2 FAM 020
(Office of Origin: CGFS/DCFO)
2 FAM 021 SCOPE AND AUTHORITY
2 FAM 021.1 Policy and Scope
a. The Department of State must maintain effective systems of management controls (also referred to as internal controls). All levels of management are responsible for ensuring adequate controls over all Department operations. New organizations, programs, or functions must incorporate effective systems of management controls.
b. All Department managers (domestic and at post) must establish cost-effective systems of management controls to ensure U.S. Government activities are managed effectively, efficiently, economically, and with integrity. Responsibility for preventing fraud and waste is not solely confined to financial or internal audit personnel. Each manager and supervisor, whether in accounting, administration, program, or budget, is responsible for management controls. A sound management control process is a dynamic, cost-saving management tool. Management control programs must be designed to provide reasonable assurance regarding the prevention of or prompt detection of errors, irregularities, and mismanagement.
c. As required by the Federal Managers' Financial Integrity Act (FMFIA), all management control systems must incorporate the Government Accountability Office (GAO) Internal Control Standards. Department of State managers must:
(1) Evaluate such systems on an ongoing basis;
(2) Correct detected deficiencies in such systems;
(3) Perform risk assessments as circumstances warrant, but not less than every 5 years;
(4) Undertake management control reviews once a need is determined; and
(5) Review and report on the adequacy of the Department’s control systems annually in support of the Secretary’s annual assurance statement to the President and the Congress.
d. The management control program applies to all program, administrative, operational, and financial areas of the Department.
2 FAM 021.2 Authorities and Requirements
The authority to establish, maintain, evaluate, improve, and report on management controls throughout the Department is derived from the statutory requirements listed in this section. The relevant U.S. Office of Management and Budget (OMB) guidance and the U.S. Government Accountability Office (GAO) internal control standards for implementing these requirements are also noted. Additional statutory requirements are contained in OMB Circular A-123, Section III:
(1) Accounting and Auditing Act of 1950, as amended: This Act requires the head of each executive agency to establish and maintain adequate systems of internal accounting and administrative controls; i.e., internal controls;
(2) Federal Managers' Financial Integrity Act (FMFIA) of 1982, 31 U.S.C. 3512: This Act amended the Accounting and Auditing Act of 1950 to require ongoing evaluations and reports of the adequacy of the systems for internal accounting and administrative control of each executive agency. It includes the following additional requirements and objectives:
(a) Internal accounting and administrative control standards are to be prescribed by the Comptroller General (Standards for Internal Control in the Federal Government, issued in 1999, revised);
(b) Evaluations are to be conducted by each executive agency of its system of internal accounting and administrative control in accordance with guidelines established by the Director of the Office of Management and Budget in OMB Circular A-123; and
(c) An annual statement of assurance is to be submitted by the head of each executive agency to the President and the Congress on the status of the agency’s systems of management controls and whether the agency’s financial management systems conform to Government-wide requirements;
(3) Chief Financial Officers Act of 1990, 31 U.S.C. 902, Public Law 101-576: This Act has as one of its stated purposes the improvement of systems of accounting, financial management, and internal controls to assure the issuance of reliable financial information and to deter fraud, waste, and abuse of U.S. Government resources;
(4) Improper Payments Elimination and Recovery Act (IPERA) of 2010, Public Law 111-204, which amended the Improper Payments Information Act of 2002, Public Law 107-300: This Act requires that agencies periodically review all programs and activities that the agency head administers and identify all programs and activities that may be susceptible to significant improper payments, and have a cost-effective recapture audit program to identify and collect overpayments and other improper payments;
(5) OMB Circular A-123, as amended, Management’s Responsibility for Internal Control: This circular promulgates a U.S. Government-wide internal control policy and a system of agency responsibilities and requirements. Its purpose is to address instances of fraud, waste, and abuse of Government resources and mismanagement of Government programs resulting from deficiencies in internal controls or deficiencies in compliance with internal controls. The circular provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls. The circular has specific appendices that address controls over financial reporting (Appendix A); the U.S. Government charge card program (Appendix B); and payments made under IPERA (Appendix C). The circular requires each agency head to report annually on management control through management assurance statements (overall FMFIA assurance). In addition to, and as a component of the overall FMFIA assurance statement, the agency head must provide an assurance statement on the effectiveness of internal control over financial reporting;
(6) OMB Circular A-123 Appendix D, as amended, Financial Management Systems: This circular prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems; and
(7) Government Accountability Office (GAO) Standards for Internal Control in the Federal Government, as revised: The FMFIA requires the GAO to issue standards for internal controls in Government. The standards provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement.
2 FAM 021.3 Definitions
Assessable unit: Any Department segment having one or more management control systems upon which periodic risk assessments must be performed. The individual assessable unit should be of an appropriate nature and size to facilitate a meaningful risk assessment. All Department segments must be assessed, with the exception of those involved in statutory development or interpretation or other discretionary policymaking processes.
Control deficiency: An inadequacy in a design or operation of a control that does not allow management or employees, in the normal course of their assigned functions, to prevent or detect misstatements on a timely basis and to meet the organization’s internal control objectives.
Corrective action plan (CAP): A document that is developed by management for all material weaknesses and significant deficiencies identified either for program or financial reporting. The CAP specifically identifies an overall corrective action accountability official; describes the significant deficiencies; and lists and provides a status of corrective actions and a timeline for resolution. CAPs for program or financial reporting are tracked internally by either the Management Control Steering Committee (MCSC) or the Senior Assessment Team (SAT).
Corrective action review (CAR): The method by which the actions taken by Department managers to correct material weaknesses and significant deficiencies are validated to ensure the intended results were achieved and adequate management controls were established and are working. Normally coordinated by the bureau or office management control coordinator, the CAR will be completed within 1 year of reporting the material weakness or significant deficiencies as corrected or downgraded to a deficiency. Results of the CAR are reportable to the Management Control Steering Committee.
Department segment: A component (organization, program, operation, or function) having a specific, responsible manager, which can be considered as an assessable unit.
Evaluation and corrective action documentation: The documents that explain and support the results of corrective action reviews and must be maintained for risk assessments, management control reviews, and follow-up corrective actions. They should contain the methodology used; the personnel involved and their roles; the key factors considered; the evidence reviewed; and the conclusions reached. This information will be useful for reviewing the validity of conclusions reached; evaluating the performance of individuals and the effectiveness of controls involved in the assessments and reviews; and for performing subsequent assessments and reviews. The incumbent manager of the segment must retain this documentation for a period of not less than 3 years.
General control environment: The reflection of the overall attitude, awareness, and actions of management concerning the importance of controls and its emphasis in the Department segment. Such factors include, but are not limited to, the following:
(1) Management emphasis on management control;
(2) Organizational structure;
(3) Policies and procedures;
(4) Delegation and communication of authority and responsibility;
(6) Procurement practices; and
(7) Knowledge of and enforcement of a code of conduct.
Improper payment: Any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. Improper payment also includes any payment to an ineligible recipient, payment for an ineligible good or service, a duplicate payment, or payment for a good or service not received (except for such payments where authorized by law).
Inherent risk: The potential for waste, loss, unauthorized use, or misappropriation due solely to the nature of an activity itself. Unacceptable or highly undesirable risk becomes the basis for establishing and maintaining management controls.
Internal control/management control: The plan of organization, policies, and procedures adopted by management to provide reasonable assurance that throughout all organizational elements and activities of the Department, the objectives of management are achieved and the integrity of the programs are safeguarded. The internal control objectives, which are enumerated in the FMFIA, are summarized as follows:
(1) Obligations and costs comply with applicable law and regulations;
(2) Assets are safeguarded against waste, loss, unauthorized use, and misappropriation;
(3) Revenues and expenditures applicable to agency operations are recorded and accounted for properly so that accounts and reliable financial and statistical reports may be prepared and accountability of the assets may be maintained; and
(4) Programs are efficiently and effectively carried out in accordance with applicable law and management policy.
Internal control standards: The standards issued by the Comptroller General, as revised, to establish, maintain, and evaluate systems of management control. These are applicable to all Department operations and administrative functions but are not intended to limit or interfere with duly granted authority related to developing legislation, rulemaking, or other discretionary policymaking.
Management control coordinator: A senior-level manager designated by an Assistant Secretary, office head, or chief of mission (COM) to ensure that the requirements of the FMFIA and the Department’s management control program are adequately carried out by the bureau, office, or post. Also serves as the bureau liaison to the Office of Management Control staff.
Management control evaluation: A detailed evaluation of a program or activity to determine whether adequate and appropriate control techniques exist. There are two types:
(1) Management control review is a detailed evaluation of the existing systems of management controls to determine whether necessary controls are in place and producing the intended results; and
(2) Alternative management control review is an Office of Inspector General (OIG) audit or a financial, a computer security system management, or a consulting review. The review determines that the control techniques of the activity are operating in compliance with Circular A-123. These types of reviews can be used in lieu of a management control review if they encompass the same scope and techniques of a management control review.
Management or internal control objective: A desired goal or condition to be achieved by the control techniques used on a component. Each objective is to take into consideration the nature of the component and the requirements of Circular A-123 (revised). Limiting factors such as budget constraints, statutory and regulatory restrictions, staff limitations, and the cost-benefits of each control technique are to be considered in determining desired management control objectives.
Management control officer: The Chief Financial Officer (CFO), who is designated by the Secretary of State to direct the Department’s implementation of and compliance with the Federal Managers’ Financial Integrity Act.
Management control system (or system of management control): The organizational structure, operating procedures, and administrative practices adopted by all levels of management to provide reasonable assurance that programs and administrative activities are effectively carried out in accordance with the objectives of the Federal Managers’ Financial Integrity Act (FMFIA) and OMB Circular A-123, revised.
Management control system documentation: Consists of written policies, organization charts, procedures, manuals, memoranda, flow charts, decision tables, software, and other related written materials pertaining to controls within each Department segment. This documentation must be current and permanently on file. Such documentation will serve to:
(1) Describe the management control methods and measures;
(2) Communicate responsibilities and authorities for operating such methods and measures; and
(3) Assist in the review of the management controls and their functioning.
Management control techniques: The processes and documents used to efficiently and effectively accomplish a management control objective and thus help safeguard an activity from waste, loss, unauthorized use, or misappropriation.
Material weaknesses: Significant deficiencies that the agency head determines to be significant enough to report outside of the agency. Such weakness would:
(1) Significantly impair the fulfillment of the Department’s mission;
(2) Deprive the public of needed services;
(3) Significantly weaken safeguards against waste, loss, unauthorized use, or misappropriation of funds, property, other assets or conflict of interest;
(4) Merit the attention of the agency head/senior management, the President, or the relevant congressional oversight committee; or
(5) Be of a nature that omission from the report could reflect adversely on the actual or perceived management integrity of the agency.
In the context of financial reporting, a material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected.
Nonconformance: Instances in which financial management systems do not substantially conform to financial systems requirements. Financial management systems include both financial and financially related (or mixed) systems.
Reasonable assurance: A judgment by Department management based upon available information that the systems of management controls are operating as the FMFIA intended. Reasonable assurance equates to a satisfactory level of confidence under given considerations of costs, benefits, and risks.
Recapture auditing: A documented review of financial records and supporting documentation that is specifically designed to identify and recover overpayments.
Risk assessment: A documented review of the susceptibility of an assessable unit, program, or activity to the occurrence of fraud, waste, loss, unauthorized use, misappropriation, or susceptibility to generate significant improper payments. General reviews will focus on areas such as the existing inherent risk or vulnerability, existing general control environment and safeguards in place, and adherence to the internal control standards. The Department will employ a systematic method of reviewing all programs and activities to identify programs and activities that are susceptible to significant improper payments.
Significant deficiency (formerly called a reportable condition): A deficiency, or combination of deficiencies, that in management’s judgment should be communicated because they represent significant weaknesses in the design or operation of internal control that could adversely affect the organization’s ability to meet its internal control objectives. A significant deficiency does not yet rise to the level of seriousness of a material weakness; however, if effective corrections are not made, the matter has the potential over time to develop into a material weakness. Such weakness could:
(1) Significantly impair the fulfillment of the Department’s mission;
(2) Deprive the public of needed services;
(3) Significantly weaken safeguards against waste, loss, unauthorized use, or misappropriation of funds, property, other assets, or conflict of interest;
(4) Merit the attention of the agency head/senior management, the President, or the relevant Congressional oversight committee; or
(5) Be of a nature that omission from the report could reflect adversely on the actual or perceived management integrity of the agency.
In the context of financial reporting, a significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, that is more than inconsequential will not be prevented or detected.
Statement of assurance: A letter or memorandum that states or certifies to a higher level of management that the required evaluation of management controls was conducted in accordance with OMB Circular A-123, revised. The memorandum states that the organization’s systems of management control taken as a whole comply with GAO standards and provide reasonable assurance that programs are effectively carried out in accordance with applicable law. The statement also identifies the material weaknesses and/or significant deficiencies, if any, in the organization’s systems of management control, however identified, and contains a plan for correcting these weaknesses.
2 FAM 022 RESPONSIBILITIES
2 FAM 022.1 The Secretary
The Secretary is responsible for submitting an annual statement of assurance to the President and the Congress on the overall adequacy and effectiveness of the management controls within the Department and conformance with U.S. Government-wide financial system requirements. Additional detail on the annual assurance process is provided in 2 FAM 024.
2 FAM 022.2 The Under Secretary for Management
The Under Secretary for Management is responsible for establishing and maintaining systems of management controls over all operations within the Department of State. This responsibility includes determining that systems are functioning as prescribed and are modified as required by changes in conditions.
2 FAM 022.3 The Comptroller
The Comptroller has the following responsibilities:
(1) Serves as the management control officer for the Department, under authority delegated by the Chief Financial Officer;
(2) Ensures the implementation of all statutory and procedural requirements prescribed by the Federal Managers’ Financial Integrity Act and OMB Circular A-123, Management’s Responsibility for Internal Control (Appendices A and C);
(3) Prepares the annual assurance statement from the Secretary of State to the President and Congress;
(4) Chairs the Management Control Steering Committee, which establishes Department policies and procedures for implementing and evaluating management controls;
(5) Provides the Under Secretary for Management periodic written or oral progress reports regarding significant weaknesses in management controls and policy issues requiring consideration that are outside the purview of the Management Control Steering Committee;
(6) Directs the segmentation of the Department into organizations, programs, operations, and functions; directs the development of an inventory of assessable units; ensures that risk assessments are performed on a periodic basis; and monitors the implementation of corrective actions;
(7) Provides advice and technical assistance in developing necessary guides for performing risk assessments and management control reviews and designing management control systems;
(8) Approves subsequent plans for risk assessments and reviews of management control systems;
(9) Establishes and maintains a program of quality assurance over management control evaluations, reviews, and follow-up corrective actions;
(10) Recommends Management Control Steering Committee action on proposed management control designs;
(11) Ensures that appropriate follow-up action is taken on management control deficiencies and financial losses by providing necessary guidance in designing needed additional controls;
(12) Maintains a continuing liaison with and awareness of the activities of other Department elements having responsibilities for activities that contribute to the goals and objectives of the management control program; and
(13) Reviews Government Accountability Office, Inspector General, contractor, or management reports that apply in whole or in part to management controls; reviews the analyses that Information Resource Management (IRM) performs, which focuses on automated systems (general and application controls); and ensures that risk assessments, management control reviews, and determinations of deficiencies consider these sources of information.
2 FAM 022.4 Management Control Steering Committee (MCSC)
a. A Management Control Steering Committee (MCSC) of Department officials at the Assistant Secretary or equivalent level, chaired by the management control officer (Comptroller), is responsible for setting management control policy that will meet the needs of the Department. The Under Secretary for Management selects the members. The Inspector General is a nonvoting member of the committee.
b. In addition, the members of the committee work with the management control officer to:
(1) Ensure that statutory and procedural requirements established by the FMFIA and OMB Circular A-123, revised, are carried out;
(2) Set management control objectives for the Department;
(3) Provide oversight of the Corrective Action Review and other validation processes for the Department;
(4) Clear the final version of the annual FMFIA statement of assurance; and
(5) Ensure attendance at all meetings of the committee and ensure that the principal deputy assistant secretary, or equivalent, is available to attend when unavoidable travel commitments prevent attendance by a member.
c. The MCSC is also responsible for providing oversight of the status of the corrective action plans for areas of heightened risk for waste, fraud, and mismanagement, otherwise known as high-risk areas. To carry out this responsibility, the MCSC requires the cognizant bureau(s) to:
(1) Report at least annually on the status of action plans by milestone completion dates;
(2) Validate that corrective actions undertaken have achieved the intended results; and
(3) Link the corrective action plans to the budgeting process.
d. The first MCSC meeting of the year will be held primarily to report to the committee the status of all outstanding significant deficiencies and/or material weaknesses. At the end of the fiscal year, after all of the chiefs-of-mission (COM) and bureau statement of assurance letters are received, the MCSC will meet to discuss and determine whether or not the Department needs to report:
(1) Any justification for closure to existing significant deficiencies or material weaknesses;
(2) Any potential new significant deficiencies or material weaknesses in the Department’s Federal Managers' Financial Integrity Act (FMFIA) statement of assurance; and
(3) Additional meetings will be held as frequently as necessary to ensure timely preparation and clearance of the FMFIA statement of assurance. Committee members may be accompanied to meetings by key staff members unless notified by the chair that the committee will be meeting in executive session.
2 FAM 022.5 Senior Assessment Team
The Senior Assessment Team (SAT) was established by the Management Control Steering Committee (MCSC) and is responsible for the oversight of the Department’s compliance with the requirements of Appendix A of OMB Circular A-123. The SAT is composed of senior executive-level managers from various bureaus in the Department and is chaired by the Deputy Chief Financial Officer. The SAT reports to the MCSC concerning the results of the annual Appendix A work. This includes providing the status of material weaknesses and significant deficiencies in the internal controls over financial reporting and making recommendations to the MCSC concerning the annual assurance regarding internal controls over financial reporting.
2 FAM 022.6 Office of Management Control (CGFS/DCFO/MC)
The Office of Management Control (CGFS/DCFO/MC) administers the requirements of FMFIA for the Department. These requirements include providing annual FMFIA guidance materials to the bureaus and posts; compiling the results of the statement of assurance from the Assistant Secretaries and chiefs of mission; and making recommendations to the MCSC concerning both the Secretary’s overall statement of assurance and assurance over assessing internal controls over financial reporting as it will be presented in the annual report. Procedures necessary to comply with Circular A-123 Appendix A (internal controls over financial reporting) and Appendix C (improper payments) are also performed by CGFS/DCFO/MC, including the coordination of reporting in the annual report in accordance with OMB requirements. Additionally, CGFS/DCFO/MC performs audit follow-up for GAO and OIG open recommendations. (See 1 FAM 614.14 for further description.)
2 FAM 022.7 Bureau and Office Heads and Chiefs of Mission
Bureau and office heads (Assistant Secretaries or equivalent) and chiefs of missions have the following responsibilities related to internal control:
(1) Develop and maintain appropriate systems of management controls for their organizations;
(2) Implement, maintain, and review management controls on an ongoing basis to determine whether the controls are adequate and functioning as prescribed;
(3) Perform risk assessments of each assessable unit within their organizations as frequently as circumstances warrant, but not less frequently than every 5 years;
(4) Report promptly to the management control officer all significant management control deficiencies, weaknesses, and financial losses. Follow-up reports on the corrective action(s) planned or taken to prevent a recurrence must be submitted to the management control officer on an annual basis; and
(5) Submit the chiefs-of-mission statements of assurance to the regional bureaus (posts) and the corresponding bureau/office statements of assurance to the Secretary (bureaus and offices) as described in 2 FAM 024.
2 FAM 022.8 Management Control Coordinators
a. The Assistant Secretary, office head, or chief of mission designates management control coordinators. Fulfilling assigned responsibilities must be a critical job element in performance agreements of management control coordinators. In addition, bureau and office management control coordinators should be the chief liaison to the Office of Management Control (CGFS/DCFO/MC) staff and have direct access to the Assistant Secretary, office head, or the next level below them.
b. The Assistant Secretary or office head must submit the name, title, address, and telephone number of the coordinator to the Office of Management Control whenever the designated coordinator is changed. The individual designated should be a senior-level manager and is responsible for coordinating the input for the Assistant Secretaries and chiefs of mission annual assurance statements.
c. With direction and guidance from the management control officer and the Office of Management Control, the bureau or office management control coordinator will:
(1) Determine the inventory of assessable units for the bureau or office;
(2) Conduct or arrange for all relevant management control training;
(3) Coordinate the timely performance of risk assessments and management control reviews (when required) among managers responsible for the assessable units within the bureau or office and thoroughly review all management control process products prior to their submission to the management control officer;
(4) Ensure that managers of assessable units consider Government Accountability Office and Inspector General reports and audits, contractor and management studies, and analyses performed by the Information Assurance Office (IRM/IA) and other Department offices when evaluating management controls within their area of responsibility;
(5) Evaluate proposed bureau/post corrective actions to ensure that they represent an effective and cost-beneficial approach for resolving identifiable deficiencies or risks within existing resource constraints; and
(6) Track and monitor these same required activities among the post management control coordinators reporting to the bureau or office.
d. The chief of mission designates a post management control coordinator at each embassy, international organization or consulate general (where the COM heads the consulate general) and submits the name, title, address, and telephone number of this coordinator to the cognizant bureau or office management control coordinator within 45 days from the issuance of this subchapter and thereafter, whenever the designated officer is changed. The individual designated should be a ranking officer, usually a management officer, with direct access to the chief of mission or deputy chief of mission on matters related to management controls.
e. Where there are constituent posts or multiple-post missions, the COM will designate a management control coordinator for each constituent post and/or mission, who will report directly to the embassy management control coordinator. The embassy management control coordinator is responsible for compiling and incorporating the responses from the constituent posts and/or missions into the chief of mission (COM) annual statement of assurance and submitting this information to the respective bureau for inclusion in the Assistant Secretary’s statement of assurance.
2 FAM 022.9 Director General of the Foreign Service and Director of Personnel
The Director General of the Foreign Service and Director of Personnel, with advice and guidance from the management control officer, is responsible for establishing and issuing procedures to provide that performance agreements appropriately reflect management control responsibilities; for developing and issuing guidance for recognition of positive accomplishments related to management control; and for appropriate disciplinary action for violations.
2 FAM 022.10 Director of the Foreign Service Institute (FSI)
a. The Director of the Foreign Service Institute (FSI), with advice and guidance from the management control officer, is responsible for establishing courses of instruction on policies, procedures, methods, and systems of management controls, as well as on approaches to evaluating, improving, and reporting on systems of management controls utilizing risk assessments and management control reviews.
b. In addition, the director is responsible for:
(1) Coordinating the development of course content with the management control officer;
(2) Revising course content to reflect changes to policies, procedures, methods, and systems of management control; and
(3) Providing the management control officer periodic reports on course effectiveness and student evaluation of course content.
2 FAM 022.11 Inspector General
a. The Inspector General (IG) has the responsibility to conduct independent and objective audits, inspections, reviews, and investigations of Department programs and operations (see 1 FAM 050). This work can include reviews of management controls to determine whether they are documented, effective, and operating as intended, with recommendations for improvement, when appropriate. Also when appropriate, the IG reports significant management control deficiencies to the Under Secretary for Management or to the Secretary.
b. The IG provides advice and technical assistance to managers and management control officers to establish/improve management controls.
c. The IG serves as a nonvoting member of the Department’s Management Control Steering Committee and the Senior Assessment Team (SAT) to offer advice and guidance to the MCSC and SAT regarding audit and inspection findings and recommendations, material weaknesses and significant deficiencies, and the status of corrective actions, as well as other management areas of concern and interest to the Department.
2 FAM 022.12 Department Managers
a. All managers throughout the bureaus, offices, and posts are responsible for maintaining and monitoring systems of management controls in their areas, and performance agreements must appropriately reflect this responsibility.
b. Department managers must provide their management control coordinator with plans, reports, and necessary information required to fulfill the responsibility for ensuring that policies and standards established by the Federal Managers’ Financial Integrity Act, OMB Circular A-123, revised, and this subchapter are met and carried out. This includes, but is not limited to, the information required for their respective bureaus or posts to prepare chiefs of mission assurance submitted to regional bureaus and the corresponding bureau/office statements of assurance submitted to the Secretary.
c. Department managers must submit reports to the management control officer on significant positive accomplishments related to management control and disciplinary action taken for significant violations of management controls.
2 FAM 023 MANAGEMENT CONTROL EVALUATIONS AND IMPROVEMENT PROCESS
2 FAM 023.1 Implementation
a. Bureau, office, and post managers, under the direction and guidance of the management control officer, are responsible for improving management controls in the Department. The management control evaluation, improvement, and reporting process is comprised of seven steps:
(1) Organizing the process;
(2) Segmenting the organization;
(3) Conducting risk assessments;
(4) Developing plans for subsequent actions;
(5) Conducting management control reviews;
(6) Taking corrective actions; and
(7) Reporting on management controls.
b. Coordinating with bureau and office management control coordinators, the Office of Management Control (CGFS/DCFO/MC) will develop guidelines for the seven steps listed in paragraph a of this section. The bureau and office management control coordinators are responsible for further dissemination and coordination to ensure compliance.
c. The Office of Management Control must maintain adequate documentation to support the management control evaluation, improvement, and reporting process. This includes management control systems documentation as well as evaluation and corrective action documentation, as defined in 2 FAM 021.3.
2 FAM 023.2 Reporting Significant Accomplishments or Violations Relating to Management Controls
a. As necessary, the head of the bureau or office must send to the Office of Management Control (CGFS/DCFO/MC) a memorandum addressed to the management control officer setting forth the following:
(1) If appropriate, the name and position of the officer(s) or employee(s) responsible for a significant accomplishment or violation;
(2) All pertinent facts, including the type of accomplishment or violation; the primary reason or cause of violations; and any statement of the responsible officer(s) or employee(s) with respect to circumstances believed to be extenuating;
(3) A statement of the administrative action taken to reward recognized accomplishments and discipline violators of management controls including, if applicable, an explanation as to why no administrative action was taken; and
(4) A statement recommending additional steps that could be taken relating to the individual (e.g., award or disciplinary action) or the system (e.g., communicate the accomplishment to other Department organizations or develop and issue new safeguards to prevent recurrence of the violation).
b. As appropriate, use applicable TAGS and follow procedures for including this material in the official personnel file of the individual(s) (see 3 FAM).
2 FAM 024 ANNUAL MANAGEMENT ASSURANCE PROCESS
a. The Federal Managers' Financial Integrity Act (FMFIA) requires the Secretary to submit an annual statement of assurance to the President and the Congress (at the close of the fiscal year) on the overall adequacy and effectiveness of the management controls within the Department. FMFIA also requires the Secretary to provide an annual statement on whether the Department’s financial management systems conform with U.S. Government-wide requirements, presented in OMB Circular A-123 Appendix D, Financial Management Systems. Beginning with fiscal year 2006, the Secretary was also required to provide an annual assurance statement on the effectiveness of internal control over financial reporting, which is an addition to and also a component of the overall FMFIA assurance statement.
b. The Secretary must disclose any material weaknesses or nonconformances for the Department and provide plans for corrective actions and progress against those plans. The annual statements are included in the Department’s annual report, which is due November 15.
c. The Office of Management Control (CGFS/DCFO/MC) prepares the Secretary’s assurance letter based on the recommendation of the Management Control Steering Committee (MCSC). The MCSC’s recommendation is based on the results of the annual statements of assurance from the Department’s Assistant Secretaries, the results of the review and test work done in accordance with OMB Circular A-123 Appendix A, the status of corrective actions for existing significant deficiencies and material weaknesses, and other internal control work. The Senior Assessment Team (SAT) will provide a recommendation to the MCSC concerning the assurance related to internal controls over financial reporting.
d. Annually, chiefs of mission, Assistant Secretaries, and office heads will provide an assurance statement, addressed to the Secretary, concerning the effectiveness of internal controls in their respective operations. The Bureau of the Comptroller and Global Financial Services will provide guidance concerning the timing and content of the assurance statements.
2 FAM 025 THROUGH 029 UNASSIGNED