Financial Highlights | Management Assurance
The Department of Education is committed to management excellence and recognizes the importance of strong financial systems and internal controls to ensure accountability, integrity, and reliability. Management, administrative, and financial system controls have been developed to ensure the following:
- All programs and operations achieve their intended results efficiently and effectively.
- Resources are used in accordance with the Department's mission.
- All programs and resources are protected from waste, fraud, and mismanagement.
- Laws and regulations are followed.
- Reliable, complete, and timely data are maintained and used for decisionmaking at all levels.
We believe that the rapid implementation of audit recommendations is essential to improving the efficiency and effectiveness of our programs and operations and to achieving our integrity and accountability goals.
Federal Managers' Financial Integrity Act
During fiscal year (FY) 2005, in accordance with the requirements of the Federal Managers' Financial Integrity Act (FMFIA) and using the guidelines of the Department and the Office of Management and Budget, we reviewed our management control system. The objectives of our management control system are to provide reasonable assurance that the following occur:
- Our obligations and costs are in compliance with applicable laws.
- Our assets are safeguarded against waste, loss, unauthorized use, or misappropriation.
- The revenues and expenditures applicable to agency operations are properly recorded and accounted for, to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over assets.
- All programs are efficiently and effectively carried out in accordance with applicable laws and management policy.
The efficiency of the Department's operations is continually evaluated using information obtained from reviews conducted by the Government Accountability Office and the Office of Inspector General, specifically requested studies, or observations of daily operations. These reviews ensure that our systems and controls comply with the standards established by FMFIA. Managers throughout the Department are responsible for ensuring that effective controls are implemented in their areas of responsibility. Individual assurance statements from assistant secretaries serve as a primary basis for the Department's assurance that management controls are adequate. The assurance statements are based upon each principal office's evaluation of progress made in correcting any previously reported problems; new problems identified by the Office of Inspector General, the Government Accountability Office, and other management reports; and the management environment within each principal office. Department organizations that have material weaknesses identified are required to submit plans for correcting those weaknesses. The plans, combined with the individual assurance statements, provide the framework for continually monitoring and improving the Department's management controls.
FMFIA Section 2, Management Control. All of the 80 internal control material weaknesses identified since the inception of FMFIA have been corrected and closed.
FMFIA Section 4, Financial Management Systems. All of the 95 financial management systems nonconformances identified since the inception of FMFIA have been corrected and closed.
Federal Financial Management Improvement Act. The Secretary has determined that the Department is in compliance with the Federal Financial Management Improvement Act (FFMIA), although our auditor has identified instances in which the Department's financial management systems did not substantially comply.
We are cognizant of our auditors' concerns relating to instances of non-compliance with FFMIA, as noted in the Compliance with Laws and Regulations Report located on p. 275 of this report, and we continue to strengthen and improve our financial management systems.
However, since our last FFMIA report, the Department has continued to invest a considerable amount of time, effort and resources in assessing and strengthening the security controls protecting its information and information resources. As a result of these assessments, the Department has learned that certain vulnerabilities identified by OIG and our auditors in this year's reports were previously accepted on an enterprise-wide basis by the Department's Designated Approving Authorities, Certifier and Government Technical Expert, supported by the recommendation of the Department's Independent Verification and Validation Management Committee (IV&V MC).
The IV&V MC prescribes five basic tenets in the acceptance of any individual vulnerability:
- It is not technically feasible to correct the vulnerability.
- It is cost prohibitive to correct the vulnerability.
- Correcting the vulnerability will result in the loss of system or application functionality.
- In the context of the Common Vulnerabilities and Exposures definition, the vulnerability is more correctly identified as a security exposure.
- All accepted vulnerabilities or security exposures must demonstrate that compensating security controls are in place and are operating as intended.
To this end, the Department has come to understand its risk management responsibilities. The Department has made a well-informed and documented risk-based business decision to operate its networks, systems and applications in the presence of certain vulnerabilities and security exposures. This acceptance of risk is in keeping with the rules and principles governing a risk management program.
Furthermore, the Department fully understands the risks inherent in operating information resources in the presence of common vulnerabilities and security exposures. To assist in the management of the potential risks, the Department has implemented proactive processes to identify, research, manage, remediate and monitor for vulnerabilities and security exposures. This remediation cycle can be an extended process for any particular vulnerability and, as a result, at any given time vulnerabilities awaiting remediation may be present in any networked environment, including the Department's.