United States
Environmental Protection
Agency
Superfund
Office of
Solid Waste and
Emergency Response
Publication 9200.8-05
EP A540/R-94/014
PB94-963232
March 1994
Audit Management Process
Reference Guide
-------�
EPA/540//R-94/014
Directive: 9200.8-05
March 1994
Audit Management Process
Reference Guide
This document is a draft and should not be quoted or cited.
It has not yet been subject to EPA policy review.
Office of Emergency and Remedial Response
U.S. Environmental Protection Agency
Washington, DC 20460
-------�
Table of Contents
I. Introduction 1
II. Participants 2
a. General Accounting Office 2
b. Office of the Inspector General 2
c. Audit Resolution Board and Audit Review Group 3
d. Agency Roles and Responsibilities 4
HI. Ethics 5
IV. Types of Audits 6
a. Performance Audits 6
b. Financial and Compliance Audits 6
c. Other Types of Reviews 7
d. Other Related Documents 7
V. Importance of Timely Response 9
VI. The GAO and OIG Audit Process 10
a. Phase One of the Audit Process 11
b. Phase Two of the Audit Process 13
c. Phase Three of the Audit Process 15
d. Phase Four of the Audit Process 23
Appendix A: Glossary of Audit Terms A-1
-------�
Acronyms
AA Assistant Administrator
AFC Audit Follow-up Coordinator
ARB Audit Resolution Board
ARG Audit Review Group
EPA Environmental Protection Agency
FMFIA Federal Managers' Financial Integrity Act
GAO General Accounting Office
HQ Headquarters
IG Inspector General
10 Immediate Office
MATS Management Audit Tracking System
MTS Milestone Tracking System
OARM Office of Administration and Resources
OASYS Office Automation System
OERR Office of Emergency and Remedial Response
OIG Office of Inspector General
OMB Office of Management and Budget
OPM Office of Program Management
OSWER Office of Solid Waste and Emergency Response
POD Priority Office Director
RA Regional Administrator
RMD Resource Management Division
SRIS Superfund Report Information System
* \ i
-------�
I. Introduction
Audits are a critical way to measure how well EPA is implementing its environmental
programs and carrying out its management responsibilities. Federal law requires
Executive and Federal Branch agencies to institute programs designed to respond to and
follow-up on audits issued by the Agency's Office of Inspector General (OIG) and the
General Accounting Office (GAO), the two main bodies which audit EPA programs and
activities.
The audit management process is comprised of three main activities; cooperating with
auditors to provide information, responding to the audits, and implementing audit
recommendations to correct deficiencies found during the investigation. The Office of
Management and Budget (OMB) issued Circular A-50, "Audit Follow-up" in September,
1982, which provides policies and procedures for Executive Branch agencies when
reviewing, responding to, and implementing recommendations of audit reports. In order
to ensure compliance with OMB Circular A-50 and to clarify roles and responsibilities of
participants in audit response and follow-up, EPA (Resources Management Division,
Office of Comptroller) issued EPA Order 2750 "Management of EPA Audit Reports and
Follow-up Actions" and EPA Order 2780. IB "GAO Audits: Agency Relationships with
GAO and Responsibilities for Follow-up Actions" in 1984.
This reference guide is designed to describe the audit management process, relevant
terms, roles and responsibilities of participants, and helpful hints and tools for full
compliance. General language is used to discuss the overall process within EPA, but this
guide is primarily geared toward Office of Solid Waste and Emergency Response
(OSWER) and Office of Emergency and Remedial Response (OERR) managers and staff.
1
-------�
II. Participants
Within the Federal Government, two officesthe General Accounting Office (GAO)
and the Office of the Inspector General (OIG)are authorized to conduct audits of EPA.
Each office conducts numerous performance and financial audits to promote efficient and
effective operations within Agency programs.
Further, EPA has delineated roles and responsibilities for key individuals responsible
for audit management, including audit arbitrators and Agency audit officials. These
participants are described in more detail in this section.
a. General Accounting Office
The GAO is the investigative arm of Congress responsible for auditing and evaluating
programs, activities, and financial operations of the Executive Branch. The Budget and
Accounting Act of 1921 and the Accounting and Auditory Act of 1950 authorize GAO to
conduct audits and investigations of Executive Branch departments and agencies solely at
the request of individual members of the House and Senate.
Duties and Responsibilities
GAO audits are independent examinations of the effectiveness in which Executive
Branch departments and agencies carry out their mandated programs and financial
responsibilities. GAO conducts examinations to assess the implementation and
effectiveness of Executive Branch programs for compliance with statutory objectives.
The GAO also prepares and delivers Congressional testimonies of its findings,
recommendations, and the corrective actions taken by audited agencies and departments.
GAO provides findings and conclusions, then recommends corrective actions to Congress
and Agency officials in written reports.
b. Office of the Inspector General
Each Executive Branch Agency has an OIG. The OIG is responsible for conducting
independent audits and investigations of Agencies' programs and activities. In addition,
the OIG oversees the work of non-Federal auditors (special interest groups) performed in
connection with Federal Programs.
The Inspector General (IG) Act of 1978 provides statutory authority to establish OIGs
in most departments and major agencies of the Executive Branch. Each IG is a political
appointee, primarily accountable to the President, with very little accountability to the
head of the department or agency. The EPA Administrator established and consolidated
audit and investigative operations into an independent OIG in 1980. The IG Act
Amendments of 1988 mandated new semiannual reporting requirements to Congress for
department and agency management.
2
-------�
Duties and Responsibilities
The OIG for EPA conducts, supervises, and coordinates audits and investigations
relating to programs and operations of the Agency. The OIG also recommends policies
to promote economy, efficiency, and effectiveness, and to detect and prevent waste,
fraud, and abuse. Serious or potentially serious problems of waste, fraud, and abuse are
reported under the Federal Managers' Financial Integrity Act (FMFIA) (see EPA
Publication 9200.9-01, "FMFIA: A Manager's Quick-Reference Guide to the Federal
Managers' Financial Integrity Act"). Finally, the OIG keeps the EPA Administrator and
Congress fully informed of problems related to the operation of programs, and the
necessity for and progress of corrective actions.
c. Audit Resolution Board and Audit Review Group
When proposed measures to correct an identified weakness are not agreed upon by
the OIG and the audited program, they are referred to the Audit Resolution Board (ARB)
and the Audit Review Group (ARG) for review.
The ARB reviews OIG audit cases in which resolution has been disputed or delayed,
and decides the final Agency position for resolving such audits. The Board consists of
the Assistant Administrator (AA) for Administration and Resources Management
(OARM), the EPA General Counsel, and a Regional Administrator serving a one-year,
rotating term.
The ARG serves as the ARB's advisory staff by analyzing the issues, obtaining
additional information, and developing recommendations to the board for cases under
review. ARG members include of the Senior Staff Designee of the AA/OARM for audit
resolution, the Associate General Council for Grants, Contracts, and General Law, and a
Deputy Regional Administrator serving a one-year rotating term. The Assistant Inspector
General for Audit, the Office Director of the audited program, and the Director of the
Office of Administration serve in an advisory role to the group.
The Office of the Assistant IG for Audit refers cases for review by transmitting to the
ARB, ARG, and person assigned for all activities associated with a specific audit (Action
Official) the following documents:
A statement of the issues and the determinations requested
Background information on the audit
A brief description of the auditor's and the Action Official's positions.
Once the ARG has analyzed the case and made recommendations, the ARB convenes a
meeting to decide the case. All ARB decisions are final.
3
-------�
d. Agency Roles and Responsibilities
Several officials within OSWER and OERR are designated audit management roles
and responsibilities. Figure 1 identifies agency officials who conduct audit management
functions, their corresponding audit management title, and their responsibilities in the
audit management process.
Audit Roles
Agency Audit Follow-up Official
AA/OARM
Jonathan Cannon
Agency Audit Follow-up
Coordinator (AFC)
Director RMD, and
Steve Tiber, RMD
Audit Management Officials
RA or ARA
AA or Office Director
Elliot Laws,
Henry Longest
Action Officials
RA or ARA
AA or Office Director
Elliot Laws,
Henry Longest
Audit Follow-up Coordinators
OSWER AFCs
Laurie May
Johnsie Webster
Charlene Dunn
OERR AFC
Sharon Hallinan
Audit Responsibilities
Responsibilities include:
Resolving and implementing corrective actions for audits
agency-wide
Informing the EPA Administrator of significant issues.
The Agency AFC responsibilities include:
Acting as liaison between audit agencies and EPA staff
Providing an early warning of planned audits to HQ and the
Regions
Preparing reports on audit resolution requested by agency
management or external parties.
Responsibilities may be delegated to Office Directors from the
AA. The Audit Management Official is responsible for managing
the office's overall audit responsibilities, including:
Ensuring all managers and staff understand the audit process
Directing the timely and effective resolution of audits
Ensuring the completion of all corrective actions proposed in
response to a specific audit.
Responsibilities may be delegated to Office Directors from the
AA. The Action Official is responsible for all activities
associated with a specific audit, including:
Responding on behalf of the Agency to draft and final reports
Ensuring the completion of all corrective actions proposed in
response to a specific audit.
The OSWER AFC responsibilities include:
Overseeing overall audit management activities with OSWER
Tracking the implementation of audit recommendations
Serving as point of contact between OSWER, OIG, and GAO
Tracking the progress of audits
Tracking the progress of corrective action implementation
Preparing monthly OSWER audit activity reports.
The OERR AFC responsibilities include:
Coordinating OERR audit responses
Training OERR staff in audit management
Serving as audit liaison with OSWER and external offices.
Figure 1: Agency Audits Roles and Responsibilities
4
-------�
III. Ethics
GAO and OIG audits address a program's adherence to applicable laws and
regulations, assess vulnerabilities of government resources, and identify weaknesses in
program controls and operations which must be corrected.
According to the Agency directive "6500: Functions and Activities of the Office of
the Inspector General," the OIG may investigate alleged violations of the government-
wide regulations on ethics and standards of conduct. This directive requires all
employees to promptly report instances of, and information on, any known or suspected
violation of laws, rules or regulations, or mismanagement; gross waste of funds; abuse of
authority; or substantial and specific danger to public health and safety. These
investigations result in an official audit report. In addition, the results of these
investigations may be included in OIG's semiannual report to Congress.
The OIG confidential hotline, listed below, was established for this purpose:
1-800-424-4000 or (202) 260-4977
As part of the Ethics guidelines, managers are responsible for:
Establishing, maintaining, and improving controls over government resources
within their areas of responsibility
Identifying and correcting problem areas prior to GAO and OIG audits
Ensuring all staff are aware of their responsibilities by attending training, working
closely with the FMFIA/Audit follow-up Coordinator, and maintaining open
communication with management.
Ethics in the workplace depends upon an individual's integrity, honesty, and
compliance with Federal laws and Agency policy.
5
-------�
IV. Types of Audits
GAO and OIG conduct several types of audits to measure EPA's effectiveness in
implementing its programs and carrying out its responsibilities. In broad terms, these
audits can be identified in one of two categories: Performance Audits, or Financial and
Compliance Audits.
a. Performance Audits
Performance Audits of EPA programs and operations are conducted to evaluate the
economy, efficiency, and effectiveness of Agency activities and to determine whether the
Agency is meeting or achieving its objectives. Following is a description of two types of
Performance Audits:
Program Audits determine the extent to which the desired results or benefits
established by Congress or other authorizing bodies are being achieved; the
effectiveness of organizations, programs, activities, or functions; and whether the
Agency has complied with laws and regulations applicable to a program.
Economy and Efficiency Audits determine whether the Agency is acquiring,
protecting, and using its resources economically and efficiently; ensure that the
Agency is complying with laws and regulations concerning economy and efficiency;
and identify the causes of found inefficient or uneconomical practices.
b. Financial and Compliance Audits
Financial and compliance audits are conducted to determine how effectively EPA is
complying with the statutes, regulations, or agreements under which Federal funds and
Superfund monies are disbursed. A description of the two types of Financial and
Compliance Audits follows:
Financial Statement Audits determine whether the program has complied with laws
and regulations for those transactions and events that may have a material effect on
financial statements; and whether financial statements of an audited program present
fairly its financial position in accordance with generally accepted accounting
principles.
Financial-Related Audits determine whether financial reports and related items, such
as elements, accounts, or funds, are accurately presented; whether financial
information is presented in accordance with established or stated criteria; and whether
the entity has adhered to specific financial compliance requirements.
6
-------�
Internal versus External Audits
Audits can be categorized as either internal or external audits as described below:
Internal (and Management) Audits are independent reviews of programs and
operations managed and administered internally by EPA Headquarters and the Regions.
External Audits are independent reviews of the records and performance of the
relevant programs and operations of external entities that are financially and/or
programmatically associated with EPA.
A performance audit (also called a program audit) can be further described as either
an internal or external audit. The same is true of financial and compliance audits.
c. Other Types of Reviews
There are several other types of reviews and evaluations that represent audits for
special purposes, limited scope, and timely turnaround. Some of the more frequently
conducted reviews are described below:
Special Reviews: Annual audits typically have statutory mandates requiring their conduct.
However, auditing agencies may decide to investigate related topics as
part of their annual efforts or expand the scope of the audit. These
additional topics and expansions become identified as special reviews
with their own published reports associated with the annual audit.
Annual unannounced audits are conducted at selected removal and
remedial sites. The audits review all activities at each site for
performance, financial state, and compliance. Forewarning of
selection for review is not provided to the chosen sites.
These reviews revisit previously audited subject matter to evaluate
the status of conditions and improvement efforts since the initial audit
was conducted. Further recommendations may result from a follow-up
review.
d. Other Related Documents
In addition to the different types of performance and financial and compliance audits,
EPA managers should be familiar with the following audit-related documents:
Fact Sheet: A short summary of a GAO follow-up study that revisits a previous
audit report, usually without a complete investigation.
Unannounced
Site Visits:
Follow-up
Review:
7
-------�
Position Papers:
An opportunity for Agency managers to comment on the preliminary
findings of an OIG audit. Position papers do not contain
recommendations, and are typically issued prior to the release of the
audit draft report.
Testimony: The witness statements of GAO, EPA, or other expert officials
presented at a Congressional hearing on a specific topic. The
testimony is recorded in a report. Testimonies may move Congress to
initiate an audit to more thoroughly investigate the particular issue.
Capping Report:
A capping report is not actually an audit. It is an effort to consolidate
the results of two or more related audits under one final report. For
example, separate audits of the procurement practices of soil sampling
services may have been conducted in three Regions over several years.
A capping report may be issued to summarize the findings and
recommendations for all three audits.
8
-------�
V. The Importance of Timely Response
The GAO and OIG publish numerous reports throughout the year for which the
Agency is provided an opportunity to comment in both draft and final versions. EPA
defines its responsibilities for implementing the auditor's recommendations in its
comments to the draft report. If EPA fails to provide comments to draft reports in a
timely fashion, the final report is prepared without Agency input regarding the findings
and recommendations. As a result, the final report may contain factual errors and EPA
managers may be held accountable for implementing recommendations for which they
are not actually responsible. Agency comments to draft and final reports are required and
are provided differently for each audit agency. EPA response requirements for GAO and
OIG are described below.
Responding to OIG Audits
EPA has 30 days from the release date to respond to OIG draft reports. The Action
Official for the specific audit coordinates the Agency's written response. If EPA fails to
provide written comments to the OIG draft report within 30 days, the final report is
prepared without Agency input regarding audit findings and recommendations. EPA has
90 days to respond to OIG final reports.
Responding to GAO Audits
GAO's policy is to obtain comments to draft reports, however, the Congressman
requesting the report may ask GAO not to accept written comments from EPA. In this
case, Agency comments are transmitted informally at the Exit Conference. Again, it is
important that the Agency provide comments to the GAO draft report, or the final report
will be prepared without Agency input regarding the factual content of the report. GAO
reports are available to the public, therefore, it is essential that these reports are free of
factual error. Once GAO releases a final report, the audit initiator (Congressman or
Senator) may hold the report for up to 30 days before it is released to EPA. After this 30-
day period, EPA has 30 days in which to respond to the final. The initiator may decide to
release the report within the first 30 days, thus giving EPA up to 60 days to respond to
the final report. Response time varies for GAO reports, and the time allowed for
Division comments is typically less than two weeks. It is critical that Agency responses
to GAO final reports are timely. Specifically, GAO testifies to Congress that the Agency
did not provide a response to a particular audit if the response was late.
To meet audit responsibilities, Agency officials should monitor all audits and be
present at all meetings with GAO and OIG auditors to discuss audit issues. If responses
are submitted late, the Agency forfeits its input opportunity and is responsible for all
findings and recommendations as recorded in the audit report.
9
-------�
VI. The GAO and OIG Audit Process
This section describes the audit process through a discussion of the nine discrete
events which comprise the audit process. To further order this discussion, the audit process
has been divided into four phases. Figure 2 illustrates the sequence of events within these
phases. The following pages describe each of these activities in detail.
Early Warning and Notification
Entrance Conference
Survey Phase
Draft Report
Response Requirement
Exit Conference
Final Report
Response Requirement
Audit Follow-up
and
Reporting
Figure 2: The Four Phases of the GAO and OIG Audit Process
The first phase describes activities that precede the release of a draft report. The
second phase focuses on activities as a result from the release of the draft report,
including a discussion of response requirements for draft GAO and OIG reports. The
third phase outlines activities associated with the release of a final report, including a
discussion of response requirements for final GAO and OIG reports and the correct
format and routing of a response. The final phase summarizes the implementation of
corrective actions during the follow-up process, and the tracking and reporting of these
activities.
10
-------�
a. Phase One of the Audit Process
Early Warning and Notification
Entrance Conference
Survey Phase
Draft Report
Response Requirement
Exit Conference
Final Report
Response Requirement
Audit Follow-up
and
Reporting
Figure 3: The First Phase of the GAO and OIG Audit Process
Early Warning and Notification
Early Warning and Notification allows EPA to prepare for the demands of upcoming
audits. EPA's Audit Follow-up Coordinators (AFCs) provide warning of upcoming
audits by obtaining and distributing audit planning information from GAO and OIG.
Each year, the OIG produces an Annual Audit Plan describing all recurring and planned
special audits to be conducted. In addition, the GAO Audit Liaison informs program
offices of audits that may be conducted by GAO during the fiscal year. Advance
notification of an audit's focus allows OERR Division staff to begin reviewing and
preparing records for these audits, and helps to ensure a timely Agency response.
SRIS is OERR's automated tracking system for Superfund related audits. When the
Agency is made aware of a new audit, SRIS is used to begin tracking the audit. Major
activities or events and Agency responsibilities are recorded throughout the audit's life
cycle. Upon completion, SRIS is used to track the corrective actions that OERR is
responsible for implementing.
SRIS is a valuable resource for EPA managers with audit response and follow-up
responsibilities. For more information about SRIS, please refer to the SRIS System
Overview and Users' Guide (EPA 9200.8-05-1).
Entrance Conference
An Entrance Conference is a meeting held to officially begin an audit. At this
conference, auditors explain the purpose, scope, and objectives of the audit and the
timetable for completing the audit. The auditors also request access to pertinent records
and information, and the names of key program contacts.
11
-------�
The conference is chaired by the audit agency and is attended by key officials of the
activity being audited. In addition to the Action Official and Auditors from the audit
agency, officials from the Office of Administration and Resources Management are
invited to attend all Headquarters Entrance Conferences.
Survey Phase
The Survey Phase of an audit follows the Entrance Conference. During this phase,
auditors investigate the status of a program or activity by collecting data, performing
analyses, and conducting interviews. In order to facilitate this process, auditors have
access to, and the right to examine, all books, documents, papers, and records of the
Agency. The only exceptions are records and information prohibited from release by
regulation, statute, or executive order.
Throughout the Survey Phase, auditors may request additional information to support
their investigation. This information may include written explanations of Agency
practices, justifications for decisions or special statistical summarizations, interviews
with program staff, and copies of internal files or reports. Specifically, EPA is required
by statute to provide information regarding its duties, activities, organization, financial
transactions, and methods of business.
If an Agency official considers it advisable to withhold specific records or
information requested by an audit representative, the official should immediately notify
the OSWER AFC. The OSWER AFC and the agency official will determine if access
should be granted or denied.
12
-------�
b. Phase Two of the Audit Process
Early Warning and Notification
Entrance Conference
Survey Phase
Draft Report
Response Requirement
Exit Conference
Final Report
Response Requirement
Audit Follow-up
and
Reporting
Figure 4: The Second Phase of the GAO and OIG Audit Process
Draft Report and Response Requirement
Following the Survey Phase, auditors prepare draft results of their investigations and
analyses, and address copies of these draft reports to the Agency AFC and the OSWER
AFC. The OSWER AFC distributes them to the Action Official within the appropriate
program offices, where the report is reviewed for accuracy and comments developed.
GAO and OIG prepare different types of draft reports, requiring different types of
Agency responses.
The format and Agency response requirements of GAO and OIG draft reports are
described in the following pages.
GAO Draft Report
The GAO draft report consists of only two basic sections. The first section, the
Preface, provides a brief overview of the background and objective of the audit. A
discussion of each issue and its principal findings follow the Preface. Unlike an OIG
final report, no conclusions or recommendations are included in the draft report. Only
facts are presented in this version.
GAO Response Requirements
The relevant OERR staff and managers are given an opportunity to review the draft
report for factual accuracy. The draft report is made available the day of the exit
conference. Upon review, the Agency is required to return the draft report. These reports
have been provided to the Agency in limited quantity, with each report numbered to
ensure their return to GAO. Congressional requirements typically prevent the Action
13
-------�
Official from providing formal written comments. In such cases, only informal oral
comments may be used to address the accuracy of the findings contained in the draft
report. Because GAO is not allowed to accept written responses to the draft report, it is
not necessary to have a formal time period within which EPA must respond. Agency
comments to draft GAO reports are most often communicated to auditors within a few
days of the receipt of the report (see Exit Conference). In the infrequent occasion in
which Congressional requirements allow written comments to the draft by EPA, the
Agency may have up to 30 days to provide written comments.
01G Draft Report
The OIG draft report more closely follows a final report structure than does its GAO
counterpart. The OIG draft report is divided into two sections, the executive summary
and the main body of the report. The executive summary is a synopsis of the report,
including brief discussions of the purpose, background, and results of the audit. The
main body of the report includes a table of contents, an introduction (purpose and
background), and a detailed chapter for each finding. Unlike GAO's version, the OIG
draft report includes conclusions and recommendations with each finding. In addition,
recommendations can be addressed to an Assistant Administrator, Office Director, or
even a specific division or branch.
OIG Response Requirements
Unlike responses to GAO draft reports, Agency comments to OIG draft reports are
formally solicited. EPA has more latitude in the types of written comments they may
provide to OIG than to GAO. Agency comments should address the factual accuracy of
the report findings, provide response to recommendations and even address the
responsibility assignment of recommendations.
OIG must receive EPA's comments within 30 days of the Agency's receipt of the
draft report. If EPA fails to provide written comments within 30 days, OIG will prepare
the final report without Agency input regarding findings, conclusions, and
recommendations. The format for a response to a draft OIG report is identical to the final
response. Examples of response formats are included later in this section.
For both GAO and OIG reports, the Agency loses the opportunity to influence the
content of the final report if comments are not provided in a timely mariner. As a result,
the final report may contain factual errors or EPA managers may be held accountable for
implementing recommendations for which they are not actually responsible. For a more
detailed discussion of the importance of a timely response, please refer to Section V.
Exit Conference
Scheduled soon after the release of the draft report, the Exit Conference is generally
the last opportunity for all the audit participants to have a face-to-face discussion
14
-------�
concerning the draft report The purpose of these discussions is for all audit participants to
have an understanding of the scope and contents of the draft report. However, the nature
of these discussions differs between GAO and OIG Exit Conferences. These differences
are described in the following pages.
GAO Exit Conference
As mentioned in the previous section, GAO does not typically solicit written
comments to the draft report. Oral comments are addressed at the Exit Conference. In
addition, only comments addressing the factual accuracy of the draft report are accepted
and discussed.
OIG Exit Conference
Discussions at an OIG Exit Conference are more extensive. Like the official written
comments, EPA's discussions with the OIG may question or disagree with any aspect of
the contents of the draft report. As a result, the OIG Exit Conference also serves to allow
EPA and OIG to resolve any major disagreements concerning the draft report.
Early Warning and Notification
Entrance Conference
Survey Phase
Draft Report
Response Requirement
Exit Conference
Final Report
Response Requirement
Audit Follow-up
and
Reporting
Figure 5: The Third Phase of the GAO and OIG Audit Process
c. Phase Three of the Audit Process
Final Report
Once comments to the draft report are received (written or oral), and the Exit
Conference has been held, the auditors publish the final report. Both GAO and OIG
Final Reports include an Executive Summary, main body, and appendices. Both reports
include findings, conclusions, and recommendations in the main body. The reports differ
in that GAO Final Reports typically do not include a written discussion of the Agency's
15
-------�
comments to the draft report (unless special permission was granted allowing EPA to
provide formal comments to the draft report).
The Agency comments to the draft report are separated into specific comments
addressing specific findings, conclusions, or recommendations. In the OIG final report,
OIG includes a summary of the relevant Agency comments at the end of each related
findings chapter. In addition, OIG Final Reports include the written Agency comments
to the draft report in original form as part of the appendix. This allows agreements and
disagreements to be officially recorded.
The final report (GAO or OIG) is an official document. The report is binding insofar
as the Action Official is responsible for ensuring that the report recommendations are
implemented in a timely and effective manner.
Response Requirement
Response preparation requires EPA coordination at several levels. Coordination
begins within OSWER. The OSWER AFC receives and directs audit reports to the
OERR AFC. The OERR AFC notifies the appropriate branch or division of its response
requirements. If more than one branch or division is responsible, the OERR AFC
coordinates their responses and forwards them to the OERR front office for approval. All
responses with Regional implications require Regional review and concurrence prior to
their submission to the OSWER AFC.
For GAO final reports, the GAO Audit Liaison is delegated the responsibility of
coordinating the Agency response. Once the response is prepared, a final review (Red
Border Review) of the response is conducted by all relevant Agency staff and managers
for final concurrence. The AA/OARM is ultimately responsible for the preparation of the
Agency response to a GAO final report. Once the Agency response receives final
approval, it is formally transmitted to the audit agency. Figure 6 depicts the six-step
process OSWER/OERR uses in responding to an audit.
16
-------�
OERR
AFC
OERR
AFC/cc
AA's
Office/
OSWER
AFC
Director's
Office/OERR
AA's Office/
OSWER
AFC
Responsible
Division(s)
All audit reports are directed to the AA/OSWER and
the OSWER AFC. The OSWER AFC attaches a
transmittal memo signed by the Director of OSWER
Organizational Management and Integrity Staff to each
report and forwards the original and copies to the
OERR AFC.
OERR AFC identifies responsible divisions, assigns
Office Automation System (OASYS) Priority, Office
Director (POD) numbers for tracking, attaches POD
Control Sheets to each report, then distributes the report
to the divisions responsible for contributing to the
Agency's response.
Division Directors oversee response preparation.
Division staff prepare responses that address the
findings and recommendations within the report. The
divisions establish achievable corrective actions
(milestones) and include them in the final response.
OERR AFC coordinates division responses, then
reviews responses for adequacy and compliance with
audit response guidelines (see sample response form).
A copy of the response is forwarded to the Director,
OERR for review.
The Director, OERR reviews the audit report and
response for responsiveness and concurrence. Audit
reports and responses are then returned to the OERR
AFC for forwarding to the OSWER AFC and AA's
office.
The OSWER AFC reviews the report and response.
Responses to GAO audit reports include a Red Border
Review of the response. The response is approved and
signed by the AA or Deputy AA. Final signature copy of
the report and response is returned to the audit agency.
Figure 6: OSWERJOERR Audit Response Process
17
-------�
Format of Audit Responses
Audit responses should follow a standard format which includes a header identifying
the relevant report, the response preparer, and the response receiver. In final form, the
response to a GAO final report is addressed from the AA/OARM to GAO. The response
to an OIG final report is addressed from the Action Official (AA/OSWER for OSWER
related audits) and addressed to OIG.
The main text of the response letter includes each recommendation, the response, and
a relevant workplan of milestones to implement the recommendation. Milestones
included in the response should be achievable as determined by the designated Action
Official. All milestones will be tracked until completed, therefore, it is essential to weigh
carefully realistic comments to milestones and specific implementation dates. Divisions
are encouraged to contact the OERR AFC if further assistance is needed.
The audit response should restate the recommendation, indicate the page number of
the report where the recommendation is found, and be followed by a response including
completed and pending milestones. Always include page numbers, starting with page
two, and left-justify all text. If OERR is the sole responder to the report, the response
memorandum should be addressed to the audit originator, from the Assistant
Administrator. For comments prepared for the OIG, use the format shown in Figure 7.
An example of a response prepared for GAO is illustrated in Figure 8.
18
-------�
MEMORANDUM
Subject: OIG Final Audit Report on "Program Review,
EISF61-15,5001"
From: Elliott P. Laws
Assistant Administrator
To: Audit Originator, Title
Office of Inspector General
The purpose of this memorandum is to transmit our
response to the recommendations contained in the subject
audit report.
Recommendation to the AA. QSWER (page 8):
Identify the universe of regulated facilities and
prioritize inspections to ensure that facilities which
pose the greatest threat to the environment are being
inspected.
QSWER Response:
We accept this recommendation, and the AA, OSWER, will
direct the development of a tank inventory and investigate
the use of local inspector resources.
Milestones:
Completed Identified and contacted qualified inspectors
through professional trade group during the
first quarter of 1992.
7/30/92 Develop an approach for identifying and
collecting tank inventory data for prioritized
inspections.
Thank you for the opportunity to comment on this
subject report. If you have any questions, please call
Charlene Dunn, OSWER Audit Follow-up Coordinator, at
(202) 260-9466.
cc : Director, OERR
OSWER Audit Follow-up Coordinator
OERR Audit Follow-up Coordinator
Other program staff, as appropriate
Figure 7: Example of an OIG Response
19
-------�
MEMORANDUM
Subject: GAO Final Audit Report on Program Review, RCED-93-50
From: Elliott P. Laws
Assistant Administrator
To: Jonathan Z. Cannon
Assistant Administrator
Office of Administration and Resources Management
The purpose of this memorandum is to transmit our response
to the recommendations contained in the subject audit report.
Recommendation to the AA. OSWER (page 10):
Encourage and provide support for the Regions in establishing
cost recovery units.
OSWER Response:
We accept this recommendation, and the AA, OSWER, will hold
a telephone conference with the RAs to discuss issues regarding
the establishment of cost recovery units. In addition, we will
provide HQ staff in OERR to act as a clearinghouse for
information regarding the establishment of cost recovery units.
Milestones:
Completed Telephone conference with RAs held on 9/30/90 to
discuss cost recovery unit establishment issues.
5/30/91 OERR support staff will be prepared and on-line to
provide information to the Regions on establishing
¦ cost recovery units.
Thank you for the opportunity to comment on this subject
report. If you have any questions, please call Charlene Dunn,
OSWER Audit Follow-up Coordinator, at (202) 260-9466.
cc: Director, OERR
OSWER Audit Follow-up Coordinator
OERR Audit Follow-up Coordinator
Other program staff, as appropriate
Figure 8: Example of a GAO Response
20
-------�
When preparing either an OIG or GAO response involving several offices, versus
sole responder audits, the following header format should be used:
Subject: Audit Report Title and Number
From: Henry Longest, director
Office of Emergency and Remedial Response
To: Laurie May, Director
Organizational Management and Integrity Staff
Figure 9: Example Header for Responses Requiring more than one Office
If an audit report has Regional implications, Regional review and comment must
occur before forwarding the response to the AA for signature. In addition, the name of
the Regional contact and phone number should be attached to the response.
If an audit report does not require a response, a formal memorandum is not required.
Instead, OPM should address a note to Charlene Dunn, OSWER 10 stating that OERR
has no comments to the subject audit report.
Routing and Distribution of Audit Responses
Once a response to an audit report is prepared in the proper format, the author sends a
copy of the response through the management chain of command. Routing is facilitated
by attaching a routing slip to the Response Package. A sample routing slip is shown in
Figure 10. Before the response is reviewed by the OERR Director and signed by the AA
for OSWER, it is reviewed by the appropriate managers including the Division Director
and the OERR AFC.
In addition to routing audit responses using routing and transmittal slips, response
authors should provide the response electronically on the OERR Local Area Network
(LAN). Responses are copied into a computer file and placed in the OERR LAN shared
directory under subdirectory AUDITFMF.
21
-------�
ROUTING AND TRANSMITTAL SLIP
Date
3/17/92
TO: (Name, office symbol, room number,
building, Agency/Post)
Originator
Initials Date
2. Originator's Section Chief
3. Originator's Branch Chief
4. Originator's Division Director
OERR AFC/Correspondence Control
Action
File
Note and Return
Ad dt oval
Fa Clearance
Per Conversation
As Reauested
For Correction
Prepare Replv
Circulate
For Your Information
See Me
Comment
Investiaate
Sia nature
Coordination
Justifv
REMARKS
6. Director, Office of Emergency and Remedial Response
(OERR)
7 . OSWER AFC
8. Assistant Administrator, Solid Waste and Emergency
Response (Signature)
RE: OSWER Response to Draft Special Report
E1SFF1-11-0015 "Appropriateness of
Accomplishments Claimed in CERCLIS
for Fiscal 1990"
Reference: File Title
DO NOT use this form as a RECORD of approvals, concurrences, disposals,
clearances and similar actions
FROM: (Name, org. symbol, Agency/Post)
Room
No.Bldg.
Originator
Phone No.
5041-102 OPTIONAL FORM 41 (Rev. 7-76)
Prescribed by GSA
~ U.S.G.P.O 1991 281-781/40010 FPMR (41CFR) 101-11.206
Figure 10: Example of Completed Routing and Distribution Slip
22
-------�
d. Phase Four of the Audit Process
Early Warning and Notification
Entrance Conference
Survey Phase
Draft Report
Response Requirement
Exit Conference
^
Final Report
Response Requirement
Audit Follow-up
and
Reporting
Figure 11: The Fourth Phase of the GAO and OIG Audit Process
Audit Follow-up and Reporting
OSWER/OERR has three systems for tracking corrective action implementation and
other audit management activity: the Management audit tracking system (MATS), the
Superfund Response Implementation System (SRIS), and the Milestone Tracking System
(MTS). MATS, SRIS, and MTS together provide the basis for annual milestone
reporting to the GAO, OIG, and OMB.
MATS is the Agency's official audit tracking system. This system focuses on audit
responsibilities at the Assistant Administrator's level. The OSWER AFC is responsible
for updating audit recommendations, milestones, and completion dates in MATS.
OSWER produces the Inventory of Audit Activity report every other month by using the
information recorded in this system. Selected portions from MATS are included in the
OIG Semiannual Report to Congress.
OERR requires additional detail to successfully manage audit activity. As a result,
SRIS was developed to track major events within the life cycle of an audit. SRIS
maintains status information regarding all newly initiated, ongoing, or closed-out audits
and milestones. The OERR AFC uses SRIS to track corrective actions that OERR is
responsible for implementing. This system is used to update the information contained in
the OSWER Inventory Report. For a more detailed description of SRIS functions and
operations, please refer to the accompanying guide, The SRIS System Overview and
Users' Guide (EPA 9200.8-05-1).
OERR Divisions use MTS, accessed through the OERR LAN, to manage corrective
action milestones. When Divisions submit corrective actions in an audit response, a new
23
-------�
workplan is created in MTS. This workplan includes corrective actions, in the form of
milestones, as well as any interim or process milestones.
SRIS tracks the status of milestones reported in MTS through an electronic transfer of
data. SRIS is also used to assist in preparing status reports of upcoming and overdue
milestone completions. If a milestone date must be changed, a memo indicating why the
milestone cannot be completed and its new projected completion date should be attached
to the status reports on upcoming and overdue milestones. Status reports must be
submitted quarterly (or more frequently, if requested) until all milestones are completed.
Figure 12 contains an example of a Status Report Memo.
MEMORANDUM
Subject: Audit Follow-up; Update of Milestone Activity for
OIG Audit of the Sample Management Office
From: Tom Sheckells, Director
Office of Program Management
To: Laurie J. May, Director
Organizational Management and Integrity Staff
The purpose of this memorandum is to transmit an update
of milestone activity for the subject audit report.
Attachment I provides a listing of completed milestones
as well as milestones for which our planned completion
dates have been modified. The remaining attachments serve
as documentation for completed milestones.
If you have any questions, please call Sharon Hallinan
at (703) 603-8894.
Attachments
cc: Charlene Dunn
Howard Fribush
Sharon Hallinan
Figure 12: Status Report Memo
24
-------�
Milestone tracking ends only after all corrective actions are completed. When
preparing a status report on upcoming and overdue milestones for the OSWER AFC, the
milestone information should be taken directly from the OSWER inventory. In addition,
each milestone date and title should be repeated, with either a description of the action
taken and documents produced that satisfy this milestone, or a request for an extension
and a new proposed completion date. Figure 13 contains an example of the Milestone
Update Section.
Exhibit 4-9 OSWER Inventory
04/01/93 Identify problems with the Funding System
This milestone is complete. Attachment II serves as
documentation. This documentation, in chart form, allows
us to determine delays in processing funding documents by
examining the durations between steps in the process.
After determining the point in which the delay occurred, a
solution to process documents more timely can be
determined.
Figure 13: Milestone Update Section
Due to the large number of GAO and OIG on-going audits, it is essential for
managers to closely monitor audit follow-up responsibilities, and maintain milestone
status for reporting.
25
-------�
Appendix A: Glossary of Audit Terms
Action Official:
Audit Agency:
Audit Closeout:
Audit Finding:
Audit Follow-up:
Audit Life Cycle:
The person responsible for all activities associated with a
specific audit. Activities include responding on behalf of the
Agency to draft and final reports.
The agency responsible for investigating and evaluating
programs, activities, and financial operations. For EPA the two
primary audit agencies are GAO and OIG.
The results of OIG accepting EPA's response to the final
report.
Any error, weakness, deficiency, problem, or need for
improvement that is identified and detailed in an audit report.
The process of taking corrective actions to implement
recommendations, monitor corrective actions, and report on
progress made towards implementation of milestones.
The major events in an audit from the Entrance Conference to
the Closeout.
Audit Recommendation: An aspect of a program identified in an audit report with
specific advice to: (1) improve an operation or procedure;
(2) achieve compliance with applicable laws, regulations, and
directives; and/or (3) assure that all costs charged are allowable
under Agency regulations and applicable Federal cost
principles.
A process for resolving disagreements between Agency
management and auditors on corrective action to be taken,
reported findings, or recommendations.
A written document addressing each finding or
recommendation in an audit report by stating agreement/
disagreement and setting forth appropriate corrective action
milestones to implement recommendations.
Corrective Action: Any measure or course of action taken to implement an agreed-
upon audit recommendation.
Correspondence Control: A step in the process of assigning audit reports to specific
managers for response, then assigning a POD number.
A-1
Audit Resolution:
Audit Response:
-------�
Documentation:
Written verification to support a completed corrective action
milestone.
Draft Report:
A preliminary report of the findings and sometimes
recommendations for the purpose of obtaining comments from
the audited program or Agency.
Entrance Conference:
The official meeting held at the beginning of an audit to
explain the purpose, scope, objectives, and a timetable for
completing the audit.
Exit Conference:
A meeting after the draft report has been issued to discuss
findings and recommendations, clarify issues addressed in the
audit, and resolve disagreements.
Final Report:
The report released after the exit conference that contains the
most recent findings and recommendations of the audit agency.
Final reports are official documents.
Management Audit
Tracking System
(MATS):
The official Agency system for tracking corrective actions
and other audit activity. MATS is not available below the
Assistant Administrator level.
Milestone:
An agreed-upon target used to measure the implementation of
corrective actions.
Milestone Closeout:
The step taken when a milestone is accomplished and
adequately documented.
Milestone Tracking
System (MTS):
The system used by OERR Divisions for tracking general
workplans as well as milestones created to implement
corrective actions from audits.
Red Border Review:
A final review of an audit response (to GAO reports only) after
all individual responses have been consolidated into one by the
AA or GAO Liaison officer before it is presented to GAO.
Superfund Report
Information System
(SRIS):
The OERR system used to track major events within the life-
cycle of an audit, to manage audit activity at the program office
level, and to perform ad hoc queries and reports to assist
Superfund managers in their audit responsibilities.
Survey Phase:
The step in the audit process in which the auditors begin to
collect data for the audit.
A-2
-------�
Weakness: An identified error, deficiency, problem, or need for
improvement listed by the audit agency in the audit report.
Some weaknesses, deemed "material," warrant the attention of
Congress and the President.
Workplan: A document written by the responsible division explaining the
steps they will take, including milestones, to implement
corrective actions and recommendations included in the audit
A-3
-------� |