U.S. Department of State Fiscal Year 2020 Agency Financial Report

7 funds were accurate. For example, the Department did not communicate effectively with child fund agencies to ensure that the validity of ULOs was reviewed periodically. In addition, the Department did not have a routine process to ensure that transaction-level details were readily available from the other agencies and were auditable. The Department adjusted its financial statements to correct the errors identified with the ULOs. However, without an effective process to accurately monitor child funds, a risk of errors remains in the Department’s future financial statements. V. Information Technology The Department’s information systems and electronic data depend on the confidentiality, integrity, and availability of the Department’s comprehensive and interconnected IT infrastructure using various technologies around the globe. Therefore, it is critical that the Department manage information security risks effectively throughout the organization. The Department uses several financial management systems to compile information for financial reporting purposes. The Department’s general support system, a component of its information security program, is the gateway for all the Department’s systems, including its financial management systems. Generally, control deficiencies noted in the information security program are inherited by the systems that reside in it. In accordance with the Federal Information Security Modernization Act of 2014 (FISMA), 8 the Office of Inspector General (OIG) is responsible for annually auditing the Department’s information security program. In the FY 2019 FISMA report, 9 OIG reported security deficiencies that significantly impacted the Department’s information security program and were considered a significant deficiency within the scope of the FY 2019 financial statements audit. 10 Due to the COVID-19 pandemic, OMB granted OIG an extension, from October 2020 to December 2020, for reporting the results of the FY 2020 FISMA audit. As a result, the FY 2020 FISMA audit report was not available before the deadline for reporting the results of the annual financial statements audit. Therefore, we performed procedures to assess the Department’s corrective actions to remediate deficiencies in the FY 2019 FISMA audit report that we considered to be the most significant to the FY 2020 financial statements. We found that the Department did not sufficiently develop, prioritize, and monitor corrective actions to remediate known security weaknesses and deficiencies, including those identified and reported to the Department by OIG. Without an effective information security program, the Department remains vulnerable to IT-centered attacks and threats to its critical mission-related functions. Information security program weaknesses can affect the integrity of financial applications, which increases the risk that sensitive financial information could be accessed by unauthorized individuals or that financial transactions could be altered, either accidentally or intentionally. Information security program weaknesses and deficiencies increase the risk that the Department will be unable to report financial data accurately. 8 Pub. L. No. 113-283, 128 STAT. 3079-3080 (December 18, 2014). 9 OIG, Audit of the Department of State Information Security Program (AUD-IT-20-04, October 2019). 10 OIG, Independent Auditor’s Report on the U.S. Department of State FY 2019 and FY 2018 Consolidated Financial Statements (AUD-FM-20-18, January 2020). 2020 A gency F inanci al R eport U ni ted S tates D epartment of S tate | 55 INDEPENDENT AUDITOR’S REPORT | FINANCIAL SECTION