-------

-------
              UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                         WASHINGTON, D.C. 20460  "
                           SEP. I  6 1994
                                                       THE INSPECTOR GENERAL
MEMORANDUM

SUBJECT:  EPA'S Integrity Act  Implementation
          Audit Report No. E1SFE3-07-0101-4100522

TO:       Carol M. Browner
          Administrator

     Attached is our report entitled,  "EPA'a Integrity Act
Implementation."  Our overall  audit  objective was to determine  if
the Agency's Federal Managers' Financial  Integrity Act (Integrity
Act) efforts effectively evaluated controls and created an early
warning system to prevent problems from escalating to material
weaknesses and to promote mission accomplishment.  The report     -
describes serious problems with  the  Agency's Integrity Act
implementation that can be linked to financial and performance
deficiencies identified in numerous  audit reports.

     We commend the Office of  Administration and Resources
Management (OARM), Resource Management  Division for its actions
in response to our Integrity Act audit  and to recent Government
streamlining initiatives.  We  believe that the Agency's new
Integrity Act approach will be more  responsive to the Integrity
Act's intent.  But, we are concerned that some managers'  current
misperceptions about management  integrity concepts may put the
success of the new process at  risk.   We hope that this report
will be useful to Agency managers in targeting some of the
problems which kept the former Integrity  Act approach from fully
succeeding as an early warning system.  The new approach,  if
implemented properly, should help you identify and correct
program weaknesses before they escalate to the material level.

     We addressed this report  to you as the only Agency official
with authority to hold program managers accountable for
implementation of the Integrity  Act  and the recommendations in
this report.   While the Assistant Administrator (AA)  OARM, as the
Agency's Chief Financial Officer (CFO), has broad authority over
financial management controls, his authority over program
management controls is limited.  Both the Agency Comptroller and
che Deputy Assistant Administrator for  Finance and Acquisition
advised us that as Integrity National Program Manager (NPM), the
AA OARM does not have the authority  to  hold AAs and RAs
accountable for implementing sound management controls.
            CM
            O
            O
                          US EPA Headquarters Library
                          Room 2904, Mailcode 3404
Prtnud en paper ina co
-------
     Accountability is a key aspect of the Integrity Act, the CFO
Act, the Government Performance and Results Act, and National
Performance Review reforms.  As part of your response to this
report, you should alert Assistant and Regional Administrators to
their responsibility to implement the Integrity Act and the
recommendations contained in this report, and hold them
accountable for effective Integrity Act implementation.

     The CFO Act and Office of Management and Budget (OMB)
guidance require that the CFO have the authority to establish,
review and enforce financial management control systems, and
establish, in coordination with program managers, agency-wide
management control processes.  In implementing the Act, EPA
advised OMB that its CFO would manage Agency-wide management
controls.  However, as CFO and Integrity NPM,  the AA OARM does
not have the authority to review and enforce Integrity controls,
standards and compliance involving program management.  We think
this lack of authority is a vulnerability that you should address
by strengthening the AA OARM's authority to include establishing,
reviewing and enforcing Agency-wide Integrity Act compliance.

     This audit report contains findings that describe problems
the Office of Inspector General (OIG) has identified and
corrective actions OIG recommends.  This audit report represents
the opinion of OIG.  Final determinations will be made by EPA-
managers in accordance with established EPA audit resolution
procedures.  Accordingly, the findings described in this audit
report do not necessarily represent the final EPA position.

Action Required                   '

     We have designated you as the Action Official for this
report.  We recommend that you delegate to the AA OARM, in his
role as CFO and NPM, authority for implementing the Integrity Act
Agency-wide.  With this authority, the CFO would be able to
execute the recommendations addressed to you in this report.  We
would then recommend that you designate the AA OARM as the Action
Official.

     In accordance with EPA Order 2750, the Action Official is
requested to provide this office a written response to the audit
report within 90 days of the report date.  The response should  .
address all recommendations.  For corrective actions planned but
not completed by the response date, reference to specific
milestone dateo will assist us in deciding whether to close this
report.  We have no objections to the release of this report to
the public.

     Should your staff have any questions, please have them
contact Kenneth A. Konz, Assistant Inspector General for Audit,
260-1106.
Attachment
                                        John C. Martin

-------
                               EPA'a Integrity Act Implementation
                       EXECUTIVE SUMMARY

Integrity is a key element in establishing accountability in
Government.  The President and Congress have reemphasized
management's responsibility to operate efficient and effective
control systems to support mission accomplishment.  The Office of
Inspector General (OIG) assists in promoting integrity throughout
the Environmental Protection Agency  (hereafter referred to as
Agency) by providing technical assistance to improve the Agency's
management control systems and by reporting to the Administrator
annually on the Agency's Federal Manager's Financial Integrity
Act (Integrity Act) efforts.

This report describes aspects of EPA's Integrity Act
implementation that may have impeded the Agency's progress in
achieving its mission in the past.  It is based on Integrity Act
findings in OIG audit reports issued between 1992 and 1994.  We
believe an understanding of these problems will help the Agency
avoid them in implementing a new strategy.  Our overall audit
objectives were to determine if the Agency's Integrity Act
efforts effectively evaluated controls and created an early
warning system to prevent problems from escalating to material
weaknesses and to promote mission accomplishment.

The Agency has committed to strengthening integrity as a critical
part of basic management practices.  The Administrator and Senior
Leadership Council highlighted integrity as part of the Agency's
overall management agenda.  Also, the Agency's draft strategic
plan for fiscal 1995-1999 recognizes and reinforces the
accountability that Federal program managers have for good
management processes and the need for an institutionalized Agency
framework for priority-setting, decision-making, and resource
allocation.   The strategy describes Agency activities to comply
with the Chief Financial Officers (CFO)  Act of 1990, the
Government Performance and Results Act (GPRA)  of 1993, and the
Integrity Act.  Management integrity is a key component of the
strategic plan.  Key initiatives emphasize results rather than
process.

BACKGROUND

Good internal control systems improve operations and discourage
wrongful acts by making them more difficult.  -Congress passed the
Integrity Act to amend the Accounting and Auditing Act of 1950
and require renewed focus on strengthening internal controls.
                                           E1SFE3-07-0101-4100522

-------
                               EPA'8 IntegrityAct implementation
The Accounting and Auditing Act requires agencies to establish
and maintain effective internal control systems.  The Integrity
Act requires agencies to continuously evaluate and report to
Congress and the President on the adequacy of those systems.
Also, the Integrity Act requires agencies to build control
systems around Comptroller General standards and to evaluate
those systems following Office of Management and Budget  (OMB)
guidelines.

Only the Agency Administrator has authority to hold managers
accountable for Integrity Act implementation. The Administrator
designated the Assistant Administrator for the Office of
Administration and Resources Management (OARM) as the coordinator
for the Agency's Integrity Act efforts, but Agency Assistant
Administrators and Regional Administrators are ultimately
responsible for Integrity Act implementation.  The Resource
Management Division (RMD) within OARM'S Office of the Comptroller
was delegated National Program Manager responsibility for
coordinating, monitoring, and providing guidance for the Agency's
Integrity Act implementation.  In fiscal 1992, RMD established
quality action teams to improve Integrity Act training and
guidance, promote management buy-in, and streamline the Agency
process.  In fiscal 1994, since the issuance of the National
Performance Review Report and GPRA, RMD reengineered the Agency's
Integrity Act requirements to streamline the process and make
managers more accountable for ongoing evaluations and program
improvements.

The reengineered process is responsive to the Comptroller General
standards and to OMB requirements.  It builds on Agency-wide
Management Integrity Principles, based on the standards, which
pertain to all programs and activities and which are intended to
promote best management practices.  Managers are expected to
incorporate these principles into existing management processes
and program strategies and guidance to strengthen program
operations.  It stresses integrating Integrity Act requirements
with program planning, budgeting, operations, fiscal management,
and evaluation.  Also, managers are expected to be more directly
involved and accountable for ensuring the integrity of their
programs and resources.
                                ii
                                           E1SFE3-07-0101-4100522

-------
                               EPA'sIntegrity Act Implementation
RESULTS-IN-BRIEF

We directed recommendations to the Administrator because she
should hold managers accountable for. effective Integrity Act
implementation.  The Agency had segregated Integrity Act
implementation from other management "activities.  Most managers
responded to the paper-intensive requirements of the Agency's
Integrity Act process but did not relate the process to
management control system improvement.  While senior management
was committed to identifying material weaknesses reportable to ,
Congress and the President, the Agency did not effectively
identify weaknesses through the lower management levels and
implement corrective actions before weaknesses became material
and took years and significant resources to correct.


Integrity Act Can Help Managers
Exercise Leadership

Through its Integrity Act reengineering, the Agency has adopted a
system that appropriately stresses the Agency's management
integrity principles.  Agency efforts to integrate control
reviews into ongoing management activities including budget and
planning can improve programs by focusing managers' efforts on
improving program implementation.  However, the reengineered
program cannot succeed unless managers accept responsibility for
implementing sound management practices, and the Agency gives
recognition to managers who identify problems and improve control
systems.

Many of the problems we identified with the old process resulted
from managers not employing basic management techniques and not
observing Comptroller General standards, as required by the
Integrity Act.  The Agency's Integrity Act process was paper
intensive and segregated from other management activities.
Managers did not realize that management control systems were the
plans, policies, and procedures they had established to achieve
the Agency's mission, and that the Integrity Act and related
standards required them to complete the basic management steps of
documenting,  evaluating, and improving those systems.  Managers
often limited their Integrity Act 'efforts to financial controls.
Integrity Act guidance was not tailored to mission
accomplishment, and Integrity Act training and-application
focused on completing required paperwork rather than improving
management controls.
                               iii
                                           E1SFE3-07-0101-4100522

-------
                               EPA'a Integrity act Implementation
Improved Control Reviews And Reporting
Can Prevent Problem Escalation

The Agency demonstrated strong senior management commitment to
identifying its material weaknesses by establishing a Senior
Council on Management Controls (now known as the Senior
Leadership Council) in 1989 to focus top management attention on
management integrity issues.  The Council obtained input on
weaknesses from OIG, General Accounting Office, OMB, and senior
managers.  However, the Council may have relied too extensively
on external audits and reviews to identify its material
weaknesses.  The Integrity Act intended that the Administrator's
annual assurance letter be supported by program managers'
evaluations of their internal control systems.

Although the Agency reported 18 material weaknesses in fiscal
1993, its managers did not identify weaknesses through a building
block process that let weaknesses identified through control
reviews flow up through its management structure to the program
and function offices as contemplated by the Integrity Act.
Managers did not routinely use the Integrity Act process as an
early warning system to identify and correct weaknesses before
they escalated to the material weakness levels identified by
external reviews.  As a result, the Agency's Integrity Act
process did not prevent negative consequences and improve the
economy and efficiency of operations.

RECOMMENDATIONS

We directed recommendations to the Administrator as the Agency
official who can hold managers accountable for effective
Integrity Act implementation.  The Assistant Administrator for
OARM and senior managers should stress the Integrity Act's intent
through specific Integrity Act and overall management training
courses, written policies and procedures, and senior managers'
meetings.   Agency guidance should emphasize managers as the
assessors and reporters of weaknesses and view external reviews
as only one of several sources managers should use to assess
controls.   OARM should provide guidance and procedures for
reporting weaknesses through the chain-of-command to ensure the
Agency has sufficiently identified the extent of its weaknesses
and targeted the appropriate accountable managers for
implementing corrective action.  Assistant Administrators and
Regional Administrators should hold managers accountable through
the performance appraisal process for identifying and correcting
                                iv
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act implementation
program weaknesses and achieving results and should recognize
managers for implementing and maintaining effective control
systems.

AGENCY COMMENTS AND QIC EVALUATION
                             v
OARM basically agreed with the first finding and recommendations,
but requested that the recommendations be directed to all
Assistant Administrators and Regional Administrators as they are
ultimately responsible for Integrity Act implementation.  OARM
attributed lack of adequate national training to past and
continuing travel and resource constraints.  OARM expressed
concern with the second finding related to managers being
verbally encouraged to count as many activities as possible as
control reviews.  It felt that the annual guidance provided
sufficient criteria for conducting proper reviews and for
reporting weaknesses through the chain-of-command.

OIG clarified Assistant Administrator and Regional Administrator
responsibilities for Integrity Act implementation and issued the
report to the Administrator.  The Administrator is the Agency
official with the authority to hold Assistant and Regional
Administrators accountable for their Integrity Act
responsibilities.  As National Program Manager, OARM should
design clear written guidance, effectively educate managers in
the mission critical importance of good management controls,
oversee Integrity Act implementation, and offer senior managers
ongoing technical support for continued effective program
management.  This technical support includes verbal guidance to
managers to follow the written directions which might take the
form of supplemental oral explanations of specific ways to
accomplish tasks and design program review strategies which
effectively evaluate controls.  OARM's early education and
communications with senior managers regarding the new process
should highlight that early identification and effective
communication of weaknesses across the Agency will ultimately
make managers'  jobs easier because all will benefit from knowing
which controls work,  and which controls need improvement.
                                           E1SFE3-07-0101-4100522

-------
                  EPA's  Integrity Act Implementation
This Page is intentionally left blank.
                  vi
                              E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
                       TABLE OF CONTENTS

                                                             Page

EXECUTIVE SUMMARY 	 i

CHAPTERS                                         -  .

  1  INTRODUCTION	 .  .  . 1

          PURPOSE 	 1

          BACKGROUND		  . 2

          SCOPE AND METHODOLOGY	6

          PRIOR AUDIT COVERAGE  	 7

  2  INTEGRITY ACT CAN HELP MANAGERS
       EXERCISE LEADERSHIP  	 8

          THE INTEGRITY ACT AND STANDARDS CREATE
            A FRAMEWORK FOR MANAGING PROGRAMS 	 9

          INTEGRITY ACT IMPLEMENTATION WAS PROCESS
            RATHER THAN RESULTS ORIENTED  	   11

          GUIDANCE AND TRAINING WERE NOT CLEAR AND COMPLETE
            AND MANAGERS WERE NOT  HELD ACCOUNTABLE	14

          CONCLUSION	   16

          RECOMMENDATIONS 	   17

          AGENCY COMMENTS AND OIG  EVALUATION  	   18

  3  IMPROVED CONTROL REVIEWS AND  REPORTING
       CAN PREVENT PROBLEM ESCALATION 	   20

          OMB PROMOTES AN EFFECTIVE MANAGEMENT
            CONTROL PROGRAM	20

          THE AGENCY REPORTED WEAKNESSES
            IDENTIFIED IN EXTERNAL REVIEWS   	   21
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act  Implementation
          MANAGERS NEEDED TO REPORT WEAKNESSES THROUGH
            THE ORGANIZATIONAL CHAIN   	   22

          MANAGERS SHOULD HAVE IDENTIFIED WEAKNESSES
            THROUGH CONTROL REVIEWS 	   24

          CONCLUSION	26

          RECOMMENDATIONS 	   27

          AGENCY COMMENTS AND OIG EVALUATION  	   28

               EXHIBIT 1 - AUDITS OF INTEGRITY ACT
                           IMPLEMENTATION    	29

               EXHIBIT 2 - OIG AUDITS WITH INTEGRITY
                           ACT FINDINGS   	30

APPENDIXES

  APPENDIX I:'    AGENCY COMMENTS  	   33

  APPENDIX II:   ABBREVIATIONS  	   45

  APPENDIX III:  DISTRIBUTION	   46
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
                            CHAPTER 1
                          INTRODUCTION
PURPOSE

Integrity is one of the key elements in establishing
accountability in Government.  The President and Congress have
reemphasized management's responsibility to operate efficient and
effective control systems to support mission accomplishment.  A
major role of the Office of Inspector General (DIG) is to improve
agency operations by making recommendations to increase
efficiency and effectiveness.  OIG assists in promoting integrity
throughout the Environmental Protection Agency (hereafter
referred to as Agency) by providing technical assistance to
improve the Agency's management control systems and by reporting
to the Administrator annually on the Agency's Integrity Act
efforts.  This report provides an overall assessment of the
Agency's implementation of the Federal Managers' Financial
Integrity Act of 1982 (Integrity Act).  It is based on Integrity
Act findings in OIG audit reports issued between 1992 and 1994.

The Agency has committed to strengthening integrity as a critical
part of basic management practices.  The Administrator and Senior
Leadership Council have manifested this commitment by
highlighting integrity as part of the Agency's overall management
agenda.  Also, the Agency's draft strategic plan for fiscal 1995-
1999 recognizes and reinforces the accountability that Federal
program managers have for good management processes and the need
for an institutionalized Agency framework for priority-setting,
decision-making, and resource allocation.  The strategy describes
Agency activities to comply with the Chief Financial Officers
(CFO) Act of 1990, the Government Performance and Results Act
(GPRA) of 1993, and the Integrity Act.  Management integrity is a
key component of the strategic plan.  Initiatives emphasize
results rather than process,, while calling for more effective
management.

This report describes Agency Integrity Act deficiencies that may
have impeded the Agency's progress in achieving its mission in
the past.  We believe an understanding of these deficiencies will
help the Agency avoid them in implementing the new strategy.  Our
overall audit objectives were to determine if the Agency's
Integrity Act efforts effectively evaluated controls and created
an early warning system to prevent problems from escalating to
material weaknesses and to promote mission accomplishment.

-------
                               EPA'3 Integrity Act Implementation
BACKGROUND

A generally  recognized effective management principle is that
good internal control systems improve operations and discourage
wrongful acts by making them more difficult.  Congress passed the
Integrity Act to amend the Accounting and Auditing Act of 1950
and require  renewed focus on strengthening internal controls.
The Accounting and Auditing Act requires agencies to establish
and maintain effective internal control systems.  The Integrity
Act requires agencies to continuously evaluate and report to
Congress and the President on the adequacy of those internal
control systems.  Also, the Integrity Act requires agencies to
build control systems around standards prescribed by the General
Accounting Office and evaluate those systems following guidelines
prescribed by the Director of the Office of Management and Budget
(OMB).

Standards for Internal Control In The Federal Government, dated
June 1, 1983, presents the control standards as defined by the
Comptroller  General.  The standards cover program management as.
well as financial management.  OMB Circular A-123 (Revised),
dated August 4, 1986, was initially issued in 1983 and defined
the policies and procedures for establishing, maintaining, and
reporting on agencies" program and administrative internal
controls.  The Circular requires agencies to complete:  (1)
annual management control plans, (2) vulnerability assessments,
and (3) management control reviews.  OMB issued guidelines for
evaluating internal controls in December 1982.  The guidelines
require extensive event cycle documentation.  The standards and
OMB guidelines describe the basic management techniques of
planning, documenting, evaluating, reporting, and correcting
operations.

In August 1994, OMB issued a working draft of the revised OMB
Circular A-123.  The proposed revision identifies statutes and
policies issued since the Integrity Act which, considered
collectively, provided a framework for assessing management
integrity.   The statutes and policies include the CFO Act; GPRA;
Executive Order 12861, Elimination of one-Half of Executive
Branch Internal Regulations; Presidential Memorandum on Agency
Streamlining (September 11,  1993); and the Inspector General Act,
as amended.  The proposed revision:  (1) allows agencies latitude
in implementing management control programs, (2) makes management
controls a more understandable and meaningful -concept for agency
managers, and (3)  eliminates ambiguities in the current circular.
                                           E1SFE3-07-0101-4100522

-------
                                EPA'a  integrity Act Implementation
The CFO Act and GPRA, coupled with  the  longstanding Integrity
Act, provide the  legislative framework  for  achieving results and
ensuring accountability in Government.  The aim of  the CFO Act is
to improve general and financial management in  Government,
providing a framework to develop reliable financial and
management systems.  GPRA establishes strategic planning and
performance measurement in Government,  providing a  framework to
achieve program results.  The Integrity Act focuses on all
aspects of agency management by providing for ongoing evaluations
and reports on the adequacy of control  systems.   All three acts
were passed to curb the threat of waste and inefficiency in
Government programs and to improve  Government management.   All
three call for resource accountability.

When properly implemented, the three acts will  work in concert to
enhance mission accomplishment.  The CFO Act calls  for 5-year
plans on financial management reform, with  annual progress
evaluations.  GPRA calls for 5-year strategic plans defining
outcome-related goals and objectives, with  annual plans and
reports oh success in
achieving performance goals.
The Integrity Act calls for
ongoing evaluations of the
management control systems
agencies have established to
achieve the reforms and
outcomes envisioned by the CFO
Act, the GPRA, and major
environmental statutes.  It
requires an annual report to
Congress and the President on
systems' adequacy and planned
corrective actions.  Integrity
reviews provide an early
warning to managers to correct
problems before they hinder  .
MANAGEMENT AND FINANCIAL
SYSTEMS ARE RELIABLE
PERFORMANCE OUTCOMES
  ARE ACHIEVED
   REFORM PLANS
                STRATEGIC PLANS
mission accomplishment.
                                    RESULTS ORIENTED GOVERNMENT
Congress expects the Agency to exercise control over  its
resources for effective and efficient mission accomplishment..
The Agency's mission to protect the environment from  airborne
pollutants and radiation, solid and hazardous wastes,  and
hazardous water contaminants requires highly complex  management
control systems. .Management control .encompasses all-activities
designed to ensure'that an organization accomplishes  its
objectives effectively and efficiently:   (1) within the  planned
timeframes, (2) within approved cost limitations, and (3) with
the planned quality and quantity of output.  Management  control
                                           E1SFE3-07-0101-4100522

-------
                               EPA'a Integrity Act Implementation
 systems span management activities from deciding what the Agency
 should do or what it should emphasize, to allocating funds,
 monitoring activities, reviewing operations, making mid-course
 corrections, and evaluating overall organizational and individual
 performance.

 Only the Agency Administrator has authority to hold managers
 accountable for Integrity Act implementation.  The Administrator
 designated the Assistant Administrator for the Office of
 Administration and Resources Management (OARM) as the coordinator
 for the Agency's Integrity Act compliance.  The Resource
 Management Division  (RMD) within the Office of the Comptroller
 has been the National Program Manager and was responsible for
 coordinating, monitoring, and providing guidance for the
 Integrity Act implementation.  In August 1988, RMD issued its
 guidance manual entitled EPA Internal Control Guidance for
 Managers and Coordinators which outlined procedures consistent
 with the requirements of OMB Circular A-123 and Comptroller
 General standards.  The manual stressed management responsibility
 and accountability for effective internal control systems.  Also,
 RMD issued supplemental annual guidance.

 Within the Agency, 22 primary organization heads, Assistant
 Administrators (AA) in the Headquarters program offices and
 Regional Administrators (RA), are ultimately responsible for
 implementing the Integrity Act.  Their responsibilities include
 assuring the Administrator that they recognize the importance of
 management controls and believe their organizational units meet
 the Integrity Act intent, and ensuring their staff
 conscientiously fulfill their management control responsibilities
 and perform control reviews following the Agency's guidelines.

 In fiscal 1992, RMD recognized that the Integrity Act process
 continued to work ineffectively and established quality action
 teams to improve Integrity Act training and guidance, promote
 management acceptance, and streamline the process.  In fiscal
 1994, since the issuance of the National Performance Review and
 the GPRA, RMD reengineered the Agency's Integrity Act
 requirements to streamline the process and integrate
 responsibilities for prompt detection, correction, and prevention
 of problems in program planning, budgeting, operations, fiscal
management, and evaluation.  The reengineered process makes
managers more accountable for evaluating and improving their
programs as -part of ;everyday ^operations.  Tq April _L994, the
Agency received a waiver of the Circular A-123 requirements for
management control plans, vulnerability assessments, separate
management control reviews, and event cycle documentation.
                                           E1SFE3-07-0101-4100522

-------
                               EPA7s Integrity Act Implementation
The reengineered process is responsive to the Comptroller General
standards and the proposed revisions to OMB Circular A-123.  It
adopts Agency-wide Management Integrity Principles, based on the
standards, which pertain to all programs and activities and which
are intended to promote best management practices.  Agency
managers are expected to incorporate these principles into
existing management processes and program strategies, guidance
and procedures, which serve as the Agency's management control
framework to safeguard resources and achieve mission goals.
Agency managers are expected to be more directly involved and
accountable for ensuring the integrity of their programs and
resources.  Specifically, new Integrity Act guidance calls for
Agency managers to:

     0    Assess and revise guidance and strategies to ensure
          adequate coverage and consistency with the Agency's
          Management Integrity Principles;

     0    Develop administrative and program-specific integrity
          principles for use Agency-wide;

     0    Develop a systematic review strategy, that includes
          program and oversight reviews, CFO and GPRA results,
          and other relevant information sources, to assess
          effectiveness of guidance and strategies;

     0    Establish a building block process to identify
          weaknesses through the chain-of-command and report on
          progress at mid-year and in annual assurance letters to
          the Administrator.

Also,  under the reengineered process, the 22 primary organization
heads retain accountability for management integrity and rely on
their Senior Resource Officials (SRO)  to communicate the
Agency's national management integrity guidance, oversee
compliance with Integrity Act requirements,  and provide an
overall assessment of the effectiveness of their offices' program
strategies and guidance.  Agency Allowance Holders carry out the
specific Integrity Act requirements for their programs.   OARM is
currently streamlining its office and plans to eliminate RMD,
transferring its functional responsibilities elsewhere within the
Office of the Comptroller.
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
SCOPE AND METHODOLOGY

We performed our fieldwork at RMD from June 1993 through June
1994 and focused on the Agency's Integrity Act implementation,
administration, and reporting in fiscal 1992 and 1993.  RMD is
located in Washington, D.C.  At RMD, we reviewed documentation
and discussed policies, plans, and procedures to determine if RMD
provided sufficient Integrity Act oversight and to evaluate its
process for developing and supporting the Administrator's annual
assurance letter to the President and Congress.  We reviewed the
Agency's fiscal 1992 and 1993 assurance letters to determine
whether reported Agency weaknesses were identified through the
Integrity Act process.  We reviewed the new integrity model to
see if it addressed all of the problems we identified in our
audit work.

We conducted audits that support findings in this report in three
regional and two program offices.  (Exhibit 1 lists the audit
reports, report dates, and office locations.)  At the regional
and program offices, we judgmentally selected a sample of large
divisions and offices whose Integrity Act process had not been
reviewed and reviewed plans, control system documentation,
control reviews, and subassurance reports to evaluate Integrity
Act implementation during fiscal 1990-1994.   We judgmentally
selected a sample of managers and interviewed them about their
understanding of their Integrity Act responsibilities.  We re-
viewed portions of their performance agreements and appraisals
and training records to determine whether they understood
Integrity Act procedures and the extent of oversight they had
received.  We reviewed recent OIG audit reports issued between
September 30, 1991, and 1994 that discussed Integrity Act
findings or other management control findings to determine
whether the Agency's Integrity Act process was working
effectively.  (Exhibit 2 lists the reports.)

We did not review the Agency's compliance with the Integrity
Act's Section 4 on whether the Agency's accounting system
conforms to Comptroller General requirements.  Rather, we relied
on the work of other OIG auditors.  Their audits addressed
deficiencies in the Agency's accounting system.

We conducted our audits in accordance with Government Auditing
Standards (1988 Revision).   The findings in this report include
control weaknesses identified during the audit and our
recommendations to correct the weaknesses, when appropriate.  No
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
other issues came to our attention which we believed were
significant enough to warrant expanding the audit scope.

PRIOR AUDIT COVERAGE

OIG and General Accounting Office (GAO) have audited the Agency's
Integrity Act process and reported deficiencies since 1983.  This
report summarizes Integrity Act deficiencies reported by OIG
between 1992 and 1994.   GAO has not recently issued reports on
the Agency's Integrity Act process.
                                           E1SFE3-07-0101-4100522

-------
                               EPA'a Integrity Act Implementation
                            CHAPTER 2
      INTEGRITY ACT CAN HELP MANAGERS EXERCISE LEADERSHIP
Through its Integrity Act reengineering, the Agency has adopted a
system that integrates responsibilities for identifying,
preventing and correcting problems into day-to-day operations and
Agency centralized systems for program planning, budgeting,
operations, fiscal management, and evaluation.  AAs and RAs will
identify vulnerabilities through the strategic planning process,
as well as routine review of day-to-day program information
provided by Agency reporting systems and customer feedback, and
develop and carry out a systematic review strategy to assess
these vulnerabilities.  The reengineered process relies heavily
on effective implementation of the Agency's management integrity
principles, which are based on Comptroller General standards.
Agency efforts to integrate control reviews into ongoing
management activities can improve programs by focusing managers'
efforts on improving program implementation.  However, the
reengineered program cannot succeed unless managers accept
responsibility for implementing sound management practices, and
the Agency rewards managers for identifying problems and
improving control systems.

Many of the problems we identified under the prior process
resulted from managers not employing basic management techniques
and not observing Comptroller General standards as required by
the Integrity Act.  We found that while managers performed
Integrity Act process tasks and completed required paperwork,
many managers did not use the Integrity Act process to measure
progress toward program goals and objectives,  detect deviations
from their plans, and take corrective action.   Some managers did
not realize that management controls were the plans, policies,
and procedures they had established to achieve program goals and
objectives and, ultimately, Agency mission.  At times, managers
had not developed or documented controls.  Some managers did not
connect the risk assessment process with selecting which
management control systems to review.  Most managers were not
effectively trained and were not held accountable for treating
controls as a high management priority.
                                8
                                           E1SFE3-07-0101-4100522

-------
                               EPA'a Integrity Act Implementation
THE
              ACT AND STANDARDS CREATE
A FRAMEWORK FOR MANAGING PROGRAMS

The Integrity Act requires agencies to establish and maintain
cost-effective control systems in accordance with Comptroller
General standards to provide reasonable assurance that Government
resources are protected against fraud, waste, mismanagement, and
misappropriation and that activities are effectively and
efficiently managed to achieve agency goals.  To ensure agencies
managed their funds and programs, Congress required agencies to
perform ongoing control system evaluations and to report the
results annually.

The preface to the Comptroller General standards describes the
ultimate benefit of effective management control systems.  It
explains that controls:

     facilitate the achievement of management objectives by
     serving as checks and balances against undesired
     actions.  In preventing negative consequences from
     occurring, internal controls help achieve the positive
     aims of program managers.

Several key standards are directed toward managers' and
employees' activities.  Additional standards require that
controls be developed and documented for all agency management,
financial, program, and administrative activities.

The standards require managers and employees to demonstrate a
positive and supportive attitude toward internal controls and
treat controls as a consistently high management priority.  The
standards recognize that attitude is reflected through managers'
actions concerning agency organization, personnel practices,
communication, and protection and use of resources.

The standards require managers and employees to have skills to
accomplish their assigned duties and an understanding of controls
sufficient to discharge their duties.  They recognize the
importance of performance appraisals and suggest performance
evaluations be based in part on implementation and maintenance of
effective control systems.

The standards require control -systems and -all -transactions and
other significant events to be clearly documented in management
directives, administrative policy, and accounting manuals.  They
require that transactions and events be useful to managers by
                                           E1SFE3-07-0101-4100522

-------
                               EPA7a Integrity Act Implementation
being complete and accurate, tracing an action or event before it
occurs, while it is in process, and after it is completed.  They
require agencies to develop and identify logical and reasonably
complete control objectives for all agency management, financial,
program, and administrative activities compatible with the
agency's organization and division of responsibilities.

The standards require supervisors to guide and train staff to
help ensure that errors, waste, and wrongful acts are minimized
and management directives are achieved.  This includes clearly
communicating duties, responsibilities, and accountabilities to
staff, and reviewing and approving work to ensure work flows as
intended.

The Agency's new process recognizes 10 fundamental principles as
integrity guideposts for good management of all programs and
activities.  OARM based the principles on the Comptroller General
standards.  The principles are:

     0    Develop written strategies, policies, guidance,
          procedures, and performance measures to achieve the
          Agency's mission and safeguard programs and resources
          against waste, loss, unauthorized use,  and
          misappropriation.

     0    Establish an organizational structure and delegate
          authority, responsibility and accountability in
          accordance with Agency guidelines to achieve the
          mission of the organization.

     0    Carry out program activities, consistent with
          established policies, strategies, guidance and
          procedures, and report significant, emerging management
          problems through the chain-of-command to the
          appropriate National Program Manager for action.

     *    Demonstrate personal integrity, provide quality
          supervision, and sustain a level of professional
          competence to accomplish assignments and to ensure that
          management objectives are achieved.

     0    Collect and assure the quality of data and other
          information necessary to manage environmental programs
      .  -.and. continuously—improve the-basis Xor .the. Agency's
          scientific, technical,  legal, enforcement,  or
          management decisions.
                               10
                                           E18FE3-07-0101-4100522

-------
                               EPA7s Integrity Act Implementation
          Separate key duties and responsibilities in
          authorizing, reviewing and approving payment, and
          maintain individual accountability for the custody and
          use of resources.

          Periodically compare written records of actual and
          planned activities for budget expenditures, program
          operations, property inventory, and staffing levels, to
          identify discrepancies and take appropriate action,
          where vulnerabilities exist.

          Use all available information sources to identify and
          routinely assess program areas that are vulnerable to
          fraud, mismanagement, and noncompliance with law.

          Develop and carry out a systematic review strategy,
          comprised of internal program reviews, OI6 audits, and
          GAO studies, to assess the effectiveness of program
          guidance and procedures, and revise, as necessary.

          Promptly determine and carry out management actions to
          correct, within established time frames, significant
          problems identified by internal program, OIG, and GAO
          reviews.
INTEGRITY ACT IMPLEMENTATION WAS PROCESS
RATHER THAN RESUT/TS ORTFNTED

The Agency's Integrity Act procedures should have provided a
satisfactory level of confidence (considering costs, benefits,
and risks) that control systems were achieving desired goals and
objectives.  Agency managers invested a lot of time and effort .
implementing the Integrity Act, but significant management
control weaknesses continued to exist because managers did not
use the process as a management tool.  Agency procedures created
cumbersome lines of authority and a paper-intensive system,
separate from operational activities.  Many managers did not
realize implementing the Integrity Act could help them accomplish
their jobs.
                               11
                                           E1SFE3-07-0101-4100522

-------
                               EPA'a Integrity Act implementation
The Agency's Integrity Act Process
Was Cumbersome And Paper Intensive

Resources Management Directive 2560  (June 4, 1987) outlined
Integrity Act roles and responsibilities based on the assignments
of responsibility prescribed by OMB Circular A-123.  It segmented
the Agency into 22 primary offices.  The Agency designated 266
assessable unit managers, such as division and laboratory
directors, to manage the Integrity Act process.  Offices often
delegated implementing Integrity Act process steps to one or two
Management Control Coordinators (MCC) within the primary offices
and sub-MCCs within the assessable units..

The Agency's process required the 266 assessable unit managers to
prepare numerous documents including extensive control
documentation, annual vulnerability assessments and management
control plans, quarterly progress reports, high risk reports,
management control reviews, material weakness position papers,
and annual assurance letters.  The control documentation
consisted of a list of all program operations and administrative
functions, each activity within the program and administrative
functions, control objectives for each activity, and control
techniques for each objective.  Under this process, control
documentation needlessly duplicated existing Agency plans,
policies, procedures, and guidance.

Managers generally accomplished the process steps, but did not
realize the processes were a means of establishing effective
program management and that the processes should be linked
together.  Managers did not ensure programs and administrative
policies, procedures, and directives were fully developed and
documented to achieve the Agency's mission and goals.  Some
managers did not realize that controls related to program as well
as financial activities.

Where managers understood the intent behind the paperwork
requirements, they performed tasks outside the process which
better met the intent than the actual requirements of the
Agency's process.   Instead of using the required standard
vulnerability assessment form, some managers in the Office of
Solid Waste and Emergency Response (OSWER) analyzed their
programs, priorities and resources and identified potential
obstacles to accomplishing these priorities.  These.managers then
appropriately scheduled control reviews to ensure that the
programs' priorities were achieved.
                                12
                                           E1SFE3-07-0101-4100522
                   \

-------
                               EPA'8 Integrity Act Implementation
Other managers who did not understand the concepts followed the
paperwork requirements and completed the standard vulnerability
assessment form.  However, this form did not lead managers to
identify potentially vulnerable areas within their, programs.
Most managers submitted the completed standard vulnerability
assessments to RMD but did not have any useful results to
identify control weaknesses and make improvements.

Our review of 15 OIG reports  (listed in Exhibits 1 and 2)
disclosed that managers did not prepare complete control
documentation or did not use documented controls.  Complete
programs or functions were often missing from the documentation.
For example, a Headquarters office did not have procedures to
safeguard confidential business information and did not realize
it lacked procedures until it lost several boxes of confidential
information.  In two offices, procedures for issuing permits were
not documented.  Control documentation was also missing for
critical function areas such as data integrity, financial
management system planning and cost tracking, and contracts
management.  An audit of the Agency's sensitive information
systems disclosed that 17 of 29 sensitive information systems
were not included in Headquarters Integrity Act control
documentation.  In 1 region, 14 of 20 managers identified
vulnerabilities and took corrective actions but did not document
the improved controls.  Thus, the region had little assurance
that the corrective actions would be implemented.

At two Headquarters offices, managers had not established •
controls for regional oversight.  Although Agency regulations
state that National Program Managers have overall responsibility
for accomplishing program goals, Headquarters program managers
stated that the Agency is decentralized and they did not have
authority over regional personnel to ensure program policies and
procedures were followed and resources were properly used.  They
did not see this as part of the control systems National Program
Managers need to help ensure mission accomplishment.

The Reengineered Integrity Act Model Simplifies
and Integrates the Agency's Approach
The reengineered Integrity Act model simplifies the Agency's
approach and integrates Integrity Act requirements into managers'
daily management ..activities.  The model .reduces Jthe.Agency's
segmentation from 266 units to 48.  It reduces the number of
reports managers must prepare and incorporates assessing program
                                13
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
vulnerability and creating control review strategies into ongoing
management activities.  It eliminates the requirement for
separate event cycle documentation by requiring managers to
modify program strategic plans, operating guidance, regulations,
policies, and procedures to incorporate the Agency's integrity
principles which are based on Comptroller General standards.

In the new model, the Agency has appropriately recognized the
need for national program leadership.  OARM will develop model
principles for administrative activities such as contracts,
grants, and resource management practices.  Other National
Program Managers are expected to develop program specific
integrity principles to clearly articulate policy priorities,
best management practices, and current guidance in effect.
Managers are required to review and revise written strategies and
guidance to serve as a management control framework for
safeguarding program mission and resources.  The model ties the
process of establishing vulnerabilities with strategic plans,
written strategies, and guidance.  It directs managers to
systematically review programs to assess protection from fraud
and mismanagement and support mission accomplishment.  The new
guidance clearly links controls with mission accomplishment.

Because the new process aligns integrity responsibilities with
day-to-day operations and program planning, budgeting,
operations, fiscal management, and evaluation, program managers
should strengthen accountability for identifying weaknesses
through the chain-of-command,  correct them promptly, and prevent
serious systemic problems.   The new process should greatly
improve integrity results if AAs and RAs respond to the OARM
Assistant Administrator's expectations as outlined in his June 6,
1994, memorandum and hold managers accountable for routinely
identifying systemic problems and correcting them.


GUIDANCE AND TRAINING WERE NOT CLEAR AND COMPLETE
AND MANAGERS WERE NOT HELD ACCOUNTABLE

Managers were not adequately trained to implement effective
management control systems.  Integrity Act implementation
instructions were not always clear and complete.  HMD's basic
guidance and training packages were process-oriented and
examples/forms for several key processes such as segmentation and
vulnerability assessments conflicted with the guidance narrative.
Annual guidance did not always explain how certain processes,
such as corrective action validation, should be accomplished.
                               14
                                           E1SPE3-07-0101-4100522

-------
                               EPA's  Integrity Act  Implementation
Managers were not held accountable or recognized for  supporting
Integrity Act requirements.

Agency managers misunderstood Integrity Act guidance  and
terminology and were unable to apply the processes effectively.
The guidance had not communicated Integrity Act concepts
successfully to Agency managers.  Both regional and Headquarters
program managers said the Integrity Act guidance manual and
fiscal 1992 and 1993 quarterly technical guidance were ambiguous
and confusing, that terminology was not clearly defined, and that
different phases of the process were not linked.

RMD recognized deficiencies in its guidance and reported its
policy directives as a weakness in fiscal 1993.  RMD  planned
revisions to its directives and Agency guidance to demonstrate
linkage between Integrity Act phases, planning and budgeting
phases, and Agency goals and strategic plans, and to  integrate
new regulations such as those implementing GPRA.

Managers had not received adequate Integrity Act training.
Managers complained that neither local nor Headquarters training
provided the necessary information to relay the conceptual
meaning of the different Integrity Act phases and reporting
requirements.  Integrity Act training classes were usually brief
2-hour sessions and were process-oriented.  Managers  did not
receive substantive training in developing controls or in
relating the processes, such as the use of the risk assessment to
identify problem areas for review.  Managers in the offices we
audited explained that they did not fully understand  terminology
used in describing Integrity Act requirements, and therefore, did
not link the phases to their day-to-day operations.   Managers did
not understand completely what was required of them to fulfill
Integrity Act requirements.  In the 3 regions, 55 of  56
individuals did not have Integrity Act training documented in
their files.

RMD developed a new management integrity training package and
presented it to MCCs in June 1993.  MCCs responded positively
that the guidance was needed and helpful.  RMD improved its
quarterly MCC meetings and met more often with program and
regional MCCs simultaneously rather than in separate  meetings as
was its previous practice.  RMD is developing training that
incorporates terminology compatible with managers' knowledge and
is working .with .some .offices .to develop a .comprehensive, long-
term training program.
                                15
                                           E1SFE3-07-0101-4100522

-------
                               EPA's integrity Act Implementation
We did not  find any evidence that individuals were rewarded or
penalized for Integrity Act performance.  We reviewed 128
performance agreements and found that 96 included measures for
Integrity Act performance.  However, the appraisal narratives
were too brief to recognize if managers were held accountable for
their performance.  Without suitable recognition, managers had
little incentive to execute their Integrity Act responsibilities.

HMD's new integrity model differs from the previous Integrity Act
requirements, and managers and employees will require training to
understand  the comparisons.  The new model requires managers to
perform the basic management processes of establishing standards,
measuring performance, comparing performance against standards
and interpreting discrepancies, and taking corrective action.  In
light of the Agency's movement toward employee empowerment,
streamlining, and other management initiatives, it is especially
important that individuals are held accountable for their
performance and appraised and rewarded accordingly.

CONCLUSION

The Agency's former Integrity Act process did not work well
because managers did not relate the requirements to their daily
activities  and were not held accountable for improving their
programs.   RMD has recognized that changing 10 years of
management  perceptions about a process is no small undertaking.
Success of  the new process will involve significant reeducation
for managers to understand and focus on integrity issues as an
integral part of program management responsibilities.  RMD
recognizes  that additional education and training in the new
approach are required and that the Agency will need to devote
additional  resources to this major effort.

The Agency's reengineered model would make management controls
purposeful  and useful if Agency managers understand and properly
apply the principles.  The new guidance appropriately requires
Agency managers to review written strategies and guidance for all
major programs and functions to determine their consistency with
the Agency's management integrity principles  To adhere to the
principles, Agency's plans, policies, procedures, and directives
must describe logical, applicable, and reasonably complete
guidance for performing work processes.  The reengineered
approach can only work if senior managers emphasize management
integrity in meetings, training programs^ -and directives, and
hold managers accountable.
                                16
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
RECOMMENDATIONS

We recommend that the Administrator:

1.   Direct AAs and RAs to hold SROs accountable for providing
     training on the Agency's new integrity process in their
     offices and recognize those who implement and maintain
     effective control systems.  SROs should seek technical
     assistance from OARM, as necessary.

2.   Require AAs and RAs to hold managers accountable through the
     performance appraisal process for identifying and correcting
     weaknesses in the way they carry out their programs and
     achieve results.  They should recognize managers for
     effectively and efficiently implementing Integrity Act
     requirements.

3.   Require AAs and RAs to stress to senior managers and staff
     the mission critical importance of the Agency's reengineered
     integrity process and the Agency's Management Integrity
     Principles; emphasize that the process helps safeguard
     resources and achieve program results.  Incorporate this
     emphasis into specific Integrity Act and overall management
     training courses, management policies and procedures, and
     senior managers' meetings.

4.   Require the AA for OARM to assign sufficient OARM oversight
     staff to bring managers up to speed on the new process and
     ensure the new process is implemented as intended.

5.   Require the AA for OARM to provide basic training to SROs in
     the new Integrity Act approach and the Agency's Management
     Integrity Principles.
                               17
                                           E18FE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
AGENCY COMMENTS AND O1G EVALUATION

OARM generally agreed with the finding and provided comments to
clarify some issues and redirect the recommendations.  OARM
requested that, because responsibility for safeguarding resources
in achieving mission goals goes beyond OARM, the recommendations
be redirected to all AAs and RAs.  Also, OARM requested that
specific recommendations for relating GPRA to integrity issues be
directed to the Office of Policy, Planning and Evaluation.  Other
comments primarily related to adding language to stress the link
between the Integrity Act process and program planning,
budgeting, operations, fiscal management, and evaluation
responsibilities.  OARM commented that RMO recognized the
Integrity Act process was not working much earlier than 1992 and
challenged the report's assertion that HMD could have provided
more effective oversight prior to 1993.  RMD commented that it
attempted to improve the process each year in response to OIG's
annual  audit.  OARM attributed lack of adequate national training
to past and continuing travel and staff resource constraints.
RMD attempted to overcome these constraints by providing training
packages to the regions.

We clarified AA and RA responsibility for Integrity Act
implementation.  As Integrity National Program Manager, OARM
should  work with the Office of Policy, Planning, and Evaluation
to ensure Integrity concepts are appropriately integrated into
GPRA implementation.  OARM is primarily responsible for educating
the national and regional offices in the reengineered process and
overseeing its implementation.  As part of its initial training
and awareness sessions, OARM should highlight the findings in
this report to encourage managers to avoid the cited problems in
carrying out the reengineered Integrity Act process.

OIG applauds the Agency in its initiatives to integrate the
Integrity Act process with program and administrative management.
We added OARM'S recommended language to explain the new process
and its links to administrative management.  However, OARM's
response to the draft report appeared to focus more on
administrative management than day-to-day program operations.
Although both are important, OARM will need to stress how
managers can integrate the Integrity Act process with daily
activities in its training and guidance, because many managers
did not make this connection using the old process.
                                18
                                           E1SFE3-07-0101-4100522

-------
                               EPA*a Integrity Act Implementation
We believe that the major efforts to overhaul the Integrity Act
process did not start until 1993.  Also, while OIG recognizes
RMD's limited resources, the training packages provided to the
regions focused on process and did not provide managers
sufficient technical assistance to meaningfully assess their
program and function controls.
                               19
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
                            CHAPTER3

            IMPROVED CONTROL REVIEWS AND REPORTING
                CAN PREVENT PROBLEM ESCALATION

The Agency demonstrated senior management commitment to
identifying its material weaknesses by establishing a Senior
Council on Management Controls (now known as the Senior
Leadership Council) in 1989 to focus top management attention on
management integrity issues.  The Council appropriately sought
input from OIG, GAO, OMB, and senior managers to help identify
its material weaknesses.  Although the Agency reported 18
material weaknesses in fiscal 1993, the majority of the
weaknesses were not discovered through managers' control
assessments which flowed through the Agency's chain-of-command to
the senior managers.  Managers reported weaknesses to RMD rather
than through the Agency's management structure to the national
program and function offices where further analysis or policy and
guidance changes could have corrected problems or prevented
problem escalation.  Managers did not use the Integrity Act
process as an early warning system to identify and correct
weaknesses before they escalated to the material weakness levels
identified by external reviews.   As a result, the Agency's
Integrity Act process did not prevent control weaknesses from
escalating or improve the economy and efficiency of operations.
Instead, material weaknesses,  once detected,  required significant
resources to correct.
OMB PROMOTES AN EFFECTIVE MANAGEMENT
CONTROL PROGRAM

In accordance with the Integrity Act and OMB Circular A-123,  each
executive agency must annually evaluate its system of internal
accounting and administrative controls and report to Congress and
the President on whether its internal control systems comply  with
the goals of the Act.  If systems do not comply,  the agency head
must identify material weaknesses and present plans for
corrective action.  OMB encourages managers to utilize external
reviews, such as DIG and GAO audits and internal  management
reviews in managers' assessment of controls.  However,  recent OMB
draft guidance stresses that the external reviews be incorporated
as part of a self assessment and weaknesses fee reported through
the agency chain-of-command structure.   Each supervisory level
should determine and report the materiality of the weakness to
the next level.
                               20
                                           E1SFE3-07-0101-4100522

-------
                               EPR'a Integrity Act implementation
The Agency requires regional and national program offices to
submit annual assurance reports to identify potential material
and Agency-level weaknesses.  The offices' reports must describe
any material weaknesses disclosed by any management control
evaluations or other reports, the action plans for correcting the
weaknesses, and the status of actions taken to correct any
weaknesses identified in any prior year reports.


THE AGENCY REPORTED WEAKNESSES IDENTIFTFT)
IN EXTERNAL REVIEWS                                 .

The Agency did not identify its weaknesses through the Integrity
Act process.  Weaknesses were identified primarily by external
auditors or by managers during meetings or through managers'
judgment.
                                  f
The Agency reported 18 material weaknesses to the President and
the Congress in fiscal 1993, but the majority of the weaknesses
were identified externally.  OIG and 6AO identified 11 of the 18
weaknesses (over 60 percent).  While the Agency appropriately
reported weaknesses identified by external sources, program
managers did not review external audit findings as an initial
step in assessing the full extent of Agency management control
weaknesses.

Likewise, national and regional program managers in four of the
five offices we reviewed did not routinely identify material or
Agency-level weaknesses through the Integrity Act process.  They
primarily identified weaknesses through external reviews and
activities such as management meetings and studies.  Because
managers identified weaknesses through discussion and not by
testing controls,  they could not sufficiently determine the
extent of the weakness.
          One region did not report any weaknesses prior to
          fiscal 1993.

          One national program office identified more than half
          of its fiscal 1992 and 1993 weaknesses (14 of 26)
          through external reviews.  Others were identified
          through managers' judgment and meetings.

          One region-identified 21 of its 49 fiscal 1991 and 1992
          weaknesses through external reviews.   One weakness was
          identified through the Integrity Act
                               21
                                           E1SFE3-07-0101-4100522

-------
                               EPA*s Integrity Act Implementation
          process and 27 were identified primarily through
          discussions, meetings, or "insight into operations."

     0    Another region identified at least 7 of its 11 fiscal
          1992 weaknesses reported outside the Integrity Act
          process.  One of the seven was determined through
          external reviews and the other six through methods
          other than testing documented controls.

The new model encourages managers to rely on all information
sources to evaluate the effectiveness of controls.  It cautions
that managers should not rely exclusively on external reviews to
assess existing or potential vulnerabilities, but must conduct
their own reviews which test controls to ensure timely and
adequate information on which to base their assurance statement.
Also, it stresses that managers should use their judgment and
experience as the first step in identifying vulnerable areas for
review.  Managers then should develop a review strategy to focus
on these vulnerable areas.  The guidance appropriately states,
"Reviews, whether conducted by internal or external sources, must
involve actual tests to determine effectiveness of guidance and
procedures."


MANAGERS NEEDED TO REPORT WEAKNESSES
THROUGH THE ORGANIZATIONAL CHAIN

The Agency did not effectively use the Integrity Act process to
identify and report the full extent of its weaknesses.  Agency
managers did not use a building block process to report
weaknesses beyond the primary organization head through the
organizational chain so that the overall magnitude of the
weaknesses could be assessed.  Managers only reported weaknesses
that were material at the Agency or Presidential level.

Regional and program offices reported 174 Agency-level and
material weaknesses, but did not always report these and other
identified .weaknesses to national program offices with authority
to take action and determine the overall extent of the weakness.
When regional offices did report weaknesses requiring
Headquarters action to national program offices, Headquarters
personnel did not always take appropriate action.  Additionally,
RMD did not have a formal process for disseminating reported
weaknesses to program and rfunction managers who-might have an
interest or responsibility to evaluate the weaknesses and
initiate corrective actions once the full extent of the
                               22
                                           E1SFE3-07-0101-4100522

-------
                               EPA7s integrity Act Implementation
weaknesses was determined.  Thus, progressively senior managers
with a broader perspective on the Agency's mission did not have
the opportunity to exercise their judgment regarding the extent
and impact of program and function weaknesses.  Also, managers
could not benefit from compensating controls developed by other
regional or national program offices.

RAs and National Program Managers reported their weaknesses
directly to the Deputy Administrator with copies to RHD.  The
weaknesses did not flow between the regional offices and the
national program offices or across media lines.  RMD had an
informal process for relaying weaknesses that were not reported
in AA and RA assurance letters to national program offices, but
the process did not appear to be effective.  RMD's informal
process for advising National Program Managers of unreported
weaknesses may have allowed regions and National Program Managers
to avoid taking prompt action to assess the full extent of weak
controls and report material weaknesses.  As a result, the Agency
did not always report its material weaknesses in a timely manner
or require all potentially impacted managers to evaluate their
controls for similar
weaknesses and take
appropriate corrective actions
to remedy the weaknesses.  For
the Agency to identify the
full extent of system
weaknesses and determine if
weaknesses were fully
corrected, managers at each
level needed to evaluate the
controls they were responsible
for implementing and report
all weaknesses that were
material to their operations,
not just Presidential-level
weaknesses.
                                    THE  BUILDING  BLOCK PROCESS
Managers in one region
identified weaknesses in 1992
in air program and policy
guidance for implementing and
enforcing the Clean Air Act Amendments (CAAA).  Regional managers
developed ..and implemented, added .procedures .txs..comply ..with new
CAAA while awaiting national air program policy and guidance.
However, the region interpreted the Agency's Integrity Act
                               23
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
guidance as not requiring it to report the lack of policy and
guidance as a weakness nor problems encountered in enforcing air
program requirements.  If regional managers had reported the
weaknesses and corrective actions, national and other regional
program managers could have bene fitted from an early warning of
potential material weaknesses in the Clean Air program, assessed
the weakness Agency-wide, and possibly shared the region's.
compensating controls as a best practices approach.

RMD and the national program offices did not always follow up on
reported Agency-level and material weaknesses to determine how
prevalent the problems were and correct the problems Agency-wide.
Two OIG audit reports (listed in Exhibit 2) disclosed that
environmental research laboratories in Athens, Georgia, and
Corvallis, Oregon, did not assess their management controls over
extramural resources even after the Headquarters Office of
Research and Development (ORD) reported management of extramural
resources as a material weakness in 1990.  Extramural resources
accounted for nearly 70 percent of total ORD funds.  Audit
reports issued 3 and 4 years after ORD reported extramural
resource weaknesses noted that the laboratories did not identify
the weaknesses because the laboratories had not established
effective controls over extramural resources and evaluated the
controls.

RMD's reengineered Integrity Act model indicates managers will
only report material and Agency-level weaknesses which require
the attention of the Administrator.  The new guidance does not
clearly stress the benefit of reporting weaknesses up and down
the organizational chain and across media lines.  The guidance
should stress following the organizational chain to report all
weaknesses so that National Program Managers can determine
whether the weakness should be assessed Agency-wide or best
practices for compensating controls can be shared with other
potentially impacted Agency offices.
MANAGERS SHOULD HAVE IDENTIFIED WEAKNESSES
THROUGH CONTROL REVIEWS

Managers generally did not identify weaknesses through control
reviews because they did not test controls to see if programs and
functions were operating as intended.  In part, managers did not
test controls because they did not know Trtrat -a -control review
entailed.  Although Agency written guidance specifically
identified criteria for control reviews, some Agency managers
                               24
                                           E1SFE3-07-0101-4100522

-------
                               EFA's  integrity Act  Implementation
 said they were verbally encouraged to count activities which did
 not test controls as control reviews.  As a result, the Agency's
 success in  identifying all  its significant weaknesses was
 severely limited as indicated by the number and severity of
 weaknesses  identified through audit findings.

 Many control reviews did not appropriately test controls nor meet
 OMB criteria.  For fiscal 1992, the Agency reported to OMB that
 it performed 796 control reviews and planned to complete 909
 reviews in  1993.  We reviewed 67 control reviews for 1990, 1991,
 1992, and 1993 for compliance with OMB requirements and found
 that 50 reviews, or 75 percent, did not meet basic requirements
 such as testing controls and documenting the results.

 Thirteen OIG audit reports  issued between September 30, 1991, and
 1994 identified improvements needed in control reviews.  Eleven
 of these reports stated managers did not plan or perform reviews
 over controls that the auditors found deficient.  Two of the
 reports stated that managers did not document reviews and,
 consequently, could not be  certain that identified weaknesses
were included in an Integrity Act report.

 OIG reports cited various reasons for reviews not testing
 controls.  Some managers had not learned what a control review
 entailed or considered control reviews unnecessary.  Other
managers commented that they:  (l) thought MCCs were responsible
 for conducting reviews, (2)  considered management control reviews
a financial function and their staff were not financial experts,
 (3) did not understand the purpose of reviews, and (4)  did not
know the difference between control systems and control reviews.
HMD may have contributed to managers' confusion regarding the
purpose and definition of control reviews.

RMD's manual clearly and accurately described the step-by-step
process for performing a control review.   However, some managers
said that prior to 1993,  RMD had verbally advised them to count
as many activities as possible as alternative control reviews.
Regional managers continued this practice beyond 1993.   As a
result,  regions and Headquarters program offices inappropriately
counted activities which did not test controls and thus did not
result in improved controls.

     0    Three regions counted activities which were really
        ..controls rather .than reviews. —For..example,  two regions
          counted annual quality assurance assessments as control
          reviews.   The regions should have determined whether
                               25
                                           E1SFE3-07-0101-4100522

-------
                                   a Integrity Act Implementation
          the quality assurance assessments were performed, met
          the testing requirements, and resulted in corrective
          actions.  Instead, they counted the control as the
          review.

     0    Two regions counted Headquarters reviews as control
          reviews.  However, the reviews were general discussions
          with personnel regarding goals and did not test
          controls.

     o    jn other instances, offices counted activities such as
          a written justification to OMB for program
          continuation, a compilation of policy memorandums,
          status reports, and management briefings as control
          reviews.  None of these activities tested controls.

In response to a 1990 OIG audit of the Agency's 1989 Integrity
Act activities, OSWER initiated annual reviews of its control
review process.  Reviewers provided informal feedback to managers
on the quality of their control reviews and how to improve them.
In 2 years, the number of reviews meeting control review
requirements increased from 39 percent to 75 percent.

The new Integrity model reminds managers that they cannot rely
exclusively on external reviews to assess vulnerabilities.  They
must conduct their own reviews and perform actual tests to
determine if guidance and procedures are followed and working to
efficiently accomplish their mission.  As stated in the new
guidance, this is necessary "to ensure timely and adequate
information on which to base their statement of assurance."  The
model contains general criteria for selecting, conducting, and
documenting program reviews and developing corrective action
plans.  In order for their program reviews to be effective,
managers will need formal training on the control review process
that illustrates how to perform transaction tests and document
test results.
CONCLUSION

The Agency's reengineered Integrity Act approach can improve
procedures for identifying weaknesses and reduce the number of
excess reviews planned and reported, but managers must also
improve their examinations of their operations.  Managers'
program reviews must test plans, policies, and procedures and
determine if Agency personnel promptly and properly recorded
                               26
                                           E1SFE3-07-0101-4100522

-------
                               EPA's Integrity Act Implementation
management actions; executed the management actions in accordance
with applicable laws and regulations; adequately separated duties
to ensure a system of checks and balances; and applied sufficient
supervision.  Weaknesses must be identified, reported, and
corrected at each level to determine the extent of weaknesses,
establish accountability, and provide early detection and
correction.                                           -

The new integrity process relies more on management judgment and
accountability than the previous process.  Senior Agency
officials should stress the importance of integrating management
integrity into each manager's day-to-day operations.  Managers
must be educated in their responsibilities under the new process,
and how to carry them out.  But beyond this, managers will need
ongoing technical assistance from OARM and reinforcement from the
Senior Leadership Council to ensure success.

RECOMMENDATIONS

We recommend that the Administrator require AAs and RAs to:

1.   Hold SROs accountable for developing annual systematic
     review strategies to evaluate guidance and procedures in
     identified vulnerable areas and include documented program
     review results and recommendations.  When new weaknesses are
     identified through external review, SROs should improve
     their systems to detect such vulnerabilities through the
     integrity process in the future.

2.   Direct SROs to base corrective action and validation of
     current material weaknesses on assessment in the field as
     well as at the Headquarters level.

3.   Direct SROs to develop guidance and procedures for reporting
     weaknesses and suggested corrective actions through the
     organizational structure which includes requiring managers
     to report weaknesses in writing to National Program
     Managers.                                            '•>'

4.   Assess and document the overall magnitude of weaknesses and
     corrective actions reported to them by managers throughout
     the Agency.
                               27
                                           E1SFE3-07-0101-4100522

-------
                               EPA'a Integrity Act Implementation
AGENCY COMMENTS AND OIG EVALUATION

OARM disagreed with several assertions in this finding.  RMD
commented that the annual guidance in 1990, 1991, and 1993
specifically identified criteria for reviews to be listed in the
management control plan.  OARM disagreed that RMD did not have a
formal process for reporting weaknesses through the chain-of-
command and for HMD's analysis of weaknesses submitted in the
annual assurance letters.  OARM did not concur with the report's
assertion that the new Integrity Act guidance does not provide
managers a clear understanding of the importance and advantages
to reporting weaknesses up and down the organizational chain and
across media lines.  OARM challenged the validity of the accounts
receivable issue as an example of ineffective chain-of-command
reporting, and pointed out actions taken by the national program
manager in 1990 and 1991 as appropriate actions to improve
accounts receivable problems within the Agency.  OARM expressed
concern that OIG did not acknowledge management judgment as an
important part of the reengineered process.

While annual guidance may have provided criteria for listing
reviews in the management control plan, several managers told us
that RMD verbally encouraged them to report other activities
which would not meet the A-123 criteria for management control
reviews and alternative management control reviews.  OIG
disagrees that RMD had a formal process for raising weaknesses to
other program offices.  Although written guidance encouraged such
reporting, again verbal guidance either conflicted with the
written guidance or confused managers regarding what should be
reported.  OARM may not have understood our intent in the
accounts receivable example, so we deleted it from the final
report.  One of the main points intended in this chapter is that
National Program Managers need to encourage the identification
and widespread reporting of potential weaknesses to help them
timely assess what action needs to be taken to correct weaknesses
and to share actions managers may be taking to compensate for the
weaknesses until more permanent action can be taken.
                               28
                                           E1SFE3-07-0101-4100522

-------
                EPA's integrity Act Implementation
                                         EXHIBIT 1.
AUDITS OF INTEGRITY ACT IMPLEMENTATION
Report Title
and Number
1. Region 7's
Implementation of the
Federal Managers'
Financial Integrity Act
(FMFIA)
E1RMF2-07-0134-3 100148

2. Region 1's
Administration of the
Federal Managers'
Financial Integrity Act
E1RML3-07-0011-3100322

3 . Region 8 ' s
Implementation of the
Federal Managers'
Financial Integrity Act
E1RML2-08-0091-3100326

4. OSWER's
Implementation of the
Federal Managers'
Financial Integrity Act
E1SFE3-07-0101-4100224

5. Office of Water's
Implementation of the
Federal Managers'
Financial Integrity Act
E1AME4-07-0024-4 100236
Report
Date
3/30/93

8/23/93

8/24/93

3/28/94

3/31/94
Location
Kansas City, Kansas

Boston ,
Massachusetts

Denver , Colorado .

Washington, DC

Washington , DC
                29
                            E1SPE3-07-0101-4100S22

-------
                EPA's Integrity Act  Implementation
                                         EXHIBIT  2
DIG AUDITS WITH INTEGRITY ACT FINDINGS
Report Title and Number
1. SPECIAL REVIEW OF THE FACILITIES
MANAGEMENT & SERVICES DIVISION'S SECURITY
& PROPERTY MANAGEMENT BRANCH
E1PMG1-13-0038-2400022

2. CONTRACT MANAGEMENT /EPA Needs to
Strengthen The Acquisition Process For
ADP Support Services Contracts
E1NMF1-15-0032-2100300
N
3. SOFTWARE INTEGRITY /EPA Needs to
Strengthen General Controls Over System
Software
E1NMF1-15-0055-2100591

4. EPA'S MANAGEMENT OF COMPUTER SCIENCES
CORPORATION CONTRACT ACTIVITIES
E1NME1-04-0169-2100295

5. SPECIAL REVIEW ON FOLLOW UP OF CERCLIS
REPORTING AND POST-IMPLEMENTATION
E1SFG1-15-5001-2400027

6. COMPUTER SYSTEMS INTEGRITY: EPA Must
Fully Address Longstanding Information
Resource Management Problems
E1NMF1-15-0032-2100641

Report
Date
3/92

3/31/92

9/22/92

3/31/92

3/27/92
<->

9/28/92

                30
                           E1SFE3-07-0101-4100522

-------
EPA's Integrity Act Implementation
7. FOLLOWUP REVIEW ON EPA'S EMERGENCY
SUSPENDED AND CANCELED
PESTICIDE PROGRAM
E1EPG2-05-6008-3400030

8. MANAGEMENT OF EXTRAMURAL
RESOURCES/OFFICE OF RESEARCH AND
DEVELOPMENT/ ENVIRONMENTAL RESEARCH
LABORATORY /ATHENS, GEORGIA
E1JBF2-04-0300-3100156

9. FISCAL 1992 FINANCIAL STATEMENT AUDIT
OF THE PESTICIDES REVOLVING FUNDS
E1EPL2-20-7001-3100265

10. FISCAL 1992 FINANCIAL STATEMENT AUDIT
OF THE SUPERFUND TRUST FUND, LEAKING
UNDERGROUND STORAGE TANK TRUST FUND AND
ASBESTOS LOAN PROGRAM
P1SFL2-2 0-8001-3 1002 64

11. REVIEW OF REGION 9 SUPERFUND PROGRAM
ACCOMPLISHMENTS FOR FISCAL 1992
E1SFR3-09-0101-380006

12. CONSOLIDATED REPORT ON FISCAL 1992
CERCLIS DATA INTEGRITY
E1SFF3 -11-0016-3 1003 92

13. MANAGEMENT OF ASSISTANCE AND
INTERAGENCY AGREEMENTS /OFFICE OF RESEARCH
AND DEVELOPMENT/ ENVIRONMENTAL RESEARCH
LABORATORY/ CORVALLIS , OREGON
E1FBF3-10-0069-4100214

3/26/93

3/31/93

6/30/93

6/30/93

8/12/93

9/29/93

3/21/94

31
            E1SFE3-07-0101-4100522

-------
EPA's Integrity Act Implementation
14. FISCAL 1993 FINANCIAL STATEMENT AUDIT
OF THE PESTICIDES REVOLVING FUNDS, AND
THE OIL SPILL TRUST FUND
E1AML3-20-7001-4100230

15. AUDITORS' REPORT ON FISCAL 1993
FINANCIAL STATEMENTS FOR THE SUPERFUND
TRUST FUND, LEAKING UNDERGROUND STORAGE
TANK TRUST FUND AND THE ASBESTOS LOAN
PROGRAM
P1SFL3-20-8003-4100231
i
16. MANAGEMENT OF COOPERATIVE
AGREEMENTS /OFFICE OF RESEARCH AND
DEVELOPMENT/ ENVIRONMENTAL RESEARCH
LABORATORY /GULF BREEZE, FLORIDA
E1JBF2-04-0386-4100237

17. DRAFT REPORT OF AUDIT — INTEGRATED
FINANCIAL MANAGEMENT SYSTEM
E1NMF3 -15-007 3-
3/31/94

3/30/94

3/31/94

5/09/94
32
            E1SFE3-07-0101-4100522

-------
                                                                      Appendix  1
                                                                      Page  1 of 2
                  UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                                WASHINGTON, D.C. 20460
                                  27 JUL  1994
                                                                          OFFICE OF
                                                                        ADMINISTRATION
                                                                        AND RESOURCES
                                                                         MANAGEMENT
MEMORANDUM

SUBJECT: .  Response to Draft Report on EPA's Integrity Act Implementation
             Audit Report No. E1AME4-07-0024-XXXXXX
FROM:
TO:
             Comptroller (3301)
Michael Simmons
Associate Assistant Inspector General
 for Internal and Performance Audits (2421)
      Thank you for the opportunity to review and comment on the Office of Inspector
General's (OIG) draft audit of EPA's Integrity Act implementation.  We appreciate the
auditors' work with OARM during the audit to keep apprised of and support our efforts to
reengineer EPA's management integrity process, consistent with the Administration's
National Performance Review (NPR).  We recognize the OIG's considerable challenge to
audit the "old FMFIA" within a context of such great change and to develop effective
recommendations that support the Agency's new integrity direction.

      We have provided comments on the draft report to clarify findings, strengthen
recommendations, and reinforce the audit's support for EPA's new vision of integrity as a
fundamental tenet of integrated program planning, budgeting, fiscal management, and
evaluation.  Our major comments are summarized below, with supporting examples attached.

Emphasize Integrity Role in Current Context of Change and  Accountability Framework

      We commend the OIG's efforts to identify and discuss linkages among Integrity Act,
Government Performance andResults~Act(GPRA) wd.Chief-Finandal Officers Act (CFO)
requirements as part of the Agency's management accountability framework.  Last year's
enactment of the GPRA  and issuance of the NPR recommendations gave OARM the
opportunity to radically  rethink the Agency's integrity process. Our goal was to eliminate
the separate administrative stovepipe process and integrate responsibilities for prompt
detection, correction and prevention of problems in program planning, budgeting, fiscal
management, and evaluation.
                                         33
                                                                    Rtcycled/Rvcyclabto
                                                                    PrinM with Sey/dnof* ink on pipac that
                                                                    contain* MIMM 50% r*cyOM "Mr
                                                         E1SFE3-07-0101-4100522

-------
                                                        Appendix  1
                                                        Page  2 of 12
      We suggest that your final report discuss these significant events, which occurred
during the 1992-1994 audit focus, to establish a clearer context for understanding why the
Agency decided to reengineer the integrity process.  We believe that the draft report's
findings and recommendations do not sufficiently relate the role of EPA's new process within
the framework of integrated Agency-wide strategic planning and goal-based budgeting to
strengthen management accountability for results.  This understanding is critical to managers'
successful implementation of EPA's reengineered integrity process.

Clarify Audit Focus on Program^Not Financial. Management Integrity Implementation

      We suggest that your final report explicitly establish at the outset that its primary
focus is on program managers' implementation of the Integrity Act.  We believe that the
report, as written, does not apply to financial management under Section 4.  For example,
the report should acknowledge the existence of EPA's Financial Management Quality
Assurance Program and its policy oversight, guidance and training role working with Agency
Financial Management Officers (FMOs) and Senior Resource Officials (SROs) to carry out
CFO and Integrity Act requirements.   EPA trains FMOs, conducts financial internal control
and systems reviews, and assesses overall financial management operations in annual Quality
Assurance Reviews and reports on these assessments in Integrity Act assurance letters.

Clarify Relationship of OMB/GAO Policy Requirements to EPA Guidance. Past and Present

      We suggest that the final report clearly state that EPA's integrity guidance has
consistently promoted compliance with requirements of Office of Management and Budget
(OMB) Circular A-123 and General Accounting Office (GAO) Standards for Internal Control
in the Federal Government.   Your draft report gives the mistaken impression that integrity
requirements associated with EPA's Resource Management Directive 2560 (described on
page 8) do not derive from OMB Circular A-123 or the GAO standards.  We suggest that
your final report consolidate discussion of the Integrity Act and OMB and GAO requirements
in Chapter 1, identify the consistency of Resource Management Division (RMD) integrity
guidance with these  requirements,  and distinguish between that guidance and managers'
response in implementing it.

       Your draft report attributes problems with the Agency's old integrity process to
segregating responsibilities from other management activities and not observing GAO
standards (page iii; Chapter 2, page 6).  We believe that your final report should also
acknowledge ongoing Agency efforts to strengthen integrity as a critical part of basic
management practices... These include the Administrator^ and her Senior Leadership
Council's attention to integrity as part of the Agency's overall management agenda, policy
memoranda from the Deputy Administrator and OARM senior management, and RMD
annual guidance and corrective actions taken in response to annual OIG special reviews of
the Agency's Integrity Act implementation.
                                        34
                                                          E1SFE3-07-0101"4100522

-------
                                                                     Appendix  1
                                                                     Page  3 of 12
       We suggest that your final report reinforce its stated support for EPA's new integrity
process as more responsive to GAO standards and OMB guidance (pages ii and 4) through
concrete examples of management action in program planning, budgeting, fiscal
management, and evaluation.  Chapter 3 in particular seems to reinforce the old segregated
paradigm in its discussion of the "Integrity Act process" and "control reviews" to identify
problems.

                     expectations of EPA's New Integrity Process

       We concur with your draft report observations linking success of EPA's new integrity
process and past problems with Agency managers' understanding how their Integrity Act and
program management responsibilities relate.  We strongly recommend reorganizing your
audit report to consolidate discussion of the old and new processes and clearly distinguish
them from each other.  We note factual inaccuracies in the draft report's summary of EPA's
new integrity requirements, as identified in Attachment 2. We recommend correcting these
errors and increasing discussion of integrity requirements' impact on program management
responsibilities.

       We appreciate the many draft report endorsements of EPA's new integrity approach
and suggest deleting the final statement on page 20 that "the Agency's reengineered Integrity
Act process is highly vulnerable."  We believe that you  should replace this statement with
specific actions needed to ensure the success of EPA's new process as part of the integrated
accountability framework supported by the OIG, OMB,  and the Agency.

Redirect Recommendations to  Focus on Agency-wide Management Accountability

       As your draft report concludes, responsibility for safeguarding resources in achieving
mission goals goes beyond OARM to all Assistant and Regional Administrators. We believe
that directing the draft report recommendations solely to the AA/OARM limits its value in
promoting Agency-wide accountability for sound management controls.  We suggest that the
final report be transmitted to, and direct recommendations to, all AAs and RAs, with specific
actions directed to the AA/OARM and the AA/OPPE to ensure that EPA's GPRA
implementation (e.g., strategic planning, goal-based budgeting) addresses integrity issues.
                                                                      t
       We appreciate your consideration of cur comments in preparing your final report.
We look forward  to meeting with you to discuss our response and resolve any outstanding
issues. Please contact me at 260-9674, or have your staff call Kathy  Sedlak O'Brien at
260-9650 to arrange a meeting at a mutually agreeable time.

Attachments

cc:    Jonathan Z. Cannon (3101)
       David M.  Gardiner (2111)
       Sallyanne Harper (3101)
                                       35
                                                              E1SFE3-07-0101-4100522

-------
                                                            Appendix  1
                                                            Page  4  of  12
                                                               ATTACHMENT 1

      RESPONSE TO RECOMMENTATIONS IN DRAFT AUDIT REPORT ON
                  EPA'S INTEGRITY ACT IMPLEMENTATION
                             DATED JUNE 29, 1994

SUGGESTED NEW RECOMMENDATIONS

We recommend that the Assistant Administrator for OARM:

1.    Incorporate guidance and procedures for EPA's reengineered integrity process into the
      Administrator's policy and Budget Division's technical call memoranda to promote
      effective integration with the goal-based budgeting process.

2.    Provide technical assistance  and training to  SROs in instituting EPA's new integrity
      requirements in their offices as an integral part of program planning, budgeting, fiscal
      management, and evaluation.

3.    Ensure sufficient staff resources to  oversee and assess Agency-wide  implementation of
      reengineered integrity process.

We recommend that the Assistant Administrator for OPPE:

1.    Ensure that the Agency's strategic planning and GPRA implementation processes
      address financial and management integrity priorities.

2.    Integrate requirements of EPA's reengineered integrity process, specifically those that
      pertain to developing and evaluating program strategies and guidance, into relevant
      Agency guidance memoranda and program evaluation curriculum.

CHAPTER 2 RECOMMENDATIONS
[Note:  We recommend that the following recommendations be redirected to AAs and RAs.]

Recommendation

1. Advise National Program Managers and senior Agency managers to stress to  their staffs
that Integrity Act implementation is mission critical.  Incorporate this emphasis into specific
Integrity Act and overall management training courses, management policies and procedures,
and senior managers' meetings.

•    Response:  All AAs and RAs need to stress to their senior managers and staff the
      importance of Integrity Act responsibilities in achieving the Agency's mission. AAs
      and RAs are accountable for timely completion of requirements in OARM's June 6,
      1994 Integrity Act guidance.  AAs  and RAs should work together in this effort and
      advise OARM of progress and barriers.  We suggest changing the recommendation to
      read: Advise senior managers and staff on  the mission critical importance of EPA's
                                     36
                                                          E1SFE3-07-0101-4100522

-------
                                                                Appendix  1
                                                                Page 5  of  12
      importance ofEPA's reengineered integrity process to safeguarding resources and
      achieving results as an integral pan of program planning, budgeting, fiscal
      management, and evaluation.

Recommendation

2. Provide basic training to SROs in the new Integrity Act approach.  Stress that SROs are
responsible for providing Integrity Act training to their offices.

*     Response:  We suggest changing the recommendation to read:  Hold SROs
      accountable for providing training on EPA's new integrity process in their office.
      SROs should seek technical assistance from OARM, as necessary, in providing
      training that includes: basic Integrity Act elements as a management tool for
      preventing problems; the relationship of these elements to program planning,
      budgeting, fiscal management, and evaluation; understanding ofEPA's Management
      Integrity Principles in developing and revising guidance as Agency's management
      control framework; development of program-specific integrity principles and
      systematic review strategies; assessment of guidance and procedures in program
      reviews.

Recommendation

3. Ensure that training includes the principles of management controls and ensure that
managers and employees understand the intent and use of good management processes for
resource protection and effective and efficient mission accomplishment. Stress the early
importance of early identification of potential problems and the need for correction before
problems become critical and affect mission accomplishment.

*     Response:  Suggested changes to recommendation 2 incorporate this recommendation.

Recommendation

4. Ensure sufficient staff is available to bring managers up to speed on the new process and
to be sure the new  process is implemented as intended.

•     Response;  This recommendation applies  to AAs  and RAs as written.

Recommendation

5. Hold managers accountable through the performance-appraisal-pfocess-for identifying and
correcting weaknesses in the way they carry out their programs and achieve results.
Recognize managers for effectively and efficiently implementing Integrity Act requirements.

o    Response: This  recommendation applies  to AAs  and RAs as written.
                                          2

                                         37
                                                               E1SFE3-07-0101^100522

-------
                                                                  Appendix  1
                                                                  Page 6  of  12
CHAPTER 3 RECOMMENDATIONS
[NOTE: We recommend that the following recommendations be redirected to Ms

Recommendation
1. Advise SROs to ensure that managers implement the new Integrity Act guidance for
assessing controls.  SROs should ensure that managers fully document program review
strategies and results.

•    Response:  We suggest changing the recommendation to read: Hold SROs
      accountable for developing annual systematic review strategies, that include
      documented results and recommendations of program reviews, to evaluate guidance
      and procedures in identified vulnerable areas.

Recommendation

2. For those management problems and weaknesses brought to management's attention from
external sources (e.g., OIG, GAO and other reviews), and accepted by management for
corrective action, SROS should assess and document why their program review strategy did
not discover the problem or weaknesses, and modify their strategy accordingly.

•    Response:  We suggest deleting this recommendation. EPA's new integrity process
     - requires NPMs and Regions to develop systematic review strategies that include both
      external and internal reviews to examine their identified vulnerabilities.  By
      definition, offices may use external review results to inform their judgment on needed
      corrective actions to address a program vulnerability.

Recommendation

3. Advise National Program Managers to ensure that corrective action and validation of
current material weaknesses is based on assessment in the field as well as at the Headquarters
level.

•    Response:  This recommendation applies to AAs and RAs as written.

Recommendation

4. Ensure that Agency guidance and procedures for reporting weaknesses and suggested
corrective actions through the organizational structure includes requiring managers to report
weaknesses in writing to the- National Program Manager. National Program Managers
should assess the overall magnitude of reported weaknesses and corrective actions or
document the rationale for not reporting the weaknesses.

•    Response: This recommendation applies to AAs and RAs as written.
                                       38
                                                            E1SFE3-07-0101-4100522

-------
                                                           Appendix  1
                                                           PAge  7 of  12
                                                                ATTACHMENT 2
               FACTUAL INACCURACIES IN DRAFT REPORT ON
                   EPA'S INTEGRITY ACT IMPLEMENTATION
                              DATED JUNE 29, 1994
UNSUPPORTED GLOBAL CONCLUSIONS BEYOND THE SCOPE OF REPORT

      Several statements and assertions in the draft report refer to periods prior to the
audit's specified focus of 1992 to 1994. Additionally, several of these statements are
factually inaccurate.  We recommend that the OIG remove the statements from the report or
rewrite them to be factually correct.  If the assertions are based on the auditors' beliefs, then
the report should reflect this.

      We recommend that the final report include the word "most" or "some" for global
conclusions not supported in fact, e.g., "Managers responded to...but did not relate the ,
process to management control system improvement." (page iii, 51).  Other examples can be
found on page 6, 12, last sentence; page 9, 12, last sentence; and page 18, 13, sentence 1.

AGENCY-WIDE AA/RA MANAGEMENT ACCOUNTABILITY
      The draft audit makes several statements that assign responsibility to the "Agency" for
holding managers accountable (page iv, 13, last sentence; page 10,13, last sentence; and
page 13, 11, last sentence.)  Yet the draft report directs recommendations to the AA/OARM
who has direct line authority for holding only OARM managers accountable. We
recommend that the final report replace "Agency" with AAs and RAs or SROs, as
appropriate, to emphasize Agency-wide accountability for Integrity Act implementation.

OMB AND GAP POLICY GUIDANCE

      The final report should discuss  OMB Circular A-123, Internal Control Standards
(Revised 1986) requirements in greater detail since they provide the basis for the audit (page
2, 12). The final report should identify A-123 reporting requirements to point out the close
link with EPA's reporting procedures prior to reengineering (page 8, 13).  In addition, the
audit should correctly report that OMB issued its Guidelines in December 1982, and later
published Circular A-123 in August 1983, followed by the revised Circular in 1986  (page 2,
12, sentence 4). The audit report should also correctly note that EPA, not RMD, received
OMB's waiver from the four primary A-123 requirements:  event cycle documentation,
separate management control reviews,  management control plans and vulnerability
assessments (page 4, 12, last sentence).

      The draft report devotes extensive discussion to the 1983 GAO standards, much more
so than OMB's new policy direction or EPA's new integrity process.  As the draft report
indicates, the Agency acknowledges the importance of the GAO standards and based EPA's
management integrity principles on them. We recommend that the final audit report replace
                                    39
                                                          E1SFE3-07-0101-4100522

-------
                                                               Appendix  1
                                                               Page  8 of 12
the discussion of GAO standards (page 7) with requirements of EPA's Management Integrity
Principles since they refocus the GAO standards and extend relevance beyond their historical
financial accounting focus to programs.

       The final report should consistently use the term "management" controls (not
"internal''), except when citing a historic reference (e.g., GAO Internal Control Standards).
REOUIRFMTJNTS  F EPA'S
                                              INTEGRITY
       The basic premise of EPA's reengineered integrity process is the close linkage with
program planning, budgeting, fiscal management, and evaluation responsibilities.  The final
audit report should explicitly cite Integrity Act compliance through "planning, budgeting,
fiscal management, and evaluation", not just "program operations" (page it, 14) or
"management activities"  (page iii, 12).

       To more clearly describe EPA's new integrity process, the report should identify the
basic elements: 1) assess and revise guidance and strategies to ensure adequate coverage and
consistency with EPA's Management Integrity Principles; 2) .develop administrative and
program-specific integrity principles for use Agency-wide;   3) develop systematic review
strategy, that includes program and oversight reviews, CFO and GPRA results, and other
relevant information sources, to assess effectiveness of guidance and strategies; and
4) establish building block process to identify weaknesses through the chain-of-command and
report on progress at mid-year and in annual assurance letters to the Administrator.

       The final report should describe these elements in its discussion of EPA's new
integrity process (page 4, 13).  At a minimum, the final report should make the following
corrections:

•     "It establishes EPA's Management Integrity Principles... Agency managers are
       expected to incorporate these principles into program strategies, guidance and
       procedures, which serve as the Agency's management control framework to safeguard
       resources and the achievement of mission goals.  Agency managers are expected ... of
       their programs and resources as an integral pan of program planning, budgeting,
      fiscal management, and evaluation responsibilities, (page 4,  13)

•     "Also, under the  reengineered process, the 22 primary organization heads retain
       accountability for management integrity, and refy on their Senior Resource Officials to
       communicate the Agency's national management integrity guidance,... OARM is
       currently streamlining its office and plans to eliminate RMD, transferring  its
      functional responsibilities  elsewhere within the OfficeTrfthe Comptroller." (page 4,
       14)

•     "Through its Integrity Act reengineering, the Agency has adopted a system that
       integrates responsibilities for identifying, preventing and correcting problems into
                                          2

                                         40
                                                              E1SFE3-07-0101-4100522

-------
                                                               Appendix  1
                                                               Page 9  of  12

      program planning, budgeting, fiscal management, and evaluation.  The Agency will
      identify vulnerabilities through its strategic planning process and develop and carry
      out a systematic review strategy to assess these vulnerabilities, (page 6,  11)

•    "Other National Program Managers are expected to develop program-specific integrity
      principles to clearly articulate policy priorities, best management practices, and
      current guidance in effect, (page 10, 12, sentence 3)

«    "Because the new process aligns integrity responsibilities with program planning,
      budgeting, fiscal management,  and evaluation, program managers will strengthen
      accountability for identifying weaknesses through the chain-of-command, correct them
      promptly, and prevent serious systemic problems,  (page 10, 13, sentence 1)

o    "The Agency's ^engineered model would make management controls purposeful by
      integrating them with program management responsibilities.  The new guidance ...
      functions to determine their consistency with the Agency's management integrity
      principles. {Delete next sentence.] ... The Agency's approach can only work if senior
      managers emphasize management integrity in program planning, budgeting, fiscal
      management, and evaluation, (page 12, 14)

RMD GUIDANCE

      The draft report states that "the Agency has segregated the Integrity Act
implementation from other management activities" (page iii, 11, sentence 1). It is unclear
whether the draft report means that RMD guidance intended this segregation or  that incorrect
interpretation by Agency managers resulted in a separate  function. Various EPA guidance
documents, based on OMB Circular A-123, continually emphasized that Integrity Act
activities were a critical part of basic management.  The Deputy Administrator,  at several
Senior Council on Management Controls (SCMC) meetings, specifically reemphasized this.

      The draft report suggests  that RMD first recognized  that the Integrity Act process was
not working in 1992 (page 4, 12, sentence 1). In fact, RMD recognized this much earlier.
RMD attempted to use the results of the OIG's annual special reviews of Integrity Act
implementation to help EPA strengthen the program.  Even though each OIG review found
that the Agency was implementing the Integrity Act in a  reasonable and prudent manner,
RMD worked with the OIG and the Agency to address OIG recommendations, concerns and
observations. We suggest that the OIG delete the statement, "RMD could have provided-
more effective oversight prior to 1993." (page iii, 13, sentence 5).

      Additionally, when the OIG Central Audit Division met witrTRMD in planning for the
Regional audits that led to the capping report; RMD expressed concern that the  Agency was
overemphasizing paper  compliance rather than accountability by Agency managers to achieve
the intent of the Integrity Act: RMD asked that the auditors move away from assessing  paper
work compliance to assessing true Integrity Act implementation.

                                          3

                                         41
                                                              E1SFE3-07-0101-4100522

-------
                                                                 Appendix  1
                                                                 Page  10 of
12
      The draft report suggests (page 3, 13) that the }
-------
                                                                   Appendix 1
                                                                   PAge 11  of
12
CHAIN-OF-COMMAND REPORTING OF WEAKNESSES TO NPMg

       Regarding the reporting of weaknesses through the chain-of-command, we believe the
OIG has inaccurately characterised RMD's actions (page iv, 13, third sentence; page 3, 54;
and implied throughout page 17).

       The draft report suggests  EPA did not have a formal process for offices to raise
weaknesses to other program offices. This is not true.  RMD included specific language in
formal guidance that addressed this (e.g.,  1990 and 1991 guidance: "If you believe a
material weakness exists in the Agency  but must be addressed by another office, you should
notify the appropriate office in a separate  memorandum, with a copy to RMD. Work with
the other office to raise and investigate  the issue,  so that those offices can determine whether
to report it in their Integrity Act report."

       The draft report incorrectly states that EPA's new  integrity  guidance "does not clearly
stress the benefit of reporting weaknesses  up  and down the organizational chains and across
media lines."  (page 18, 12, sentence 2)  We refer you to page 6, 112, 3 and 4 of RMD's
June 6, 1994 guidance memorandum.

       Additionally, the final report should note that RMD analyzed AA and RA assurance
letter weaknesses and prepared matrices showing cross-cutting Agency programmatic
problems that may not have surfaced to the National Program Manager (NPM).  The former
SCMC and current Senior Leadership Council used these analyses to assess the severity of
the problem and support their decisions  on material weaknesses included in the Agency's
annual Integrity Act Report to the President and Congress.

       The draft report makes several references to POHs reporting weaknesses to RMD,
thereby by-passing EPA senior management (page iv, 12,  third sentence; page 14, 11,
sentence 4; page 16, 12, sentence 3; and page 16, 13, sentence 1).  While RMD did request
to receive reports on weaknesses, RMD always advised the program and Regional offices to
report these weaknesses to the affected NPMs as well.  In all cases, POHs provided their
assurance letters directly to the Deputy  Administrator in accordance with EPA's chain-of-
command.  RMD received copies of these assurance letters.

ACCOUNTS  RECEIVABLE

       We recommend deleting accounts receivable  (page 17) as an example that "the
Agency did not always report its material  weaknesses in a timely manner," because it is
factually inaccurate. The draft report does not recognize early and continuing actions taken
by EPA to identify and address accounts receivable problems through the chain-of-command.
For example,  in 1990 EPA issued Chapter 9 of the Resource Management Directive 2S40D
to prescribe detailed procedures for handling accounts receivable, and in 1991, EPA formed
the Accounts Receivable Task  Force, which conducted Regional reviews to verify the
                                                                 E1SFE3-07-0101- 4100522-

-------
                                                                 Appendix 1
                                                                 Page  12  of  12


completion of corrective actions. EPA management declared accounts receivable a material
weakness in 1992 as a result of the continuing problems disclosed by these reviews.

TRAINING

       The draft report does not address that the primary responsibility for front-line
management integrity training rests with the SROs.  It is unclear from the draft audit report
"who" provides training (page 6, 12, last sentence; and page 11, 14, sentence 1).

       Additionally, the draft report suggests (page 12, 14, last sentence) that RMD "just
now" recognizes the need for additional resources to conduct training. In reality, since the
inception of the program, RMD has recognized that training is critical to successful Integrity
Act implementation. However,  past and continuing travel and staff resource constraints have
limited RMD's ability to conduct national training.

       The draft report states (page 11, 15, sentence 1) that "RMD developed the
management integrity training package and presented it to Management Control Coordinators
(MCCs) in June  1993."  Given resource constraints in the late 1980s, RMD prepared a
"train-the-trainer" package for MCCs to use in training their managers.

       The draft report implies that training consisted of two-hour boiler plate sessions (page
11, 14, sentence 2).  Over the years, RMD has worked  with MCCs to tailor training that is
responsive to office needs and focuses on relevant program issues.

QARM REORGANIZATION

       The draft report refers to the potential future location of Integrity Act oversight
responsibilities (page 4, last sentence).  The OIG should clarify that RMD will no longer
exist as an organization and that its functions will be transferred elsewhere within the Office
of the Comptroller. As currently written, the statement gives the impression that RMD will
still exist, but with other duties.
                                           6

                                          44
                                                                 E1SFE 3-0.7-010 1^.100522

-------
                        EPA's Integrity Act Implementation
                                               APPENDIX II
                    ABBREVIATIONS
Agency
AA
CAAA
CFO
GAO
GPRA
Integrity Act

MCC
OARM

DIG
OMB
ORD
OSWER

RA
RMD
SRO
Environmental Protection Agency
Assistant Administrator
Clean Air Act Amendments
Chief Financial Officer
General Accounting Office
Government Performance and Results Act
Federal Managers' Financial Integrity
  Act of 1982
Management Control Coordinator
Office of Administration and Resources
  Management
Office.of Inspector General
Office of Management and Budget
Office of Research and Development
Office of Solid Waste and Emergency
  Response
Regional Administrator
Resource Management Division
Senior Resource Official
                        45
                                    E18FE3-07-0101-4100522

-------
                             EPA's Integrity Act Implementation
                                                   APPENDIX III


                          DISTRIBUTION


Office of Inspector General

     Inspector General (2410)


Headquarters Office

     Assistant Administrator and Chief Financial Officer (3101)
     Assistant Administrators
     Comptroller  (3301)
     Director, Resource Management Division (3304)
     Agency Followup Official; Attn:  Director, Resource
       Management Division   (3304)
     Director, Financial Management Division   (3303)
     Associate Administrator for Regional Operations and
       State/Local Relations  (1501)
     Associate Administrator for Congressional and Legislative
       Affairs  (1301)
     Headquarters Library  (3304)


Regional Office

     Regional Administrators
                             46
                                         E1SFE3-07-0101-4100522

-------