Report of Independent Auditors

FY 2003 Performance and Accountability Report
Bureau of Resource Management
December 2003
Report

Skip Letterhead and Read the Auditor's ReportLEONARD G. BIRNBAUM AND COMPANY, LLP

CERTIFIED PUBLIC ACCOUNTANTS
WASHINGTON OFFICE
6285 FRANCONIA ROAD
ALEXANDRIA, VA 22310-2510


(703) 922-7622
FAX: (703) 922-8256

LESLIE A. LEIPER
LEONARD G. BIRNBAUM
DAVID SAKOFS
CAROL A. SCHNEIDER
DORA M. CLARKE

WASHINGTON, D.C.
SUMMIT, NEW JERSEY
REDWOOD CITY, CALIFORNIA

INDEPENDENT AUDITOR'S REPORT

 

To the Secretary, Department of State:

We have audited the Department of State's (Department) Consolidated Balance Sheet, Consolidated Statement of Net Cost, Consolidated Statement of Changes in Net Position, Combined Statement of Budgetary Resources, and Combined Statement of Financing as of, and for the years ended, September 30, 2003 and 2002 (collectively the Principal Financial Statements); we have examined internal control over financial reporting in place as of September 30, 2003; and we have examined compliance with laws and regulations.

In our opinion, the Department's 2003 and 2002 Principal Financial Statements are presented fairly in all material respects.

We found:

  • reportable conditions on weaknesses in the Department's internal controls,
  • instances of noncompliance with selected provisions of applicable laws and regulations involving the Department's financial management system, and
  • noncompliance with the Federal Financial Management improvement Act (FFMIA) of 1996.

Each of these conclusions is discussed in more detail below. This report also discusses the scope of our work.

PRINCIPAL FINANCIAL STATEMENTS

In our opinion, the Department's 2003 and 2002 Consolidated Balance Sheets, Consolidated Statements of Net Cost, Consolidated Statements of Changes in Net Position, Combined Statements of Budgetary Resources, and Combined Statements of Financing, including the notes thereto, present fairly, in all material respects, the Department's financial position as of September 30, 2003 and 2002, and the net cost of operations, the changes in net position, the use of budgetary resources, and the use of financing, for the years then ended, in conformity with accounting principles generally accepted in the United States of America.

In 2003 and 2002, the Department implemented revised financial statement reporting requirements and Statements of Federal Financial Accounting Standards that became effective for those years. The details of these changes are presented in Note 2 to the Principal Financial Statements. The Department also changed its method for estimating domestic accounts payable in 2003. Details regarding this change are presented in Note 1 to the Principal Financial Statements.

INTERNAL CONTROL

We considered the Department's internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the Principal Financial Statements. We limited our internal control testing to those controls necessary to achieve the objectives described in the Office of Management and Budget's (OMB) Bulletin 01- 02, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982, such as those controls relevant to ensuring efficient operations. The objective of our audit was not to provide assurance on internal control. Consequently, we do not provide an opinion on internal control.

The objectives of internal control are to provide management with reasonable, but not absolute, assurance that the following objectives are met:

  • transactions are properly recorded and accounted for to permit the preparation of reliable financial reports and to maintain accountability over assets;
  • funds, property, and other assets are safeguarded against loss from unauthorized acquisition, use, or disposition;
  • transactions, including those related to obligations and costs, are executed in compliance with laws and regulations that could have a direct and material effect on the financial statements and other laws and regulations that OMB, Department management, or the Inspector General have identified as being significant for which compliance can be objectively measured and evaluated; and
  • data that support reported performance measures are properly recorded and accounted for to permit preparation of reliable and complete performance information.

Our consideration of the internal control over financial reporting would not necessarily disclose all matters of internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect the Department's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that errors or irregularities in amounts, which would be material in relation to the financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.

We noted four matters, discussed in the following paragraphs, involving internal control that we consider to be reportable conditions.

  • We have identified significant weaknesses related to information system security that we believe could be exploited to have a detrimental effect on the information used to prepare the financial statements. We believe that the information system networks for domestic operations are vulnerable to unauthorized access. Consequently, systems, including the Department's financial management system, which process data using these networks, may also be vulnerable. This weakness was first reported in Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145) based on penetration tests performed by the General Accounting Office (GAO) and was then reported in our opinion on the 1997 financial statements.

    The Department was able to close the recommendations related to this GAO report in FY 2000. However, we did not believe that the closure of the GAO recommendations demonstrated that the previously cited material weakness had necessarily been corrected. Therefore, the Department performed tests of access controls in this area, which identified significant weaknesses. The Department has initiated a program to assess its information systems security on a comprehensive basis.

This condition had been reported as a material weakness in our audits of the Department's 1997 Principal Financial Statements and subsequent audits. The Department's work toward correcting this deficiency is now considered to be sufficiently advanced to reduce this deficiency to a reportable condition.

  • The Department's financial and accounting system, as of September 30, 2003, was inadequate. This inadequacy prevented the Department from routinely issuing timely financial statements. There is a risk of materially misstating financial information under the current conditions. The principal areas of inadequacy were:

    • Certain elements of the financial statements, including, but not limited to, personal property, capital leases, and certain accounts payable, are developed from sources other than the general ledger. This is due, at least in part, to untimely processing and reporting of transactions by posts and bureaus. OMB Circular A-127, Financial Management Systems, requires that transaction processing be applied consistently throughout the Department's financial management system. The use of sources other than the general ledger to generate elements of the financial statements increases the potential for omission of significant transactions.
    • During 2003, the Department used several systems for the management of grants and other types of financial assistance. These lacked standard data classifications and common processes and were not integrated with the Department's centralized financial management system. Further, the Department could not produce reliable financial information that defined the universe of grants and other federal financial assistance.
  • The Department's internal control process related to the management of undelivered orders was inadequate. The Department has made significant improvements in this area over the past two years. The Department has actively worked with bureaus to validate undelivered orders and has successfully cleared up a significant number of obligations that were outstanding from past years. However, the Department needs to perform additional work to correct this weakness. Our tests indicated that over $334 million of undelivered orders should have been deobligated as of September 30, 2003. Also, we noted that the Department's undelivered orders balance has grown significantly to $6.7 billion, as of September 30, 2003. The Budget and Accounting Procedures Act of 1950 requires that the Department's accounting system provide effective control over funds. Failure to deobligate funds in a timely manner may result in the loss of availability of those funds.

The above two reportable conditions were cited in our audits of the Department's 1997 Principal Financial Statements and subsequent audits.

  • Although the Department complied with certain aspects of Statement of Federal Financial Accounting Standards #4, Managerial Cost Accounting Standards - for instance, it chose reasonable responsibility segments, recognized the cost of goods and services that it receives from other entities, and used an appropriate allocation methodology - it did not implement an effective process to routinely collect managerial cost accounting information, establish outputs for each responsibility segment, or allocate all support costs. Until this is done, we do not believe the information will be useful as a management decisionmaking tool. This was first reported in our audit of the Department's 2000 Principal Financial Statements.

These deficiencies in internal control may adversely affect any decision by management that is based, in whole or in part, on information that is inaccurate because of the deficiencies. Unaudited financial information reported by the Department, including budget information, also may contain misstatements resulting from these deficiencies.

We are not aware of any other known but uncorrected material findings or recommendations from prior audits that affect the current audit objectives.

In addition, we considered the Department's internal control over Required Supplementary Stewardship Information and Required Supplementary Information by obtaining an understanding of the Department's internal control, determining whether controls had been placed in operation, assessing control risk, and performing tests of controls as required by OMB Bulletin 01-02, and not to provide assurance on those internal controls. Accordingly, we do not provide an opinion on those controls.

Finally, with respect to internal control related to performance measures reported in Management's Discussion and Analysis, we obtained an understanding of the design of significant controls relating to the existence and completeness assertions and determined whether those controls had been placed in operation as required by OMB Bulletin 01-02. Our procedures were not designed to provide assurance on internal control over reported performance measures, and, accordingly, we do not provide an opinion on such controls.

We noted certain other internal control issues that we have reported to the Department's management in a separate letter dated December 24, 2003.

COMPLIANCE WITH LAWS AND REGULATIONS

The Department's management is responsible for complying with laws and regulations applicable to the Department. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we performed tests of the Department's compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin 01-02, including the requirements referred to in FFMIA. We limited our tests of compliance to these provisions, and we did not test compliance with all laws and regulations applicable to the Department. The objective of our audit of the Principal Financial Statements, including our tests of compliance with selected provisions of applicable laws and regulations, was not to provide an opinion on overall compliance with such provisions. Accordingly, we do not express such an opinion.

Material instances of noncompliance are failures to follow requirements, or violations of prohibitions in statutes and regulations, that cause us to conclude that the aggregation of the misstatements resulting from those failures or violations is material to the financial statements or that sensitivity warrants disclosure thereof.

The results of our tests of compliance with the laws and regulations described in the preceding paragraph, exclusive of FFMIA, disclosed the following instances of noncompliance with laws and regulations that are required to be reported under Government Auditing Standards issued by the Comptroller General of the United States and OMB Bulletin 01-02.

Overall, we found that the Department's financial management system did not comply with a number of laws and regulations, as follows:

  • Budget and Accounting Procedures Act of 1950. This requires an accounting system to provide full disclosure of the results of financial operations; adequate financial information needed in the management of operations and the formulation and execution of the budget; and effective control over income, expenditures, funds, property, and other assets. However, we found that the financial systems: (1) did not manage undelivered orders effectively, and (2) did not issue interim financial reports that could be used for effective management of operations.
  • Federal Managers' Financial Integrity Act of 1982. This requires the implementation of internal accounting and administrative controls that provide reasonable assurance that: (1) obligations and costs are in compliance with applicable laws; (2) funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and (3) revenues and expenditures applicable to Department operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets. However, as discussed above, we found that the financial system did not manage undelivered orders effectively. Hence, these funds are not adequately protected from waste or loss.
  • Chief Financial Officers Act of 1990. This requires the development and maintenance of an integrated accounting and financial management system that: (1) complies with applicable accounting principles, standards and requirements, and internal control standards; (2) complies with such policies and requirements as may be prescribed by the Director of OMB; (3) complies with any other requirements applicable to such systems; and (4) provides for (i) complete, reliable, consistent, and timely information that is prepared on a uniform basis and that is responsive to the financial information needs of agency management; (ii) the development and reporting of cost information; (iii) the integration of accounting and budgeting information; and (iv) the systematic measurement of performance. However, we found that the financial systems: (1) did not issue interim financial statements that could be used for effective management; and (2) did not provide complete information in that certain elements of the financial statements are developed from sources other than the general ledger.
  • OMB Circular A-127. This requires the Department to establish and maintain an accounting system that provides for: (1) complete disclosure of the financial results of the activities of the Department; (2) adequate financial information for Department management and for formulation and execution of the budget; and (3) effective control over revenue, expenditure, funds, property, and other assets. However, we found, again, that the financial system did not maintain effective control over undelivered orders. Further, the Department's failure to implement an effective managerial cost accounting system precludes effective control over revenues and expenditures.

The above areas of noncompliance were cited in our audits of the Department's 1997 Principal Financial Statements and subsequent audits.

The results of our tests of compliance with other laws and regulations disclosed no material instances of noncompliance. Compliance with FFMIA is discussed below.

Under FFMIA, we are required to report whether the Department's financial management systems substantially comply with federal financial management system requirements, applicable accounting standards, and the U.S. Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance, using the implementation guidance for FFMIA issued by OMB on January 4, 2001.

The results of our tests disclosed instances, described below, where the Department's financial management systems did not substantially comply with the requirement to follow the federal financial management system requirements. OMB implementation guidance states that, to be in substantial compliance with this requirement, the Department must meet specific requirements of OMB Circular A-127, including the computer security controls required by OMB Circular A-130, Management of Federal Information Resources. We found instances of substantial noncompliance with these two requirements.

  • Circular A-127 requires that the Department's systems support management's fiduciary role by providing complete, reliable, consistent, timely, and useful financial management information. Based on the weaknesses related to financial management systems discussed in the report on internal controls and the preceding paragraphs in the report on compliance with laws and regulations, we determined that the Department was not substantially in compliance with this standard.
  • Circular A-130, Appendix III, requires that the Department ensure an adequate level of security for all agency automated information systems. Specifically, the Department should ensure that automated information systems operate effectively and have appropriate safeguards to ensure the integrity of those systems. Based on our concerns related to the financial management systems discussed in the report on internal control and the preceding paragraphs in the report on compliance with laws and regulations, we determined that the Department was not substantially in compliance with this standard.

The Department's Bureau of Resource Management (RM) has overall responsibility for the Department's financial management systems. The foregoing noncompliance has its roots in the lack of organization and integration of the Department's financial management systems. This issue has been highlighted since 1983 in the Department's annual report, required by the Federal Managers' Financial Integrity Act. In our audits of the Department's Principal Financial Statements since 1997, we observed that the Department's financial management systems were not in compliance with FFMIA and recommended, in connection with our audits of the Department's 1997 and 1998 Principal Financial Statements, that a remediation plan be prepared. RM submitted its plan to remediate noncompliance with FFMIA to OMB on March 16, 2000. The plan initially projected achieving substantial compliance with FFMIA during FY 2003. RM currently expects to achieve this goal in 2004. Although RM has completed several significant phases of its plan, the plan needs to specifically address systems security and management of grants and other types of federal assistance.

We noted certain other instances of noncompliance that we reported to the Department's management in a separate letter dated December 24, 2003.

RESPONSIBILITIES AND METHODOLOGY

Department management has the responsibility for:

  • preparing the Principal Financial Statements and required supplementary stewardship information, required supplementary information, and other accompanying information in conformity with accounting principles generally accepted in the United States of America;
  • establishing and maintaining effective internal control; and
  • complying with applicable laws and regulations.

Our responsibility is to express an opinion on the Principal Financial Statements based on our audit. Auditing standards generally accepted in the United States of America require that we plan and perform the audit to obtain reasonable assurance about whether the Principal Financial Statements are free of material misrepresentation and presented fairly in accordance with accounting principles generally accepted in the United States of America. We considered the Department's internal control for the purpose of expressing our opinion on the Principal Financial Statements referred to above and not to provide an opinion on internal control. We are also responsible for testing compliance with selected provisions of applicable laws and regulations that may materially affect the financial statements.

In order to fulfill these responsibilities, we:

  • examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements;
  • assessed the accounting principles used and significant estimates made by management;
  • evaluated the overall presentation of the Principal Financial Statements;
  • obtained an understanding of the internal controls over financial reporting by obtaining an understanding of the agency's internal control, determined whether internal controls had been placed in operation, assessed control risk, and performed tests of controls;
  • obtained an understanding of the internal controls relevant to performance measures included in Management's Discussion and Analysis, including obtaining an understanding of the design of internal controls relating to the existence and completeness assertions and determined whether they had been placed in operations;
  • obtained an understanding of the process by which the agency identifies and evaluates weaknesses required to be reported under FMFIA and related agency implementing procedures;
  • tested compliance with selected provisions of laws and regulations that may have a direct and material effect on the financial statements;
  • obtained written representations from management; and
  • performed other procedures as we considered necessary in the circumstances.

Our audits were conducted in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards and OMB Bulletin 01-02. We believe that our audits provide a reasonable basis for our opinion.

The Management's Discussion and Analysis, Required Supplementary Stewardship Information, and Required Supplementary Information are not a required part of the Principal Financial Statements, but are supplementary information required by OMB Bulletin 01-09, Form and Content of Agency Financial Statements, and the Federal Accounting Standards Advisory Board. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the supplementary information. However, we did not audit the information and express no opinion on it.

This report is intended for the information of the Inspector General of the U.S. Department of State, the Department's management, the Office of Management and Budget, and the Congress. This restriction is not intended to limit the distribution of this report, which is a matter of public record.

Comments by the Department's management on this report are presented as Appendix A.

Signature of Leonard G. Birnbaum and Company, LLP

Leonard G. Birnbaum and Company, LLP

Alexandria, Virginia
December 24, 2003