I Office of Inspector General
Audit
Office of Water's Implementation of the Federal
Managers' Financial Integrity Act
E1AME4-07-0024-4100236
March 31, 1994
-------�
Inspector General Division Central Audit Division
Conducting the Audit: Kansas City, Kansas
Headquarters Office: Office of Water
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
March 31, 1994
OFFICE OF
MEMORANDUM THE INSPECTOR GENERAL
SUBJECT: Office of Water's Implementation of the
Federal Managers' Financial Integrity Act
Report No. E1AME4-07-0024-4100236
FROM: Michael Simmons
Associate Assistant Inspector General
for Internal and Performance Audits
TO: Robert Perciasepe
Assistant Administrator
Office of Water
Our report on the Office of Water's (OW) implementation
of the Federal Managers' Financial Integrity Act is attached.
We conducted the audit as part of a nationwide audit of the
Environmental Protection Agency's (EPA) Integrity Act
implementation. We discussed our findings with your Policy
and Resources Management office and issued a draft report.
We summarized your comments to the draft report and exit
conference discussions in the report. Your complete response
is included as Appendix I to the report.
Our overall audit objective was to determine if OW
effectively implemented the Integrity Act to ensure its
resources were reasonably protected from fraud, waste, abuse,
and mismanagement. Specifically, our objectives were to
determine if OW: (1) developed accurate annual management
control plans (MCP) , (2) evaluated management controls
appropriately, (3) reported the evaluation results accurately
and implemented timely corrective actions when necessary, and
(4) established management control responsibilities in
managers' performance standards and trained managers in their
responsibilities .
OW emphasized the Integrity Act implementation through .
increased training and by including Integrity Act
requirements in performance agreements. However, to
effectively implement the Integrity Act, managers needed to
tie the processes for planning, evaluating, and reporting to
day-to-day operations.
Recycled/Recyclable
Printed with Soy/Canola Ink on paper that
contains at least 50% recycled fiber
-------�
In accordance with our longstanding agreement outlined
in EPA Order 2750, we request that you, as the action
official, provide us your written response to the audit
report within 90 days. Your comments should address all
findings and recommendations and include planned corrective
actions and milestones for completing the actions.
This audit report contains findings that describe
problems the Office of Inspector General (OIG) has identified
and corrective actions OIG recommends. This audit report
represents the opinion of OIG. Final determinations on
matters in this audit report will be made by EPA managers in
accordance with established EPA audit resolution procedures.
Accordingly, the findings described in this audit report do
not necessarily represent the final EPA position. We have no
objections to the release of this report to the public.
If your staff has..a'ny questions, please have them
contact Nikki Tinsley, Divisional Inspector General, at (913)
551-7824 or Bennie Salem, Audit Manager, at (913) 551-7831.
Attachment
i
Report NO. E1AME4-07-0024-4100236
-------�
EXECUTIVE SUMMARY
PURPOSE
In 1992, the Senate Committee on Governmental Affairs raised
questions with the Environmental Protection Agency's (Agency)
Inspector General regarding the adequacy of Agency controls
to detect significant management and program weaknesses.
Also, the Comptroller General stated that management controls
are necessary to account properly for resources and to help
managers positively achieve program objectives by serving as
checks and balances against undesired actions. This audit
was part of a nationwide audit of the Agency's Integrity Act
implementation.
The overall audit objective was to determine if the Office of
Water (OW) effectively implemented the Integrity Act to
ensure its resources were reasonably protected from fraud,
waste, abuse, and mismanagement. Specifically, our
objectives were to determine if OW: (1) developed accurate
annual management control plans (MCP), (2) evaluated
management controls appropriately, (3) reported the
evaluation results accurately and implemented timely
corrective actions when necessary, and (4) established
management control responsibilities in managers' performance
standards and trained managers in their responsibilities.
BACKGROUND
The Federal Managers' Financial Integrity Act of 1982
(Integrity Act), P.L. 97-255, amended the Accounting and
Auditing Act of 1950 and required agencies to conduct ongoing
evaluations of the adequacy of their accounting and
administrative control systems and report annually to the
President and Congress. Annual reports must cite material
weaknesses in agencies' control systems. To provide
reasonable assurance that agencies achieved the Integrity Act
objectives, the Integrity Act required agencies to evaluate
the control systems annually against General Accounting
Office (GAO) standards and Office of Management and Budget
guidance.
The Resource Management Division in the Office of
Administration and Resources Management, Office of the
Comptroller, coordinates the Agency's Integrity Act efforts....
The Agency is divided into 22 major organizational components
and has designated a primary organization head for each
organizational component to administer the Integrity Act
process. OW's primary organization head is the Assistant
i
Report No. E1AME4-07-0024-4100236
-------�
Administrator. Each primary organization head delegates an
individual to coordinate, monitor, and implement Agency
internal control guidance within its organization. OWs
Assistant Administrator designated a budget analyst in the
Budget and Administrative Management Staff in OWs Policy and
Resources Management Office as the Management Control
Coordinator. The budget analyst has responsibility for OWs
compliance with the Integrity Act.
RESULTS IN BRIEF
OW instructed managers on the Integrity Act processes and
submitted the required reports, but managers did not
effectively integrate the Integrity Act concepts-into
management activities. OW managers exhibited a positive
attitude, properly established Integrity Act responsibilities
in managers' fiscal 1993 performance agreements, and reported
control weaknesses. However, managers implemented the
Integrity Act as a process apart from other management
activities, and did not fully understand how the Integrity
Act process and management controls related to mission
accomplishment. Integrity Act training did not improve
managers' use of Integrity Act principles. OW managers did
not identify all control systems with the related policies
and procedures used to operate the systems, and did not
evaluate the management processes. As a result, OW's
Integrity Act efforts had not contributed to the efficiency
and productivity of the organization.
OW s MCP did not provide an adequate strategy for
implementing the Integrity Act in accordance with GAO
standards. Assessable unit managers had not listed all of
their programs and functions with associated risk levels and
appropriately scheduled evaluations. In addition, managers
did not test controls and perform scheduled control
evaluations. OW needed a complete list of programs and
functions including new and changing programs and functions
to ensure managers identified, documented, and evaluated
management controls. As a result, OW did not adequately
implement the Integrity Act and ensure that systems worked as
intended.
RECOMMENDATIONS
We recommend that the Assistant Administrator for. OW improve
the administration of the Integrity Act and tie it more
closely to daily program management by requiring managers to:
(1) identify and list all programs and functions, (2) use
risk assessments of programs and functions to prioritize
control reviews, and (3) plan and conduct their own reviews
11
Report No. E1AME4-07-0024-4100236
-------�
to evaluate and test documented controls. To tie the
Integrity Act concepts into their jobs, managers need
comprehensive training on incorporating the Integrity Act
processes into their daily activities.
AGENCY COMMENTS AND PIG EVALUATION
OW identified two factors it considered when implementing
programs and the Integrity Act. First, OW's programs are
decentralized and program managers are responsible to
Regional Administrators. Second, OW managers meet with
Regional counterparts and discuss and identify problems
outside the Integrity Act process. OW committed to integrate
management integrity concepts into its program and provide
training to managers. OW expressed concern about
implementing the recommendations prior to EPA implementing
its new Integrity Act model and said that improvements in
management integrity should be based on the new model.
We added information to the report to acknowledge OW for
identifying and discussing problems in managers' meetings.
OW's programs may be decentralized, but delegation of program
performance does not relieve OW of its responsibility and
accountability to use Agency resources to effectively and
efficiently achieve program goals and objectives. The
policies and procedures that OW and Regional managers discuss
and improve need to be documented and periodically tested to
assure programs are achieving desired results, to give
credence to OW actions and comply with the intent of the
Integrity Act. We revised our recommendations to reflect
actions necessary for OW to comply with the Integrity Act,
GAO standards, and the new Agency model.
111
Report No. E1AME4-07-0024-4100236
-------�
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY i
CHAPTERS
1 INTRODUCTION 1
PURPOSE 1
BACKGROUND 2
SCOPE AND METHODOLOGY : 3
PRIOR AUDIT COVERAGE 4
2 OW NEEDED TO APPLY INTEGRITY ACT
CONCEPTS TO ONGOING OPERATIONS 5
GAO PRESCRIBES INTEGRATING CONTROLS
INTO MANAGEMENT SYSTEMS 5
OW NEEDED TO INTEGRATE INTEGRITY ACT PROCESS
INTO ONGOING MANAGEMENT ACTIVITIES 6
OW MANAGERS NEEDED TO UNDERSTAND THEIR
INTEGRITY ACT RESPONSIBILITIES 7
OW SHOULD EXCHANGE INTEGRITY ACT INFORMATION
WITH REGIONAL PROGRAM OFFICES 8
CONCLUSION 8
RECOMMENDATIONS 9
AGENCY COMMENTS AND DIG EVALUATION 9
3 OW NEEDED TO DEVELOP A STRATEGY
FOR IMPLEMENTING THE INTEGRITY ACT 10
GAO STANDARDS PROVIDE THE FRAMEWORK FOR
IMPLEMENTING THE INTEGRITY ACT 10
OW NEEDED TO IDENTIFY ALL ACTIVITIES WHEN IT
DETERMINED WHICH CONTROL SYSTEMS TO REVIEW . 11
OW NEEDED TO RATE PROGRAM AND FUNCTION RISK . . 11
OW NEEDED TO TEST CONTROLS 12
CONCLUSION 14
Report No. E1AME4-07-0024-4100236
-------�
RECOMMENDATIONS 14
AGENCY COMMENTS AND DIG EVALUATION 14
APPENDIXES
APPENDIX I: AGENCY COMMENTS 15
APPENDIX II: ABBREVIATIONS 19
APPENDIX III: DISTRIBUTION 20
Report No. E1AME4-07-0024-4100236
-------�
CHAPTER 1
INTRODUCTION
PURPOSE
The Federal Managers' Financial Integrity Act of 1982
(Integrity Act) required agencies to conduct ongoing
evaluations and report annually to the President and Congress
on the adequacy of their accounting and administrative
control systems. Also, the Comptroller General stated that
management controls are necessary to account properly for
resources and to help managers positively achieve program
objectives by serving as checks and balances against
undesired actions. As required by the Integrity Act, the
Comptroller General prescribed the management control
standards and Office of Management and Budget (OMB)
established guidelines for agencies to implement the
Integrity Act process.
The Office of Inspector General (OIG) provides technical
assistance to improve the Environmental Protection Agency's
(Agency) management controls and reports to the Administrator
on the Agency management control efforts each year. In 1992,
the Senate Committee on Governmental Affairs raised questions
regarding the adequacy of Agency controls to detect
significant management and program weaknesses. As a result,
OIG expanded audit coverage of the Agency's Integrity Act
process and performed a nationwide audit of the Agency's
Integrity Act implementation. The Office of Water (OW) audit
was part of that nationwide effort.
OW provides Agency-wide program policy, guidance, and
direction for the Agency water programs. The Agency charges
OW with protecting the environment and human health from
hazardous water contamination through the development of
environmental and pollution source standards. OW is
responsible for evaluating regional activities to ensure
enforcement, compliance, and permitting activities minimize
water pollution. OW is responsible for providing scientific
technical assistance and developing long-term strategic
planning and long-term environmental and economic analysis
for implementation of pollution prevention strategies
nationwide. OW received annual appropriations of about $189
million and had about 640 full-time equivalents to operate
its national program office and oversee water programs
administered by the 10 regions in fiscal 1993. . .
Our overall audit objective was to determine if OW
effectively implemented the Integrity Act to ensure OW's
resources were reasonably protected from fraud, waste, abuse,
1
Report No. E1AME4-07-0024-4100236
-------�
and mismanagement. Specifically, our objectives were to
determine if OW:
developed annual management control plans (MCP)
that properly identified organizational components
with associated risk levels and provided for
necessary management control evaluations,
evaluated management controls appropriately and
determined management control systems'
effectiveness,
reported the evaluation results accurately and
implemented timely corrective actions when
necessary, and
established management control responsibilities in
managers' .performance standards and trained
managers in their responsibilities.
BACKGROUND
The Integrity Act amended the Accounting and Auditing Act of
1950. The Integrity Act required agencies' to establish
control systems in accordance with General Accounting Office
(GAO) standards issued by the Comptroller General (also
identified as GAO standards). According to the Integrity
Act, agencies' control systems should provide reasonable
assurance that agencies protect Government resources against
fraud, waste, mismanagement, or misappropriation and
effectively and efficiently manage both existing and new
program and administrative activities. Further, the
Integrity Act requires agencies to evaluate their systems
annually against GAO standards following OMB guidance and
report the results to the President and Congress.
Standards For Internal Control In The Federal Government.
dated June 1, 1983, presents GAO internal control standards
and constitutes criteria against which systems should be
evaluated. The standards apply to all operations and
administrative functions. OMB Circular A-123 (Revised),
dated August 4, 1986, requires each agency to establish,
maintain, evaluate, improve, and report on its systems of
controls. OMB issued guidelines for the process in 1982.
OMB defines management controls to include an entity's
organization; written policies and procedures; explicit
statements of organizational mission and corresponding
standards for mission performance; systems for evaluating
performance against existing laws, regulations, policies, and
performance standards; system controls; and recognized
2
Report No. E1AM14-07-0024-4100236
-------�
accounting controls. Management control weaknesses result
when controls are not designed adequately or functioning
effectively.
The Resources Management Division (RMD) in the Office of the
Comptroller, Office of Administration and Resources
Management, coordinates the Agency's Integrity Act efforts.
The Agency is divided into 22 major organization components
and has designated a primary organization head for each
organizational component to administer the Integrity Act
process. The primary organization head must annually
evaluate Integrity Act compliance and report the results.
Each primary organization head delegates an individual to
coordinate, monitor, and implement Agency internal control
guidance within its organization.
OWs primary organization head is the Assistant Administrator
and a budget analyst in the Budget and Administrative
Management Staff in OWs Policy and Resources Management
Office is the Management Control Coordinator (MCC). OW had
15 assessable units as of fiscal 1993 whose managers are
responsible for operating efficient and effective management
control systems, evaluating the control systems, and taking
timely corrective actions on all identified weaknesses.
Currently, OMB is revising Circular A-123 and RMD is
reengineering its management integrity process. RMD
envisions an approach that simplifies the process by
integrating it into ongoing management activities. Both the
OMB guidelines and the Agency's process must incorporate the
Comptroller General standards as required by the Act.
SCOPE AND METHODOLOGY
We performed our fieldwork from August 1993 through December
1993 and focused on OW's Integrity Act implementation and
reporting in fiscal 1992 and 1993. We evaluated
vulnerability assessments and MCPs to determine whether OW
identified and properly scheduled reviews of programs and
functions. We reviewed event cycles, control objectives, and
control techniques to determine whether OW properly
documented its management processes and procedures. We
reviewed OW's strategic plan and compared it to OW's
Integrity Act processes for integration of both processes.
Also, we judgmentally selected 10 of OW's 63 fiscal 1992 and
1993 control reviews and evaluated if the reviews met OMB
criteria. We selected at least one control review from each
division that had completed a review. We reviewed OW's
fiscal 1992 and 1993 assurance letters and program offices'
sub-assurance letters to determine if OW properly used the
Integrity Act process to identify weaknesses. In addition,
we evaluated the MCC's oversight and coordination of the
3
Report No. E1AME4-07-0024-4100236
-------�
Integrity Act process to determine if it was properly
implemented. We judgmentally selected and reviewed fiscal
1992 and 1993 performance agreements, 1993 appraisals, and
training records for 20 individuals: the Acting Assistant
Administrator, 2 high level policy staff managers, the MCC,
the 5 sub-MCCs, 4 office directors, and 7 division directors
to determine if OW established management control
responsibilities in managers' performance agreements, held
managers accountable for Integrity Act implementation, and
trained managers in their responsibilities. The sample
selection was designed to include a representative sample of
the key managers responsible for the Integrity Act process in
OWs six divisions. Also, we interviewed managers to
determine if they had a general understanding of the
Integrity Act process and their responsibilities.
We conducted the audit in accordance with Government Auditing
Standards (1988 Revision) issued by the Comptroller General
of the United States. The findings in this report include
control weaknesses identified during the audit and our
recommendations to correct the weaknesses, when appropriate.
No other issues came to our attention which we believed were
significant enough to warrant expanding the scope of the
audit.
PRIOR AUDIT COVERAGE
OIG and GAO have audited the Agency's Integrity Act process
and reported deficiencies since 1983. For example, the OIG
audit of the Agency's 1989 Integrity Act process reported
control reviews did not properly test controls and not all
major activities had been identified. Based on recent audits
of Regions 1, 7, and 8 Integrity Act implementation, we
determined that further audit of the administration and
implementation of the Integrity Act process at the Agency
Headquarters level was warranted. Regional audits disclosed
a general lack of understanding of the Integrity Act process.
Managers had not developed proper MCPs, scheduled control
evaluations, and evaluated existing controls. Managers were
not adequately trained on the Integrity Act and held
accountable for implementing effective management control
systems. Regional personnel stated they did not understand
that the Integrity Act was a necessary mechanism to ensure
mission accomplishment.
4
Report No. E1AME4-07-0024-4100236
-------�
CHAPTER 2
OW NEEDED TO APPLY THE INTEGRITY ACT CONCEPTS
TO ONGOING OPERATIONS
OW instructed managers on the Integrity Act processes and
submitted the required reports, but managers did not
effectively integrate the Integrity Act concepts into
management activities. OW managers exhibited a positive
attitude, properly established Integrity Act responsibilities
in managers' fiscal 1993 performance agreements, and reported
control weaknesses. However, managers did not understand the
link between their management processes and Integrity Act
requirements and stated they did not fully understand how the
Integrity Act related to mission accomplishment. Integrity
Act training was insufficient. As a result, OW managers did
not identify and assess risk for all control systems, and
properly evaluate management controls. OW's Integrity Act
efforts had not contributed to the program efficiency and
effectiveness nor to mission accomplishment.
GAP PRESCRIBES INTEGRATING CONTROLS
INTO MANAGEMENT SYSTEMS
GAO identifies internal (now called management) controls as
an integral part of the systems managers use to regulate and
guide their operations. The Comptroller General Standards
define the minimum level of quality acceptable for management
control systems and constitute the criteria against which
systems are to be evaluated. They apply to all operations
and administrative functions. The standards include the
following requirements:
Managers and employees should have clear lines of
authority and responsibility. Duties, responsibilities,
and accountabilities should be clearly communicated to
staff members. Performance appraisals should be based
on an assessment of implementation and maintenance of
effective management controls.
Managers and employees are to maintain a level of
competence that allows them to accomplish their assigned
duties, as well as understand the importance of
developing and implementing good management controls.
Individuals should be given the necessary formal and
on-the-job training.
GAO recognized that management controls facilitate the
achievement of management objectives by serving as checks and
balances against undesired actions. In preventing negative
5
Report No. E1AME4-07-0024-4100236
-------�
consequences from occurring, management controls help achieve
the positive aims of program managers.
The Integrity Act process begins at the point at which a
program or function has been authorized by the policy-level
official having authority to do so, and focuses on the steps
involved in program operation. Management controls include
the plan of organization, methods, and procedures adopted by
management to ensure that it meets its goals and objectives.
The Integrity Act process should be incorporated into the
routine of daily management activities.
OW NEEDED TO INTEGRATE INTEGRITY ACT PROCESS
INTO ONGOING MANAGEMENT ACTIVITIES
Managers did not integrate the Integrity Act process into
ongoing management activities as envisioned by the Act and
GAO standards. OW managers identified and discussed programs
and problems in management meetings, but did not link the
meetings to Integrity Act requirements. As a result, OW
managers prepared documents that they did not use and that
did not improve controls or benefit their organizations.
Managers implemented the Integrity Act as a process apart
from other management activities. They prepared time
consuming paperwork that addressed Integrity Act requirements
for planning, documenting, and evaluating controls and met
RMD milestones, but they did not increase efficiency and
productivity of OW's operations as a result of applying the
process.
As part of the strategic planning process, OW managers
appropriately identified the need for environmental risk
indicators to prioritize work and direct resources. At the
time of our review, OW's strategic plan had not been
completed and did not address why and how the water quality
goals and objectives would be met. Likewise, OW's control
documentation did not identify how its managers would achieve
the goals of the strategic plan.
After identifying priorities, managers should have identified
obstacles to accomplishing strategic plan objectives and
program goals (e.g., outdated written guidance). They should
have then documented controls necessary to produce the
desired results (e.g., written policies and procedures).
OW advised us that it reviewed program performance outside
the Integrity Act process through meetings and discussions.
For example, Office Directors, the Deputy Assistant
Administrator, and the Assistant Administrator had quarterly
meetings with Water Division Directors during which they
identified and discussed key problems, established follow-up
6
Report No. E1AME4-07-0024-4100236
-------�
actions as needed, and shared regional experiences. Program
offices met with their program counterparts at least annually
where program-specific problems were identified and discussed
in greater detail. As a result of the meetings, OW issued
guidance and direction. To integrate these management
meetings with the Integrity Act requirements and GAO
standards, OW could have based problem discussions on
documented reviews of policies and procedures and later
tested revised policies and procedures to ensure they
produced desired results.
OWs mission states that it is responsible for developing and
implementing a nationwide policy for water quality programs.
If OW managers had integrated the Integrity Act's
documentation requirements with the strategic planning
process, they would have identified and reviewed controls to
ensure the strategic plan achieved short-term goals. Also,
they would have identified and tested controls to ensure that
accomplishing short-term goals would lead to achieving the
long-term goals of the strategic plan.
OW MANAGERS NEEDED TO UNDERSTAND THEIR
INTEGRITY ACT RESPONSIBILITIES
OW appropriately established Integrity Act responsibilities
in fiscal 1993 performance agreements we reviewed, but OW
managers acknowledged they needed a better understanding to
perform their Integrity Act responsibilities. OW emphasized
the Integrity Act by developing and presenting Integrity Act
training to several OW groups, but managers stated they still
did not know how to relate the Integrity Act processes to
their jobs. To improve their understanding of the Integrity
Act process, OW management volunteered to pilot the new RMD
Integrity Act model.
We could not determine the degree to which managers were held
accountable for implementing Integrity Act requirements. OW
appropriately included Integrity Act responsibilities in
managers' performance agreements, but appraisals contained
only numerical ratings and did not discuss specifics of
managers' Integrity Act performance. For fiscal 1992, 13 of
the 19 performance agreements reviewed (68 percent) contained
Integrity Act responsibilities. In 1992, the MCC reminded
managers that their performance agreements had to include
Integrity Act responsibilities. For fiscal 1993, 19 of 20
managers' performance agreements (95 percent) contained
Integrity Act responsibilities.
Nineteen of the 20 managers received some form of Integrity
Act training, but the training did not significantly improve
managers' use of Integrity Act principles to evaluate their
controls. Six managers received formal classroom training
7
Report No. E1AME4-07-0024-4100236
-------�
and 13 received some informal training. Although managers
received training, they did not understand how to integrate
into their jobs the Integrity Act concepts of identifying
program risk, planning and performing control reviews, and
strengthening controls. The MCC and sub-MCCs stated that the
biggest obstacle in implementing the Integrity Act was
helping managers understand the correlation between risk
assessments, MCPs, and control evaluations. Managers
associated the Integrity Act with paperwork, .not with
accomplishing the water program mission.
OW SHOULD EXCHANGE INTEGRITY ACT INFORMATION
WITH REGIONAL PROGRAM OFFICES
Audits of the Integrity Act process in three regions
disclosed that regions had not developed adequate program
controls because regional program managers did not understand
what constituted a control. OW could better ensure program
offices accomplish the overall water program goals and
objectives by collaborating with regional program offices to
identify controls, evaluate risk, and review program
accomplishments in order to improve controls. OW could use
weaknesses identified by regions as early warnings of
potential program-wide problems, indicators that weaknesses
exist that affect the successful accomplishment of OW's
overall program goals and objectives and could disseminate
information on improved controls developed by regions. In
appropriate instances, OW could develop standardized water
program controls to ensure that regions support and fulfill
the Agency and program goals, since part of OW's mission is
to evaluate regional programs. OW advised us that the
Headquarters program oversight role is being reduced; this
makes its collaborative efforts to strengthen regional
capabilities more important.
CONCLUSION
OW managers followed annual Agency Integrity Act guidance but
did not properly apply the processes to achieve the intent of
the Integrity Act. Managers needed to tailor Integrity Act
guidance to their specific programs and functions to benefit
from using the Integrity Act process. Managers attempted to
interpret and understand Agency Integrity Act guidance, but
were not successful because they did not understand the
intent of Integrity Act requirements and RMD's guidance
needed improvement. OW managers need to understand the
Integrity Act concepts and apply the processes to their jobs
for management integrity to be successful.
8
Report No. E1AME4-07-0024-4100236
-------�
RECOMMENDATIONS
We recommend that the Assistant Administrator:
1. Establish procedures to ensure that all managers
integrate Integrity Act requirements into management
activities and instruct managers on the correlation
between the processes. Direct controls toward effective
and efficient implementation of OWs strategic plan.
2. Develop model management principles to share with
regional program offices to build core integrity
concepts into existing program guidance and reviews.
Collaborate with regional program offices to identify
controls, evaluate risk, and review program
accomplishments to improve controls.'
3. Obtain results of regional control evaluations to
identify potential Agency-wide weaknesses and advise the
regions and other media when appropriate. Exchange
identified weaknesses with all regions and Headquarters
program and administrative offices, when appropriate.
For potential Agency-wide weaknesses identified by
regions, strengthen controls in written policies and
procedures.
AGENCY COMMENTS AND PIG EVALUATION
OW agreed that the Integrity Act process was not fully
integrated into daily operations, but stated that it
implemented management controls and identified weaknesses and
priorities outside the process. OW stated the Agency's
current direction is to reduce regional and State oversight,
and that regional oversight is only one of its many
activities and not its primary function. OW also stated its
resources for regional and state oversight were severely
limited.
It stated that oversight was not a primary function and
resources for regional and State oversight were severely
limited.
Integrity Act implementation can be successful when OW
managers understand and apply basic management control
principles as part of their daily operations. Existing
management processes and mechanisms such as management
meetings that anticipate, identify, and resolve mission
critical issues should be recognized as management controls
and should be linked with the Integrity Act. Integrity is
more important when oversight is limited because increasing
empowerment places greater dependence on sound management
controls.
9
Report No. E1AME4-07-0024-4100236
-------�
CHAPTER 3
OW NEEDED TO DEVELOP A
FOR IMPLEMENTING THE INTEGRITY ACT
OW s MCP did not provide an adequate strategy for
implementing the Integrity Act. Assessable unit managers had
not identified risk for all of their programs and functions
and appropriately scheduled control reviews. In addition,
managers did not perform scheduled control reviews or always
test controls when they performed a control review. As a
result, OW did not adequately implement the Integrity Act and
determine that control systems were working to ensure water
program mission accomplishment.
GAP STANDARDS PROVIDE THE FRAMEWORK FOR
IMPLEMENTING THE INTEGRITY ACT
The Integrity Act focuses on the need for Agencies to
strengthen control systems, periodically evaluate the
systems, and report significant system weaknesses. As
discussed in Chapter 2, GAO established the standards for
Agencies to follow when developing and reviewing management
control systems. In addition to the items identified in
Chapter 2, the standards require that:
Management control systems document in writing items
including an Agency's organization, plans, policies, and
procedures for accomplishing management, financial,
program (mission) and administrative (program support)
goals.
Systems documentation be readily available and easily
accessible for examination.
Agencies identify risks inherent in agency operations
and develop control systems for each agency activity and
test controls for effectiveness and efficiency.
OMB Circular A-123 requires agencies to identify their
control systems, assess the risk of controls not working to
achieve expected goals, schedule control reviews based on
risk assessments (high risk systems should be reviewed
first), perform control reviews, implement actions to correct
problems identified during control reviews, and accurately
report the results of control reviews. Managers use the MCP
to list all control systems, then to identify levels of risk
that controls won't achieve goals, and finally to schedule
control reviews.
10
Report No. E1AME4-07-0024-4100236
-------�
OW NEEDED TO IDENTIFY ALL ACTIVITIES WHEN IT
DETERMINED WHICH CONTROL SYSTEMS TO REVIEW
For fiscal 1992 and 1993, the OW MCP did not include all
programs and functions (administrative activities such as
contracts, grants, resource management activities). OW
managers stated they followed RMD's written guidance which
recommends segmenting an office according to the
organizational structure to identify control systems,
although OMB Circular A-123 recommends identifying all
programs and functions. Managers appeared to be confused by
Integrity Act terminology as illustrated by items they
identified as programs and functions.
OW appropriately identified assessable units, but unit
managers did not identify all programs and functions.
OW designated each division and major program office an
assessable unit. Assessable unit managers had not identified
all major programs and functions on the MCP and thus did not
consider all control systems when assessing risk and deciding
what programs to review. Managers had developed a more
complete list of programs and functions in their control
documentation but did not use the list to determine which
controls to review.
Managers used different approaches to segment their
assessable units in the MCP, and included terms which did not
represent programs, functions, or major activities. For
example, the Permits Division improperly listed the term
"office director" as a subunit on the fiscal 1992 and 1993
MCPs rather than listing programs or functions. The Ground
Water Protection Division improperly listed the terms "office
director" and "division director" as two subunits rather than
programs or functions. The Oceans and Coastal Protection
Division and the Wetlands Division did not identify any
component inventory on the MCPs. In addition, managers
generally did not list any administrative functions in the
MCP inventory, although some managers identified functions
such as budgeting in their control documentation.
OW NEEDED TO RATE PROGRAM AND FUNCTION RISK
OW managers did not plan control evaluations based on risk as
required by the GAO standards and the risk assessments
managers performed were not meaningful. Consequently, risk
assessments did not provide a basis to identify which
programs and functions should be reviewed immediately so that
managers could identify problems impeding mission
accomplishment and take appropriate corrective action.
Thirteen of OW's 14 fiscal 1992 vulnerability assessments did
not identify specific areas of vulnerability and were so
11
Report No. E1AME4-07-0024-4100236
-------�
broad that managers could not identify individual program and
function risk ratings. Managers assessed risk based on their
impressions of overall controls rather than specific program
and function controls. Only the Municipal Support Division's
fiscal 1992 risk assessment appropriately identified specific
areas of vulnerability and identified functions needing more
effective controls.
The Wetlands Division risk assessments were too general to
identify controls needing review. In fact, Wetlands managers
did not schedule any control reviews for the 5-year period
covered by the MCP, even though OIG's report, "Wetlands:
EPA's Implementation and Management of the Section 404
Wetlands Program" (E1HWEO-04-0291-1100434), issued
September 30, 1991, identified significant program
weaknesses. Wetlands managers should have assessed controls
over activities reported as problems as high risk and
reviewed controls during the year following the audit. OW
needed a complete list of programs and functions to ensure
managers assessed risk in all areas.
Also, OW managers should have performed vulnerability
assessments when significant program and organizational
changes occurred. For example, OW reorganized in fiscal
1991, and OW significantly changed functions in the Office of
Wastewater, Enforcement and Compliance. The Office of
Watersheds, Oceans, and Wetlands changed from three separate
offices to one office with three divisions. OW managers did
not assess the risks associated with the reorganizations to
determine if the existing control structure was adequate to
ensure program goals would be effectively and efficiently
accomplished.
OW NEEDED TO TEST CONTROLS
OW managers did not test controls as required by the
Integrity Act. ' Managers generally did not plan and schedule
control reviews, because they had not learned exactly what a
control review entailed. Managers misunderstood the purpose
of the reviews and stated that their involvement in day-to-
day operations was enough control. Some managers' comments
reflected that they did not understand the difference between
control systems and control reviews. As a result, managers
relied on external audit groups to test controls or
identified control weaknesses without testing or improving
control systems documentation.
Eight of the 10 control reviews we evaluated did not test
controls. Instead managers identified recurring activities
such as program status reports and briefings and controls
themselves as control reviews. For example, the Permits
Division reviewed and updated its permits backlog list and
12
Report No. E1AME4-07-0024-4100236
-------�
reported this activity as a control evaluation. The Health
and Ecological Criteria Division counted a cost tracking
system as a control review. The Engineering and Analysis
Division counted periodic briefings to the division director
as a control review.
OW managers did not accurately test written management
policies and procedures to see if they were working to
accomplish program goals. Control tests should evaluate
whether management policies and procedures operate as
intended. For example, managers using the cost tracking
system in the Health and Ecological Criteria Division should
establish a goal to assure data accuracy and periodically
test the accuracy of data recorded in the system as a quality
assurance measure. To evaluate the accuracy, managers could
compare a small quantity of recorded data to the actual
documents. Then, as a control review, managers could check
to see that the data accuracy tests were actually being
performed and corrective measures were taken when test
results disclosed deficiencies, or managers could perform an
independent test to compare to the data accuracy tests
performed during the period.
Managers appropriately tested controls during two control
reviews but did not document control improvements made as a
result of the reviews. Managers conducting the two
evaluations stated they found controls were inadequate or
missing and changed the way they performed their work, but
did not document the change in their written policies and
procedures. Since documentation of the new control did not
exist, managers could not ensure the new control was working
as intended through validation tests. In addition, managers
could not fully or adequately correct weaknesses identified
through management discussion and judgment, because they
could not identify the extent of the control weakness without
testing the procedures.
Managers relied on external audit groups such as OIG and GAO
to test controls. External audits of programs and functions
can be adequate substitutes for planned reviews, but OW
cannot project when outside audit groups will make reviews or
what areas will be included in the review. OW managers
should plan their own reviews of programs and functions and
cancel them if an audit or other acceptable substitute review
occurs.
OW managers identified more than half of their reportable
weaknesses outside the Integrity Act process. External audit
groups identified 14 of 26 weaknesses reported in fiscal 1992
and 1993. OW managers identified the other weaknesses
through meetings and judgment. If managers had reviewed
their controls, weaknesses might have been identified and
corrected before problems became serious. For example, OW
13
Report No. E1AME4-07-0024-4100236
-------�
managers identified and appropriately reported Confidential
Business Information (CBI) as a weakness after several boxes
of CBI were lost. Managers appropriately improved CBI
protection procedures. However, if managers had reviewed CBI
controls in accordance with the Integrity Act, the control
weakness could have been identified and corrected before OW
lost CBI.
CONCLUSION
OW managers prepared the majority of the required Integrity
Act paperwork without knowing or anticipating how each piece
fit together. OW managers prepared MCPs with no consistent
method of segmenting assessable units by programs and
functions, so risk assessments were too broad to provide a
basis to schedule control reviews. Also, OW did not identify
weaknesses through control evaluations. As a result,
managers did not use the Integrity Act process to evaluate
and report on their control systems or to improve controls.
RECOMMENDATIONS
We recommend that the Assistant Administrator:
I. Advise managers to consider all programs and functions
when assessing risk. Require managers to assess risk as
a basis for control reviews and to review controls in
high risk areas. Encourage managers to use completed
audits and other reviews as part of this assessment.
2. Require control reviews to include documented tests of
management policies and procedures and require managers
to document improvements or changes.
AGENCY COMMENTS AND PIG EVALUATION
OW expressed concern that our recommendations might not be
consistent with EPA's reengineered Integrity Act process and
said it would respond to the recommendations based on EPA's
revised Integrity Act implementation guidance.
We revised our recommendations to reflect actions necessary
for OW to comply with the Integrity Act and GAO standards,
and to implement the proposed Agency model.
14
Report No. E1AME4-07-0024-4100236
-------�
APPENDIX I
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF
WATER
MEMORANDUM
SUBJECT: Office of Water's Implementation of the Federal
Managers' Financial Integrity Act
Draft Report No E1SFE3-07^101-XXXX
FROM: / Robert Perciasepe
Assistant Administrat
TO: \J Michael Simmons
Associate Assistant Inspector General
for Internal and Performance Audits
The Office of Water has reviewed the Draft Report on OW's
Implementation of the Federal Managers' Financial Integrity Act.
We appreciate the recognition that OW managers exhibited a
positive attitude and OW has emphasized the Integrity Act
requirements through developing and presenting training,
including Integrity Act requirements in performance agreements,
and submitting the required reports.
Before addressing the specific findings and recommendations
in the Draft Report, I call to your attention two factors which
we in OW must consider when implementing our programs and FMFIA
activities.
First, we need to respect the heavily delegated status of
our programs. Water programs are the most delegated within the
Agency whose policy is to provide States, as well as our Regional
Offices, with increasing autonomy and flexibility to deal with
site-specific problems and develop site-specific solutions. We
in OW can and do set general priorities and directions, and
provide guidance in implementing program requirements. However,.
within this framework, Regions and States are being given
increasing freedom to administer their programs as they
determine. Moreover, as I trust you are aware, we can and do
provide guidance to the Regions, although Regional program
managers are responsible to their Regional Administrators.
Printed on Recycled Paper
15
Report No. E1AME4-07-0024-4100236
-------�
APPENDIX I
-2-
Second, OW identifies problems and provides management
direction and oversight to the Regions in many ways outside of
the FMFIA process which, I believe, meet the intent of FMFIA.
Many of these practices recognize the heavy delegation of our
programs. The Office Directors, Deputy Assistant Administrator,
and I have quarterly meetings with the Water Management Division
Directors during which we identify and discuss key problems,
establish follow-up actions as needed, and share Regional
experiences. Our program offices hold meetings with their
program counterparts at least annually where program-specific
problems are identified and discussed in greater detail. As a
result of these meetings, OW issues appropriate guidance and
direction.
We have two formal public advisory committees representing a
full range of our customers who are quick to point out to us
areas where EPA needs to pay more attention. Similarly, the
Office Directors and I meet regularly with the regulated
community and environmentalists who examine our activities
carefully. OW also created an ~OW/Regional SES-level IRM Steering
Committee to deal with information management problems and issues
when they were identified after this area was identified as an
Agency material weakness. These are just a few examples of our
management activities outside of the FMFIA arena. Some examples
of these activities are represented in the attached
documentat ion.
Our specific comments regarding the findings and revised
recommendations are presented below.
Chapter 2 Findings and Recommendations
Findings. OW NEEDS TO APPLY THE INTEGRITY ACT CONCEPTS TO DAILY
OPERATIONS. OW managers need to integrate the Integrity Act
processes into their daily operations. OW managers need
Integrity Act training to understand their responsibilities and
the Resource Management Division (RMD) guidance.
OW COMMENT. The OIG is correct in that the paperwork associated
with the FMFIA process is not fully integrated in day-to-day
operations. However, the OIG did not take into consideration
that there are management controls outside of the formal FMFIA
process that are being implemented effectively. In OW for . ..
example, FMFIA concepts are being implemented by managers, even
though everything does not get or reported through the formal
FMFIA process. In addition, we have identified the front-end
priorities which Agency management should be paying attention to
in our Material and Agency weaknesses.
16
Report NO. E1AME4-07-0024-4100236
-------�
APPENDIX I
-3-
1. Establish procedures to ensure that all managers integrate
the Integrity Act process into management activities and provide
managers instructions on the correlation between the processes.
SEE CLOSING REMARKS.
2. ^Share model_management principles with regional program
offices for their use in developing program controls consistent
with OW's mission and goals.
3. Obtain results of regional control evaluations to identify
potential Agency-wide weaknesses and advise the regions and other
media when appropriate. Exchange identified weaknesses with all
regions and Headquarters programs and administrative offices,
when appropriate. For potential Agency-wide weaknesses
identified by regions, strengthen controls in written policies
and procedures.
OW COMMENT ON 2 AND 3. OW sets policy and program direction
through regulations, guidance and technical assistance. We also
have developed a strategic plan that responds to our evolving
programs. Although OW conducts Regional reviews as part of
program implementation activities, Regional oversight is only one
of the many activities carried out vis-a-vis the Regions and is
not our primary function. The Agency's current direction is to
reduce Regional and State oversight and we have taken cuts in our
FY 1995 budget that significantly limit our resources for
performing oversight.
Chapter 3 Findings and Recommendations
Findings. OW NEEDS TO DEVELOP A STRATEGY FOR IMPLEMENTING THE
INTEGRITY ACT. OW needed to identify its programs and functions,
rate programs and function risks, and schedule appropriate
control evaluations.
1. Require managers to assess annually the effectiveness of
their management controls for each control system and document
the results to help ensure OW's strategic plans and goals are
achieved effectively and efficiently. Advise managers to
consider all programs and functions when assessing controls.
Encourage managers to use completed audits and other reviews as
part of this assessment. SEE CLOSING REMARKS.
2. Require control evaluations to include documented tests of
management policies and procedures and require managers to
document improvements or changes. SEE CLOSING REMARKS.
3. Require managers to schedule and conduct tests of controls on
all programs and functions within a 5-year period based on
results of vulnerability assessments and document results. SEE
CLOSING REMARKS. 17
Report No. E1AME4-07-0024-4100236
-------�
APPENDIX I
-4-
As I am sure you are aware, the Agency is in the process of
streamlining the management integrity process. It is anticipated
that the new integrity model will make it easy for managers to
assess and strengthen Agency programs as part of everyday
operations and decision-making. This audit process was started
while the old FMFIA process was still in place. Although your
recommendations have been revised from the original February 25,
1994 memorandum, it seems inappropriate to make further changes
in processes, procedures, documentation and other (FMFIA)
controls prior to implementation of the new process. Our
response to your final report will depend on the new Agency
guidance.
OW will continue to integrate management integrity concepts
into our programs and provide training information to our
managers. If you should have any questions, please contact
Juanita Smith, Management Control Coordinator, on 260-6226.
Attachments
Note: Beacause the attachments to this letter were
provided solely as supporting documentation, we have
not included them with this report.
18
Report NO. E1AME4-07-0024-4100236
-------�
APPENDIX II
ABBREVIATIONS
Agency Environmental Protection Agency
CBI Confidential Business Information
GAO General Accounting Office
Integrity Act Federal Managers' Financial Integrity Act
MCC Management Control Coordinator
MCP Management Control Plan
OIG Office of Inspector General
OMB Office of Management and Budget
OW Office of Water
RMD Resource Management Division
19
Report No. E1AME4-07-0024-4100236
-------�
APPENDIX III
DISTRIBUTION
Headquarters Office
Inspector General (2410)
Assistant Administrator for Administration and
Resources Management (3101)
Chief, Communications and Resources Staff (4102)
Management Control Coordinator (4102)
Audit Liaison (4102)
Director, Resource Management Division (3304)
Headquarters Audit Followup Coordinator (3304)
Associate Administrator for Regional Operations and
State/Local Relations (1501)
Headquarters Library (3404)
Regional Offices
Regional Administrator, Regions 1 -10
20
Report No. E1AME4-07-0024-4100236
-------� |