02, “Audit Requirements for Federal Financial Statements.” Internal Control Over Financial Reporting In planning and performing our audit of the consolidated financial statements, we considered the Department’s internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate under the circumstances for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of the Department’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Department’s internal control. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 15-02. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982, such as those controls relevant to ensuring efficient operations. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis. Our consideration of internal control was for the limited purpose described in the first paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, material weaknesses may exist that have not been identified. Our audit was also not designed to identify deficiencies in internal control that might be significant. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. We consider the following deficiencies in the Department’s internal control to be significant deficiencies. 1 Significant Deficiencies I. Financial Reporting Weaknesses in controls over financial reporting have been reported as either a material weakness or a significant deficiency since the audit of the Department’s FY 2009 financial statements. The Department has addressed certain control deficiencies reported in prior financial statement audit reports related to financial reporting and improved underlying data. However, financial reporting continues to be a significant deficiency because of issues with the preparation of the Statement of Budgetary Resources (SBR). The SBR is derived predominately from an entity’s budgetary general ledger in accordance with budgetary accounting rules. Information on the SBR should reconcile to budget execution information reported to the Department of the Treasury on Standard Form (SF) 133, Report on Budget Execution and Budgetary Resources, and with information reported in the Budget of the U.S. Government to ensure the integrity of the number presented. Agencies must submit their financial information, including budgetary data, to the Treasury using the Governmentwide Treasury Account Symbol Adjusted Trial Balance System (GTAS). We found that the Department had made numerous adjustments related to budgetary resources outside of the financial system, most of which were needed to pass GTAS automated edit checks. Further, audit adjustments were required to be made to the SBR and related footnotes as a result of the audit procedures performed on the Department’s SBR reporting process. The Department did not use the full functionality of its accounting systems to capture all budgetary accounting events and to automate SBR reporting procedures. In addition, the Department did not formalize or implement sufficient controls to ensure all manual budgetary adjustments were supported or that adjustments were consistently recorded when preparing the SBR. Manual adjustments require an increased measure of internal control and review, reduce the Department’s ability to produce statements timely, and increase the likelihood of errors in the statements. II. Property and Equipment The Department reported over $20 billion in net property and equipment on its FY 2015 balance sheet. Real and leased property consisted primarily of facilities used for U.S. diplomatic missions abroad and capital improvements to these facilities. Personal property consisted of several asset categories, including aircraft, vehicles, security equipment, communication equipment, and software. Weaknesses in property and equipment were initially reported in the audit of the Department’s FY 2005 consolidated financial statements and subsequent audits. In FY 2015, the Department’s internal control structure continued to exhibit several deficiencies that negatively affected the Department’s ability to account for real and personal property in a complete, accurate, and timely manner. We concluded that the combination of property-related control deficiencies was a significant deficiency. The individual deficiencies we identified are summarized as follows: 2 1 • Personal Property Acquisitions and Disposals – The Department uses several nonintegrated systems to track, manage, and record personal property transactions, which are periodically merged or reconciled with the financial management system in order to centrally account for the acquisition, disposal, and transfer of personal property. We noted a significant number of prior year personal property transactions that were not recorded until the current year. In addition, we noted that the acquisition value for a number of selected items could not be supported and that the gain or loss on personal property disposals was not recorded properly for numerous items. The Department’s control structure did not ensure that personal property acquisitions, disposals, and transfers were recorded timely and accurately. In addition, the Department’s monitoring activities were not always effective to ensure proper financial reporting for personal property. The errors resulted in misstatements to the Department’s consolidated financial statements. The lack of effective control may result in the loss of accountability for asset custodianship, which could lead to undetected theft or waste. • Accounting for Leases – The Department manages over 16,700 real property leases throughout the world. The majority of the Department’s leases are short-term operating leases. The Department must disclose the future minimum lease payments (FMLP) related to the Department’s operating lease obligations in the footnotes to the consolidated financial statements. We found numerous recorded lease terms that did not agree with supporting documentation. We also tested leases that were scheduled to expire and found multiple leases that had been renewed; however, the renewed lease terms were not included in the Department’s FMLP calculations. The Department’s process to monitor lease information provided by posts was not always effective. The discrepancies identified in the Department’s FMLP calculation methodology led to multiple errors in the Department’s footnote disclosure. • Incomplete Reporting of Software in Development – Federal agencies use various types of software, such as applications for operating a program or administrative applications. Applications in the development phase are considered software in development (SID). Agencies are required to report software as general property in the financial statements. We identified three projects that met the criteria to be capitalized; however, the spending relating to the projects was excluded from the Department’s SID listing. Although the Department performs a quarterly data call to obtain SID costs from bureau project managers, this process was not sufficient because it relied on the responsiveness and understanding of individual project managers. Additionally, the Department does not have an effective process to confirm that information provided during the quarterly data call is complete. However, without an effective process to obtain information pertaining to SID projects, the Department may understate its property balances and overstate its expenses in future periods. • Incomplete Real Property Records – The Foreign Missions Act 1 established the Office of Foreign Missions (OFM) within the Department to review and control the operations of foreign missions in the United States. OFM manages all acquisitions, including leases, 22 U.S.C 4301-4316. 3 additions, and sales of real property by foreign missions. In certain cases, based on reciprocity, the Department owns real property in the United States that is used by foreign missions for diplomatic purposes. During FY 2015, the Department notified us of 13 Department-owned properties used by foreign missions for diplomatic purposes that were not included in the Department’s financial system. We performed additional work to confirm the completeness of the list of properties and identified one additional unreported property. OFM officials were unaware of the requirement to report Department-owned property in the Department’s financial system. In addition, officials that prepare the financial statements were unaware that OFM owned real property. Until this situation was identified by the Department, the Department’s annual financial statements were incomplete. Without a process to consolidate property information, planned future acquisitions or disposals of property by OFM will not be reflected in the Department’s financial statements. III. Budgetary Accounting The Department lacked sufficient reliable funds control over its accounting and business processes to ensure budgetary transactions were properly recorded, monitored, and reported. Beginning in our report on the Department’s FY 2010 consolidated financial statements, we identified budgetary accounting as a significant deficiency. During FY 2015, the audit continued to identify control limitations, and we concluded that the combination of control deficiencies remained a significant deficiency. The individual deficiencies we identified are summarized as follows: • Support of Obligations – Obligations are definite commitments that create a legal liability of the Government for payment. The Department should record only legitimate obligations, which would include a reasonable estimate of potential future outlays. We identified a large number of low-value obligations for which the Department could not provide evidence of a binding agreement. The Department’s financial system was designed to reject payments for invoices without established obligations. Because allotment holders were not always recording valid and accurate obligations prior to the receipt of goods and services, the Department established low-value obligations, which allowed invoices to be paid in compliance with the Prompt Payment Act but effectively bypassed system controls. The continued use of this practice could lead to a violation of the Antideficiency Act, and it increases the risk of fraud, misuse, and waste. • Timeliness of Obligations – The Department should record an obligation in its financial management system when it enters into an agreement, such as a contract or a purchase order, to purchase goods and services. During our testing, we identified numerous obligations that were not recorded within 15 days of execution of the obligating document and obligations that were posted subsequent to the receipt of goods and services. We also identified obligations that were recorded in the financial management systems prior to the formal execution of a contract. The Department did not have processes to ensure the accurate and timely creation and recording of obligations. Without an effective obligation process, controls to monitor funds and make timely 4 payments may be compromised, which may lead to violations of the Antideficiency Act and the Prompt Payment Act. IV. • Capital Lease Obligations – The Department must obligate funds to cover the net present value of the Government’s total estimated legal obligation over the life of a capital lease contract. However, the Department annually obligates funds equal to 1 year of the capital lease cost rather than the entire amount of the lease agreement. The Department obligated leases on an annual basis rather than the entire lease agreement period because that is the manner in which funds are budgeted and appropriated. Because of the unrecorded obligation, the Department’s consolidated financial statements were misstated. • Effectiveness of Allotment Controls – Federal agencies use allotments to allocate funds in accordance with statutory authority. Allotments provide authority to agency officials to incur obligations as long as those obligations are within the scope and terms of the allotment authority. We identified systemic issues in the Department’s use of allotment overrides, which allowed officials to exceed allotments. Department systems did not have an automated control to prevent users from recording obligations that exceeded allotment amounts. Department management stated that an automated control is not reasonable because there are instances in which an allotment may need to be exceeded; however, the Department has not formally identified, documented, and communicated the circumstances under which an allotment override is acceptable. The Department has a process to identify instances in which an obligation exceeded a domestic allotment; however, this process does not include overseas allotments. Additionally, the process does not adequately confirm whether the override was consistent with Department policy, including whether the allotment holder determined whether sufficient funds were available or obtained approval from authorized officials or whether the override was acceptable under the circumstances. Overriding allotment controls could lead to a violation of the Antideficiency Act and increases the risk of fraud, misuse, and waste. Validity and Accuracy of Unliquidated Obligations Unliquidated obligations (ULO) represent the cumulative amount of orders, contracts, and other binding agreements for which the goods and services that were ordered have not been received or the goods and services have been received but for which payment has not yet been made. The Department’s policies and procedures provide guidance related to the periodic review, analysis, and validation of the ULO balances posted to the general ledger. We identified a significant amount of invalid ULOs that had not been identified by the Department’s review process. The internal control structure was not operating effectively to comply with existing policy or facilitate the accurate reporting of ULO balances in the financial statements. The Department’s internal controls were not effective to ensure that ULOs were consistently and systematically evaluated for validity and deobligation. As a result of the invalid ULOs, the Department’s consolidated financial statements were misstated. In addition, funds that could have been used for other purposes may have remained in unneeded obligations. Weaknesses in controls over ULOs were initially reported in the audit of the Department’s FY 1997 consolidated financial statements and subsequent audits. 5 V. Information Technology The Department’s IT internal control structure, both for the general support system and critical financial reporting applications, exhibited limitations in several areas, including risk management strategies and user account management. The National Institute of Standards and Technology and the Government Accountability Office’s Federal Information System Controls Audit Manual provide control objectives and evaluation techniques that we used during our audit. Weaknesses in IT controls have been reported as a financial statement significant deficiency since the audit of the Department’s FY 2009 consolidated financial statements. In accordance with the Federal Information Security Modernization Act of 2014 (FISMA), the Office of Inspector General (OIG) performed a review of the Department’s information security program for FY 2015, including controls related to the Department’s general support system. 2 The Department’s general support system is the gateway for all of the Department’s systems, including its financial management systems. Generally, control deficiencies noted in the support system are inherited by the other systems that reside on it. We did not perform additional work on the controls related to the general support system but instead relied on the work performed by OIG. Overall, OIG found that the Department had made progress during FY 2015 in addressing IT deficiencies identified in prior FISMA reports, but OIG continued to identify weaknesses in the Department’s information security program. OIG had found that the Department was not in compliance with Federal laws, regulations, and information security standards. The FISMA audit identified deficiencies in configuration management, identity and access management, incident response and reporting, security training, plans of action and milestones, contingency planning, and contractor systems. Collectively, the control deficiencies identified represented a significant deficiency to organization-wide security. Specifically, ineffective IT security controls increase the risk that sensitive financial information could be accessed by unauthorized individuals or that financial transactions could be altered either accidentally or intentionally. IT weaknesses increase the risk that the Department will be unable to report financial data accurately. The focus of our IT-related audit work was primarily on financial system-specific deficiencies that could lead to significant misstatements of or corruption to the Department’s financial data. Based on IT deficiencies with the general support system identified by OIG, we developed additional risk-based audit procedures to substantively test financial management system inputs and outputs. In addition, we tested and confirmed certain compensating controls that would mitigate some of the risks that were attributable to the general support system deficiencies. Our IT-related audit procedures identified a financial system control deficiency with the Global Employment Management System (GEMS), which is the Department’s human resource system. We identified instances where users had access to security administration and human resources business activities—a combination generally considered incompatible. Although the Department indicated that the combination of these incompatible roles for the aforementioned individuals were required to perform job functions, the Department did not provide evidence of compensating controls to address these conflicts. The Department created a Corrective Action 2 OIG, Audit of the Department of State Information Security Program (AUD-IT-16-16, Nov. 2015). 6 Plan in FY 2015 that outlined procedures the Department would implement to mitigate the deficiencies identified by the prior year audit; however, the plan had not been fully implemented prior to our audit. Inadequate segregation of duties contributes to an overall weakening of the internal control environment for GEMS and increases the risk that errors and irregularities could occur and remain undetected. The weaknesses identified by OIG during the FISMA audit and by us during the financial statement audit are considered to be a significant deficiency within the scope of our financial statement audit. During the audit, we noted certain additional matters involving internal control over financial reporting that we will report to Department management in a separate letter. Status of Prior Year Findings In the Independent Auditor’s Report on Internal Control Over Financial Reporting included in the audit report on the Department’s FY 2014 financial statements, 3 we noted several issues that were related to internal control over financial reporting. The status of the FY 2014 internal control findings are summarized in Table 1. Table 1. Status of Prior Year Findings Control Deficiency FY 2014 Status FY 2015 Status Financial Reporting Significant Deficiency Significant Deficiency Property and Equipment Significant Deficiency Significant Deficiency Budgetary Accounting Significant Deficiency Significant Deficiency Validity and Accuracy of Unliquidated Obligations Significant Deficiency Significant Deficiency Information Technology Significant Deficiency Significant Deficiency 3 OIG, Independent Auditor’s Report on the U.S. Department of State 2014 and 2013 Financial Statements (AUD-FM-15-07, Nov. 2014). 7 Department’s Response to Findings Department management has provided its response to our findings in a separate memorandum included in this report as Appendix A. We did not audit management’s response, and accordingly, we express no opinion on it. Purpose of This Report The purpose of this report is solely to describe the scope of our testing of internal control over financial reporting and the results of that testing and not to provide an opinion on the effectiveness of the Department’s internal control. This report is an integral part of an audit performed in accordance with auditing standards generally accepted in the United States of America, Government Auditing Standards, and OMB Bulletin No. 15-02, in considering the entity’s internal control over financial reporting. Accordingly, this report is not suitable for any other purpose. Alexandria, Virginia November 16, 2015 8 1701 Duke Street, Suite 500, Alexandria, VA 22314 PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com INDEPENDENT AUDITOR’S REPORT ON COMPLIANCE WITH LAWS, REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS To the Secretary and the Inspector General of the U.S. Department of State We have audited the consolidated financial statements of the U.S. Department of State (Department) as of and for the year ended September 30, 2015, and have issued our report thereon dated November 16, 2015. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 15-02, “Audit Requirements for Federal Financial Statements.” Compliance As part of obtaining reasonable assurance about whether the Department’s consolidated financial statements are free from material misstatement, we performed tests of the Department’s compliance with provisions of applicable laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material impact on the financial statement amounts, including the provisions referred to in Section 803(a) of the Federal Financial Management Improvement Act of 1996 (FFMIA) that we determined were applicable. We limited our tests of compliance to these provisions and did not test compliance with all laws, regulations, contracts, and grant agreements applicable to the Department. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests, exclusive of those related to FFMIA, disclosed instances of noncompliance that are required to be reported under Government Auditing Standards and OMB Bulletin No. 15-02 and which are summarized as follows: • Antideficiency Act. This act prohibits the Department from (1) making or authorizing an expenditure from, or creating or authorizing an obligation under, any appropriation or fund in excess of the amount available in the appropriation or fund unless authorized by law; (2) involving the Government in any obligation to pay money before funds have been appropriated for that purpose, unless otherwise allowed by law; and (3) making obligations or expenditures in excess of an apportionment or reapportionment, or in excess of the amount permitted by agency regulations. Our audit procedures identified Department of the Treasury account fund symbols with negative balances that were potentially in violation of the Antideficiency Act. We also identified systemic issues in the Department’s use of allotment overrides to exceed available allotment authority. Establishing obligations that exceed available allotment authority increases the risk of noncompliance with the Antideficiency Act. In addition, the Department identified and was required to report an Antideficiency Act violation in the current year. Conditions 1 impacting the Department’s compliance with the Antideficiency Act have been reported annually since our FY 2009 audit. • Prompt Payment Act. This act requires Federal agencies to make payments in a timely manner, pay interest penalties when payments are late, and take discounts only when payments are made within the discount period. The Department did not always make payments within 30 days, as required. Additionally, we found that the Department did not consistently pay interest penalties for domestic and overseas payments in accordance with the Prompt Payment Act. Conditions impacting the Department’s compliance with the Prompt Payment Act have been reported annually since our FY 2009 audit. Under FFMIA, we are required to report whether the Department’s financial management systems substantially comply with Federal financial management systems requirements, applicable Federal accounting standards, and the U.S. Standard General Ledger (USSGL) at the transaction level. Although we did not identify any instances of substantial noncompliance with Federal accounting standards, we did identify instances, when combined, in which the Department’s financial management systems and related controls did not comply substantially with certain Federal financial management system requirements and the USSGL at the transaction level. Federal Financial Management Systems Requirements • • • • • • 1 The Department has long-standing weaknesses in its financial management systems regarding its capacity to account for and record financial information. For instance, the Department has significant deficiencies relating to financial reporting, property and equipment, budgetary accounting, and unliquidated obligations. During its annual evaluation of the Department’s information security program, as required by the Federal Information Security Management Act, the Department’s Office of Inspector General (OIG) identified weaknesses with computer security that it reported collectively as representing a significant deficiency. 1 The Department did not maintain effective administrative control of funds. Specifically, obligations were not created in a timely manner or were recorded in advance of an executed obligating document. In addition, there were systemic issues identified in the Department’s use of allotment overrides. The Department was required to report an Antideficiency Act violation in the current year. Specifically, the Department obligated and expended funds for specific Congressionally notified projects without the proper apportionment. The Department did not always minimize waste, loss, unauthorized use, or misappropriation of Federal funds. For example, OIG reported more than $209 million in questioned costs and funds put to better use during FY 2015. Interest was not always paid on overdue domestic and overseas payments. OIG, Audit of the Department of State Information Security Program (AUD-IT-16-16, Nov. 2015). 2 Standard General Ledger at the Transaction Level • • The Department’s financial management systems did not consistently post transactions to USSGL compliant accounts or track proprietary and budgetary account attributes consistent with the USSGL. General ledger account balances could not always be traced to discrete transactions. Further, discrete transactions could not always be traced to source documents. The Department had not implemented and enforced systematic financial management controls to ensure substantial compliance with FFMIA. The Department had not developed and executed remediation plans to address instances of noncompliance or validate compliance against criteria. The Department’s ability to meet Federal financial management system requirements and fully process transaction-level data in accordance with the USSGL was hindered by limitations in systems and processes. We have reported that the Department did not substantially comply with FFMIA annually since our FY 2009 audit. During the audit, we noted certain additional matters involving compliance that we will report to Department management in a separate letter. Department’s Response to Findings Department management has provided its response to our findings in a separate memorandum included in this report as Appendix A. We did not audit management’s response, and accordingly, we express no opinion on it. Purpose of This Report The purpose of this report is solely to describe the scope of our testing of compliance and the results of that testing and not to provide an opinion on the effectiveness of the entity’s compliance. This report is an integral part of an audit performed in accordance with auditing standards generally accepted in the United States of America, Government Auditing Standards, and OMB Bulletin No. 15-02, in considering the entity’s compliance. Accordingly, this report is not suitable for any other purpose. Alexandria, Virginia November 16, 2015 3 Appendix A United States Department of State Washington, D.C. 20520 November 16, 20 15 UNCLASSIFIED MEMORANDUM TO: OIG- Steve A. Linick FROM: CGFS- Christopher H. Flag'g~ SUBJECT: Draft Report on the Department of State's Fiscal Year 2015 Financial Statements CL>- 'h~ This memo is in response to your request for comments on the Draft Report of the Independent Auditor' s Report on Internal Control Over Financial Reporting, and Report on Compliance With Applicable Provisions of Laws, Regulations, Contracts, and Grant Agreements. As the OIG is aware, the Department operates in over 270 locations and 180 countries in some of the most challenging environments. The scale and complexity of Department activities and corresponding financial management operations and requirements are immense. We understand and take this dynamic into account as we pursue an efficient, accountable, and transparent financial management platform that supports the Department's and broader U.S. Government's forei gn affairs mission. Part of our accountability is the essential discipline of the annual external audit process and the issuance of the Department's annual audited financial statements. Few outside the financial community likely realize the time and effort that go into producing the audit and the Agency Financial Report, as we all work to demonstrate our commitment to strong financial management and to producing meaningful financial statements. It is a rigorous and exhaustive process. This year was no exception. It has been a concerted and dedicated effort by all stakeholders involved. While we may not agree on every aspect of the process and findings, we certainly appreciate and extend our sincere thanks for the professionalism and commitment by all parties, including the Office of the Inspector General and Kearney & Company, to work together throughout the audit process. We know there will always be new challenges and concerns given our global operating environment and scope of compliance requirements. Nonetheless, we believe the overall results of the audit reflect the continuous improvement we strive to achieve in the Bureau of the Comptroller and Global Financial Services and across the Department's financial management community. As expressed in the Independent Auditor's Report, we are pleased that the Department has received an unmodified ("clean") audit opinion on its FY 2015 and FY 2014 principal financial statements, and with no material weaknesses reported by the Independent Auditor. 1 2 We remain committed to strong corporate governance and internal controls as demonstrated by our robust system of internal controls overseen by our Senior Assessment Team (SAT), Management Control Steering Committee (MCSC), and validated by senior leadership. We appreciate the OIG participation in both the SAT and MCSC forums. For FY 2015, no material management control issues or material weaknesses in internal controls over financial reporting were identified by senior leadership. As a result, the Secretary was able to provide an unqualified Statement of Assurance for the Department's overall internal controls and internal controls over fmancial reporting in accordance with the Federal Managers' Financial lntegrity Act. We fully recognize that there is more to be done and that the items identified in the Draft Report will require our continued attention, action, and improvement. We look forward to working with you, Kearney & Company, and other stakeholders on addressing these issues in the coming year. 2