U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment
Early Warning Report
EPA Should Use FMFIA to
Improve Programmatic Operations
Report No. 09-P-0203
August 6, 2009
-------
Report Contributors:
Patrick Gilbride
Erin Barnes-Weaver
Karen L. Hamilton
Bryan Holtrop
Mary Anne Strasser
Abbreviations
EPA U.S. Environmental Protection Agency
FMFIA Federal Managers' Financial Integrity Act
FY Fiscal Year
GAO Government Accountability Office
GPRA Government Performance and Results Act
NPM National Program Manager
OCFO Office of the Chief Financial Officer
OIG Office of Inspector General
OMB Office of Management and Budget
OPPTS Office of Prevention, Pesticides, and Toxic Substances
ORD Office of Research and Development
OSWER Office of Solid Waste and Emergency Response
PART Program Assessment Rating Tool
Cover photo: Cover of EPA guidance document, Management Integrity at EPA: A
Manager's "How To" Guide for Program Reviews: Seeing the Forest and the
Trees (EPA-205-B-96-001, March 1996), and other management integrity
guidance.
-------
At a Glance
Why We Did This Review
We conducted this review to determine how the U.S. Environmental Protection Agency
(EPA) develops annual guidance under the Federal Managers' Financial Integrity Act
(FMFIA). We asked whether EPA offices integrate FMFIA internal control standards
into programmatic operations. We also asked whether offices use Government
Accountability Office (GAO) guidance to develop and monitor internal controls.
Background
FMFIA requires federal agency managers to annually evaluate and indicate whether
their agencies' internal controls comply with standards prescribed by GAO. FMFIA
requirements purport to provide reasonable assurance that agencies maintain
adequate internal control systems to protect against fraud, waste, abuse, and
mismanagement.
For further information, contact our Office of Congressional, Public Affairs and
Management at (202) 566-2391.
To view the full report, click on the following link:
www.epa.gov/oig/reports/2009/20090806-09-P-0203.pdf
EPA Should Use FMFIA to
Improve Programmatic Operations
What We Found
EPA has not implemented and used FMFIA to improve program operations, as
intended by federal and Agency guidance. Although EPA offices rely on annual
guidance that the Office of the Chief Financial Officer (OCFO) issues,
• EPA offices have not developed internal control review strategies that include
elements such as the Government Performance and Results Act (GPRA);
• OCFO's guidance and training have not provided staff and managers with
adequate awareness of GAO's internal control standards;
• OCFO's guidance, until recently, has not required offices to report on
compliance with all GAO standards; and
• OCFO did not devote needed resources to validate assurance letters.
Per Agency guidance, OCFO is responsible for ensuring and implementing a
strategy for validating EPA's compliance with FMFIA. However, OCFO relies on
Assistant and Regional Administrators to verify letters' program elements before
certifying them. EPA offices view FMFIA reporting as an administrative task,
rather than an opportunity to assess program results and identify risks toward
achieving goals. As a result, the Administrator has little assurance when signing
EPA's letter that offices reviewed program operations. Additional emphasis on
FMFIA's importance could result in more certain, documented assurance in the
Agency's Performance and Accountability Report that EPA programs annually
evaluate internal controls to comply with GAO's standards and deter fraud, waste,
and mismanagement.
What We Recommend
We recommended that EPA's Administrator support internal controls by
announcing the Fiscal Year (FY) 2010 FMFIA process and requiring that senior
managers attend training. We also recommended that the Chief Financial Officer
develop comprehensive, tiered FMFIA training for managers and staff; revise the
internal checklist used as part of the strategy for validating Agency-wide FMFIA
compliance; codify its validation strategy; and develop FY 2010 FMFIA guidance
that contains OCFO FY 2009 supplemental guidance. EPA initially agreed with
all but one of our recommendations. The Agency agreed when we revised that
recommendation's language to focus on OCFO's internal tool to validate letters.
-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF
INSPECTOR GENERAL
August 6, 2009
MEMORANDUM
SUBJECT: EPA Should Use FMFIA to Improve Programmatic Operations
Report No. 09-P-0203
FROM: Melissa M. Heist
Assistant Inspector General for Audit
TO: Lisa P. Jackson
Administrator
Office of the Administrator
Maryann Froehlich
Acting Chief Financial Officer
Office of the Chief Financial Officer
The Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA)
prepared this report on the subject audit. This report contains findings that describe problems
we identified and corrective actions we recommend. This report represents our opinion and does
not necessarily represent the final EPA position. EPA managers will make final determinations
on matters in this report in accordance with established audit resolution procedures.
The estimated cost of this report - calculated by multiplying the project's staff days by the
applicable daily full cost billing rates in effect at the time - is $212,476.
Action Required
In accordance with EPA Manual 2750, EPA's Audit Management Process, you are required to
provide a written response to this report within 90 calendar days. You should include a
corrective actions plan for agreed upon actions, including milestone dates. We have no
objections to the further release of this report to the public. This report will be available at
http://www.epa.gov/oig.
If you or your staff has any questions regarding this report, please contact me at (202) 566-0899
or heist.melissa@epa.gov, or Patrick Gilbride, Director for Audit, Risk and Program
Performance Issues, at (303) 312-6969 or gilbride.patrick@epa.gov.
-------
Table of Contents
Purpose
Background
Scope and Methodology
Findings
Conclusion
Recommendations
Agency Comments and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits
Appendices
A Agency Response to Draft Report
B Distribution
-------
Purpose
We conducted this review to determine how EPA develops and uses annual
guidance under the Federal Managers' Financial Integrity Act (FMFIA). We
asked whether EPA offices fully integrate internal control standards under FMFIA
into their programmatic operations. We also asked whether EPA offices use
available Government Accountability Office (GAO) guidance to develop and
monitor their internal controls. We found that several EPA offices had not
demonstrated compliance with GAO's Standards for Internal Control in the
Federal Government in Fiscal Year (FY) 2008 assurance letters. While EPA's
FY 2009 FMFIA reporting ends in mid-August 2009, we wanted to communicate
our observations and recommendations to influence the FY 2009 process and
enhance how the Agency develops FY 2010 guidance.
Background
Federal Management Integrity Criteria
FMFIA requires federal agency managers to establish internal accounting and
administrative controls in accordance with standards prescribed by the
Comptroller General (hereafter referred to as "GAO's Standards"). FMFIA
requires federal agency managers to annually evaluate and report on the
effectiveness of internal controls and financial accounting systems in accordance
with, respectively, Sections 2 and 4 of FMFIA. FMFIA also requires federal
agency managers to annually evaluate, in accordance with Office of Management
and Budget (OMB) guidelines, whether their agencies' internal controls comply with
GAO's Standards and issue a statement of assurance and indicate full compliance
or non-compliance.
OMB Circular A-123, dated December 21, 2004, describes federal managers'
responsibilities for internal control, stating that management is responsible for
establishing and maintaining internal control to achieve the objectives of (1)
effective and efficient operations, (2) reliable financial reporting, and (3)
compliance with applicable laws and regulations. Appendix A of the Circular
requires federal agencies to separately assess effectiveness of internal controls
over financial reporting. The Circular also states that "Management shall
consistently apply the internal control standards to meet each of the internal
control objectives and to assess internal control effectiveness." OMB Circular
A-123 provides guidance to federal managers on meeting requirements of FMFIA.
The Circular states that "Internal control guarantees neither the success of agency
programs, nor the absence of waste, fraud, and mismanagement, but is a means of
managing the risk associated with Federal programs and operations." By
including "programs and operations," OMB emphasized goals set by the
organization, risks agencies face in meeting those goals, whether agencies have
identified and assessed risks, and whether agencies have taken steps to manage
those risks. The Circular requires federal managers to take systematic and
proactive measures to develop and implement appropriate internal controls for
results-oriented management.
The Circular describes the requirements of FMFIA as "an umbrella under which
other reviews, evaluations, and audits should be coordinated and considered to
support management's assertion about the effectiveness of internal control over
operations, financial reporting, and compliance with laws and regulations."
"Other reviews" that FMFIA reporting should coordinate and consider include
activities under the Government Performance and Results Act (GPRA), such as
developing strategic plans, setting performance goals and measures, and reporting
annually on actual performance results compared to goals. These efforts all
support an overall internal control framework illustrated in Figure 1.1.
Figure 1.1: EPA's Internal Control Program - A Visual Overview
[Figure elements, in the order shown:
• Federal Managers' Financial Integrity Act (FMFIA)
• OMB Circular A-123, Management's Responsibility for Internal Control, and
GAO Standards for Internal Controls in the Federal Government
• U.S. Environmental Protection Agency Delegations / Orders / Policies /
Manuals / Guidance
• AA/RA Assurance Letters
• Administrator's Assurance Statement
• EPA's Performance and Accountability Report]
Source: EPA training, EPA Internal Control and Management Integrity: Make It Second Nature,
issued (via EPA's Intranet) on May 28, 2008 (slide 11 of 21).
As required by FMFIA, GAO established the Standards for Internal Control in
the Federal Government listed in OMB Circular A-123 (see Table 1.1 on the next
page).
The Standards provide the overall framework for establishing and maintaining
internal control, and for identifying and addressing performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement.
The Standards compose a major part of managing an organization, including
plans, methods, and procedures used to meet missions, goals, and objectives and,
in doing so, support performance-based management.
-------
Table 1.1: GAO's Standards for Internal Control in the Federal Government
1. Control Environment: This standard establishes and maintains an environment
throughout the organization that sets a positive and supporting attitude toward
internal control and conscientious management. This includes establishing goals,
objectives, and performance measures at the entity and activity level.
2. Risk Assessment: Once the goals, objectives, and measures have been defined,
the risks that could impede the efficient and effective achievement of those
objectives are identified. This includes an assessment of the risks the agency
faces from both internal and external sources. Risk assessment includes
identifying and analyzing relevant risks associated with achieving objectives,
such as those defined in strategic and annual performance plans developed under
GPRA, and forming a basis for determining how to manage risks. Management needs
to comprehensively identify risks and should consider all significant
interactions between the entity and other parties as well as internal factors at
both the entity-wide and activity levels.
3. Control Activities: These are the policies, procedures, techniques, and
mechanisms that implement management's direction toward achievement of goals.
Internal control activities help ensure that management's directives are carried
out.
4. Information and Communications: This standard includes data and information
(performance and financial) to determine whether the organization is meeting its
goals and objectives and maintaining accountability over resources.
5. Monitoring: Internal control monitoring should assess the quality of
performance over time and ensure that findings of audits and other reviews are
promptly resolved.
Source: OIG summary of GAO's Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (November 1999).
EPA Management Integrity Guidance and Policy
EPA issued Order 1000.24, Management's Responsibility for Internal Control, as
the Agency's strategy for implementing FMFIA. The Order specifies how EPA:
• Prescribes policies, procedures, and standards for internal controls at
EPA.
• Outlines Agency senior managers' roles and responsibilities for
developing, implementing, assessing, documenting, improving, and
reporting on internal controls.
• Incorporates specific requirements for assessing internal controls over
financial reporting.
• Provides tools to help managers monitor both overall program
progress and the effectiveness of day-to-day operations (e.g., EPA
Management Integrity Principles1).
1 EPA first developed its Management Integrity Principles in 1996. The 10 Principles are (1) guidance, (2)
accountability, (3) feedback, (4) competency, (5) quality data, (6) separation, (7) comparison, (8) identification,
(9) review, and (10) correction. EPA advocates that managers incorporate the Principles into existing management
processes, program strategies, and guidance to strengthen program operations.
-------
EPA Order 1000.24 requires the Administrator to foster an environment that
supports awareness and compliance with internal controls. EPA's Order also
requires Assistant and Regional Administrators to develop systematic review
strategies and advises them to use GAO's Standards as the basis for determining
the effectiveness of internal controls. The Order also requires senior managers to
annually evaluate whether their programs' internal controls effectively meet
GAO's Standards and attest to the soundness of internal controls for their
respective organizations. Per EPA's Order, senior managers annually issue
assurance letters to the Administrator that report results of evaluations and their
programs' compliance status with GAO's Standards. The Order requires that
systematic review strategies are consistent and coordinate with Agency-wide
processes used to develop and report on program performance measures and
results, such as GPRA and reviews under OMB's Program Assessment Rating
Tool (PART). For example, EPA's Office of the Chief Financial Officer (OCFO)
annually issues National Program Manager (NPM) guidance to promote
consistency, describe priorities and strategies, and report on performance
commitments in order to strengthen planning and accountability processes and
better align measures.
The Order further designates senior managers (e.g., Deputy Administrator,
Assistant, and Regional Administrators) to implement internal control
frameworks and assure continual progress to strengthen internal controls
(reported annually in EPA's Performance and Accountability Report). The
Order also requires senior managers to designate a Management Integrity
Advisor who serves as the organization's staff contact responsible for
disseminating pertinent information regarding the Agency's management
integrity program. The Order outlines specific responsibilities for OCFO listed
in Table 1.2 (on the next page).
-------
Table 1.2: OCFO Responsibilities per EPA Order 1000.24
Chief Financial Officer
• Develop and administer EPA's guidance to ensure compliance with FMFIA
and OMB Circular A-123;
• Ensure that the Agency implements FMFIA and OMB Circular A-123 at
appropriate organizational levels; and
• Provide annual management integrity/A-123 guidance to the Agency.
Office of Planning, Analysis, and Accountability
• Plan, develop, and implement national policies for ensuring EPA's
compliance with FMFIA;
• Develop and implement a strategy for validating Agency-wide compliance
with FMFIA;
• Develop the form and content of the Administrator's annual statement of
assurance on management controls based on recommendations and
annual assurance letters from senior managers/senior assessment team;
• Maintain technical expertise in the field of internal controls;
• Provide technical assistance to program managers and staff; and
• Provide supplemental guidance and training materials as needed to support
senior managers in interpreting and applying EPA Order 1000.24.
Source: EPA Order 1000.24 "Management's Responsibility for Internal Control" (July 18,
2008).
OCFO issues annual guidance to program and regional offices on complying with
FMFIA, and for FYs 2008 and 2009, OCFO's guidance included a reporting
template with specific instructions for completing each section of assurance
letters. For example, in FYs 2008 and 2009, OCFO's annual guidance included
seven specific elements program and regional offices needed to address in
assurance letters under the Control Environment standard.2 OCFO's guidance
also listed significant financial processes to review, such as accounts receivable,
grants, procurement, accounts payable, and payroll, as well as core administrative
areas (e.g. purchase card, property management, funds control). OCFO also
attached the Internal Control Evaluation Checklist, an abbreviated version of
GAO's full Internal Control Management and Evaluation Tool that Assistant and
Regional Administrators could use to evaluate their internal controls. The FY
2009 guidance required offices to complete the Checklist and retain a copy as
supporting documentation. The FY 2009 guidance also provided references to
obtain full text of GAO's Standards and EPA's Order. Program and regional
office assurance letters provide the basis for the Agency's annual assurance
statement. The Agency's Performance and Accountability Reports due to the
President and Congress each year describe progress made to strengthen internal
controls.
2 OCFO identified the following seven "control environment" elements for which offices needed to report in
assurance letters: (1) integrity and ethical values, (2) commitment to competence, (3) management's philosophy and
operating style, (4) organizational structure, (5) assignment of authority and responsibility, (6) human resource
policies and practices, and (7) oversight groups. OCFO said it drew these elements from GAO's Standards and
focused on them due to past questions from Agency offices on the control environment.
-------
Scope and Methodology
We conducted our review, in accordance with Government Auditing Standards,
from January to May 2009.3 Government Auditing Standards require that we plan
and perform the review to provide a reasonable basis for our findings and
conclusions, and we believe the evidence we obtained meets that standard based
upon our review objectives. Our review findings only address EPA's
implementation of Section 2 of FMFIA (internal control over programs), and not
Section 4 (financial accounting systems) or Appendix A of OMB Circular A-123
(internal control over financial reporting). While evaluating how EPA's Office of
Research and Development (ORD) implements FMFIA,4 we identified issues
related to OCFO's Agency-wide management integrity guidance. We reviewed
OCFO's FY 2009 FMFIA guidance issued on December 22, 2008. Following
OCFO's issuance of FY 2009 guidance, we participated in meetings that OCFO
held on the Agency's FY 2009 FMFIA reporting process, and spoke with OCFO
about enhancing its reporting template. We provided written comments to OCFO
on January 30, 2009, suggesting that they revise the FY 2009 FMFIA guidance
reporting template. We also reviewed FY 2008 assurance letters from three
program5 and four regional6 offices, and interviewed the Management Integrity
Advisors in each office on their awareness and understanding of internal controls
and examples of internal control compliance in assurance letters. The
size/resource budgets of the program and regional offices we reviewed include some
of the largest dollar and full-time equivalent components of the Agency, and
OCFO recommended three of the seven offices as examples of good FMFIA
processes/assurance letters.7
Recently, the Office of Inspector General (OIG) issued a memorandum
recommending ways to strengthen management integrity processes affecting
specific activities under the American Recovery and Reinvestment Act of 2009,8
whereas this report addresses EPA's FMFIA reporting process generally. We
issue this early warning report to bring to the Agency's attention findings that
could impact FMFIA reporting by EPA offices in FY 2009 (reports due to the
Administrator by August 14, 2009) and to influence development of FY 2010
guidance.
3 Related facts and observations arose during our current review of ORD's FMFIA implementation.
4 We anticipate issuing our final report on ORD's FMFIA implementation in the fall of 2009.
5 We reviewed fiscal 2008 FMFIA assurance letters from EPA's ORD, Office of Solid Waste and Emergency
Response (OSWER), and Office of Prevention, Pesticides, and Toxic Substances (OPPTS).
6 We reviewed fiscal 2008 FMFIA assurance letters from EPA Regions 1, 2, 5, and 9.
7 OCFO recommended that we review assurance letters from OSWER, OPPTS, and Region 5.
8 US EPA OIG Special Report, Recommendation to Strengthen Management Integrity Processes Affecting Recovery
Act Activities, Report No. 09-X-0145, April 27, 2009.
-------
Findings
EPA Offices Have Not Developed Systematic Internal Control Review
Strategies
Based on our review of FY 2008 assurance letters, all seven EPA offices we
examined had not developed strategies that systematically and annually assess the
effectiveness and compliance of their programmatic internal controls with GAO's
Standards. Our review found that strategies did not address whether offices
established and evaluated internal controls over their programs in accordance with
GAO's Standards. In addition, strategies did not address implementation of other
statutory requirements such as GPRA or annual performance plans and
performance measures associated with NPM Guidance. For example, 2008 NPM
Guidance for OSWER identified six priority areas under its remedial program;
however, neither the OSWER nor regional assurance letters we reviewed
addressed these priority areas or measures. Similarly, NPM Guidance for EPA's
clean air program identified priority areas specifically for the Agency's regional
offices, such as reducing diesel emissions; however, no regional letter we
reviewed mentioned risks or accomplishments related to that goal. We found that
strategies did not use GAO's Standards and did not consider program
performance information such as GPRA measures. Further, most Advisors
described FMFIA as primarily addressing administrative and financial elements
(as opposed to program performance), and all Advisors acknowledged that their
offices had not conducted risk or vulnerability assessments to identify needed
controls. OCFO recently issued a document to explain roles and responsibilities
between Advisors and lead region program staff. OCFO believes its document
will allow regions an opportunity to provide a consolidated regional perspective
to the appropriate NPM on current weaknesses or other emerging issues.
EPA Order 1000.24 requires that Assistant and Regional Administrators develop
and implement strategies to show how they will evaluate their internal controls
and the information they will use to report how they comply with FMFIA in their
annual assurance letters. The Order states that program managers have flexibility
in designing review strategies and directs them to use all credible sources of
information to assess effectiveness of internal controls. Information sources
specified by the Order include OIG and GAO audits, program evaluations, PART
or other similar reviews, and knowledge gained from daily operations. The Order
also notes that, in addition to FMFIA, managers should consider "other statutory
requirements" (such as GPRA) as part of the Agency's system of internal
controls, and that "processes, plans, policies, procedures, and performance
measures help organizations achieve results." The Order further states that
Assistant and Regional Administrators should conduct their own reviews to
ensure they have the information necessary to make their evaluations (including a
plan to validate whether they achieved desired results). Further, OCFO's FY
2008 FMFIA guidance required that Assistant and Regional Administrators
provide a detailed description of their review strategies for assessing how well
internal controls over their programs perform, may be improved, and the degree to
which they identify and address significant vulnerabilities. Results of these
systematic review strategies provide the basis for annual assurance letters upon
which the Administrator relies to assess the Agency's overall compliance with
FMFIA.
Agency Staff and Managers Need Additional Internal Control Training
Advisors we interviewed had a range of training experience on FMFIA
requirements. The majority of Advisors (four of seven) we interviewed believed
they could benefit from additional training, especially on internal control
standards and programmatic reviews.9 One senior manager suggested that OCFO
consider tiered training for senior managers and Advisors that emphasizes,
respectively, requirements per EPA Order 1000.24 and "nuts and bolts" of
implementing and reporting (such as required administrative reviews, reporting
elements, and milestone dates). Advisors suggested other elements, including
training on:
• Conducting internal control reviews for program staff (not just
financial staff), and
• Making OCFO's checklist useful for senior managers, perhaps by
including specific programmatic examples.
EPA Order 1000.24 requires OCFO's Office of Planning, Analysis, and
Accountability to provide technical assistance and training to support program
managers and staff. In FY 2008, OCFO offered a discretionary online training
course, moderated by the Deputy Administrator, to briefly introduce internal
control responsibilities. In 2008, in collaboration with OIG staff, OCFO offered
staff-level training for Management Integrity Advisors that outlined basic steps
for conducting a program review and provided tools and examples of how to
document results of reviews. In response to requests for technical assistance,
OCFO staff conducted individual management integrity briefings for senior
managers in two offices.10 Additionally, OCFO holds one to two "kick-off"
meetings or teleconferences with Management Integrity Advisors and senior
managers upon issuing the annual guidance/template, which both OCFO and
Advisors view as training on FMFIA requirements.
OCFO agrees on the need for more in-depth training on assessing risk, developing
program review strategies based on GAO's Standards, and reporting on how key
activities fit together and expects to develop a strategy for comprehensive, tiered
training by the end of FY 2009.
9 During our interviews, we had to define and describe GAO's Standards to most Advisors. Most Advisors were
also not familiar with EPA's 1996 guidance document that listed the Agency's ten management integrity principles.
10 OCFO said it briefed managers in OSWER and the Administrator's Office.
-------
OCFO Recently Strengthened Its FMFIA Guidance to Better Align
with EPA Order 1000.24
In FY 2008 OCFO revised its guidance from previous years to require that
Agency senior managers evaluate their program's internal controls in accordance
with GAO's five standards. As an attachment to the guidance, OCFO included an
assurance letter template that provided "specific instructions" for reporting results
of internal control evaluations. However, the template only required reporting on
one of the five GAO Standards, "control environment." OCFO explained that it
outlined this standard in detail because Advisors and others expressed the greatest
confusion over what to include in a discussion of "control environment." OCFO
believes its guidance implicitly requires program and regional offices to apply
GAO's Standards and that, by following OCFO's guidance, offices will in effect
address all five standards. OCFO staff said it was not their responsibility to
dictate to program and regional offices what to include in their program review
strategy or how to conduct their assessments. However, OCFO agreed that its
responsibility includes providing direction on steps in the FMFIA reporting
process, and OCFO's annual guidance and template specifies the reporting format
EPA offices must follow. OCFO acknowledges that most offices follow their
template. Management Integrity Advisors we interviewed said OCFO's guidance
provides administrative processes for completing assurance letters, and all
Advisors stated they followed OCFO's guidance/template. During our
interviews, we found that half of the Advisors were not familiar with GAO's
Standards. Despite this, all Advisors we interviewed believed their offices'
assurance letters addressed all five standards, but could not provide examples as
to how letters addressed the Standards. All but one assurance letter we reviewed
did not comprehensively address the seven "control environment" elements
specified in Agency FMFIA guidance.11 All assurance letters we reviewed did
not indicate that offices had conducted "risk assessment" on vulnerabilities
toward meeting program goals, and did not assess and report on performance
measures (a "control activity").
In its FY 2009 FMFIA guidance issued on December 22, 2008, OCFO maintained
the same template from FY 2008 guidance requiring that assurance letters address
only the "control environment" standard, but not the other four GAO Standards.
We met with OCFO in January 2009 on ways to enhance the FY 2009 template to
address all standards and documented our suggestions in a memorandum to the
Acting Chief Financial Officer.12 We undertook our review of seven offices' FY
2008 assurance letters to find further support for our suggestions to OCFO. Our
ongoing communications with OCFO,13 coupled with newly developed
management integrity processes affecting specific activities under the American
Recovery and Reinvestment Act of 2009, resulted in OCFO's decision to issue
supplemental FY 2009 FMFIA guidance. We reviewed OCFO's draft
supplemental guidance and suggested specific text - including programmatic
examples - for OCFO to provide in its guidance. OCFO's supplemental FY 2009
FMFIA guidance, issued on May 19, 2009, included our suggestions. OCFO's
supplemental guidance:
• Revised language for the general statement of assurance that all
Assistant and Regional Administrators must include in assurance
letters to more clearly address whether they assessed internal controls
and comply with GAO's Standards;
• Defined all five GAO Standards; and
• Provided examples of programmatic activities related to each GAO
Standard.
11 Region 9's fiscal 2008 assurance letter provided a detailed description of activities related to all seven control
environment elements.
12 Melissa Heist, OIG's Assistant Inspector General for Audit, issued the memorandum to Maryann Froehlich,
EPA's Acting Chief Financial Officer, on January 30, 2009.
13 We briefed OCFO on our letter review results on April 14, 2009, and in a draft report issued on May 5, 2009.
OCFO Has Not Validated Annual Assurance Letters
OCFO said its validation strategy does not include validating the content and
accuracy of offices' assurance letters. OCFO assumes offices take seriously
statements in assurance letters asserting compliance, and noted that accountable
officials - Assistant and Regional Administrators - should verify assurance letter
content to make compliance determinations. Management integrity staff in
OCFO's Office of Planning, Analysis, and Accountability said they assume that if
an office conducted a review and indicated no material weaknesses, then that
office did what it was supposed to do. OCFO does not ask offices to show that
everything is fine.
EPA Order 1000.24 requires OCFO to develop and implement a strategy for
validating Agency-wide compliance with FMFIA and OMB Circular A-123. To
date, OCFO has not compiled a written strategy but said it will include
activities such as annual guidance, kick-off meeting and update meetings, and
ongoing communication with Advisors - all of which we view as providing
guidance and advising up-front as opposed to validating end results. Management
Integrity Advisors we interviewed expect OCFO to communicate any problems
with their offices' assurance letters. Advisors assumed their FY 2008 assurance
letters met reporting requirements since OCFO accepted letters without comment.
OCFO told us that when it receives assurance letters from program and regional
offices, OCFO reviews them primarily for completeness against guidance and to
identify current and new material weaknesses, management challenges, and
emerging issues that warrant the Administrator's attention. OCFO uses an
internal checklist to ensure that offices' letters addressed template headings and
other requirements from OCFO's annual guidance. OCFO acknowledged that it
does not review assurance letters to verify that offices reported all internal and
external reviews, results of those reviews related to programmatic controls, or
whether offices addressed all elements in the checklist excerpted from GAO's
tool. To date, OCFO has limited resources to oversee annual FMFIA reporting on
programmatic elements,14 and OCFO considers its staffing levels adequate.
OCFO acknowledged, however, that financial reporting has received emphasis
over the past few years given extensive reporting requirements in that area in
OCFO's annual guidance (e.g. accounts receivable, grants, procurement and
accounts payable, payroll, purchase card, property management, funds control).
OCFO's staff person responsible for management integrity said focus swung too
far in the direction of financial reviews, thus missing programmatic elements.15
When we asked whether OCFO intended to review fiscal 2009 assurance letters
against GAO's Standards, OCFO responded, "Only in that we have asked offices
to comply with the checklist." OCFO has not required offices to provide copies
of completed checklists; rather offices will retain them for their records. We
found that for FY 2008 letters we reviewed, offices did not use or complete the
checklist. This year, OCFO has planned a new program compliance review to
identify major problem areas and "work with a contractor on where weaknesses
are in the FMFIA implementation process" at selected Headquarters and regional
offices to correct the Agency's management integrity approach in FY 2010.
OCFO's review will identify areas where OCFO should strengthen its guidance,
and gather specific input for developing training plans. We believe OCFO could
use program compliance review results to also revise its validation strategy to
include, at a minimum, how EPA offices meet each of the five GAO Standards
and annually evaluate internal controls established under GAO's Standards.
Program compliance reviews could also determine the extent to which offices
incorporate GPRA measures and NPM Guidance elements into their FMFIA
reporting and internal control structure. Additionally, OCFO should describe
components of its validation strategy in FY 2010 guidance to make clear to EPA
offices what OCFO uses to review assurance letters.
14 OCFO said it relies on a "team" to focus on the programmatic aspect; however we found that OCFO relies upon
one project lead in its Office of Planning, Analysis, and Accountability. OCFO said other groups help review
financial/administrative elements, such as financial reporting and oversight on grants and contracts.
15 OCFO staff said focus shifted shortly after Congress enacted the Sarbanes-Oxley Act on July 30, 2002. The
legislation set new or enhanced standards for all U.S. public company boards, management and public accounting
firms and addressed issues relating to (1) auditor independence, (2) corporate responsibility, (3) enhanced financial
disclosures, and (4) accountability and certifying financial results. OMB revised Circular A-123 on December 21,
2004, in light of new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley
Act of 2002. Then Comptroller Linda Springer said in a memorandum, "The policy changes in this circular are
intended to strengthen the requirements for conducting management's assessment of internal control over financial
reporting."
Conclusion
Because OCFO did not require - and program and regional offices did not
evaluate and report on - compliance with GAO's Standards in FY 2008, EPA
risked not fully complying with FMFIA. These actions gave the Administrator no
documented basis upon which to make a compliance determination when signing
the Agency's FY 2008 letter. Assistant and Regional Administrators issue
assurance letters to the Administrator without utilizing strategies that provide a
sound, documented basis for reasonably assuring that their programs implement
effective internal controls consistent with EPA Order 1000.24 and comply with
GAO's Standards. The Agency's OCFO-driven FMFIA process has emphasized
administrative and financial reporting over programmatic performance and - until
recently - has not integrated other relevant Agency-wide processes such as annual
performance plans, measures, and results to evaluate internal controls. OCFO's
recent emphasis on all five GAO internal control standards, as well as increased
awareness through training, could help EPA offices improve certifications to the
Administrator that they have effective and efficient program operations.
Recommendations
We recommend that the Chief Financial Officer:
1. Develop a training course on FMFIA that provides (a) senior managers
with an overall understanding on internal controls and their
responsibilities in EPA Order 1000.24, and (b) Management Integrity
Advisors with details on implementing and reporting.
2. Develop fiscal 2010 FMFIA guidance and a reporting template that
requires reporting all five GAO Standards to ensure consistency with
OMB Circular A-123 and EPA Order 1000.24. Incorporate language
in supplemental FMFIA guidance issued on May 19, 2009, into fiscal
2010 guidance.
3. Revise the internal checklist that OCFO uses as part of its strategy for
validating Agency-wide FMFIA compliance to confirm that EPA
offices addressed each of the five GAO standards in evaluating their
internal controls and identifying weaknesses. Describe, in its annual
Agency guidance, OCFO's strategy for assessing offices' assurance
letters for compliance.
We also recommend that the Administrator foster an environment that supports
internal control by:
4. Announcing the FY 2010 FMFIA process that describes the
significance of annual FMFIA reporting and certification that
programs comply with GAO's Standards.
5. Requiring all Senior Executive Service members, GS-15 managers,
and Management Integrity Advisors to attend OCFO's initial FMFIA
training course and annual updates.
Agency Comments and OIG Evaluation
The Agency agreed with our draft report findings and concurred with our
recommendations for strengthening EPA's FMFIA implementation. Initially
OCFO disagreed with our third recommendation previously worded, "Determine
staffing levels needed to implement requirements in EPA Order 1000.24 and
invest adequate resources to validate annual assurance letters against
administrative, financial, and programmatic review elements." OCFO said it
relies on Assistant and Regional Administrators' signed personal statements of
assurance as the cornerstone of OCFO's validation strategy and as the primary
form of validating compliance with GAO internal control standards. We met with
OCFO to clarify that our recommendation did not imply that EPA Order 1000.24
required OCFO to independently test the content of EPA offices' assurance
letters; a mandate which OCFO said would require detailed programmatic
knowledge, technical expertise, and substantial resources. We agree that OCFO
lacks the technical expertise and resources necessary to perform in-depth reviews
of letter contents. However, we believe "validating" includes OCFO's assurance
that offices applied all relevant information - consistent with our report findings -
to support signed assurance statements. As such, we discussed with OCFO how
its validation strategy should address how OCFO assesses how each EPA office
met - and annually evaluated internal controls established under - each of GAO's
five standards. We revised our recommendation wording to reflect our
discussions and consensus with OCFO. OCFO agreed and said it plans to revise
the internal checklist it uses to validate assurance letters to include GAO's five
standards. OCFO believes it has adequate resources to revise and apply this
validation strategy. OCFO also believes EPA offices are equipped to address
expanded requirements (i.e. all five GAO standards) under the planned FY 2010
FMFIA process. Further, OCFO indicated that its validation strategy is unwritten
but includes: (1) signed assurance statements, (2) annual guidance, (3) regular
meetings, (4) training and technical assistance, (5) internal checklist against which
to review assurance letters, and (6) program compliance reviews. We suggested -
and OCFO agreed - that it should codify this validation strategy in annual
guidance to make clear to EPA offices how OCFO validates Agency-wide
FMFIA compliance. Appendix A includes EPA's full response.
Status of Recommendations and Potential Monetary Benefits

| Rec. No. | Page No. | Subject | Status1 | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s): Claimed Amount | Potential Monetary Benefits (in $000s): Agreed To Amount |
|---|---|---|---|---|---|---|---|
| 1 | 12 | Develop a training course on FMFIA. | | Chief Financial Officer | | | |
| 2 | 12 | Develop FY 2010 FMFIA guidance and a reporting template that requires reporting all five GAO Standards to ensure consistency with OMB Circular A-123 and EPA Order 1000.24. Incorporate language in supplemental FMFIA guidance issued on May 19, 2009, into FY 2010 guidance. | | Chief Financial Officer | | | |
| 3 | 12 | Revise the internal checklist that OCFO uses as part of its strategy for validating Agency-wide FMFIA compliance to confirm that EPA offices addressed each of the five GAO standards in evaluating their internal controls and identifying weaknesses. Describe, in its annual Agency guidance, OCFO's strategy for assessing offices' assurance letters for compliance. | | Chief Financial Officer | | | |
| 4 | 12 | Announce the FY 2010 FMFIA process that describes the significance of annual FMFIA reporting and certification that programs comply with GAO Standards. | | Administrator | | | |
| 5 | 12 | Require that all Senior Executive Service members, GS-15 managers, and Management Integrity Advisors attend OCFO's initial FMFIA training course and annual updates. | | Administrator | | | |

1 O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is undecided with resolution efforts in progress
Appendix A
Agency Response to Draft Report
July 16, 2009
MEMORANDUM
SUBJECT: OCFO Response to Draft Audit Report: EPA Should Use FMFIA to Improve
Programmatic Operations (Project No. 08-FY08-0323)
FROM: Maryann Froehlich /signed by/
Acting Chief Financial Officer
TO: Melissa M. Heist
Assistant Inspector General for Audit
This memorandum responds to the Office of Inspector General (OIG) draft audit report,
EPA Should Use FMFIA to Improve Programmatic Operations (Project No. 08-FY08-0323),
dated June 22, 2009.
The Office of the Chief Financial Officer (OCFO) appreciates your consideration of the
comments and suggestions we offered on the discussion draft report, EPA Federal Managers'
Financial Integrity Act (FMFIA) Process Improvements, and the resulting modifications
reflected in this draft report. We are now responding to you on behalf of both OCFO and the
Office of the Administrator (OA), as your report was issued to both offices. We have worked
closely with OA to prepare the following consolidated response, which represents the views of
both offices.
In general, OA and OCFO agree with the findings presented in the draft report and
support the majority of OIG's recommendations for strengthening EPA's FMFIA
implementation. We will be working together to implement recommendations for the
Administrator to continue emphasizing to senior managers the importance of FMFIA and of
sound internal controls. We do, however, remain concerned about Recommendation 3—that
OCFO "invest adequate resources to validate annual assurance letters against administrative,
financial, and programmatic review elements." We continue to work closely with program and
regional offices to strengthen their implementation of FMFIA and ensure a sound basis for their
letters of assurance to the Administrator, which provide the foundation for the Administrator's
overall statement of assurance. We believe that OCFO is fulfilling its responsibility, outlined in
EPA Order 1000.24, to implement a strategy for validating Agency-wide compliance with the
Integrity Act.
Please find attached our responses to each of the recommendations contained in the draft
report. As we have agreed with Patrick Gilbride (via a July 1, 2009 email exchange), we will
provide planned completion dates for all recommendations once OIG has issued its final report.
In addition, I have attached a copy of the draft report that we have annotated with a few specific
comments and suggestions. If you would like to discuss these attachments further, please have
your staff contact Debbie Rutherford (202-564-1913) or Annette Morant (202-564-3671) in
OCFO's Office of Planning, Analysis, and Accountability.
We appreciate your sharing these findings and recommendations with OCFO and OA,
and we look forward to working with you to strengthen the Agency's management integrity
program.
Attachments
cc: Scott Fulton
Ray Spears
Josh Baylson
Rita Smith
Stefan Silzer
Patrick Gilbride
Erin Barnes-Weaver
OCFO and OA Response to
OIG Draft Report Recommendations:
EPA Should Use FMFIA to Improve Programmatic Operations
Project No. OA-FY08-0323
June 22, 2009
1. Develop a training course on FMFIA that provides (a) senior managers with an overall
understanding on internal controls and their responsibilities in EPA Order 1000.24, and (b)
Management Integrity Advisors with details on implementing and reporting.
Concur. OCFO agrees that further training is needed at both senior manager and
Management Integrity Advisor (MIA) levels. At a June meeting of Assistant Regional
Administrators, Office of Planning, Analysis, and Accountability (OPAA) staff led a brief
discussion to help identify training needs and potential approaches and mechanisms. We
continue to consult with MIAs to determine their training and information needs. In addition,
beginning in late July/early August, OCFO will be conducting contractor-supported Program
Compliance Reviews in several selected regional and program offices. Preliminary surveys
and the on-site reviews will help to diagnose training needs and inform development of
training tools and materials. (OCFO expects the on-site reviews also to provide some "on the
spot" training/assistance to MIAs in participating offices.) In addition, OCFO is dedicating
contract resources to a more comprehensive training effort, and we will be working with
training experts to explore vehicles/mechanisms for delivering the training. We expect to
complete development of an Agency-wide strategy for comprehensive, tiered FMFIA
training by the end of fiscal year 2009.
2. Develop fiscal 2010 FMFIA guidance and a reporting template that requires reporting all five
GAO standards to ensure consistency with OMB Circular A-123 and EPA Order 1000.24.
Incorporate language in supplemental FMFIA guidance issued on May 19, 2009, into fiscal
2010 guidance.
Concur. OCFO agrees on the need to revise our guidance and assurance letter template so
that assurance letters clearly address all five GAO standards. The Acting CFO's February
19, 2009 memo to the Assistant Inspector General for Audit makes this commitment for FY
2010. In developing FY 2010 guidance, we will incorporate elements of the FY 2009
supplemental guidance issued on May 19, including an emphasis on the need for all
programs to comply with the five GAO standards for internal control and the revised
Assistant Administrator (AA) and Regional Administrator (RA) assurance statement
certifying compliance with the GAO standards.
3. Determine staffing levels needed to implement requirements in EPA Order 1000.24 and
invest adequate resources to validate annual assurance letters against administrative,
financial, and programmatic review elements.
Disagree. EPA holds AAs and RAs accountable for their integrity programs and internal
controls. OCFO relies on AAs' and RAs' signed personal statements of assurance as the
primary form of validation of compliance with GAO standards for internal control. These
signed statements testify to the soundness of the internal controls established to protect EPA
programs from fraud, waste, and abuse. EPA Order 1000.24 requires that OPAA "develop
and implement a strategy for validating Agency-wide compliance with FMFIA." The signed
letters of assurance to the Administrator are the cornerstone of this strategy. OPAA staff use
a checklist to review annual assurance letters for completeness, ensuring that AAs and RAs
have adequately addressed all elements set out in annual guidance, as well as to identify
potential weaknesses or areas of concern for the Administrator's attention. OPAA's strategy
for fostering compliance with FMFIA also includes issuing annual guidance, conducting
regular meetings with senior managers to review roles and responsibilities, and providing
training and technical assistance to Agency staff and managers.
OCFO believes EPA Order 1000.24 was never intended to require that OCFO independently
validate the content of each of 13 program office and 10 regional office assurance letters, a
mandate which would require wide-ranging, detailed programmatic knowledge and technical
expertise as well as substantial resources. OCFO does not agree that the responsibility for
developing and implementing a strategy to validate the Agency's compliance with FMFIA
requires OCFO to "verify that offices reported all internal and external reviews" and the
"results of those reviews related to programmatic controls" (p. 10). However, OPAA staff do
carefully review letters to ensure that "offices addressed all elements in the checklist OCFO
provided along with its FY 2008 and 2009 guidance (p. 10)," and we rely on AAs' and RAs'
statements of assurance that they have reviewed internal controls in compliance with GAO
standards.
OIG's statement that "OCFO has one project lead—supported by additional staff—to oversee
EPA's management integrity program, including extensive administrative and financial
reporting activities" is misleading. In fact, OCFO relies on a team within OPAA to focus on
the overall Agency FMFIA implementation process and, in particular, the programmatic
aspect, and a team within its Office of Financial Management to focus on Agency-wide
financial activities, including controls over financial reporting. In addition, in reviewing
assurance letters, OCFO collaborates with appropriate program offices, such as the Office of
Administration and Resource Management and the Office of Environmental Information, to
assess such components of assurance letters as discussion of grants and contracts, human
capital, or data quality/information reporting systems.
OCFO does, however, acknowledge the need to strengthen compliance with FMFIA and
improve monitoring. Beginning in late July/early August 2009, OPAA will be initiating a
series of Program Compliance Reviews in selected headquarters and regional offices. To
augment OPAA efforts, contractor staff with expertise in FMFIA and internal controls will
conduct on-site visits to assess offices' documentation for their assurance letters and assist
them in improving their FY 2010 FMFIA process. These activities will support efforts to
ensure that assurance letters adequately reflect and validate Agency-wide compliance with
FMFIA.
4. Announcing the FY 2010 FMFIA process that describes the significance of annual FMFIA
reporting and certification that programs comply with GAO's Standards.
Concur. OCFO will work with the Office of the Administrator to develop an announcement
or other communication from the Administrator to help launch the FY 2010 FMFIA process.
The Administrator's message will stress the importance of the integrity process and of AAs'
and RAs' assurance statements certifying compliance with GAO standards.
5. Requiring all Senior Executive Service members, GS-15 managers, and Management
Integrity Advisors to attend OCFO's initial FMFIA training course and annual updates.
Concur. OCFO will work with OA to incorporate such a direction from the Administrator as
part of its strategy for tiered, Agency-wide FMFIA training.
Appendix B
Distribution
Office of the Administrator
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Acting General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Audit Follow-up Coordinator, Office of the Administrator
Audit Follow-up Coordinator, Office of the Chief Financial Officer
Acting Inspector General