-------
-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460 "
SEP. I 6 1994
THE INSPECTOR GENERAL
MEMORANDUM
SUBJECT: EPA'S Integrity Act Implementation
Audit Report No. E1SFE3-07-0101-4100522
TO: Carol M. Browner
Administrator
Attached is our report entitled, "EPA'a Integrity Act
Implementation." Our overall audit objective was to determine if
the Agency's Federal Managers' Financial Integrity Act (Integrity
Act) efforts effectively evaluated controls and created an early
warning system to prevent problems from escalating to material
weaknesses and to promote mission accomplishment. The report -
describes serious problems with the Agency's Integrity Act
implementation that can be linked to financial and performance
deficiencies identified in numerous audit reports.
We commend the Office of Administration and Resources
Management (OARM), Resource Management Division for its actions
in response to our Integrity Act audit and to recent Government
streamlining initiatives. We believe that the Agency's new
Integrity Act approach will be more responsive to the Integrity
Act's intent. But, we are concerned that some managers' current
misperceptions about management integrity concepts may put the
success of the new process at risk. We hope that this report
will be useful to Agency managers in targeting some of the
problems which kept the former Integrity Act approach from fully
succeeding as an early warning system. The new approach, if
implemented properly, should help you identify and correct
program weaknesses before they escalate to the material level.
We addressed this report to you as the only Agency official
with authority to hold program managers accountable for
implementation of the Integrity Act and the recommendations in
this report. While the Assistant Administrator (AA) OARM, as the
Agency's Chief Financial Officer (CFO), has broad authority over
financial management controls, his authority over program
management controls is limited. Both the Agency Comptroller and
che Deputy Assistant Administrator for Finance and Acquisition
advised us that as Integrity National Program Manager (NPM), the
AA OARM does not have the authority to hold AAs and RAs
accountable for implementing sound management controls.
CM
O
O
US EPA Headquarters Library
Room 2904, Mailcode 3404
Prtnud en paper ina co
-------
Accountability is a key aspect of the Integrity Act, the CFO
Act, the Government Performance and Results Act, and National
Performance Review reforms. As part of your response to this
report, you should alert Assistant and Regional Administrators to
their responsibility to implement the Integrity Act and the
recommendations contained in this report, and hold them
accountable for effective Integrity Act implementation.
The CFO Act and Office of Management and Budget (OMB)
guidance require that the CFO have the authority to establish,
review and enforce financial management control systems, and
establish, in coordination with program managers, agency-wide
management control processes. In implementing the Act, EPA
advised OMB that its CFO would manage Agency-wide management
controls. However, as CFO and Integrity NPM, the AA OARM does
not have the authority to review and enforce Integrity controls,
standards and compliance involving program management. We think
this lack of authority is a vulnerability that you should address
by strengthening the AA OARM's authority to include establishing,
reviewing and enforcing Agency-wide Integrity Act compliance.
This audit report contains findings that describe problems
the Office of Inspector General (OIG) has identified and
corrective actions OIG recommends. This audit report represents
the opinion of OIG. Final determinations will be made by EPA-
managers in accordance with established EPA audit resolution
procedures. Accordingly, the findings described in this audit
report do not necessarily represent the final EPA position.
Action Required '
We have designated you as the Action Official for this
report. We recommend that you delegate to the AA OARM, in his
role as CFO and NPM, authority for implementing the Integrity Act
Agency-wide. With this authority, the CFO would be able to
execute the recommendations addressed to you in this report. We
would then recommend that you designate the AA OARM as the Action
Official.
In accordance with EPA Order 2750, the Action Official is
requested to provide this office a written response to the audit
report within 90 days of the report date. The response should .
address all recommendations. For corrective actions planned but
not completed by the response date, reference to specific
milestone dateo will assist us in deciding whether to close this
report. We have no objections to the release of this report to
the public.
Should your staff have any questions, please have them
contact Kenneth A. Konz, Assistant Inspector General for Audit,
260-1106.
Attachment
John C. Martin
-------
EPA'a Integrity Act Implementation
EXECUTIVE SUMMARY
Integrity is a key element in establishing accountability in
Government. The President and Congress have reemphasized
management's responsibility to operate efficient and effective
control systems to support mission accomplishment. The Office of
Inspector General (OIG) assists in promoting integrity throughout
the Environmental Protection Agency (hereafter referred to as
Agency) by providing technical assistance to improve the Agency's
management control systems and by reporting to the Administrator
annually on the Agency's Federal Manager's Financial Integrity
Act (Integrity Act) efforts.
This report describes aspects of EPA's Integrity Act
implementation that may have impeded the Agency's progress in
achieving its mission in the past. It is based on Integrity Act
findings in OIG audit reports issued between 1992 and 1994. We
believe an understanding of these problems will help the Agency
avoid them in implementing a new strategy. Our overall audit
objectives were to determine if the Agency's Integrity Act
efforts effectively evaluated controls and created an early
warning system to prevent problems from escalating to material
weaknesses and to promote mission accomplishment.
The Agency has committed to strengthening integrity as a critical
part of basic management practices. The Administrator and Senior
Leadership Council highlighted integrity as part of the Agency's
overall management agenda. Also, the Agency's draft strategic
plan for fiscal 1995-1999 recognizes and reinforces the
accountability that Federal program managers have for good
management processes and the need for an institutionalized Agency
framework for priority-setting, decision-making, and resource
allocation. The strategy describes Agency activities to comply
with the Chief Financial Officers (CFO) Act of 1990, the
Government Performance and Results Act (GPRA) of 1993, and the
Integrity Act. Management integrity is a key component of the
strategic plan. Key initiatives emphasize results rather than
process.
BACKGROUND
Good internal control systems improve operations and discourage
wrongful acts by making them more difficult. -Congress passed the
Integrity Act to amend the Accounting and Auditing Act of 1950
and require renewed focus on strengthening internal controls.
E1SFE3-07-0101-4100522
-------
EPA'8 IntegrityAct implementation
The Accounting and Auditing Act requires agencies to establish
and maintain effective internal control systems. The Integrity
Act requires agencies to continuously evaluate and report to
Congress and the President on the adequacy of those systems.
Also, the Integrity Act requires agencies to build control
systems around Comptroller General standards and to evaluate
those systems following Office of Management and Budget (OMB)
guidelines.
Only the Agency Administrator has authority to hold managers
accountable for Integrity Act implementation. The Administrator
designated the Assistant Administrator for the Office of
Administration and Resources Management (OARM) as the coordinator
for the Agency's Integrity Act efforts, but Agency Assistant
Administrators and Regional Administrators are ultimately
responsible for Integrity Act implementation. The Resource
Management Division (RMD) within OARM'S Office of the Comptroller
was delegated National Program Manager responsibility for
coordinating, monitoring, and providing guidance for the Agency's
Integrity Act implementation. In fiscal 1992, RMD established
quality action teams to improve Integrity Act training and
guidance, promote management buy-in, and streamline the Agency
process. In fiscal 1994, since the issuance of the National
Performance Review Report and GPRA, RMD reengineered the Agency's
Integrity Act requirements to streamline the process and make
managers more accountable for ongoing evaluations and program
improvements.
The reengineered process is responsive to the Comptroller General
standards and to OMB requirements. It builds on Agency-wide
Management Integrity Principles, based on the standards, which
pertain to all programs and activities and which are intended to
promote best management practices. Managers are expected to
incorporate these principles into existing management processes
and program strategies and guidance to strengthen program
operations. It stresses integrating Integrity Act requirements
with program planning, budgeting, operations, fiscal management,
and evaluation. Also, managers are expected to be more directly
involved and accountable for ensuring the integrity of their
programs and resources.
ii
E1SFE3-07-0101-4100522
-------
EPA'sIntegrity Act Implementation
RESULTS-IN-BRIEF
We directed recommendations to the Administrator because she
should hold managers accountable for. effective Integrity Act
implementation. The Agency had segregated Integrity Act
implementation from other management "activities. Most managers
responded to the paper-intensive requirements of the Agency's
Integrity Act process but did not relate the process to
management control system improvement. While senior management
was committed to identifying material weaknesses reportable to ,
Congress and the President, the Agency did not effectively
identify weaknesses through the lower management levels and
implement corrective actions before weaknesses became material
and took years and significant resources to correct.
Integrity Act Can Help Managers
Exercise Leadership
Through its Integrity Act reengineering, the Agency has adopted a
system that appropriately stresses the Agency's management
integrity principles. Agency efforts to integrate control
reviews into ongoing management activities including budget and
planning can improve programs by focusing managers' efforts on
improving program implementation. However, the reengineered
program cannot succeed unless managers accept responsibility for
implementing sound management practices, and the Agency gives
recognition to managers who identify problems and improve control
systems.
Many of the problems we identified with the old process resulted
from managers not employing basic management techniques and not
observing Comptroller General standards, as required by the
Integrity Act. The Agency's Integrity Act process was paper
intensive and segregated from other management activities.
Managers did not realize that management control systems were the
plans, policies, and procedures they had established to achieve
the Agency's mission, and that the Integrity Act and related
standards required them to complete the basic management steps of
documenting, evaluating, and improving those systems. Managers
often limited their Integrity Act 'efforts to financial controls.
Integrity Act guidance was not tailored to mission
accomplishment, and Integrity Act training and-application
focused on completing required paperwork rather than improving
management controls.
iii
E1SFE3-07-0101-4100522
-------
EPA'a Integrity act Implementation
Improved Control Reviews And Reporting
Can Prevent Problem Escalation
The Agency demonstrated strong senior management commitment to
identifying its material weaknesses by establishing a Senior
Council on Management Controls (now known as the Senior
Leadership Council) in 1989 to focus top management attention on
management integrity issues. The Council obtained input on
weaknesses from OIG, General Accounting Office, OMB, and senior
managers. However, the Council may have relied too extensively
on external audits and reviews to identify its material
weaknesses. The Integrity Act intended that the Administrator's
annual assurance letter be supported by program managers'
evaluations of their internal control systems.
Although the Agency reported 18 material weaknesses in fiscal
1993, its managers did not identify weaknesses through a building
block process that let weaknesses identified through control
reviews flow up through its management structure to the program
and function offices as contemplated by the Integrity Act.
Managers did not routinely use the Integrity Act process as an
early warning system to identify and correct weaknesses before
they escalated to the material weakness levels identified by
external reviews. As a result, the Agency's Integrity Act
process did not prevent negative consequences and improve the
economy and efficiency of operations.
RECOMMENDATIONS
We directed recommendations to the Administrator as the Agency
official who can hold managers accountable for effective
Integrity Act implementation. The Assistant Administrator for
OARM and senior managers should stress the Integrity Act's intent
through specific Integrity Act and overall management training
courses, written policies and procedures, and senior managers'
meetings. Agency guidance should emphasize managers as the
assessors and reporters of weaknesses and view external reviews
as only one of several sources managers should use to assess
controls. OARM should provide guidance and procedures for
reporting weaknesses through the chain-of-command to ensure the
Agency has sufficiently identified the extent of its weaknesses
and targeted the appropriate accountable managers for
implementing corrective action. Assistant Administrators and
Regional Administrators should hold managers accountable through
the performance appraisal process for identifying and correcting
iv
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act implementation
program weaknesses and achieving results and should recognize
managers for implementing and maintaining effective control
systems.
AGENCY COMMENTS AND QIC EVALUATION
v
OARM basically agreed with the first finding and recommendations,
but requested that the recommendations be directed to all
Assistant Administrators and Regional Administrators as they are
ultimately responsible for Integrity Act implementation. OARM
attributed lack of adequate national training to past and
continuing travel and resource constraints. OARM expressed
concern with the second finding related to managers being
verbally encouraged to count as many activities as possible as
control reviews. It felt that the annual guidance provided
sufficient criteria for conducting proper reviews and for
reporting weaknesses through the chain-of-command.
OIG clarified Assistant Administrator and Regional Administrator
responsibilities for Integrity Act implementation and issued the
report to the Administrator. The Administrator is the Agency
official with the authority to hold Assistant and Regional
Administrators accountable for their Integrity Act
responsibilities. As National Program Manager, OARM should
design clear written guidance, effectively educate managers in
the mission critical importance of good management controls,
oversee Integrity Act implementation, and offer senior managers
ongoing technical support for continued effective program
management. This technical support includes verbal guidance to
managers to follow the written directions which might take the
form of supplemental oral explanations of specific ways to
accomplish tasks and design program review strategies which
effectively evaluate controls. OARM's early education and
communications with senior managers regarding the new process
should highlight that early identification and effective
communication of weaknesses across the Agency will ultimately
make managers' jobs easier because all will benefit from knowing
which controls work, and which controls need improvement.
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
This Page is intentionally left blank.
vi
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY i
CHAPTERS - .
1 INTRODUCTION . . . 1
PURPOSE 1
BACKGROUND . 2
SCOPE AND METHODOLOGY 6
PRIOR AUDIT COVERAGE 7
2 INTEGRITY ACT CAN HELP MANAGERS
EXERCISE LEADERSHIP 8
THE INTEGRITY ACT AND STANDARDS CREATE
A FRAMEWORK FOR MANAGING PROGRAMS 9
INTEGRITY ACT IMPLEMENTATION WAS PROCESS
RATHER THAN RESULTS ORIENTED 11
GUIDANCE AND TRAINING WERE NOT CLEAR AND COMPLETE
AND MANAGERS WERE NOT HELD ACCOUNTABLE 14
CONCLUSION 16
RECOMMENDATIONS 17
AGENCY COMMENTS AND OIG EVALUATION 18
3 IMPROVED CONTROL REVIEWS AND REPORTING
CAN PREVENT PROBLEM ESCALATION 20
OMB PROMOTES AN EFFECTIVE MANAGEMENT
CONTROL PROGRAM 20
THE AGENCY REPORTED WEAKNESSES
IDENTIFIED IN EXTERNAL REVIEWS 21
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
MANAGERS NEEDED TO REPORT WEAKNESSES THROUGH
THE ORGANIZATIONAL CHAIN 22
MANAGERS SHOULD HAVE IDENTIFIED WEAKNESSES
THROUGH CONTROL REVIEWS 24
CONCLUSION 26
RECOMMENDATIONS 27
AGENCY COMMENTS AND OIG EVALUATION 28
EXHIBIT 1 - AUDITS OF INTEGRITY ACT
IMPLEMENTATION 29
EXHIBIT 2 - OIG AUDITS WITH INTEGRITY
ACT FINDINGS 30
APPENDIXES
APPENDIX I:' AGENCY COMMENTS 33
APPENDIX II: ABBREVIATIONS 45
APPENDIX III: DISTRIBUTION 46
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
CHAPTER 1
INTRODUCTION
PURPOSE
Integrity is one of the key elements in establishing
accountability in Government. The President and Congress have
reemphasized management's responsibility to operate efficient and
effective control systems to support mission accomplishment. A
major role of the Office of Inspector General (DIG) is to improve
agency operations by making recommendations to increase
efficiency and effectiveness. OIG assists in promoting integrity
throughout the Environmental Protection Agency (hereafter
referred to as Agency) by providing technical assistance to
improve the Agency's management control systems and by reporting
to the Administrator annually on the Agency's Integrity Act
efforts. This report provides an overall assessment of the
Agency's implementation of the Federal Managers' Financial
Integrity Act of 1982 (Integrity Act). It is based on Integrity
Act findings in OIG audit reports issued between 1992 and 1994.
The Agency has committed to strengthening integrity as a critical
part of basic management practices. The Administrator and Senior
Leadership Council have manifested this commitment by
highlighting integrity as part of the Agency's overall management
agenda. Also, the Agency's draft strategic plan for fiscal 1995-
1999 recognizes and reinforces the accountability that Federal
program managers have for good management processes and the need
for an institutionalized Agency framework for priority-setting,
decision-making, and resource allocation. The strategy describes
Agency activities to comply with the Chief Financial Officers
(CFO) Act of 1990, the Government Performance and Results Act
(GPRA) of 1993, and the Integrity Act. Management integrity is a
key component of the strategic plan. Initiatives emphasize
results rather than process,, while calling for more effective
management.
This report describes Agency Integrity Act deficiencies that may
have impeded the Agency's progress in achieving its mission in
the past. We believe an understanding of these deficiencies will
help the Agency avoid them in implementing the new strategy. Our
overall audit objectives were to determine if the Agency's
Integrity Act efforts effectively evaluated controls and created
an early warning system to prevent problems from escalating to
material weaknesses and to promote mission accomplishment.
-------
EPA'3 Integrity Act Implementation
BACKGROUND
A generally recognized effective management principle is that
good internal control systems improve operations and discourage
wrongful acts by making them more difficult. Congress passed the
Integrity Act to amend the Accounting and Auditing Act of 1950
and require renewed focus on strengthening internal controls.
The Accounting and Auditing Act requires agencies to establish
and maintain effective internal control systems. The Integrity
Act requires agencies to continuously evaluate and report to
Congress and the President on the adequacy of those internal
control systems. Also, the Integrity Act requires agencies to
build control systems around standards prescribed by the General
Accounting Office and evaluate those systems following guidelines
prescribed by the Director of the Office of Management and Budget
(OMB).
Standards for Internal Control In The Federal Government, dated
June 1, 1983, presents the control standards as defined by the
Comptroller General. The standards cover program management as.
well as financial management. OMB Circular A-123 (Revised),
dated August 4, 1986, was initially issued in 1983 and defined
the policies and procedures for establishing, maintaining, and
reporting on agencies" program and administrative internal
controls. The Circular requires agencies to complete: (1)
annual management control plans, (2) vulnerability assessments,
and (3) management control reviews. OMB issued guidelines for
evaluating internal controls in December 1982. The guidelines
require extensive event cycle documentation. The standards and
OMB guidelines describe the basic management techniques of
planning, documenting, evaluating, reporting, and correcting
operations.
In August 1994, OMB issued a working draft of the revised OMB
Circular A-123. The proposed revision identifies statutes and
policies issued since the Integrity Act which, considered
collectively, provided a framework for assessing management
integrity. The statutes and policies include the CFO Act; GPRA;
Executive Order 12861, Elimination of one-Half of Executive
Branch Internal Regulations; Presidential Memorandum on Agency
Streamlining (September 11, 1993); and the Inspector General Act,
as amended. The proposed revision: (1) allows agencies latitude
in implementing management control programs, (2) makes management
controls a more understandable and meaningful -concept for agency
managers, and (3) eliminates ambiguities in the current circular.
E1SFE3-07-0101-4100522
-------
EPA'a integrity Act Implementation
The CFO Act and GPRA, coupled with the longstanding Integrity
Act, provide the legislative framework for achieving results and
ensuring accountability in Government. The aim of the CFO Act is
to improve general and financial management in Government,
providing a framework to develop reliable financial and
management systems. GPRA establishes strategic planning and
performance measurement in Government, providing a framework to
achieve program results. The Integrity Act focuses on all
aspects of agency management by providing for ongoing evaluations
and reports on the adequacy of control systems. All three acts
were passed to curb the threat of waste and inefficiency in
Government programs and to improve Government management. All
three call for resource accountability.
When properly implemented, the three acts will work in concert to
enhance mission accomplishment. The CFO Act calls for 5-year
plans on financial management reform, with annual progress
evaluations. GPRA calls for 5-year strategic plans defining
outcome-related goals and objectives, with annual plans and
reports oh success in
achieving performance goals.
The Integrity Act calls for
ongoing evaluations of the
management control systems
agencies have established to
achieve the reforms and
outcomes envisioned by the CFO
Act, the GPRA, and major
environmental statutes. It
requires an annual report to
Congress and the President on
systems' adequacy and planned
corrective actions. Integrity
reviews provide an early
warning to managers to correct
problems before they hinder .
MANAGEMENT AND FINANCIAL
SYSTEMS ARE RELIABLE
PERFORMANCE OUTCOMES
ARE ACHIEVED
REFORM PLANS
STRATEGIC PLANS
mission accomplishment.
RESULTS ORIENTED GOVERNMENT
Congress expects the Agency to exercise control over its
resources for effective and efficient mission accomplishment..
The Agency's mission to protect the environment from airborne
pollutants and radiation, solid and hazardous wastes, and
hazardous water contaminants requires highly complex management
control systems. .Management control .encompasses all-activities
designed to ensure'that an organization accomplishes its
objectives effectively and efficiently: (1) within the planned
timeframes, (2) within approved cost limitations, and (3) with
the planned quality and quantity of output. Management control
E1SFE3-07-0101-4100522
-------
EPA'a Integrity Act Implementation
systems span management activities from deciding what the Agency
should do or what it should emphasize, to allocating funds,
monitoring activities, reviewing operations, making mid-course
corrections, and evaluating overall organizational and individual
performance.
Only the Agency Administrator has authority to hold managers
accountable for Integrity Act implementation. The Administrator
designated the Assistant Administrator for the Office of
Administration and Resources Management (OARM) as the coordinator
for the Agency's Integrity Act compliance. The Resource
Management Division (RMD) within the Office of the Comptroller
has been the National Program Manager and was responsible for
coordinating, monitoring, and providing guidance for the
Integrity Act implementation. In August 1988, RMD issued its
guidance manual entitled EPA Internal Control Guidance for
Managers and Coordinators which outlined procedures consistent
with the requirements of OMB Circular A-123 and Comptroller
General standards. The manual stressed management responsibility
and accountability for effective internal control systems. Also,
RMD issued supplemental annual guidance.
Within the Agency, 22 primary organization heads, Assistant
Administrators (AA) in the Headquarters program offices and
Regional Administrators (RA), are ultimately responsible for
implementing the Integrity Act. Their responsibilities include
assuring the Administrator that they recognize the importance of
management controls and believe their organizational units meet
the Integrity Act intent, and ensuring their staff
conscientiously fulfill their management control responsibilities
and perform control reviews following the Agency's guidelines.
In fiscal 1992, RMD recognized that the Integrity Act process
continued to work ineffectively and established quality action
teams to improve Integrity Act training and guidance, promote
management acceptance, and streamline the process. In fiscal
1994, since the issuance of the National Performance Review and
the GPRA, RMD reengineered the Agency's Integrity Act
requirements to streamline the process and integrate
responsibilities for prompt detection, correction, and prevention
of problems in program planning, budgeting, operations, fiscal
management, and evaluation. The reengineered process makes
managers more accountable for evaluating and improving their
programs as -part of ;everyday ^operations. Tq April _L994, the
Agency received a waiver of the Circular A-123 requirements for
management control plans, vulnerability assessments, separate
management control reviews, and event cycle documentation.
E1SFE3-07-0101-4100522
-------
EPA7s Integrity Act Implementation
The reengineered process is responsive to the Comptroller General
standards and the proposed revisions to OMB Circular A-123. It
adopts Agency-wide Management Integrity Principles, based on the
standards, which pertain to all programs and activities and which
are intended to promote best management practices. Agency
managers are expected to incorporate these principles into
existing management processes and program strategies, guidance
and procedures, which serve as the Agency's management control
framework to safeguard resources and achieve mission goals.
Agency managers are expected to be more directly involved and
accountable for ensuring the integrity of their programs and
resources. Specifically, new Integrity Act guidance calls for
Agency managers to:
0 Assess and revise guidance and strategies to ensure
adequate coverage and consistency with the Agency's
Management Integrity Principles;
0 Develop administrative and program-specific integrity
principles for use Agency-wide;
0 Develop a systematic review strategy, that includes
program and oversight reviews, CFO and GPRA results,
and other relevant information sources, to assess
effectiveness of guidance and strategies;
0 Establish a building block process to identify
weaknesses through the chain-of-command and report on
progress at mid-year and in annual assurance letters to
the Administrator.
Also, under the reengineered process, the 22 primary organization
heads retain accountability for management integrity and rely on
their Senior Resource Officials (SRO) to communicate the
Agency's national management integrity guidance, oversee
compliance with Integrity Act requirements, and provide an
overall assessment of the effectiveness of their offices' program
strategies and guidance. Agency Allowance Holders carry out the
specific Integrity Act requirements for their programs. OARM is
currently streamlining its office and plans to eliminate RMD,
transferring its functional responsibilities elsewhere within the
Office of the Comptroller.
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
SCOPE AND METHODOLOGY
We performed our fieldwork at RMD from June 1993 through June
1994 and focused on the Agency's Integrity Act implementation,
administration, and reporting in fiscal 1992 and 1993. RMD is
located in Washington, D.C. At RMD, we reviewed documentation
and discussed policies, plans, and procedures to determine if RMD
provided sufficient Integrity Act oversight and to evaluate its
process for developing and supporting the Administrator's annual
assurance letter to the President and Congress. We reviewed the
Agency's fiscal 1992 and 1993 assurance letters to determine
whether reported Agency weaknesses were identified through the
Integrity Act process. We reviewed the new integrity model to
see if it addressed all of the problems we identified in our
audit work.
We conducted audits that support findings in this report in three
regional and two program offices. (Exhibit 1 lists the audit
reports, report dates, and office locations.) At the regional
and program offices, we judgmentally selected a sample of large
divisions and offices whose Integrity Act process had not been
reviewed and reviewed plans, control system documentation,
control reviews, and subassurance reports to evaluate Integrity
Act implementation during fiscal 1990-1994. We judgmentally
selected a sample of managers and interviewed them about their
understanding of their Integrity Act responsibilities. We re-
viewed portions of their performance agreements and appraisals
and training records to determine whether they understood
Integrity Act procedures and the extent of oversight they had
received. We reviewed recent OIG audit reports issued between
September 30, 1991, and 1994 that discussed Integrity Act
findings or other management control findings to determine
whether the Agency's Integrity Act process was working
effectively. (Exhibit 2 lists the reports.)
We did not review the Agency's compliance with the Integrity
Act's Section 4 on whether the Agency's accounting system
conforms to Comptroller General requirements. Rather, we relied
on the work of other OIG auditors. Their audits addressed
deficiencies in the Agency's accounting system.
We conducted our audits in accordance with Government Auditing
Standards (1988 Revision). The findings in this report include
control weaknesses identified during the audit and our
recommendations to correct the weaknesses, when appropriate. No
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
other issues came to our attention which we believed were
significant enough to warrant expanding the audit scope.
PRIOR AUDIT COVERAGE
OIG and General Accounting Office (GAO) have audited the Agency's
Integrity Act process and reported deficiencies since 1983. This
report summarizes Integrity Act deficiencies reported by OIG
between 1992 and 1994. GAO has not recently issued reports on
the Agency's Integrity Act process.
E1SFE3-07-0101-4100522
-------
EPA'a Integrity Act Implementation
CHAPTER 2
INTEGRITY ACT CAN HELP MANAGERS EXERCISE LEADERSHIP
Through its Integrity Act reengineering, the Agency has adopted a
system that integrates responsibilities for identifying,
preventing and correcting problems into day-to-day operations and
Agency centralized systems for program planning, budgeting,
operations, fiscal management, and evaluation. AAs and RAs will
identify vulnerabilities through the strategic planning process,
as well as routine review of day-to-day program information
provided by Agency reporting systems and customer feedback, and
develop and carry out a systematic review strategy to assess
these vulnerabilities. The reengineered process relies heavily
on effective implementation of the Agency's management integrity
principles, which are based on Comptroller General standards.
Agency efforts to integrate control reviews into ongoing
management activities can improve programs by focusing managers'
efforts on improving program implementation. However, the
reengineered program cannot succeed unless managers accept
responsibility for implementing sound management practices, and
the Agency rewards managers for identifying problems and
improving control systems.
Many of the problems we identified under the prior process
resulted from managers not employing basic management techniques
and not observing Comptroller General standards as required by
the Integrity Act. We found that while managers performed
Integrity Act process tasks and completed required paperwork,
many managers did not use the Integrity Act process to measure
progress toward program goals and objectives, detect deviations
from their plans, and take corrective action. Some managers did
not realize that management controls were the plans, policies,
and procedures they had established to achieve program goals and
objectives and, ultimately, Agency mission. At times, managers
had not developed or documented controls. Some managers did not
connect the risk assessment process with selecting which
management control systems to review. Most managers were not
effectively trained and were not held accountable for treating
controls as a high management priority.
8
E1SFE3-07-0101-4100522
-------
EPA'a Integrity Act Implementation
THE
ACT AND STANDARDS CREATE
A FRAMEWORK FOR MANAGING PROGRAMS
The Integrity Act requires agencies to establish and maintain
cost-effective control systems in accordance with Comptroller
General standards to provide reasonable assurance that Government
resources are protected against fraud, waste, mismanagement, and
misappropriation and that activities are effectively and
efficiently managed to achieve agency goals. To ensure agencies
managed their funds and programs, Congress required agencies to
perform ongoing control system evaluations and to report the
results annually.
The preface to the Comptroller General standards describes the
ultimate benefit of effective management control systems. It
explains that controls:
facilitate the achievement of management objectives by
serving as checks and balances against undesired
actions. In preventing negative consequences from
occurring, internal controls help achieve the positive
aims of program managers.
Several key standards are directed toward managers' and
employees' activities. Additional standards require that
controls be developed and documented for all agency management,
financial, program, and administrative activities.
The standards require managers and employees to demonstrate a
positive and supportive attitude toward internal controls and
treat controls as a consistently high management priority. The
standards recognize that attitude is reflected through managers'
actions concerning agency organization, personnel practices,
communication, and protection and use of resources.
The standards require managers and employees to have skills to
accomplish their assigned duties and an understanding of controls
sufficient to discharge their duties. They recognize the
importance of performance appraisals and suggest performance
evaluations be based in part on implementation and maintenance of
effective control systems.
The standards require control -systems and -all -transactions and
other significant events to be clearly documented in management
directives, administrative policy, and accounting manuals. They
require that transactions and events be useful to managers by
E1SFE3-07-0101-4100522
-------
EPA7a Integrity Act Implementation
being complete and accurate, tracing an action or event before it
occurs, while it is in process, and after it is completed. They
require agencies to develop and identify logical and reasonably
complete control objectives for all agency management, financial,
program, and administrative activities compatible with the
agency's organization and division of responsibilities.
The standards require supervisors to guide and train staff to
help ensure that errors, waste, and wrongful acts are minimized
and management directives are achieved. This includes clearly
communicating duties, responsibilities, and accountabilities to
staff, and reviewing and approving work to ensure work flows as
intended.
The Agency's new process recognizes 10 fundamental principles as
integrity guideposts for good management of all programs and
activities. OARM based the principles on the Comptroller General
standards. The principles are:
0 Develop written strategies, policies, guidance,
procedures, and performance measures to achieve the
Agency's mission and safeguard programs and resources
against waste, loss, unauthorized use, and
misappropriation.
0 Establish an organizational structure and delegate
authority, responsibility and accountability in
accordance with Agency guidelines to achieve the
mission of the organization.
0 Carry out program activities, consistent with
established policies, strategies, guidance and
procedures, and report significant, emerging management
problems through the chain-of-command to the
appropriate National Program Manager for action.
* Demonstrate personal integrity, provide quality
supervision, and sustain a level of professional
competence to accomplish assignments and to ensure that
management objectives are achieved.
0 Collect and assure the quality of data and other
information necessary to manage environmental programs
. -.and. continuously—improve the-basis Xor .the. Agency's
scientific, technical, legal, enforcement, or
management decisions.
10
E18FE3-07-0101-4100522
-------
EPA7s Integrity Act Implementation
Separate key duties and responsibilities in
authorizing, reviewing and approving payment, and
maintain individual accountability for the custody and
use of resources.
Periodically compare written records of actual and
planned activities for budget expenditures, program
operations, property inventory, and staffing levels, to
identify discrepancies and take appropriate action,
where vulnerabilities exist.
Use all available information sources to identify and
routinely assess program areas that are vulnerable to
fraud, mismanagement, and noncompliance with law.
Develop and carry out a systematic review strategy,
comprised of internal program reviews, OI6 audits, and
GAO studies, to assess the effectiveness of program
guidance and procedures, and revise, as necessary.
Promptly determine and carry out management actions to
correct, within established time frames, significant
problems identified by internal program, OIG, and GAO
reviews.
INTEGRITY ACT IMPLEMENTATION WAS PROCESS
RATHER THAN RESUT/TS ORTFNTED
The Agency's Integrity Act procedures should have provided a
satisfactory level of confidence (considering costs, benefits,
and risks) that control systems were achieving desired goals and
objectives. Agency managers invested a lot of time and effort .
implementing the Integrity Act, but significant management
control weaknesses continued to exist because managers did not
use the process as a management tool. Agency procedures created
cumbersome lines of authority and a paper-intensive system,
separate from operational activities. Many managers did not
realize implementing the Integrity Act could help them accomplish
their jobs.
11
E1SFE3-07-0101-4100522
-------
EPA'a Integrity Act implementation
The Agency's Integrity Act Process
Was Cumbersome And Paper Intensive
Resources Management Directive 2560 (June 4, 1987) outlined
Integrity Act roles and responsibilities based on the assignments
of responsibility prescribed by OMB Circular A-123. It segmented
the Agency into 22 primary offices. The Agency designated 266
assessable unit managers, such as division and laboratory
directors, to manage the Integrity Act process. Offices often
delegated implementing Integrity Act process steps to one or two
Management Control Coordinators (MCC) within the primary offices
and sub-MCCs within the assessable units..
The Agency's process required the 266 assessable unit managers to
prepare numerous documents including extensive control
documentation, annual vulnerability assessments and management
control plans, quarterly progress reports, high risk reports,
management control reviews, material weakness position papers,
and annual assurance letters. The control documentation
consisted of a list of all program operations and administrative
functions, each activity within the program and administrative
functions, control objectives for each activity, and control
techniques for each objective. Under this process, control
documentation needlessly duplicated existing Agency plans,
policies, procedures, and guidance.
Managers generally accomplished the process steps, but did not
realize the processes were a means of establishing effective
program management and that the processes should be linked
together. Managers did not ensure programs and administrative
policies, procedures, and directives were fully developed and
documented to achieve the Agency's mission and goals. Some
managers did not realize that controls related to program as well
as financial activities.
Where managers understood the intent behind the paperwork
requirements, they performed tasks outside the process which
better met the intent than the actual requirements of the
Agency's process. Instead of using the required standard
vulnerability assessment form, some managers in the Office of
Solid Waste and Emergency Response (OSWER) analyzed their
programs, priorities and resources and identified potential
obstacles to accomplishing these priorities. These.managers then
appropriately scheduled control reviews to ensure that the
programs' priorities were achieved.
12
E1SFE3-07-0101-4100522
\
-------
EPA'8 Integrity Act Implementation
Other managers who did not understand the concepts followed the
paperwork requirements and completed the standard vulnerability
assessment form. However, this form did not lead managers to
identify potentially vulnerable areas within their, programs.
Most managers submitted the completed standard vulnerability
assessments to RMD but did not have any useful results to
identify control weaknesses and make improvements.
Our review of 15 OIG reports (listed in Exhibits 1 and 2)
disclosed that managers did not prepare complete control
documentation or did not use documented controls. Complete
programs or functions were often missing from the documentation.
For example, a Headquarters office did not have procedures to
safeguard confidential business information and did not realize
it lacked procedures until it lost several boxes of confidential
information. In two offices, procedures for issuing permits were
not documented. Control documentation was also missing for
critical function areas such as data integrity, financial
management system planning and cost tracking, and contracts
management. An audit of the Agency's sensitive information
systems disclosed that 17 of 29 sensitive information systems
were not included in Headquarters Integrity Act control
documentation. In 1 region, 14 of 20 managers identified
vulnerabilities and took corrective actions but did not document
the improved controls. Thus, the region had little assurance
that the corrective actions would be implemented.
At two Headquarters offices, managers had not established •
controls for regional oversight. Although Agency regulations
state that National Program Managers have overall responsibility
for accomplishing program goals, Headquarters program managers
stated that the Agency is decentralized and they did not have
authority over regional personnel to ensure program policies and
procedures were followed and resources were properly used. They
did not see this as part of the control systems National Program
Managers need to help ensure mission accomplishment.
The Reengineered Integrity Act Model Simplifies
and Integrates the Agency's Approach
The reengineered Integrity Act model simplifies the Agency's
approach and integrates Integrity Act requirements into managers'
daily management ..activities. The model .reduces Jthe.Agency's
segmentation from 266 units to 48. It reduces the number of
reports managers must prepare and incorporates assessing program
13
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
vulnerability and creating control review strategies into ongoing
management activities. It eliminates the requirement for
separate event cycle documentation by requiring managers to
modify program strategic plans, operating guidance, regulations,
policies, and procedures to incorporate the Agency's integrity
principles which are based on Comptroller General standards.
In the new model, the Agency has appropriately recognized the
need for national program leadership. OARM will develop model
principles for administrative activities such as contracts,
grants, and resource management practices. Other National
Program Managers are expected to develop program specific
integrity principles to clearly articulate policy priorities,
best management practices, and current guidance in effect.
Managers are required to review and revise written strategies and
guidance to serve as a management control framework for
safeguarding program mission and resources. The model ties the
process of establishing vulnerabilities with strategic plans,
written strategies, and guidance. It directs managers to
systematically review programs to assess protection from fraud
and mismanagement and support mission accomplishment. The new
guidance clearly links controls with mission accomplishment.
Because the new process aligns integrity responsibilities with
day-to-day operations and program planning, budgeting,
operations, fiscal management, and evaluation, program managers
should strengthen accountability for identifying weaknesses
through the chain-of-command, correct them promptly, and prevent
serious systemic problems. The new process should greatly
improve integrity results if AAs and RAs respond to the OARM
Assistant Administrator's expectations as outlined in his June 6,
1994, memorandum and hold managers accountable for routinely
identifying systemic problems and correcting them.
GUIDANCE AND TRAINING WERE NOT CLEAR AND COMPLETE
AND MANAGERS WERE NOT HELD ACCOUNTABLE
Managers were not adequately trained to implement effective
management control systems. Integrity Act implementation
instructions were not always clear and complete. HMD's basic
guidance and training packages were process-oriented and
examples/forms for several key processes such as segmentation and
vulnerability assessments conflicted with the guidance narrative.
Annual guidance did not always explain how certain processes,
such as corrective action validation, should be accomplished.
14
E1SPE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
Managers were not held accountable or recognized for supporting
Integrity Act requirements.
Agency managers misunderstood Integrity Act guidance and
terminology and were unable to apply the processes effectively.
The guidance had not communicated Integrity Act concepts
successfully to Agency managers. Both regional and Headquarters
program managers said the Integrity Act guidance manual and
fiscal 1992 and 1993 quarterly technical guidance were ambiguous
and confusing, that terminology was not clearly defined, and that
different phases of the process were not linked.
RMD recognized deficiencies in its guidance and reported its
policy directives as a weakness in fiscal 1993. RMD planned
revisions to its directives and Agency guidance to demonstrate
linkage between Integrity Act phases, planning and budgeting
phases, and Agency goals and strategic plans, and to integrate
new regulations such as those implementing GPRA.
Managers had not received adequate Integrity Act training.
Managers complained that neither local nor Headquarters training
provided the necessary information to relay the conceptual
meaning of the different Integrity Act phases and reporting
requirements. Integrity Act training classes were usually brief
2-hour sessions and were process-oriented. Managers did not
receive substantive training in developing controls or in
relating the processes, such as the use of the risk assessment to
identify problem areas for review. Managers in the offices we
audited explained that they did not fully understand terminology
used in describing Integrity Act requirements, and therefore, did
not link the phases to their day-to-day operations. Managers did
not understand completely what was required of them to fulfill
Integrity Act requirements. In the 3 regions, 55 of 56
individuals did not have Integrity Act training documented in
their files.
RMD developed a new management integrity training package and
presented it to MCCs in June 1993. MCCs responded positively
that the guidance was needed and helpful. RMD improved its
quarterly MCC meetings and met more often with program and
regional MCCs simultaneously rather than in separate meetings as
was its previous practice. RMD is developing training that
incorporates terminology compatible with managers' knowledge and
is working .with .some .offices .to develop a .comprehensive, long-
term training program.
15
E1SFE3-07-0101-4100522
-------
EPA's integrity Act Implementation
We did not find any evidence that individuals were rewarded or
penalized for Integrity Act performance. We reviewed 128
performance agreements and found that 96 included measures for
Integrity Act performance. However, the appraisal narratives
were too brief to recognize if managers were held accountable for
their performance. Without suitable recognition, managers had
little incentive to execute their Integrity Act responsibilities.
HMD's new integrity model differs from the previous Integrity Act
requirements, and managers and employees will require training to
understand the comparisons. The new model requires managers to
perform the basic management processes of establishing standards,
measuring performance, comparing performance against standards
and interpreting discrepancies, and taking corrective action. In
light of the Agency's movement toward employee empowerment,
streamlining, and other management initiatives, it is especially
important that individuals are held accountable for their
performance and appraised and rewarded accordingly.
CONCLUSION
The Agency's former Integrity Act process did not work well
because managers did not relate the requirements to their daily
activities and were not held accountable for improving their
programs. RMD has recognized that changing 10 years of
management perceptions about a process is no small undertaking.
Success of the new process will involve significant reeducation
for managers to understand and focus on integrity issues as an
integral part of program management responsibilities. RMD
recognizes that additional education and training in the new
approach are required and that the Agency will need to devote
additional resources to this major effort.
The Agency's reengineered model would make management controls
purposeful and useful if Agency managers understand and properly
apply the principles. The new guidance appropriately requires
Agency managers to review written strategies and guidance for all
major programs and functions to determine their consistency with
the Agency's management integrity principles To adhere to the
principles, Agency's plans, policies, procedures, and directives
must describe logical, applicable, and reasonably complete
guidance for performing work processes. The reengineered
approach can only work if senior managers emphasize management
integrity in meetings, training programs^ -and directives, and
hold managers accountable.
16
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
RECOMMENDATIONS
We recommend that the Administrator:
1. Direct AAs and RAs to hold SROs accountable for providing
training on the Agency's new integrity process in their
offices and recognize those who implement and maintain
effective control systems. SROs should seek technical
assistance from OARM, as necessary.
2. Require AAs and RAs to hold managers accountable through the
performance appraisal process for identifying and correcting
weaknesses in the way they carry out their programs and
achieve results. They should recognize managers for
effectively and efficiently implementing Integrity Act
requirements.
3. Require AAs and RAs to stress to senior managers and staff
the mission critical importance of the Agency's reengineered
integrity process and the Agency's Management Integrity
Principles; emphasize that the process helps safeguard
resources and achieve program results. Incorporate this
emphasis into specific Integrity Act and overall management
training courses, management policies and procedures, and
senior managers' meetings.
4. Require the AA for OARM to assign sufficient OARM oversight
staff to bring managers up to speed on the new process and
ensure the new process is implemented as intended.
5. Require the AA for OARM to provide basic training to SROs in
the new Integrity Act approach and the Agency's Management
Integrity Principles.
17
E18FE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
AGENCY COMMENTS AND O1G EVALUATION
OARM generally agreed with the finding and provided comments to
clarify some issues and redirect the recommendations. OARM
requested that, because responsibility for safeguarding resources
in achieving mission goals goes beyond OARM, the recommendations
be redirected to all AAs and RAs. Also, OARM requested that
specific recommendations for relating GPRA to integrity issues be
directed to the Office of Policy, Planning and Evaluation. Other
comments primarily related to adding language to stress the link
between the Integrity Act process and program planning,
budgeting, operations, fiscal management, and evaluation
responsibilities. OARM commented that RMO recognized the
Integrity Act process was not working much earlier than 1992 and
challenged the report's assertion that HMD could have provided
more effective oversight prior to 1993. RMD commented that it
attempted to improve the process each year in response to OIG's
annual audit. OARM attributed lack of adequate national training
to past and continuing travel and staff resource constraints.
RMD attempted to overcome these constraints by providing training
packages to the regions.
We clarified AA and RA responsibility for Integrity Act
implementation. As Integrity National Program Manager, OARM
should work with the Office of Policy, Planning, and Evaluation
to ensure Integrity concepts are appropriately integrated into
GPRA implementation. OARM is primarily responsible for educating
the national and regional offices in the reengineered process and
overseeing its implementation. As part of its initial training
and awareness sessions, OARM should highlight the findings in
this report to encourage managers to avoid the cited problems in
carrying out the reengineered Integrity Act process.
OIG applauds the Agency in its initiatives to integrate the
Integrity Act process with program and administrative management.
We added OARM'S recommended language to explain the new process
and its links to administrative management. However, OARM's
response to the draft report appeared to focus more on
administrative management than day-to-day program operations.
Although both are important, OARM will need to stress how
managers can integrate the Integrity Act process with daily
activities in its training and guidance, because many managers
did not make this connection using the old process.
18
E1SFE3-07-0101-4100522
-------
EPA*a Integrity Act Implementation
We believe that the major efforts to overhaul the Integrity Act
process did not start until 1993. Also, while OIG recognizes
RMD's limited resources, the training packages provided to the
regions focused on process and did not provide managers
sufficient technical assistance to meaningfully assess their
program and function controls.
19
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
CHAPTER3
IMPROVED CONTROL REVIEWS AND REPORTING
CAN PREVENT PROBLEM ESCALATION
The Agency demonstrated senior management commitment to
identifying its material weaknesses by establishing a Senior
Council on Management Controls (now known as the Senior
Leadership Council) in 1989 to focus top management attention on
management integrity issues. The Council appropriately sought
input from OIG, GAO, OMB, and senior managers to help identify
its material weaknesses. Although the Agency reported 18
material weaknesses in fiscal 1993, the majority of the
weaknesses were not discovered through managers' control
assessments which flowed through the Agency's chain-of-command to
the senior managers. Managers reported weaknesses to RMD rather
than through the Agency's management structure to the national
program and function offices where further analysis or policy and
guidance changes could have corrected problems or prevented
problem escalation. Managers did not use the Integrity Act
process as an early warning system to identify and correct
weaknesses before they escalated to the material weakness levels
identified by external reviews. As a result, the Agency's
Integrity Act process did not prevent control weaknesses from
escalating or improve the economy and efficiency of operations.
Instead, material weaknesses, once detected, required significant
resources to correct.
OMB PROMOTES AN EFFECTIVE MANAGEMENT
CONTROL PROGRAM
In accordance with the Integrity Act and OMB Circular A-123, each
executive agency must annually evaluate its system of internal
accounting and administrative controls and report to Congress and
the President on whether its internal control systems comply with
the goals of the Act. If systems do not comply, the agency head
must identify material weaknesses and present plans for
corrective action. OMB encourages managers to utilize external
reviews, such as DIG and GAO audits and internal management
reviews in managers' assessment of controls. However, recent OMB
draft guidance stresses that the external reviews be incorporated
as part of a self assessment and weaknesses fee reported through
the agency chain-of-command structure. Each supervisory level
should determine and report the materiality of the weakness to
the next level.
20
E1SFE3-07-0101-4100522
-------
EPR'a Integrity Act implementation
The Agency requires regional and national program offices to
submit annual assurance reports to identify potential material
and Agency-level weaknesses. The offices' reports must describe
any material weaknesses disclosed by any management control
evaluations or other reports, the action plans for correcting the
weaknesses, and the status of actions taken to correct any
weaknesses identified in any prior year reports.
THE AGENCY REPORTED WEAKNESSES IDENTIFTFT)
IN EXTERNAL REVIEWS .
The Agency did not identify its weaknesses through the Integrity
Act process. Weaknesses were identified primarily by external
auditors or by managers during meetings or through managers'
judgment.
f
The Agency reported 18 material weaknesses to the President and
the Congress in fiscal 1993, but the majority of the weaknesses
were identified externally. OIG and 6AO identified 11 of the 18
weaknesses (over 60 percent). While the Agency appropriately
reported weaknesses identified by external sources, program
managers did not review external audit findings as an initial
step in assessing the full extent of Agency management control
weaknesses.
Likewise, national and regional program managers in four of the
five offices we reviewed did not routinely identify material or
Agency-level weaknesses through the Integrity Act process. They
primarily identified weaknesses through external reviews and
activities such as management meetings and studies. Because
managers identified weaknesses through discussion and not by
testing controls, they could not sufficiently determine the
extent of the weakness.
One region did not report any weaknesses prior to
fiscal 1993.
One national program office identified more than half
of its fiscal 1992 and 1993 weaknesses (14 of 26)
through external reviews. Others were identified
through managers' judgment and meetings.
One region-identified 21 of its 49 fiscal 1991 and 1992
weaknesses through external reviews. One weakness was
identified through the Integrity Act
21
E1SFE3-07-0101-4100522
-------
EPA*s Integrity Act Implementation
process and 27 were identified primarily through
discussions, meetings, or "insight into operations."
0 Another region identified at least 7 of its 11 fiscal
1992 weaknesses reported outside the Integrity Act
process. One of the seven was determined through
external reviews and the other six through methods
other than testing documented controls.
The new model encourages managers to rely on all information
sources to evaluate the effectiveness of controls. It cautions
that managers should not rely exclusively on external reviews to
assess existing or potential vulnerabilities, but must conduct
their own reviews which test controls to ensure timely and
adequate information on which to base their assurance statement.
Also, it stresses that managers should use their judgment and
experience as the first step in identifying vulnerable areas for
review. Managers then should develop a review strategy to focus
on these vulnerable areas. The guidance appropriately states,
"Reviews, whether conducted by internal or external sources, must
involve actual tests to determine effectiveness of guidance and
procedures."
MANAGERS NEEDED TO REPORT WEAKNESSES
THROUGH THE ORGANIZATIONAL CHAIN
The Agency did not effectively use the Integrity Act process to
identify and report the full extent of its weaknesses. Agency
managers did not use a building block process to report
weaknesses beyond the primary organization head through the
organizational chain so that the overall magnitude of the
weaknesses could be assessed. Managers only reported weaknesses
that were material at the Agency or Presidential level.
Regional and program offices reported 174 Agency-level and
material weaknesses, but did not always report these and other
identified .weaknesses to national program offices with authority
to take action and determine the overall extent of the weakness.
When regional offices did report weaknesses requiring
Headquarters action to national program offices, Headquarters
personnel did not always take appropriate action. Additionally,
RMD did not have a formal process for disseminating reported
weaknesses to program and rfunction managers who-might have an
interest or responsibility to evaluate the weaknesses and
initiate corrective actions once the full extent of the
22
E1SFE3-07-0101-4100522
-------
EPA7s integrity Act Implementation
weaknesses was determined. Thus, progressively senior managers
with a broader perspective on the Agency's mission did not have
the opportunity to exercise their judgment regarding the extent
and impact of program and function weaknesses. Also, managers
could not benefit from compensating controls developed by other
regional or national program offices.
RAs and National Program Managers reported their weaknesses
directly to the Deputy Administrator with copies to RHD. The
weaknesses did not flow between the regional offices and the
national program offices or across media lines. RMD had an
informal process for relaying weaknesses that were not reported
in AA and RA assurance letters to national program offices, but
the process did not appear to be effective. RMD's informal
process for advising National Program Managers of unreported
weaknesses may have allowed regions and National Program Managers
to avoid taking prompt action to assess the full extent of weak
controls and report material weaknesses. As a result, the Agency
did not always report its material weaknesses in a timely manner
or require all potentially impacted managers to evaluate their
controls for similar
weaknesses and take
appropriate corrective actions
to remedy the weaknesses. For
the Agency to identify the
full extent of system
weaknesses and determine if
weaknesses were fully
corrected, managers at each
level needed to evaluate the
controls they were responsible
for implementing and report
all weaknesses that were
material to their operations,
not just Presidential-level
weaknesses.
THE BUILDING BLOCK PROCESS
Managers in one region
identified weaknesses in 1992
in air program and policy
guidance for implementing and
enforcing the Clean Air Act Amendments (CAAA). Regional managers
developed ..and implemented, added .procedures .txs..comply ..with new
CAAA while awaiting national air program policy and guidance.
However, the region interpreted the Agency's Integrity Act
23
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
guidance as not requiring it to report the lack of policy and
guidance as a weakness nor problems encountered in enforcing air
program requirements. If regional managers had reported the
weaknesses and corrective actions, national and other regional
program managers could have bene fitted from an early warning of
potential material weaknesses in the Clean Air program, assessed
the weakness Agency-wide, and possibly shared the region's.
compensating controls as a best practices approach.
RMD and the national program offices did not always follow up on
reported Agency-level and material weaknesses to determine how
prevalent the problems were and correct the problems Agency-wide.
Two OIG audit reports (listed in Exhibit 2) disclosed that
environmental research laboratories in Athens, Georgia, and
Corvallis, Oregon, did not assess their management controls over
extramural resources even after the Headquarters Office of
Research and Development (ORD) reported management of extramural
resources as a material weakness in 1990. Extramural resources
accounted for nearly 70 percent of total ORD funds. Audit
reports issued 3 and 4 years after ORD reported extramural
resource weaknesses noted that the laboratories did not identify
the weaknesses because the laboratories had not established
effective controls over extramural resources and evaluated the
controls.
RMD's reengineered Integrity Act model indicates managers will
only report material and Agency-level weaknesses which require
the attention of the Administrator. The new guidance does not
clearly stress the benefit of reporting weaknesses up and down
the organizational chain and across media lines. The guidance
should stress following the organizational chain to report all
weaknesses so that National Program Managers can determine
whether the weakness should be assessed Agency-wide or best
practices for compensating controls can be shared with other
potentially impacted Agency offices.
MANAGERS SHOULD HAVE IDENTIFIED WEAKNESSES
THROUGH CONTROL REVIEWS
Managers generally did not identify weaknesses through control
reviews because they did not test controls to see if programs and
functions were operating as intended. In part, managers did not
test controls because they did not know Trtrat -a -control review
entailed. Although Agency written guidance specifically
identified criteria for control reviews, some Agency managers
24
E1SFE3-07-0101-4100522
-------
EFA's integrity Act Implementation
said they were verbally encouraged to count activities which did
not test controls as control reviews. As a result, the Agency's
success in identifying all its significant weaknesses was
severely limited as indicated by the number and severity of
weaknesses identified through audit findings.
Many control reviews did not appropriately test controls nor meet
OMB criteria. For fiscal 1992, the Agency reported to OMB that
it performed 796 control reviews and planned to complete 909
reviews in 1993. We reviewed 67 control reviews for 1990, 1991,
1992, and 1993 for compliance with OMB requirements and found
that 50 reviews, or 75 percent, did not meet basic requirements
such as testing controls and documenting the results.
Thirteen OIG audit reports issued between September 30, 1991, and
1994 identified improvements needed in control reviews. Eleven
of these reports stated managers did not plan or perform reviews
over controls that the auditors found deficient. Two of the
reports stated that managers did not document reviews and,
consequently, could not be certain that identified weaknesses
were included in an Integrity Act report.
OIG reports cited various reasons for reviews not testing
controls. Some managers had not learned what a control review
entailed or considered control reviews unnecessary. Other
managers commented that they: (l) thought MCCs were responsible
for conducting reviews, (2) considered management control reviews
a financial function and their staff were not financial experts,
(3) did not understand the purpose of reviews, and (4) did not
know the difference between control systems and control reviews.
HMD may have contributed to managers' confusion regarding the
purpose and definition of control reviews.
RMD's manual clearly and accurately described the step-by-step
process for performing a control review. However, some managers
said that prior to 1993, RMD had verbally advised them to count
as many activities as possible as alternative control reviews.
Regional managers continued this practice beyond 1993. As a
result, regions and Headquarters program offices inappropriately
counted activities which did not test controls and thus did not
result in improved controls.
0 Three regions counted activities which were really
..controls rather .than reviews. —For..example, two regions
counted annual quality assurance assessments as control
reviews. The regions should have determined whether
25
E1SFE3-07-0101-4100522
-------
a Integrity Act Implementation
the quality assurance assessments were performed, met
the testing requirements, and resulted in corrective
actions. Instead, they counted the control as the
review.
0 Two regions counted Headquarters reviews as control
reviews. However, the reviews were general discussions
with personnel regarding goals and did not test
controls.
o jn other instances, offices counted activities such as
a written justification to OMB for program
continuation, a compilation of policy memorandums,
status reports, and management briefings as control
reviews. None of these activities tested controls.
In response to a 1990 OIG audit of the Agency's 1989 Integrity
Act activities, OSWER initiated annual reviews of its control
review process. Reviewers provided informal feedback to managers
on the quality of their control reviews and how to improve them.
In 2 years, the number of reviews meeting control review
requirements increased from 39 percent to 75 percent.
The new Integrity model reminds managers that they cannot rely
exclusively on external reviews to assess vulnerabilities. They
must conduct their own reviews and perform actual tests to
determine if guidance and procedures are followed and working to
efficiently accomplish their mission. As stated in the new
guidance, this is necessary "to ensure timely and adequate
information on which to base their statement of assurance." The
model contains general criteria for selecting, conducting, and
documenting program reviews and developing corrective action
plans. In order for their program reviews to be effective,
managers will need formal training on the control review process
that illustrates how to perform transaction tests and document
test results.
CONCLUSION
The Agency's reengineered Integrity Act approach can improve
procedures for identifying weaknesses and reduce the number of
excess reviews planned and reported, but managers must also
improve their examinations of their operations. Managers'
program reviews must test plans, policies, and procedures and
determine if Agency personnel promptly and properly recorded
26
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
management actions; executed the management actions in accordance
with applicable laws and regulations; adequately separated duties
to ensure a system of checks and balances; and applied sufficient
supervision. Weaknesses must be identified, reported, and
corrected at each level to determine the extent of weaknesses,
establish accountability, and provide early detection and
correction. -
The new integrity process relies more on management judgment and
accountability than the previous process. Senior Agency
officials should stress the importance of integrating management
integrity into each manager's day-to-day operations. Managers
must be educated in their responsibilities under the new process,
and how to carry them out. But beyond this, managers will need
ongoing technical assistance from OARM and reinforcement from the
Senior Leadership Council to ensure success.
RECOMMENDATIONS
We recommend that the Administrator require AAs and RAs to:
1. Hold SROs accountable for developing annual systematic
review strategies to evaluate guidance and procedures in
identified vulnerable areas and include documented program
review results and recommendations. When new weaknesses are
identified through external review, SROs should improve
their systems to detect such vulnerabilities through the
integrity process in the future.
2. Direct SROs to base corrective action and validation of
current material weaknesses on assessment in the field as
well as at the Headquarters level.
3. Direct SROs to develop guidance and procedures for reporting
weaknesses and suggested corrective actions through the
organizational structure which includes requiring managers
to report weaknesses in writing to National Program
Managers. '•>'
4. Assess and document the overall magnitude of weaknesses and
corrective actions reported to them by managers throughout
the Agency.
27
E1SFE3-07-0101-4100522
-------
EPA'a Integrity Act Implementation
AGENCY COMMENTS AND OIG EVALUATION
OARM disagreed with several assertions in this finding. RMD
commented that the annual guidance in 1990, 1991, and 1993
specifically identified criteria for reviews to be listed in the
management control plan. OARM disagreed that RMD did not have a
formal process for reporting weaknesses through the chain-of-
command and for HMD's analysis of weaknesses submitted in the
annual assurance letters. OARM did not concur with the report's
assertion that the new Integrity Act guidance does not provide
managers a clear understanding of the importance and advantages
to reporting weaknesses up and down the organizational chain and
across media lines. OARM challenged the validity of the accounts
receivable issue as an example of ineffective chain-of-command
reporting, and pointed out actions taken by the national program
manager in 1990 and 1991 as appropriate actions to improve
accounts receivable problems within the Agency. OARM expressed
concern that OIG did not acknowledge management judgment as an
important part of the reengineered process.
While annual guidance may have provided criteria for listing
reviews in the management control plan, several managers told us
that RMD verbally encouraged them to report other activities
which would not meet the A-123 criteria for management control
reviews and alternative management control reviews. OIG
disagrees that RMD had a formal process for raising weaknesses to
other program offices. Although written guidance encouraged such
reporting, again verbal guidance either conflicted with the
written guidance or confused managers regarding what should be
reported. OARM may not have understood our intent in the
accounts receivable example, so we deleted it from the final
report. One of the main points intended in this chapter is that
National Program Managers need to encourage the identification
and widespread reporting of potential weaknesses to help them
timely assess what action needs to be taken to correct weaknesses
and to share actions managers may be taking to compensate for the
weaknesses until more permanent action can be taken.
28
E1SFE3-07-0101-4100522
-------
EPA's integrity Act Implementation
EXHIBIT 1.
AUDITS OF INTEGRITY ACT IMPLEMENTATION
Report Title
and Number
1. Region 7's
Implementation of the
Federal Managers'
Financial Integrity Act
(FMFIA)
E1RMF2-07-0134-3 100148
2. Region 1's
Administration of the
Federal Managers'
Financial Integrity Act
E1RML3-07-0011-3100322
3 . Region 8 ' s
Implementation of the
Federal Managers'
Financial Integrity Act
E1RML2-08-0091-3100326
4. OSWER's
Implementation of the
Federal Managers'
Financial Integrity Act
E1SFE3-07-0101-4100224
5. Office of Water's
Implementation of the
Federal Managers'
Financial Integrity Act
E1AME4-07-0024-4 100236
Report
Date
3/30/93
8/23/93
8/24/93
3/28/94
3/31/94
Location
Kansas City, Kansas
Boston ,
Massachusetts
Denver , Colorado .
Washington, DC
Washington , DC
29
E1SPE3-07-0101-4100S22
-------
EPA's Integrity Act Implementation
EXHIBIT 2
DIG AUDITS WITH INTEGRITY ACT FINDINGS
Report Title and Number
1. SPECIAL REVIEW OF THE FACILITIES
MANAGEMENT & SERVICES DIVISION'S SECURITY
& PROPERTY MANAGEMENT BRANCH
E1PMG1-13-0038-2400022
2. CONTRACT MANAGEMENT /EPA Needs to
Strengthen The Acquisition Process For
ADP Support Services Contracts
E1NMF1-15-0032-2100300
N
3. SOFTWARE INTEGRITY /EPA Needs to
Strengthen General Controls Over System
Software
E1NMF1-15-0055-2100591
4. EPA'S MANAGEMENT OF COMPUTER SCIENCES
CORPORATION CONTRACT ACTIVITIES
E1NME1-04-0169-2100295
5. SPECIAL REVIEW ON FOLLOW UP OF CERCLIS
REPORTING AND POST-IMPLEMENTATION
E1SFG1-15-5001-2400027
6. COMPUTER SYSTEMS INTEGRITY: EPA Must
Fully Address Longstanding Information
Resource Management Problems
E1NMF1-15-0032-2100641
Report
Date
3/92
3/31/92
9/22/92
3/31/92
3/27/92
<->
9/28/92
30
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
7. FOLLOWUP REVIEW ON EPA'S EMERGENCY
SUSPENDED AND CANCELED
PESTICIDE PROGRAM
E1EPG2-05-6008-3400030
8. MANAGEMENT OF EXTRAMURAL
RESOURCES/OFFICE OF RESEARCH AND
DEVELOPMENT/ ENVIRONMENTAL RESEARCH
LABORATORY /ATHENS, GEORGIA
E1JBF2-04-0300-3100156
9. FISCAL 1992 FINANCIAL STATEMENT AUDIT
OF THE PESTICIDES REVOLVING FUNDS
E1EPL2-20-7001-3100265
10. FISCAL 1992 FINANCIAL STATEMENT AUDIT
OF THE SUPERFUND TRUST FUND, LEAKING
UNDERGROUND STORAGE TANK TRUST FUND AND
ASBESTOS LOAN PROGRAM
P1SFL2-2 0-8001-3 1002 64
11. REVIEW OF REGION 9 SUPERFUND PROGRAM
ACCOMPLISHMENTS FOR FISCAL 1992
E1SFR3-09-0101-380006
12. CONSOLIDATED REPORT ON FISCAL 1992
CERCLIS DATA INTEGRITY
E1SFF3 -11-0016-3 1003 92
13. MANAGEMENT OF ASSISTANCE AND
INTERAGENCY AGREEMENTS /OFFICE OF RESEARCH
AND DEVELOPMENT/ ENVIRONMENTAL RESEARCH
LABORATORY/ CORVALLIS , OREGON
E1FBF3-10-0069-4100214
3/26/93
3/31/93
6/30/93
6/30/93
8/12/93
9/29/93
3/21/94
31
E1SFE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
14. FISCAL 1993 FINANCIAL STATEMENT AUDIT
OF THE PESTICIDES REVOLVING FUNDS, AND
THE OIL SPILL TRUST FUND
E1AML3-20-7001-4100230
15. AUDITORS' REPORT ON FISCAL 1993
FINANCIAL STATEMENTS FOR THE SUPERFUND
TRUST FUND, LEAKING UNDERGROUND STORAGE
TANK TRUST FUND AND THE ASBESTOS LOAN
PROGRAM
P1SFL3-20-8003-4100231
i
16. MANAGEMENT OF COOPERATIVE
AGREEMENTS /OFFICE OF RESEARCH AND
DEVELOPMENT/ ENVIRONMENTAL RESEARCH
LABORATORY /GULF BREEZE, FLORIDA
E1JBF2-04-0386-4100237
17. DRAFT REPORT OF AUDIT — INTEGRATED
FINANCIAL MANAGEMENT SYSTEM
E1NMF3 -15-007 3-
3/31/94
3/30/94
3/31/94
5/09/94
32
E1SFE3-07-0101-4100522
-------
Appendix 1
Page 1 of 2
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
27 JUL 1994
OFFICE OF
ADMINISTRATION
AND RESOURCES
MANAGEMENT
MEMORANDUM
SUBJECT: . Response to Draft Report on EPA's Integrity Act Implementation
Audit Report No. E1AME4-07-0024-XXXXXX
FROM:
TO:
Comptroller (3301)
Michael Simmons
Associate Assistant Inspector General
for Internal and Performance Audits (2421)
Thank you for the opportunity to review and comment on the Office of Inspector
General's (OIG) draft audit of EPA's Integrity Act implementation. We appreciate the
auditors' work with OARM during the audit to keep apprised of and support our efforts to
reengineer EPA's management integrity process, consistent with the Administration's
National Performance Review (NPR). We recognize the OIG's considerable challenge to
audit the "old FMFIA" within a context of such great change and to develop effective
recommendations that support the Agency's new integrity direction.
We have provided comments on the draft report to clarify findings, strengthen
recommendations, and reinforce the audit's support for EPA's new vision of integrity as a
fundamental tenet of integrated program planning, budgeting, fiscal management, and
evaluation. Our major comments are summarized below, with supporting examples attached.
Emphasize Integrity Role in Current Context of Change and Accountability Framework
We commend the OIG's efforts to identify and discuss linkages among Integrity Act,
Government Performance andResults~Act(GPRA) wd.Chief-Finandal Officers Act (CFO)
requirements as part of the Agency's management accountability framework. Last year's
enactment of the GPRA and issuance of the NPR recommendations gave OARM the
opportunity to radically rethink the Agency's integrity process. Our goal was to eliminate
the separate administrative stovepipe process and integrate responsibilities for prompt
detection, correction and prevention of problems in program planning, budgeting, fiscal
management, and evaluation.
33
Rtcycled/Rvcyclabto
PrinM with Sey/dnof* ink on pipac that
contain* MIMM 50% r*cyOM "Mr
E1SFE3-07-0101-4100522
-------
Appendix 1
Page 2 of 12
We suggest that your final report discuss these significant events, which occurred
during the 1992-1994 audit focus, to establish a clearer context for understanding why the
Agency decided to reengineer the integrity process. We believe that the draft report's
findings and recommendations do not sufficiently relate the role of EPA's new process within
the framework of integrated Agency-wide strategic planning and goal-based budgeting to
strengthen management accountability for results. This understanding is critical to managers'
successful implementation of EPA's reengineered integrity process.
Clarify Audit Focus on Program^Not Financial. Management Integrity Implementation
We suggest that your final report explicitly establish at the outset that its primary
focus is on program managers' implementation of the Integrity Act. We believe that the
report, as written, does not apply to financial management under Section 4. For example,
the report should acknowledge the existence of EPA's Financial Management Quality
Assurance Program and its policy oversight, guidance and training role working with Agency
Financial Management Officers (FMOs) and Senior Resource Officials (SROs) to carry out
CFO and Integrity Act requirements. EPA trains FMOs, conducts financial internal control
and systems reviews, and assesses overall financial management operations in annual Quality
Assurance Reviews and reports on these assessments in Integrity Act assurance letters.
Clarify Relationship of OMB/GAO Policy Requirements to EPA Guidance. Past and Present
We suggest that the final report clearly state that EPA's integrity guidance has
consistently promoted compliance with requirements of Office of Management and Budget
(OMB) Circular A-123 and General Accounting Office (GAO) Standards for Internal Control
in the Federal Government. Your draft report gives the mistaken impression that integrity
requirements associated with EPA's Resource Management Directive 2560 (described on
page 8) do not derive from OMB Circular A-123 or the GAO standards. We suggest that
your final report consolidate discussion of the Integrity Act and OMB and GAO requirements
in Chapter 1, identify the consistency of Resource Management Division (RMD) integrity
guidance with these requirements, and distinguish between that guidance and managers'
response in implementing it.
Your draft report attributes problems with the Agency's old integrity process to
segregating responsibilities from other management activities and not observing GAO
standards (page iii; Chapter 2, page 6). We believe that your final report should also
acknowledge ongoing Agency efforts to strengthen integrity as a critical part of basic
management practices... These include the Administrator^ and her Senior Leadership
Council's attention to integrity as part of the Agency's overall management agenda, policy
memoranda from the Deputy Administrator and OARM senior management, and RMD
annual guidance and corrective actions taken in response to annual OIG special reviews of
the Agency's Integrity Act implementation.
34
E1SFE3-07-0101"4100522
-------
Appendix 1
Page 3 of 12
We suggest that your final report reinforce its stated support for EPA's new integrity
process as more responsive to GAO standards and OMB guidance (pages ii and 4) through
concrete examples of management action in program planning, budgeting, fiscal
management, and evaluation. Chapter 3 in particular seems to reinforce the old segregated
paradigm in its discussion of the "Integrity Act process" and "control reviews" to identify
problems.
expectations of EPA's New Integrity Process
We concur with your draft report observations linking success of EPA's new integrity
process and past problems with Agency managers' understanding how their Integrity Act and
program management responsibilities relate. We strongly recommend reorganizing your
audit report to consolidate discussion of the old and new processes and clearly distinguish
them from each other. We note factual inaccuracies in the draft report's summary of EPA's
new integrity requirements, as identified in Attachment 2. We recommend correcting these
errors and increasing discussion of integrity requirements' impact on program management
responsibilities.
We appreciate the many draft report endorsements of EPA's new integrity approach
and suggest deleting the final statement on page 20 that "the Agency's reengineered Integrity
Act process is highly vulnerable." We believe that you should replace this statement with
specific actions needed to ensure the success of EPA's new process as part of the integrated
accountability framework supported by the OIG, OMB, and the Agency.
Redirect Recommendations to Focus on Agency-wide Management Accountability
As your draft report concludes, responsibility for safeguarding resources in achieving
mission goals goes beyond OARM to all Assistant and Regional Administrators. We believe
that directing the draft report recommendations solely to the AA/OARM limits its value in
promoting Agency-wide accountability for sound management controls. We suggest that the
final report be transmitted to, and direct recommendations to, all AAs and RAs, with specific
actions directed to the AA/OARM and the AA/OPPE to ensure that EPA's GPRA
implementation (e.g., strategic planning, goal-based budgeting) addresses integrity issues.
t
We appreciate your consideration of cur comments in preparing your final report.
We look forward to meeting with you to discuss our response and resolve any outstanding
issues. Please contact me at 260-9674, or have your staff call Kathy Sedlak O'Brien at
260-9650 to arrange a meeting at a mutually agreeable time.
Attachments
cc: Jonathan Z. Cannon (3101)
David M. Gardiner (2111)
Sallyanne Harper (3101)
35
E1SFE3-07-0101-4100522
-------
Appendix 1
Page 4 of 12
ATTACHMENT 1
RESPONSE TO RECOMMENTATIONS IN DRAFT AUDIT REPORT ON
EPA'S INTEGRITY ACT IMPLEMENTATION
DATED JUNE 29, 1994
SUGGESTED NEW RECOMMENDATIONS
We recommend that the Assistant Administrator for OARM:
1. Incorporate guidance and procedures for EPA's reengineered integrity process into the
Administrator's policy and Budget Division's technical call memoranda to promote
effective integration with the goal-based budgeting process.
2. Provide technical assistance and training to SROs in instituting EPA's new integrity
requirements in their offices as an integral part of program planning, budgeting, fiscal
management, and evaluation.
3. Ensure sufficient staff resources to oversee and assess Agency-wide implementation of
reengineered integrity process.
We recommend that the Assistant Administrator for OPPE:
1. Ensure that the Agency's strategic planning and GPRA implementation processes
address financial and management integrity priorities.
2. Integrate requirements of EPA's reengineered integrity process, specifically those that
pertain to developing and evaluating program strategies and guidance, into relevant
Agency guidance memoranda and program evaluation curriculum.
CHAPTER 2 RECOMMENDATIONS
[Note: We recommend that the following recommendations be redirected to AAs and RAs.]
Recommendation
1. Advise National Program Managers and senior Agency managers to stress to their staffs
that Integrity Act implementation is mission critical. Incorporate this emphasis into specific
Integrity Act and overall management training courses, management policies and procedures,
and senior managers' meetings.
• Response: All AAs and RAs need to stress to their senior managers and staff the
importance of Integrity Act responsibilities in achieving the Agency's mission. AAs
and RAs are accountable for timely completion of requirements in OARM's June 6,
1994 Integrity Act guidance. AAs and RAs should work together in this effort and
advise OARM of progress and barriers. We suggest changing the recommendation to
read: Advise senior managers and staff on the mission critical importance of EPA's
36
E1SFE3-07-0101-4100522
-------
Appendix 1
Page 5 of 12
importance ofEPA's reengineered integrity process to safeguarding resources and
achieving results as an integral pan of program planning, budgeting, fiscal
management, and evaluation.
Recommendation
2. Provide basic training to SROs in the new Integrity Act approach. Stress that SROs are
responsible for providing Integrity Act training to their offices.
* Response: We suggest changing the recommendation to read: Hold SROs
accountable for providing training on EPA's new integrity process in their office.
SROs should seek technical assistance from OARM, as necessary, in providing
training that includes: basic Integrity Act elements as a management tool for
preventing problems; the relationship of these elements to program planning,
budgeting, fiscal management, and evaluation; understanding ofEPA's Management
Integrity Principles in developing and revising guidance as Agency's management
control framework; development of program-specific integrity principles and
systematic review strategies; assessment of guidance and procedures in program
reviews.
Recommendation
3. Ensure that training includes the principles of management controls and ensure that
managers and employees understand the intent and use of good management processes for
resource protection and effective and efficient mission accomplishment. Stress the early
importance of early identification of potential problems and the need for correction before
problems become critical and affect mission accomplishment.
* Response: Suggested changes to recommendation 2 incorporate this recommendation.
Recommendation
4. Ensure sufficient staff is available to bring managers up to speed on the new process and
to be sure the new process is implemented as intended.
• Response; This recommendation applies to AAs and RAs as written.
Recommendation
5. Hold managers accountable through the performance-appraisal-pfocess-for identifying and
correcting weaknesses in the way they carry out their programs and achieve results.
Recognize managers for effectively and efficiently implementing Integrity Act requirements.
o Response: This recommendation applies to AAs and RAs as written.
2
37
E1SFE3-07-0101^100522
-------
Appendix 1
Page 6 of 12
CHAPTER 3 RECOMMENDATIONS
[NOTE: We recommend that the following recommendations be redirected to Ms
Recommendation
1. Advise SROs to ensure that managers implement the new Integrity Act guidance for
assessing controls. SROs should ensure that managers fully document program review
strategies and results.
• Response: We suggest changing the recommendation to read: Hold SROs
accountable for developing annual systematic review strategies, that include
documented results and recommendations of program reviews, to evaluate guidance
and procedures in identified vulnerable areas.
Recommendation
2. For those management problems and weaknesses brought to management's attention from
external sources (e.g., OIG, GAO and other reviews), and accepted by management for
corrective action, SROS should assess and document why their program review strategy did
not discover the problem or weaknesses, and modify their strategy accordingly.
• Response: We suggest deleting this recommendation. EPA's new integrity process
- requires NPMs and Regions to develop systematic review strategies that include both
external and internal reviews to examine their identified vulnerabilities. By
definition, offices may use external review results to inform their judgment on needed
corrective actions to address a program vulnerability.
Recommendation
3. Advise National Program Managers to ensure that corrective action and validation of
current material weaknesses is based on assessment in the field as well as at the Headquarters
level.
• Response: This recommendation applies to AAs and RAs as written.
Recommendation
4. Ensure that Agency guidance and procedures for reporting weaknesses and suggested
corrective actions through the organizational structure includes requiring managers to report
weaknesses in writing to the- National Program Manager. National Program Managers
should assess the overall magnitude of reported weaknesses and corrective actions or
document the rationale for not reporting the weaknesses.
• Response: This recommendation applies to AAs and RAs as written.
38
E1SFE3-07-0101-4100522
-------
Appendix 1
PAge 7 of 12
ATTACHMENT 2
FACTUAL INACCURACIES IN DRAFT REPORT ON
EPA'S INTEGRITY ACT IMPLEMENTATION
DATED JUNE 29, 1994
UNSUPPORTED GLOBAL CONCLUSIONS BEYOND THE SCOPE OF REPORT
Several statements and assertions in the draft report refer to periods prior to the
audit's specified focus of 1992 to 1994. Additionally, several of these statements are
factually inaccurate. We recommend that the OIG remove the statements from the report or
rewrite them to be factually correct. If the assertions are based on the auditors' beliefs, then
the report should reflect this.
We recommend that the final report include the word "most" or "some" for global
conclusions not supported in fact, e.g., "Managers responded to...but did not relate the ,
process to management control system improvement." (page iii, 51). Other examples can be
found on page 6, 12, last sentence; page 9, 12, last sentence; and page 18, 13, sentence 1.
AGENCY-WIDE AA/RA MANAGEMENT ACCOUNTABILITY
The draft audit makes several statements that assign responsibility to the "Agency" for
holding managers accountable (page iv, 13, last sentence; page 10,13, last sentence; and
page 13, 11, last sentence.) Yet the draft report directs recommendations to the AA/OARM
who has direct line authority for holding only OARM managers accountable. We
recommend that the final report replace "Agency" with AAs and RAs or SROs, as
appropriate, to emphasize Agency-wide accountability for Integrity Act implementation.
OMB AND GAP POLICY GUIDANCE
The final report should discuss OMB Circular A-123, Internal Control Standards
(Revised 1986) requirements in greater detail since they provide the basis for the audit (page
2, 12). The final report should identify A-123 reporting requirements to point out the close
link with EPA's reporting procedures prior to reengineering (page 8, 13). In addition, the
audit should correctly report that OMB issued its Guidelines in December 1982, and later
published Circular A-123 in August 1983, followed by the revised Circular in 1986 (page 2,
12, sentence 4). The audit report should also correctly note that EPA, not RMD, received
OMB's waiver from the four primary A-123 requirements: event cycle documentation,
separate management control reviews, management control plans and vulnerability
assessments (page 4, 12, last sentence).
The draft report devotes extensive discussion to the 1983 GAO standards, much more
so than OMB's new policy direction or EPA's new integrity process. As the draft report
indicates, the Agency acknowledges the importance of the GAO standards and based EPA's
management integrity principles on them. We recommend that the final audit report replace
39
E1SFE3-07-0101-4100522
-------
Appendix 1
Page 8 of 12
the discussion of GAO standards (page 7) with requirements of EPA's Management Integrity
Principles since they refocus the GAO standards and extend relevance beyond their historical
financial accounting focus to programs.
The final report should consistently use the term "management" controls (not
"internal''), except when citing a historic reference (e.g., GAO Internal Control Standards).
REOUIRFMTJNTS F EPA'S
INTEGRITY
The basic premise of EPA's reengineered integrity process is the close linkage with
program planning, budgeting, fiscal management, and evaluation responsibilities. The final
audit report should explicitly cite Integrity Act compliance through "planning, budgeting,
fiscal management, and evaluation", not just "program operations" (page it, 14) or
"management activities" (page iii, 12).
To more clearly describe EPA's new integrity process, the report should identify the
basic elements: 1) assess and revise guidance and strategies to ensure adequate coverage and
consistency with EPA's Management Integrity Principles; 2) .develop administrative and
program-specific integrity principles for use Agency-wide; 3) develop systematic review
strategy, that includes program and oversight reviews, CFO and GPRA results, and other
relevant information sources, to assess effectiveness of guidance and strategies; and
4) establish building block process to identify weaknesses through the chain-of-command and
report on progress at mid-year and in annual assurance letters to the Administrator.
The final report should describe these elements in its discussion of EPA's new
integrity process (page 4, 13). At a minimum, the final report should make the following
corrections:
• "It establishes EPA's Management Integrity Principles... Agency managers are
expected to incorporate these principles into program strategies, guidance and
procedures, which serve as the Agency's management control framework to safeguard
resources and the achievement of mission goals. Agency managers are expected ... of
their programs and resources as an integral pan of program planning, budgeting,
fiscal management, and evaluation responsibilities, (page 4, 13)
• "Also, under the reengineered process, the 22 primary organization heads retain
accountability for management integrity, and refy on their Senior Resource Officials to
communicate the Agency's national management integrity guidance,... OARM is
currently streamlining its office and plans to eliminate RMD, transferring its
functional responsibilities elsewhere within the OfficeTrfthe Comptroller." (page 4,
14)
• "Through its Integrity Act reengineering, the Agency has adopted a system that
integrates responsibilities for identifying, preventing and correcting problems into
2
40
E1SFE3-07-0101-4100522
-------
Appendix 1
Page 9 of 12
program planning, budgeting, fiscal management, and evaluation. The Agency will
identify vulnerabilities through its strategic planning process and develop and carry
out a systematic review strategy to assess these vulnerabilities, (page 6, 11)
• "Other National Program Managers are expected to develop program-specific integrity
principles to clearly articulate policy priorities, best management practices, and
current guidance in effect, (page 10, 12, sentence 3)
« "Because the new process aligns integrity responsibilities with program planning,
budgeting, fiscal management, and evaluation, program managers will strengthen
accountability for identifying weaknesses through the chain-of-command, correct them
promptly, and prevent serious systemic problems, (page 10, 13, sentence 1)
o "The Agency's ^engineered model would make management controls purposeful by
integrating them with program management responsibilities. The new guidance ...
functions to determine their consistency with the Agency's management integrity
principles. {Delete next sentence.] ... The Agency's approach can only work if senior
managers emphasize management integrity in program planning, budgeting, fiscal
management, and evaluation, (page 12, 14)
RMD GUIDANCE
The draft report states that "the Agency has segregated the Integrity Act
implementation from other management activities" (page iii, 11, sentence 1). It is unclear
whether the draft report means that RMD guidance intended this segregation or that incorrect
interpretation by Agency managers resulted in a separate function. Various EPA guidance
documents, based on OMB Circular A-123, continually emphasized that Integrity Act
activities were a critical part of basic management. The Deputy Administrator, at several
Senior Council on Management Controls (SCMC) meetings, specifically reemphasized this.
The draft report suggests that RMD first recognized that the Integrity Act process was
not working in 1992 (page 4, 12, sentence 1). In fact, RMD recognized this much earlier.
RMD attempted to use the results of the OIG's annual special reviews of Integrity Act
implementation to help EPA strengthen the program. Even though each OIG review found
that the Agency was implementing the Integrity Act in a reasonable and prudent manner,
RMD worked with the OIG and the Agency to address OIG recommendations, concerns and
observations. We suggest that the OIG delete the statement, "RMD could have provided-
more effective oversight prior to 1993." (page iii, 13, sentence 5).
Additionally, when the OIG Central Audit Division met witrTRMD in planning for the
Regional audits that led to the capping report; RMD expressed concern that the Agency was
overemphasizing paper compliance rather than accountability by Agency managers to achieve
the intent of the Integrity Act: RMD asked that the auditors move away from assessing paper
work compliance to assessing true Integrity Act implementation.
3
41
E1SFE3-07-0101-4100522
-------
Appendix 1
Page 10 of
12
The draft report suggests (page 3, 13) that the }89 Internal Control Guidance for
Managers and Coordinators was the only major guidance issued for Agency Integrity Act
implementation. In fact, RMD issued major guidance at least annually prior to 1993, and
quarterly during FY 1993.
The draft report suggests that managers were not encouraged to report weaknesses
other than Presidential-level (page 17,11, last sentence). In fact, each year the Primary
Organization Heads (POHs) reported about 200 Agency-level weaknesses to the Deputy
Administrator in their assurance letters. RMD tracked these weaknesses in the Agency's
Corrective Action Tracking System.
REVIEWS AND BUTT .nTNfi KLOCK IDENTIFICATION OF WEAKNESSES
The draft report inaccurately asserts that "Agency managers were encouraged to count
activities which did not test controls as control reviews" (page 18, 113&4). The draft report
makes a similar assertion - "RMD advised managers to count as many activities as possible
as AMCRs." (page 19, 13, sentence 3). In fact, just the opposite is true. RMD annual
guidance and training materials (e.g., 1990, 1991, 1993) specifically identified criteria for
reviews to be listed in Management Control Plans (e.g., testing of management controls;
written report to document review results and corrective actions).
The draft report makes numerous and unclear references to the "Integrity Act process"
(page iii, 11, sentence 3; page iv, 12, sentence 2; page 4, 12, sentence 1; page 5, 11,
sentence 3 and 14, sentence 1; page 14, 11, sentences 5 and 6; page 15, 12, sentence 1 and
14, sentence 1; page 16, 12, sentence 1). Three different implied meanings include: 1) the
process for identifying weaknesses through the chain of command; 2) the process for
identifying weaknesses through program reviews originated and conducted by an office; and
3) overall Agency process to implement the Integrity Act, including accountability structure
and reporting requirements.
The draft report also uses the term "control process1* (page 6, 12, sentence 2)
interchangeably with the "Integrity Act process," conveying the second meaning identified
above.
We are concerned that the draft audit report is promoting a narrow interpretation that
primarily singles out "control reviews" for identifying weaknesses. This is inconsistent with
EPA's new integrity process that emphasizes management judgment in identifying program
vulnerabilities through strategic planning and developing systematic review strategies to
evaluate these vulnerabilities. Other than two brief paragraphs (pages 16 and 20), the draft
audit report does not discuss the review concept and requirements of EPA's reengineered
process. Moreover, the draft report appears to denigrate management judgment in
identifying weaknesses (page IS, 12, sentence 2 and 14, second bullet). We suggest that the
final report refocus its discussion of reviews to be consistent with EPA's reengineered
pKX-SSS.
4
42
E1SFE3-07-0101-4100522
-------
Appendix 1
PAge 11 of
12
CHAIN-OF-COMMAND REPORTING OF WEAKNESSES TO NPMg
Regarding the reporting of weaknesses through the chain-of-command, we believe the
OIG has inaccurately characterised RMD's actions (page iv, 13, third sentence; page 3, 54;
and implied throughout page 17).
The draft report suggests EPA did not have a formal process for offices to raise
weaknesses to other program offices. This is not true. RMD included specific language in
formal guidance that addressed this (e.g., 1990 and 1991 guidance: "If you believe a
material weakness exists in the Agency but must be addressed by another office, you should
notify the appropriate office in a separate memorandum, with a copy to RMD. Work with
the other office to raise and investigate the issue, so that those offices can determine whether
to report it in their Integrity Act report."
The draft report incorrectly states that EPA's new integrity guidance "does not clearly
stress the benefit of reporting weaknesses up and down the organizational chains and across
media lines." (page 18, 12, sentence 2) We refer you to page 6, 112, 3 and 4 of RMD's
June 6, 1994 guidance memorandum.
Additionally, the final report should note that RMD analyzed AA and RA assurance
letter weaknesses and prepared matrices showing cross-cutting Agency programmatic
problems that may not have surfaced to the National Program Manager (NPM). The former
SCMC and current Senior Leadership Council used these analyses to assess the severity of
the problem and support their decisions on material weaknesses included in the Agency's
annual Integrity Act Report to the President and Congress.
The draft report makes several references to POHs reporting weaknesses to RMD,
thereby by-passing EPA senior management (page iv, 12, third sentence; page 14, 11,
sentence 4; page 16, 12, sentence 3; and page 16, 13, sentence 1). While RMD did request
to receive reports on weaknesses, RMD always advised the program and Regional offices to
report these weaknesses to the affected NPMs as well. In all cases, POHs provided their
assurance letters directly to the Deputy Administrator in accordance with EPA's chain-of-
command. RMD received copies of these assurance letters.
ACCOUNTS RECEIVABLE
We recommend deleting accounts receivable (page 17) as an example that "the
Agency did not always report its material weaknesses in a timely manner," because it is
factually inaccurate. The draft report does not recognize early and continuing actions taken
by EPA to identify and address accounts receivable problems through the chain-of-command.
For example, in 1990 EPA issued Chapter 9 of the Resource Management Directive 2S40D
to prescribe detailed procedures for handling accounts receivable, and in 1991, EPA formed
the Accounts Receivable Task Force, which conducted Regional reviews to verify the
E1SFE3-07-0101- 4100522-
-------
Appendix 1
Page 12 of 12
completion of corrective actions. EPA management declared accounts receivable a material
weakness in 1992 as a result of the continuing problems disclosed by these reviews.
TRAINING
The draft report does not address that the primary responsibility for front-line
management integrity training rests with the SROs. It is unclear from the draft audit report
"who" provides training (page 6, 12, last sentence; and page 11, 14, sentence 1).
Additionally, the draft report suggests (page 12, 14, last sentence) that RMD "just
now" recognizes the need for additional resources to conduct training. In reality, since the
inception of the program, RMD has recognized that training is critical to successful Integrity
Act implementation. However, past and continuing travel and staff resource constraints have
limited RMD's ability to conduct national training.
The draft report states (page 11, 15, sentence 1) that "RMD developed the
management integrity training package and presented it to Management Control Coordinators
(MCCs) in June 1993." Given resource constraints in the late 1980s, RMD prepared a
"train-the-trainer" package for MCCs to use in training their managers.
The draft report implies that training consisted of two-hour boiler plate sessions (page
11, 14, sentence 2). Over the years, RMD has worked with MCCs to tailor training that is
responsive to office needs and focuses on relevant program issues.
QARM REORGANIZATION
The draft report refers to the potential future location of Integrity Act oversight
responsibilities (page 4, last sentence). The OIG should clarify that RMD will no longer
exist as an organization and that its functions will be transferred elsewhere within the Office
of the Comptroller. As currently written, the statement gives the impression that RMD will
still exist, but with other duties.
6
44
E1SFE 3-0.7-010 1^.100522
-------
EPA's Integrity Act Implementation
APPENDIX II
ABBREVIATIONS
Agency
AA
CAAA
CFO
GAO
GPRA
Integrity Act
MCC
OARM
DIG
OMB
ORD
OSWER
RA
RMD
SRO
Environmental Protection Agency
Assistant Administrator
Clean Air Act Amendments
Chief Financial Officer
General Accounting Office
Government Performance and Results Act
Federal Managers' Financial Integrity
Act of 1982
Management Control Coordinator
Office of Administration and Resources
Management
Office.of Inspector General
Office of Management and Budget
Office of Research and Development
Office of Solid Waste and Emergency
Response
Regional Administrator
Resource Management Division
Senior Resource Official
45
E18FE3-07-0101-4100522
-------
EPA's Integrity Act Implementation
APPENDIX III
DISTRIBUTION
Office of Inspector General
Inspector General (2410)
Headquarters Office
Assistant Administrator and Chief Financial Officer (3101)
Assistant Administrators
Comptroller (3301)
Director, Resource Management Division (3304)
Agency Followup Official; Attn: Director, Resource
Management Division (3304)
Director, Financial Management Division (3303)
Associate Administrator for Regional Operations and
State/Local Relations (1501)
Associate Administrator for Congressional and Legislative
Affairs (1301)
Headquarters Library (3304)
Regional Office
Regional Administrators
46
E1SFE3-07-0101-4100522
------- |