£
-------�
Report Contributors:
Patrick Gilbride
Erin Barnes-Weaver
Raul Adrian
Monica Brym
Abbreviations
ASB
Analytical Services Branch
CID
Criminal Investigation Division
CLP
Contract Laboratory Program
COR
Contracting Officer's Representative
EPA
U.S. Environmental Protection Agency
EXES
Electronic Data Exchange and Evaluation System
FY
Fiscal Year
GAO
U.S. Government Accountability Office
OAM
Office of Acquisition Management
OCEFT
Office of Criminal Enforcement, Forensics and Training
OECA
Office of Enforcement and Compliance Assurance
OEI
Office of Environmental Information
OI
Office of Investigations
OIG
Office of Inspector General
OLEM
Office of Land and Emergency Management
OMB
Office of Management and Budget
OSRTI
Office of Superfund Remediation and Technology Innovation
QA
Quality Assurance
QATS
Quality Assurance Technical Support
QC
Quality Control
SMO
Sample Management Office
Cover image: EPA OIG graphic depicting fraud risk.
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
x^fcD ST/ff.
* *- U.S. Environmental Protection Agency 17-P-0119
March 6, 2017
. u.o. tiiviiuiimeiucM riuicuu
< ftA \ Office of Inspector General
IWJ
At a Glance
Why We Did This Review
We conducted this review to
determine whether the U.S.
Environmental Protection
Agency's (EPA's) Contract
Laboratory Program (CLP) has
the controls to detect or prevent
fraudulent analytical services or
data produced by CLP
laboratories, and whether those
controls provide reasonable
assurance that the potential for
fraud is minimized. We also
sought to identify how the EPA
monitors laboratory fraud cases
across the agency to inform its
system of controls.
The CLP is a national network
of EPA-approved contract
laboratories whose primary
service is the provision of
analytical data of known and
documented quality. Since the
1980 inception of the CLP, 180
CLP labs have performed over
3.7 million analyses on
samples from more than
20,900 sites, at an expense of
approximately $431.5 million.
This report addresses the
following EPA goals or
cross-agency strategies:
• Protecting human health
and the environment by
enforcing laws and
assuring compliance.
• Embracing EPA as a high-
performing organization.
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.gov/oia.
Listing of OIG reports.
Fraud Controls for EPA's Contract Laboratory Program
Are Adequate, but Can Be Strengthened With Formal
Risk Assessment and Investigative Information Sharing
The impacts of lab fraud
include risks to human
health and the
undermining of EPA
regulatory programs.
What We Found
The CLP has demonstrated the effectiveness of four
of five internal controls that provide reasonable
assurance that the potential for laboratory fraud is
minimized. One component—risk assessment—has
not been formally documented. Rather, one CLP
manager said they address fraud risks informally but
on a continual basis, which results in the development of new tools and updated
guidance documents. Formal risk assessment would provide the CLP assurance
that its controls address risks, as well as provide a clear picture of efforts to
address lab performance deficiencies.
Policies for EPA investigative offices do not require them to share information
with program offices, or explain how or why lab fraud occurred. According to
investigative units, there are additional reasons as to why they do not share
information: a small caseload of lab fraud for them to data-mine trends; the
inability to share sensitive information until a case closes; and resource
limitations. Stakeholders we interviewed agreed with the merit of having
investigative offices share relevant aspects of lab fraud findings, including
methods and techniques used to commit the fraud. Stakeholders also agreed that
investigative offices should share information to help program and regional
offices strengthen and update their internal control systems for preventing and
detecting lab fraud.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for the Office of Land and
Emergency Management (OLEM) conduct and document a formal risk assessment
of the CLP to determine whether additional internal controls are needed to mitigate
detected risks. We also recommend that the Office of Enforcement and
Compliance Assurance (OECA), and the Office of Inspector General (OIG), require
investigative units to share pertinent information from laboratory fraud findings with
relevant program and regional offices. Recommendations for OLEM and OECA are
agreed-to with corrective actions pending. The OIG completed its corrective action.
Noteworthy Achievements
OLEM developed an electronic laboratory data validation package—the
Electronic Data Exchange and Evaluation System (EXES)—that is being made
available to other agency programs via pilot implementations. A new version of
EXES is in the works, which will incorporate added controls based on a current
CLP lab fraud case. This demonstrates OLEM's view of EXES as a dynamic
system that will be periodically updated to reflect changes in the program.
-------�
^£DSX
s JHt? ^ UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
| j? WASHINGTON, D.C. 20460
% d?
PRO**4,
OFFICE OF
INSPECTOR GENERAL
March 6, 2017
MEMORANDUM
SUBJECT: Fraud Controls for EPA's Contract Laboratory Program Are Adequate, but Can Be
Strengthened With Formal Risk Assessment and Investigative Information Sharing
Report No. 17-P-0119
FROM: Charles J. Sheehan, Deputy Inspector General
TO: Barry Breen, Acting Assistant Administrator
Office of Land and Emergency Management
[JaJvUuJ .
Lawrence Starfield, Acting Assistant Administrator
Office of Enforcement and Compliance Assurance
Arthur A. Elkins Jr., Inspector General
This is our report on the subject evaluation conducted by the Office of Inspector General (OIG) of
the U.S. Environmental Protection Agency (EPA). The project number for this evaluation was
OPE-FY16-0022. This report contains findings that describe the problems the OIG has identified and
corrective actions the OIG recommends. This report represents the opinion of the OIG and does not
necessarily represent the final EPA position. Final determinations on matters in this report will be made
by EPA managers in accordance with established audit resolution procedures.
Action Required
In accordance with EPA Manual 2750, your offices provided planned corrective actions in response to
our recommendations. All recommendations are considered resolved. You are not required to provide a
written response to this final report because you provided agreed-to corrective actions and planned
completion dates for the report recommendations. Should you choose to provide a final response, we
will post your response on the OIG's public website, along with our memorandum commenting on your
response. Your response should be provided as an Adobe PDF file that complies with the accessibility
requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should
not contain data that you do not want to be released to the public; if your response contains such data,
you should identify the data for redaction or removal along with corresponding justification.
We will post this report to our website at www.epa.gov/oig.
-------�
Fraud Controls for EPA's Contract Laboratory Program Are
Adequate, but Can Be Strengthened With Formal Risk
Assessment and Investigative Information Sharing
17-P-0119
Table of Contents
Chapters
1 Introduction 1
Purpose 1
Background 1
Responsible Offices 7
Noteworthy Achievements 7
Scope and Methodology 7
2 CLP's Internal Control System Addresses Four of Five Components
and Should Formally Assess Program Risks 10
CLP's Internal Control System Meets Most of the Principles for
Effective Internal Controls 10
Federal Guidance and EPA Policy Require Risk Assessment 12
Conclusion 13
Recommendation 13
Agency Response and OIG Evaluation 13
3 Investigative Units Should Formally Share Information From
Lab Fraud Investigations With Affected Organizations 14
No Formal Requirement to Share Information 14
Few Lab Fraud Cases, Resource Limitations and Sensitive
Information Limit Information Sharing 16
Stakeholders Agree on the Need for Information Concerning
Lab Fraud Methods/Techniques 16
Conclusion 19
Recommendations 19
Agency Response and OIG Evaluation 19
Status of Recommendations and Potential Monetary Benefits 20
Appendices
A Office of Land and Emergency Management Response to Draft Report 21
B Office of Enforcement and Compliance Assurance
Response to Draft Report 25
C Office of Inspector General Response to Draft Report 27
D Distribution 28
-------�
Chapter 1
Introduction
Purpose
We conducted this review to determine whether the U.S. Environmental
Protection Agency's (EPA's) Contract Laboratory Program (CLP) has the
controls to detect or prevent fraudulent analytical services or data produced by
CLP laboratories, and whether those controls provide reasonable assurance that
the potential for fraud is minimized. We also sought to identify how the EPA
monitors laboratory fraud cases across the agency to inform its system of controls.
Background
Contract Laboratory Program
The CLP is located within the EPA's Office of
Land and Emergency Management (OLEM).
The CLP is a national network of EPA-approved
contract laboratories whose primary service is
the provision of analytical data of known and
documented quality to support Superfund site decisions. All analytical services are
performed by EPA-approved contract laboratories who meet stringent requirements
and standards in order to be a part of the CLP. The reliability and accuracy of CLP
lab data is important for monitoring environmental and public health issues.
The Analytical Services Branch (ASB) within OLEM's Office of Superfund
Remediation and Technology Innovation (OSRTI) manages and supports the
CLP. There are 17 participant laboratories in the CLP (as of April 2016). The
EPA has a four-tier strategy for acquiring laboratory analytical services for
Superfund site sample analyses.1
Tier 1 EPA regional and state laboratories.
Tier 2 CLP and other national analytical services contracts.
Tier 3 Region-specific analytical services contracts.
Tier 4 Analytical services interagency agreements and regional field
contracts/ subcontracts.
Since the 1980 inception of
the CLP, 180 CLP labs have
performed over 3.7 million
analyses from more than
20,900 sites, at an expense of
approximately $431.5 million.
1 In March 1998, the Field and Analytical Services Teaming Advisory Committee (comprised of headquarters and
regional Superfund program managers) was convened to promote coordination enhance customer service and
improve the quality assurance program with an emphasis on field activities. The committee recommended using a
decision tree for selecting laboratory analytical service providers in order of preference, based on evaluating
available analytical sources and considering the following parameters: quality, timeliness, cost,
efficiency/availability (on-board resources), and potential vulnerabilities.
17-P-0119
1
-------�
In general, there is increased cost for analyses and quality reviews when using a
higher tier. Tiers 1 and 2 are considered the most preferred; Tier 4 the least
preferred.
Quality Assurance/Quality Control Processes
The quality assurance (QA) process consists of management review and
oversight at the three stages of the environmental data collection: planning,
implementation and completion. This process is intended to ensure that the
data provided are of known and documented quality. The quality control (QC)
process includes those activities required during data collection to produce
data suitable for decision-making. Each contract lab has a Quality
Management Plan and a Quality Assurance Project Plan. Some labs combine
these two documents into one. Each lab must also include the QA/QC
activities designed to achieve the data quality requirements in the contract.
Additionally, each CLP analytical
method, identified by its respective
statement of work, has a corresponding
set of guidelines (called the National
Functional Guidelines) for the review and
evaluation of the data. The National
Functional Guidelines are intended to
assist in the technical review of analytical
data generated by the respective CLP
statement of work. The National
Functional Guidelines are not intended to
be used alone in determining the ultimate
usability of the data; rather, the
guidelines are intended to aid in the
formal data review process, along with other sources of guidance, information
and professional judgment.
The ASB and EPA regions conduct primary lab performance monitoring
activities to ensure that contract labs produce appropriate, quality data.
Monitoring activities include the following: on-site lab evaluations, electronic
data audits, data package audits, and lab evaluations through the use of blind
performance evaluation samples. Additionally, "proficiency testing" audits are
used to evaluate a laboratory's ability to identify and quantify target analytes
in performance evaluation samples provided by the EPA. The agency then
uses the results to assess and verify a CLP laboratory's continuing ability to
produce acceptable analytical data in accordance with contractual
requirements. CLP laboratories analyze proficiency testing audit samples
several times per year under direction from the ASB. The CLP laboratory is
not informed of either the analytes or sample concentrations.
Laboratories are used to analyze
soil, water and other media to
determine their chemical
composition, to assess whether
such chemicals pose human
health risks, and to determine
whether such media are
contaminated and in need of
remedial treatment. In light of this
role, maintenance of the integrity
of laboratory sample tests, results
and reports is critical for providing
communities accurate information
about their environment and
potential health risks.
17-P-0119
2
-------�
Quality staff in the Office of Environmental Information (OEI) are responsible
for issuing agencywide QA/QC policies and procedures. Quality staff have
liaisons in every EPA program office and region, although titles may vary by
location (e.g., QA Managers, Directors or Coordinators).
CLP Key Entities
Personnel from all 10 EPA regions play a vital role in CLP activities as the
primary users of the CLP and as a key part of analytical program
management. The regional CLP Contracting Officer's Representative (COR)
serves as the primary coordinator for CLP activities within each region;
provides feedback on data quality, usability and CLP laboratory performance
to ASB; and contacts the laboratory if there are questions or issues that arise
during data validation. The regional CLP COR leads on-site laboratory audits
and may visit the CLP laboratory if there are serious performance problems.
The Office of Acquisition Management (OAM) is responsible for all
contracting-related activities. OAM's Laboratory Analysis Service Center
manages CLP contracts. OAM's Contracting Officer is the only person with
the authority to enter into, administer and terminate contracts. The Contracting
Officer has the authority to approve CLP laboratories exceeding their monthly
capacity and place CLP laboratories on "suspension of work" status.
As noted earlier, CLP labs fall under Tier 2 in the EPA's decision tree when
selecting analytical service providers. CLP labs are supported by two support
contracts: the Sample Management Office (SMO) contract, and the Quality
Assurance Technical Support (QATS) contract.
• SMO—The contractor-operated SMO provides management,
operations and administrative support to the CLP. The SMO receives
regional analytical requests, coordinates and schedules sample
analyses, and tracks sample shipments. The SMO also receives and
checks data for completeness and compliance, performs automated
data assessment, processes laboratory invoices, and maintains a
repository of sampling records and program data. The SMO's online
portal offers CLP users one central location for available tools that
support the CLP.
• QATS —This is the CLP support contractor directed and tasked by the
ASB on behalf of OAM. The QATS provides QA and audit support, as
well as technical expertise to assist in evaluating CLP data quality. The
primary objective of QATS is to provide a data package and
electronic, on-site and special investigative audit2 support; develop,
2 The QATS "special investigative audits" are small, targeted and focused audits of particular data from multiple
sample delivery groups. These investigative audits are different from the lab fraud investigations we describe in
Chapter 3.
17-P-0119
3
-------�
maintain, distribute and scope proficiency testing samples; and provide
technical feedback to ASB on required CLP deliverables and data
quality. The ASB's QATS contracting officer's representative
schedules on-site audits, initiates routing and special investigative
audits, oversees the proficiency testing audit program, and gives final
approval to all reports produced by QATS in support of the CLP.
Key entities in the CLP are shown in Figure 1.
Figure 1: Major entities in the CLP
Source: OLEM-OSRTI-ASB presentation to the EPA's
Office of Inspector General (OIG) on 06/22/16.
CLP Resources
Table 1 presents the headquarters-level CLP budget and full-time equivalent
information for fiscal years (FYs) 2005, 2010 and 2015.
According to data provided by the ASB, the budget for the CLP has decreased
by over 16 percent from FY 2005 levels, and a near 24-percent decrease from
FYs 2010 through 2015. Staff have decreased 36 percent from FY 2005
levels.
17-P-0119
4
-------�
Table 1: Headquarters CLP resources
FY 05
FY 10
FY 15
Cost of CLP Lab Contracts
9,723,855
10,343,788
6,237,383
Cost of Blanket Purchase Agreements
0
670,425
367,360
Subtotals
9,723,8551"
11,014,2131
6,604", 743!
Cost of CLP support contracts:
QATS
3.484,469
3,754,715
4,217,841
SMO
10,703,329
11,519,629
9.182,590
Subtotals
14,187,7981
15,274.3441
13.400,431:
Grand Total
23,911,653
2:6,288,557
20,005,174
Total Full-Time Equivalents
--
7.3
6.4
Notes: Data for Blanket Purchase Agreements in FY 2005 were not readily available. FY 2005 full-
time equivalent data were also unavailable.
Source: OIG analysis of CLP data.
Lab Fraud Allegations
The ASB defines inappropriate laboratory practices as "a technical unjustified
omission, manipulation, or alteration of data that bypasses the required QC
parameters, making the results appear acceptable." Lab fraud investigations focus
on the manipulation of data or equipment, and the falsification of analytical and
quality assurance results, where failed methods and contractual requirements are
made to appear acceptable. Fraud can involve the backdating of test data,
manipulating test samples, or not performing analysis in accordance with
established methods among other things.
Lab fraud allegations are investigated
either independently or jointly by the
EPA OIG's Office of Investigations (01);
and/or the agency's Office of
Enforcement and Compliance
Assurance (OECA), Office of Criminal
Enforcement, Forensics and Training
(OCEFT), Criminal Investigation
Division (CID), according to statutory authorities (see box) of each office3 and the
terms of an OIG/OECA 2006 Memorandum of Understanding. The EPA's
contract labs are at potentially high-risk for fraud because profits are based on the
volume of analytical work produced.
Primary investigative
responsibilities
• OIG/OI: Fraud, waste and abuse
in EPA programs or operations.
• OCEFT/CID: Criminal violations of
federal environmental laws.
3 The Inspector General Act of 1978, as amended, gives OIG Special Agents law enforcement authority to conduct
investigations relating to the programs and operations of the EPA. Law enforcement authority is granted to
OCEFT/CID Special Agents by 18 U.S.C. § 3063.
17-P-0119
5
-------�
Internal Control Standards
The U.S. Government Accountability Office (GAO) defines internal control in the
following manner:
[A] process effected by an entity's oversight body, management,
and other personnel that provides reasonable assurance that the
objectives of an entity will be achieved. Internal control comprises
the plans, methods, policies and procedures used to fulfill the
mission, strategic plan, goals and objectives of the entity. Internal
control is not one event, but a series of actions that occur
throughout an entity's operations. Management is responsible for
an effective internal control system. As part of this responsibility,
management sets the entity's objectives, implements controls, and
evaluates the internal control system.4
Internal control has five components:
1. Control Environment. The foundation for an internal control system. The
control environment provides the discipline and structure to help an entity
achieve objectives.
2. Risk Assessment. Assesses the risks facing the entity as it seeks to
achieve its objectives. This assessment provides the basis for developing
appropriate risk responses.
3. Control Activities. Actions that management establishes through policies
and procedures to achieve objectives and respond to risks in the internal
control system, which includes the entity's information system.
4. Information and Communication. Quality information that management
and personnel communicate and use to support the internal control system.
5. Monitoring. Activities that management establishes and operates to assess
the quality of performance over time, and to promptly resolve audit
findings and other reviews.
GAO notes that 17 principles support the effective design, implementation and
operation of the associated components, and represent the requirements necessary
to establish an effective internal control system.
Office of Management and Budget (OMB) Circular A-123, Management's
Responsibility for Enterprise Risk Management and Internal Control (July 2016),
defines obligations for risk management and internal control in federal agencies.
EPA Order 1000.24 CHG 2, "Management's Responsibility for Internal Control,"
4 GAO, Standards for Internal Control in the Federal Government, GAO-14-704G, September 2014.
17-P-0119
6
-------�
requires all EPA organizations to establish and maintain internal controls to
achieve the objectives of effective and efficient program operations, including
evaluating internal controls on an on-going basis and taking prompt actions to
correct any vulnerabilities identified.
Responsible Offices
The CLP is administered by the Analytical Services Branch within the Office of
Land and Emergency Management, Office of Superfund Remediation and
Technology Innovation. Allegations of fraudulent laboratory data and analysis are
handled by the Criminal Investigation Division within the Office of Enforcement
and Compliance Assurance, Office of Criminal Enforcement, Forensics and
Training; as well as by the OIG's Office of Investigations.
Noteworthy Achievements
The ASB developed an electronic data validation package—the Electronic Data
Exchange and Evaluation System (EXES)—which assesses data within 24 to 48
hours after receipt. The ASB is now making EXES available to other agency
programs (e.g., the Great Lakes program) via pilot implementations. A new
version of EXES is in the works and will incorporate added controls based on the
ASB's experience with a current CLP lab fraud case. The new version of EXES
demonstrates the ASB's view of EXES as a dynamic system periodically updated
to reflect changes in the program.
Scope and Methodology
We conducted our performance audit from April to November 2016. With the
exception described below, our work was conducted in accordance with generally
accepted government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.
Two entities within the EPA are responsible for investigating lab fraud:
OCEFT/CID and OIG/OI. To address our objectives, we were required to obtain
information and interview employees in both OCEFT/CID and OIG/OI.
Because the staff that conducted this review and the OIG/OI fall structurally
within the OIG, there could be the perception of a lack of independence. To
address the issue of independence, we developed and adhered to the same
procedures to obtain and review information and conduct interviews with both
offices. We also adhered to the OIG's quality assurance procedures. We believe
these actions mitigate and provide adequate safeguards that reflect our
independence.
17-P-0119
7
-------�
We analyzed numerous documents pertaining to the CLP,5 QA, laboratory fraud
and internal controls, including policies, procedures and guidance documents.
In addition to document reviews, and to address our first objective, we
interviewed key staff and managers responsible for CLP program implementation,
oversight and quality assurance in ASB, OEI, and OAM. We also interviewed all
10 EPA regional CLP CORs (users of the CLP). We developed an internal control
checklist to assist us in assessing whether controls we identified within the CLP
provide reasonable assurance that the potential for fraud is minimized. We used
documentary and testimonial evidence to validate implementation of controls and
whether controls were understood across CLP program managers, implementers
and users. Our conclusions on the adequacy of CLP's controls do not include an
evaluation of the effectiveness of the controls.
To address our second objective we interviewed EPA investigative staff and
managers within OIG/OI and OCEFT/CID. We interviewed the OIG's Deputy
Counsel on the terms of the 2006 Memorandum of Understanding between the
two offices. We also interviewed the EPA's Scientific Integrity Official to
understand her role in addressing laboratory fraud as it relates to instances of
research misconduct.6
Prior Audit Reports
Three prior reports relate to our review on laboratory fraud or managing fraud
risks (though none specifically on the CLP):
• A 2006 EPA OIG report.7 The EPA OIG conducted the review to
identify vulnerabilities in the drinking water sample analysis process and
promising techniques to improve laboratory integrity. The EPA OIG found
hundreds of vulnerabilities not addressed by the EPA's process—
vulnerabilities that could compromise the integrity of the analysis process
and the quality of data produced. The EPA OIG included appendices that
listed vulnerabilities identified by error type and severity (see image on
next page), and promising techniques based on a literature search. The
EPA OIG made 10 recommendations, all of which the EPA completed.
5 We did not review other Superfund contract programs, such as those that are a part of the Superfund Technical
Assessment and Response Team, Emergency and Rapid Response Services, or Remedial Action Contracts; rather,
we focused solely on the CLP.
6 The EPA's Scientific Integrity Official does not investigate allegations of laboratory fraud. Instead, she focuses on
research falsification fabrication and plagiarism. She does not have a role in investigating laboratory fraud
allegations. If she does receive any allegations of fraud, she said she refers them to the OIG.
7 EPA OIG, Promising Techniques Identified to Improve Drinking Water Laboratory Integrity and Reduce Public
Health Risks. Report No. 2006-P-00036, September 21, 2006.
17-P-0119
8
-------�
Vulnerabilities Identified by
EPA Team
Sequenced based on the 13 steps in the drinking water sample analysis process (see Figure 2.1)
and ordered within each step from most to least severe.
Error Type: U= Unintentional Severity Rating: 5= Most Severe
i = Intentional 1 = Least Severe
B = Both
Description of Vulnerability
Error
Type
Severity
Rating
a) Sample Collection
• Sample is mislabeled
B
4
• Sample not preservedtor no dechlorinating agent/a duIteration of sample
B
4
b) Sample Tracking and Recording
• Holding time/temp. exceeded
B
4
c) Adherence to Standard Operating Procedures (SOPs) for Analytical Methods
• Adherence so SOP
B
4
• OA manager/lab mgmt. not knowledgeable about approved methodology
B
4
• Untrained/inexperienced analysts
B
4
d) Preparation of Samples and Standard Solutions
• Incorrect preparations/inappropriate standards (i.e.. no traeeability;
conta mi nated/ex pi red)
B
4
| e) Instrument Performance
| • Instrument response/sensitivity-needs documentation
B
4
| f) Instrument Maintenance
• Analysti'QA officer doesn't understand repair needs
U
4
• No repairs-maintenance log maintenance
u
4
• Repaired incorrectly
u
4
| g) Instrument Calibration
• Calibration curve incorrect-data biased high or low
B
4
• Calibration verification not performed
1
4
• Out of date reference materials
B
3
| h) Lab Technician Performance
| • Trained analysts can falsify data
r
5
| i) Adherence to Quality Assurance/Quality Control (QA/QC) Plan
| • Analysts can falsify/not performing QA/QC data
(
5 I
| j) Data Validation and Verification
• Not flagging data outside of acceptance criteria
t
5
• Selection of inappropriate QC acceptance criteria
i
4
• A 2014 EPA OIG report.8
The EPA OIG reviewed the
due diligence process, which
included the procedures used
by the EPA, other federal
agencies and states to manage
the communication of, and
appropriate action on,
laboratory data determined to
be fraudulent.
The EPA OIG found that the
EPA lacked a due diligence
process for potential
fraudulent environmental
data. The agency had three
policies and procedures that
addressed how to respond to
instances of fraudulent data,
but they were out of date or
unimplemented when the
report was issued. The OIG
made six recommendations,
all of which were agreed to
and will be completed by
March 2017.
Image from EPA OIG Report No. 2006-P-00036, September 21, 2006.
• A 2015 GAO report.9 GAO reported on the importance of evaluating
outcomes using a risk-based approach and adapting activities to improve
fraud risk management. GAO said to collect and analyze data from
reporting mechanisms and instances of detected fraud for real-time
monitoring of fraud trends; and to use the results of moni toring,
evaluations and investigations to improve fraud prevention, detection and
response.
8 EPA OIG, EPA Has Not Implemented Adequate Management Procedures to Address Potential Fraudulent
Em'ironmental Data, Report No. 14-P-0270, May 29, 2014.
9 GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP. July 28, 2015.
17-P-0119
9
-------�
Chapter 2
CLP's Internal Control System Addresses
Four of Five Components and Should
Formally Assess Program Risks
The CLP has a system of controls in place that provides reasonable assurance that
the potential for fraud is minimized. Based on our analysis, the CLP has
sufficiently demonstrated the effectiveness of four of five internal controls,
whereas one element—risk assessment—has not been formally documented.
Rather, one CLP manager said they address risk assessment informally but on a
continual basis, which results in the development of new tools and updated
guidance documents that address any potential risks identified.
Federal standards and EPA Order 1000.24 CHG 2 require that federal entities
conduct risk assessments and emphasize the responsibility of government
managers in managing risk. A formal risk assessment would provide the program
with assurance that its controls address risks, help determine whether controls are
implemented and operating effectively, and provide a picture (to regional CLP
leads and others) of efforts the program undertakes to address performance
deficiencies by CLP labs.
CLP's Internal Control System Meets Most of the Principles for
Effective Internal Controls
We reviewed the CLP's system of internal controls and assessed whether the
system met the intent of GAO internal control principles.
Table 2 summarizes our assessment and illustrates that the CLP has controls to
detect or prevent fraudulent analytical services; and that, with one exception,
those controls provide reasonable—though not absolute—assurance that the
potential for fraud is minimized.
OMB Circular A-123, Management's Responsibility for Enterprise Risk
Management and Internal Control (July 2016), notes that no matter how well
designed, implemented or operated, an internal control system cannot provide
absolute assurance that all of an organization's objectives are met. Factors outside
the control or influence of management can affect the entity's ability to achieve
all of its objectives—factors that could be identified through formal risk
assessment.
17-P-0119
10
-------�
Table 2: Summary of CLP controls that meet GAP internal control principles
Internal control components and principles Met Partially Not
met met
Control Environment
1. The oversight body and management should
demonstrate a commitment to integrity and ethical
values.
2. The oversight body should oversee the entity's internal
control system.
•
3. Management should establish an organizational
structure, assign responsibilities, and delegate
authority to achieve the entity's objectives.
*
4. Management should demonstrate a commitment to
recruit, develop and retain competent individuals.
•
5. Management should evaluate performance and hold
individuals accountable for their internal control
responsibilities.
*
Risk Assessment
6. Management should define objectives clearly to
enable the identification of risks and define risk
tolerances.
7. Management should identify, analyze and respond to
risks related to achieving the defined objectives.
8. Management should consider the potential for fraud
when identifying, analyzing and responding to risks.
9. Management should identify, analyze and respond to
significant changes that could impact the internal
control system.
Control Activities
10. Management should design control activities to
achieve objectives and respond to risks.
•
11. Management should design the entity's information
system and related control activities to achieve
objectives and respond to risks.
*
12. Management should implement control activities
through policies.
•
Information and Communication
13. Management should use quality information to achieve
the entity's objectives.
•
14. Management should internally communicate the
necessary quality information to achieve the entity's
objectives.
*
15. Management should externally communicate the
necessary quality information to achieve the entity's
objectives.
*
Monitoring
16. Management should establish and operate monitoring
activities to monitor the internal control system and
evaluate the results.
17. Management should remediate identified internal
control deficiencies on a timely basis.
•
Totals
13
4 0
Source: OIG analysis based on interviews and document reviews.
17-P-0119 11
-------�
Federal Guidance and EPA Policy Require Risk Assessment
OMB Circular A-123, Management's
Responsibility for Enterprise Risk
Management and Internal Control, requires
that federal programs conduct and document
a risk assessment10 based on GAO's
Standards for Internal Control in the
Federal Government. The aim of the
assessment is to identify the major risks
facing the entity as it seeks to achieve its
objectives. This assessment provides the basis
responses.
EPA Order 1000.24 CHG 2, Management's Responsibility for Internal Control
(July 18, 2008), states that in accordance with GAO standards, a risk assessment
is the identification and analysis of relevant risk associated with achieving the
agency's mission. The EPA order further states that program managers should
identify internal and external risks that may prevent the organization from
efficiently and effectively meeting its objectives.
In discussing fraud risk, the GAO standards state that management consider the
following factors:
• Incentive/pressure. Management or other personnel have an incentive or
are under pressure, which provides a motive to commit fraud.
• Opportunity. Circumstances exist, such as the absence of controls,
ineffective controls, or the ability of management to override controls, and
this provides an opportunity to commit fraud.
• Attitude/rationalization. Individuals involved are able to rationalize
committing fraud (i.e., possess an attitude, character or ethical values that
allow them to knowingly and intentionally commit a dishonest act).
Because the CLP operates in an environment characterized by high volume and
quick turnaround analysis requests, the CLP should consider the above factors
when determining the types of laboratory fraud risks the program faces. The CLP
should formulate an approach for risk management based on its mission to
provide data of known and documented quality, and decide on the internal
controls required to mitigate identified risks. Additionally, CLP program
managers should incorporate regional CLP leads into any risk assessment
approach since EPA regions are data end users.
A precondition to risk assessment is
the establishment of clear, consistent
agency goals and objectives at both
the entity and activity levels. Internal
control should provide for an
assessment of the risks the agency
faces from both internal and external
sources.
for developing appropriate risk
111 The OMB circular refers to this as a "risk profile."
17-P-0119
12
-------�
One CLP manager stated that although they try to identify program risks on a
continual basis, they have not conducted or documented a formal risk assessment
process. The manager cited their recent updates to the EXES electronic data
validation program, where they incorporated information obtained from an
ongoing laboratory fraud investigation (in addition to ongoing updates to the CLP
Roles and Responsibilities Guidance Document), as examples of their continued
vigilance. We directed CLP program managers to appropriate sources containing
information on how to conduct a risk assessment, including OMB Circular A-123
(July 2016), the GAO Internal Control Management and Evaluation Tool
(August 2001), and other materials developed internally within the agency.
Conclusion
Our analysis indicates that the CLP's system of internal controls provides
reasonable assurance that the potential for fraud is minimized. Even though the
CLP's system of controls has been informed by the program's substantial history
and experience in the field of laboratory analytical services, as well as its
demonstrated willingness to continually improve and update the program, the
CLP would benefit from a structured risk assessment process that reaffirms the
strength of the controls already in place and, possibly, uncovers any gaps in the
system.
Recommendation
We recommend that the Assistant Administrator for Land and Emergency
Management:
1. Conduct and document a formal risk assessment of the EPA's Contract
Laboratory Program to determine the adequacy of internal controls
currently in place, and determine whether any additional controls are
needed to mitigate detected risks.
Agency Response and OIG Evaluation
OLEM agreed with our recommendation and provided a planned completion date.
Recommendation 1 is considered resolved with corrective actions pending. OLEM
plans to conduct and document a formal risk assessment of the CLP by the fourth
quarter of FY 2017. Appendix A contains OLEM's full response to our official
draft report.
OLEM also provided technical comments, which we considered and included in
Appendix A.
17-P-0119 13
-------�
Chapter 3
Investigative Units Should Formally Share
Information From Lab Fraud Investigations
With Affected Organizations
We found that while Special Agents handling lab fraud cases share information
with affected offices on an informal, ad hoc basis, investigative units do not have
a formal, regular process for sharing relevant information from lab fraud
investigations with other program and regional offices whose responsibilities
include laboratory analytical services/data. GAO's 2015 fraud risk framework11
recommends that agencies collect and analyze data from reporting mechanisms
and instances of detected fraud for real-time monitoring of fraud trends, and use
the results of monitoring, evaluations and investigations to improve fraud
prevention, detection and response.
The EPA has various mechanisms to report allegations of laboratory fraud from
program and regional staff to OIG/OI and OCEFT/CID (as well as the agency's
Scientific Integrity Official). However, investigative office policies do not address
or require formal information-sharing with EPA program offices and regions that
could benefit from information concerning how and why fraud occurred.
According to the two investigative units, there are additional reasons as to why
they do not share information: the lab fraud caseload is too small for them to data-
mine for trends or lessons learned; the inability to share sensitive case information
outside of the affected program; and resource limitations in both offices. As a
result, program and regional offices with laboratory-related responsibilities do not
always receive the information they need to strengthen their internal controls
based on lab fraud findings.
No Formal Requirement to Share Information
OIG/OI and OCEFT/CID policies include guidance on coordinating with one
another. However, the policies do not address sharing the root cause analyses
about how or why fraud occurred with program and regional offices whose
responsibilities include laboratory analytical services/data. There is no formal,
consistent process in place for debriefing program offices; rather, each
investigative office does so informally.
• OCEFT/CID updated its policy, Investigative Process (2015), OCEFT-I-
002R1, in response to a 2014 OIG report recommendation to "develop
guidelines outlining response steps when fraudulent laboratory data is
11 See our summary of this report in Chapter 1.
17-P-0119
14
-------�
discovered in ongoing criminal investigations," but this does not address
sharing information with other offices as a routine practice. However, the
CID policy does provide guidance for sharing lab fraud allegations that
potentially present a threat to human health or the environment.
OCEFT/CID said it does not have an internal procedure for briefing
offices and does not conduct briefings on a regular basis. During the
course of an investigation, OCEFT/CID might gather information from the
affected office (e.g., through meetings, emails, etc.) as it develops the
case. OCEFT/CID said post-case analysis is not its focus. OCEFT/CID
stated, "There is no post-mortem lessons learned aside from what might
happen naturally during the investigation in terms of back and forth with
the offices." OCEFT/CID also added there is no debrief or formal report
drawn up after a prosecution.
• OIG/OI Policy and Procedure 206, Case Administration (2016),
encompasses administrative aspects of handling complaints and reporting
results, but does not address information-sharing with the agency. OIG/OI
said its special agents discuss lab fraud matters with Contracting Officers
and others (e.g., the EPA's Suspension and Debarment Division).
However, unlike the OIG/OI's investigative reports that are provided to
the EPA concerning employee cases, OIG/OI does not send formal reports
on lab fraud investigations. Like OCEFT/CID, OIG/OI said its agents are
responsible for communicating relevant information with the affected
program office while the case is ongoing, and that Special Agents-In-
Charge are responsible for ensuring that this occurs.
The purpose of the 2006 Memorandum of Understanding between OIG/OI and
OCEFT/CID is to clarify each office's respective areas of investigative
responsibility. The memo included general obligations of cooperation and
information sharing with one another and stated, "Both OIG and CID must
immediately notify the other as to any criminal violations that fall within the other
organization's area of independent investigative authority." Beyond these
requirements, investigative office policies do not address sharing fraud techniques
with program and regional offices with laboratory responsibilities. However,
offices could use this information to strengthen internal control systems for
preventing and detecting lab fraud.
17-P-0119 15
-------�
Few Lab Fraud Cases, Resource Limitations and Sensitive
Information Limit Information Sharing
Lab fraud investigations comprise a small percentage of the total caseload for
OIG/OI and OCEFT/CID—just over 1 percent in each office from 2010 to 2016,12
as shown in Table 3.
Table 3: OIG/OI and OCEFT/CID data on lab fraud from 2010 to 201613
Total
Lab fraud
Percent lab
caseload
investigations opened
fraud
OIG/OI
1905
21
1.1%
OCEFT/CID
1883
2514
1.3%
Source: OIG summary of OIG/OI and OCEFT/CID information.
Each office described resource limitations that would limit detailed analysis of lab
fraud investigations and the formal sharing of information outside of the affected
program office. For example, OCEFT/CID said it does not have a large analytical
group, and its staff numbers are down 20 percent or so over the past 6 to 8 years.
OIG/OI said it conducted trend analyses when it had a lab fraud directorate;
however, that group has since disbanded and now OIG/OI does not monitor or
analyze proactively. Both offices noted that declining resources means they have
to prioritize and shuffle workloads accordingly.
Additionally, staff in each office noted that there could be some instances where
information-sharing would be delayed; for example, when a case is in prosecution
or in grand jury proceedings. Thus, the formal sharing of information depends on
the nuances involved in each case or situation.
Stakeholders Agree on the Need for Information Concerning Lab
Fraud Methods/Techniques
As noted above, neither OCEFT/CID nor OIG/OI do trend analyses on lab fraud
investigations. Staff in both offices questioned the value of formal information-
sharing. One OIG/OI Special Agent said there is no benefit because convictions,
suspensions and debarments stand on their own. An OCEFT/CID staff person said
they are not hearing program offices ask for lessons learned. An OIG/OI Special
Agent noted the benefit and said, "We are not required to brief the program [staff]
but it's a good practice."
12 Of these, per our first objective summarized in Chapter 2, only one CLP lab fraud investigation has been
conducted.
13 Table 3 captures lab fraud cases opened and investigated from 2010-2016, specifically January 2010 through May
2016 for OIG/OI, and January 2010 through September 2016 for OCEFT/CID. This does not include cases opened
prior to 2010 still under investigation during the 2010-2016 timeframe.
14 According to the CID, seven of its 25 lab fraud investigations are still ongoing. Four of those seven investigations
are being worked jointly with the OIG.
17-P-0119
16
-------�
Stakeholders we interviewed on the CLP's lab fraud controls agreed that learning
lab fraud case results would be useful:
• Headquarters CLP Staff in OLEM. ASB staff stated that they do not
receive information from OIG/OI or OCEFT/CID on cases they are
working or have worked on and were resolved, other than those cases that
pertain to CLP where information is shared during the course of the
investigation. They said such information would be very useful to them for
strengthening their controls.
• Headquarters Quality Staff in OEI. The Director of OEI's Enterprise
Quality Management Division said that when they learn about a situation
of non-conformance, they share that information with the QA community
through established communication channels (e.g., monthly QA meetings,
annual conference and on the OEI website). The Director stated that they
do not get information on fraud cases, but she indicated they would share
the information if received.
• Regional CLP CORs. All EPA regions confirmed that it would be useful
to receive more information on the techniques detected by lab fraud
investigations. Eight regions said it would be useful to receive specific
information on improper laboratory practices. Some of these regions said
information could, for example, be utilized in their own monitoring and
review of laboratory data. Three regions were not aware of the results of
OIG/OI or OCEFT/CID investigations but would like to learn about the
fraud techniques discovered. Four regions noted that past lab fraud
briefings provided by OIG/OI were useful.
Because lab fraud cuts across so many of the EPA's functions, broad coordination
is essential in addressing it.15
Moreover, impacts of lab fraud are significant,16 potentially risking human health
and undermining the foundations of the EPA's regulatory programs. For example,
drinking water regulations require testing for a list of potential contaminants to
protect the public from harmful exposures. Testing under hazardous waste
regulations may determine harm and responsible parties. Entities incur harm
through receipt and reliance on fraudulent test data. The resultant harm may be to
the environment (i.e., through the release of what was thought to be safe
15 EPA, OCEFT, Report of the Laboratory Fraud Work Group. September 2001, with June 2002 update, at page 39.
16 Though not specific to lab fraud, OMB Circular A-123 notes that fraud jeopardizes agency missions by diverting
scarce resources from their intended purposes. A single case of fraud can undermine programmatic mission, disrupt
services, and force management to expend valuable time and resources to resolve and recover property lost due to
fraud. Reputational risks of fraud can damage the perception of an agency, impact employee morale, and create
public distrust.
17-P-0119
17
-------�
material), a specific community or the government.17 (See examples of impacts of
lab fraud in the following box.)
Examples of Lab Fraud Impacts
• A recent CLP lab fraud case led OLEM to determine that the quality of the data could not be
assessed and should not be used for any site cleanup decisions. OLEM issued a recall of all
the data produced by the lab. The recall covered all 10 EPA regions and impacted a total of
237 sites. Funds expended on the analysis of the recalled data were approximately
$2.3 million.
• Three former employees of a drinking water laboratory were found to have falsified QA/QC
lab data over a 3-year period. Customers affected included schools, day care facilities,
government entities, restaurants and mobile home communities.
• The operator of a mass spectrometer, located in a U.S. Geological Survey laboratory
responsible for conducting coal and water quality assessments in projects both in the U.S.
and abroad, was accused of scientific misconduct and manipulating data. The agency's
review revealed far-ranging impacts: retracted or delayed publications due to inaccurate
information, diminished employee morale, and reduced public trust in agency-generated
information. Moreover, the agency found that 24 research and assessment projects of
national and global interest were potentially affected, and that the projects represented
about $108 million in funding.
• A lab president was sentenced to serve 48 months incarceration and pay a $50,000 fine
stemming from concealing and falsifying pesticide residue tests used by the EPA to
determine whether levels of pesticide residues in foods are safe and protective of public
health. The lab was sentenced to pay a $15.4 million fine. The president and the company
also each paid $3.7 million in restitution to defrauded pesticide manufacturers and the EPA.
The defendants falsified the results of their tests in order to save time and money that would
have been necessary to repeat tests that did not meet calibration or QC requirements.
GAO's 2015 fraud risk framework18
describes the importance of using the
results of investigations and prosecutions
to adapt fraud risk management activities,
such as incorporating new information
like changing risks or the effect of actions
taken to mitigate risks and address
vulnerabilities. This point is particularly
important considering that a current CLP
lab fraud investigation revealed new
techniques that offices need to inform
their systems of controls. Sharing this
information would inform the
development and modification of risk
assessments and other control activities
described in Chapter 2.
17 EPA, OCEFT, Report of the Laboratory Fraud Work Group. September 2001, with June 2002 update, at pages 4,
24 and 25.
18 GAO.. I Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP, July 28, 2015.
OECA's Office of Site Remediation
Enforcement (which manages
Superfund enforcement) indicated it
needs to know about fraud when a
program office is contemplating a
decision to recall data. The OECA
office can then determine any impact
of lab fraud on the EPA's
enforcement actions.
For example, the current CLP lab
fraud investigation impacted agency
enforcement and cost recovery
actions, and enforcement staff said
prompt notification would help
mitigate impacts.
17-P-0119
18
-------�
Conclusion
Broad agency coordination is important to address fraudulent laboratory data and
analysis. Although the EPA's investigative groups report few laboratory fraud
cases, impacts from any lab fraud remain significant. As OMB has identified, fraud
jeopardizes agency missions; and reputational risks of fraud can damage agency
perceptions, employee morale and public trust. Information identified in
investigations about the methods used to conduct fraudulent laboratory data
analysis would be useful for program managers' assessments of existing internal
controls.
Agency stakeholders have expressed interest in receiving information on
methods/techniques used to perpetrate fraud in order to tighten their internal control
systems. Collective agency efforts, such as increased information-sharing on fraud
methods, would help the agency to further prevent and detect lab fraud.
Recommendations
We recommend that the Assistant Administrator for Enforcement and Compliance
Assurance:
2. Require the Criminal Investigation Division to share pertinent information
from laboratory fraud findings with relevant EPA program and regional
offices. Pertinent information includes the fraudulent method or technique
used to commit fraud.
We recommend that the Inspector General:
3. Require the Office of Investigations to share pertinent information from
laboratory fraud findings with relevant EPA program and regional offices.
Pertinent information includes the fraudulent method or technique used to
commit fraud.
Agency Response and OIG Evaluation
OECA agreed with Recommendation 2 and provided a planned completion date.
Recommendation 2 is considered resolved with corrective actions pending. OECA
suggested changes to the report, which we made where appropriate. Appendix B
contains OECA's full response to our official draft report.
While OIG/OI did not explicitly agree or disagree with Recommendation 3, the
OIG completed its corrective action prior to our final report issuance. Appendix C
contains OIG/OI's full response to our official draft report.
17-P-0119 19
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec.
No.
Page
No.
Subject
Status1
Action Official
Planned
Completion
Date
Potential
Monetary
Benefits
(in $000s)
1
13
Conduct and document a formal risk assessment of the EPA's
Contract Laboratory Program to determine the adequacy of
internal controls currently in place, and determine whether any
additional controls are needed to mitigate detected risks.
R
Assistant Administrator for
Land and Emergency
Management
9/30/17
2
19
Require the Criminal Investigation Division to share pertinent
information from laboratory fraud findings with relevant EPA
program and regional offices. Pertinent information includes the
fraudulent method or technique used to commit fraud.
R
Assistant Administrator for
Enforcement and
Compliance Assurance
12/31/17
3
19
Require the Office of Investigations to share pertinent
information from laboratory fraud findings with relevant EPA
program and regional offices. Pertinent information includes the
fraudulent method or technique used to commit fraud.
C
Inspector General
1/30/17
C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.
17-P-0119
20
-------�
Appendix A
Office of Land and Emergency Management
Response to Draft Report
' % UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON. D C. 20460
OFFICE OF
SOLID WASTE AND
EMERGENOV RESPONSE
NOW THE
OFFICE OF LAND AMO
EMERGCNCV MANAGEMENT
IVir.MOKAMHM
JAM 1 3 2017
SUBJECT: Response to Office of Inspector General Report. EPAs C'ontract Laboratory Program
Includes Adequate Fraud Controls Thai Can lie Strengthened with Formal Risk
Assessment and Investigative Information Sharing (Report ti OPE-FY16-0022: December
13. 2016)
FROM: Mulhy Stanislaus
Assistant Administrator
TO: Arthur A. F.lkins. Jr.
Inspector General
Thank you for the opportunity to respond to the recommendation in the subject audit report. The
following is a summary of the Office of Land and Emergency Management's (OLEM's) overall
position, along with its position on the report recommendation. We have also provided a high-level
corrective action and estimated completion date, l or your consideration, we have included a Technical
Comments Attachment to supplement this response.
OFFICE Ol LAND AND EMERGENCY MANAGEMENT'S OVERALL POSITION
OLEM agrees with the recommendation that the OLEM Assistant Administrator conduct and document
a lormul risk assessment of the EPA's Contract Laboratory Program (CLP) to determine whether
additional internal controls arc needed to mitigate detected risks.
1 he Analytical Services Branch (ASB) within OLEM's Office of Superfund Remediation and
Technology Innovation (OSRTI) administers the Contract Laboratory Program (CI P). To that end, ASB
has initiated a formal CLP risk assessment and will provide the results to OLEM and the Office of the
Inspector General by Fiscal Year 2017's fourth quarter.
As noted in the OIG report's Chapter 2 ("CLP's Internal Control System Addresses l our of Five
Components and Should Formally Assess Program Risks"), the CLP has documented risk assessment on
an informal but continual basis. I his ongoing effort resulted in the development of new tools and updated
guidance documents to address any potential risks identified. Going forward ASB will formally document
risk assessment as part of its quality assurance process.
Interne! Address lllRLi • My .aw* pfia gov
RtcyclwVR^cyclable • Primed with Vege<2fc4t 0< Based inks on lOCTi Posreonsumec Process C«onne Frre Recycled Paper
17-P-0119
21
-------�
RESPONSE TO REPORT K HC' OM M H \ D ATI OX S
Agreements
No,
Recommendation
High-Level Intended
Corrective A eti a ti(s)
Estimated Completio n
by Quarter and FY
l
Conduct and document a
formal risk assessment of
the ERA'S CLP to
determine the adequacy of
internal controls currently
in place, and determine
whether any additional
controls are needed to
mitigate detected risks.
The EPA will conduct and
document a formal risk
assessment of the CLP
•I1* Quarter FY 2017
CONTACT lNf'ORMATIQIM
If you have any questions regarding this response, please contact Kccia Thornton, OLEM OIO Audit
Follow up Coordinator, at (202) 566-1913.
Attachment: Technical Comments
cc: Carolyn Copper, OfG
Patrick Gilbride. OIG
Erin Barnes-Weaver, OIC
Barry Breen
Nitin Natarajan
Jim Wooltbrd
[Jan Powell
Keith Upah
Daniel Ciinsburg
17-P-0119
22
-------�
Technical Comments Attachment
Audit Objectives
I he Analytical Services liranch welcomes the opportunity lo be the subject of (his review because
we continuously strive to maintain a thorough and effective capabi lity to detect improper practices,
and to provide relevant information lo our stakeholders in a timely manner concerning the impacts
of improper practices and fraud. ASB is always re-evaluating our processes to maintain a high
level of effectiveness and efficiency, and we are grateful tor the opportunity to learn from the
experience of others.
Comment 1: Chanter 1, Quality Assurance ! Quality Control Processes (paragraph 2)
ASB has included guidelines for evaluating and documenting data quality since the early days ol
[he CLP through (he National Functional Guidelines (NFG). These guidance documents (posted
on the CLP website, along with the Statements of Work (SOW). The NFG are intended to provide
a logical, stepwise approach to evaluating data quality, and a set of recommendations for
documenting those findings for the data users. We recognize that data quality requirements are
usually project-specific, depending on the project purpose and scope, and that project data
reviewers should use our guidelines in conjunction with the project Quality Assurance Project I'lan
(QAPP).
The ASB and our EPA Regional counterparts conduct laboratory performance monitoring,
heginninu prior lo contract award with prc-award on-site audits and pre-award performance
evaluation samples (PES). On-site audits are also conducted post-contract award on an annual
basis, and PES testing is routinely done, both on a quarterly basis, and as an optional pan oi
Regional sample shipments.
Chanter I. CLP Kn Kntilks (paragraph 3, bullet 2)
The Quality Assurance and Technical Support (QATS) contractor is directed and tasked by the
ASB. The QATS team provides a wide range ol QA support to the CLP, and more broadly to the
EPA in general, including conducting on-site laboratory audits, reviewing laboratory quality
system documents; performing the development, preparation, management, distribution,
evaluation, and reporting of performance evaluation samples for ASB and the EPA Regions to
support Superfund activities, designing and conducting method validation studies, evaluating new
sample preparation and analysis techniques, mid conducting in-depth hard-copy and electronic data
package audits. This latter task has proven most useful to AS EL in several Special Audit
Investigations, to identity improper practices.
Chanter I, Lab Fraud Allegations
The ASB strives to pursue all instances of improper practices identified either by our QA I S team
during their on-site or electronic data package auditing activities, or by our LP A Regional data
review teams. To our knowledge, there is no regulatory authority involved with these activities,
only the responsibility for contract administration. These monitoring activities focus on the
17-P-0119
-------�
Technical Comments Attachment
question of whether or not the requirements of the contract and the SOW have been followed, and
occasionally instances of improper practice arc found and are documented. ASB will then seek to
discover whether the instance noted was a simple error, or is more common among a laboratory s
product. Data, submitted by the labs, which resides in the SMO database, and the investigative
tools and skills of the QATS team are our primary tools in this effort. anJ the information gained
is communicated to our management, to QAM, our customers, and to the OIG at the appropriate
time.
C'hantyr 2, Internal Control S\stems
The ASB agrees that formal documentation of our assessment of nsk. subjected to the type of
periodic review and re-evaluation that is a normal part ol our current operation, could make our
system of internal controls more robust.
Chanter 3, Stakeholders Agree on the INwl for Information C oncerning Lab I raud
Methods/Techniques (paragraph 2, hullet 3)
ASH has presented information on its own experience with monitoring for and detecting improper
laboratory practices to the CLP Regional stakeholders (most recently, at the C LP conference.
November 2016); the Headquarters Quality Stall in QKI and the community of Regional QA
Managers (on their monthly call. November 2016); and to the NELA( I Nl analytical chemistn
community (National Environmental Monitoring Conference. August 2016)). fhese included
evaluating the scope and temporal extent of improper practices, as well as the impacts of any
subsequent data recall on the community of data users, including cost and delays in completion of
FPA projects. In addition. OIG investigator Susan Chandler presented several examples of the
types of improper practices her office had been investigating at the CLP Conference in 2d 14.
17-P-0119
-------�
Appendix B
Office of Enforcement and Compliance Assurance
Response to Draft Report
\Sz}
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTOM. D C. 20460
JAN 11 201)
Off\Oc. Of
ENFORCEMENT AND
COMPLIANCE ASSURANCE
MEMORANDUM
SUBJECT:
FROM:
TO:
Response to Office of Inspector General Draft Report No OPE-FY16-0022, "EPA's
Contract Laboratory Program Includes Adequate Fraud Controls That Can Be
Strengthened with Formal Risk Assessment and Investigative Information Sharing" dated
December 13, 2016
Cynthia Giles
Assistant Administ
Office of Enforcetne
Arthur A. Elkins, Jr,
Inspector General
Compliance Assurance
Thank you for the opportunity to respond to the issues and recommendations in the subject audit
report OECA generally agrees with the report's findings and recommendations, with one suggested edit
to the report and one suggested edit to Recommendation No 2
Specifically, OECA suggests striking the statement on pages 5-6, which states, "According to OCEFT, the
EPA's regulatory authority to inspect environmental labs is limited to labs that participate in the CLP" as
that does not accurately reflect EPA's regulatory authority.
Additionally, OECA suggests revising Recommendation No. 2 to state, "Require the Office of Criminal
Enforcement, Forensics and Training (OCEFT) to share pertinent information from laboratory fraud
investigations with relevant EPA program, regional and enforcement offices and for the Analytical
Services Branch within the Office of Land and Emergency Management, Office of Superfund
Remediation and Technology Innovation to share pertinent information concerning laboratory fraud
with EPA's regional and headquarters enforcement offices. Pertinent information, at a minimum,
includes the fraudulent method or technique used to commit fraud."
17-P-0119
25
-------�
Agreements
No.
Recommendation
High-level Intended
Corrective Action(s)
Estimated Completion
by Quarter and FY
2
Require the Criminal Investigation
Division to share pertinent
information from laboratory fraud
findings with relevant EPA program
and regional offices Pertinent
information includes the fraudulent
method or technique used to
commit fraud.
Review current
information
dissemination policies
and practices and meet
with relevant EPA
program, regional and
enforcement offices to
determine how to best
communicate that
information.
December 31, 2017
(1st Quarter FY 2018)
CONTACT INFORMATION
If you have any questions regarding this response, please contact Gwendolyn Spriggs, OECA's Audit
Follow Up Coordinator on 202-564-2439, or via email spriggs.gwendolyn@epa.gov.
17-P-0119
26
-------�
Appendix C
Office of Inspector General
Response to Draft Report
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D C 20460
THE INSPECTOR GENERAL
LJAN 13 2u 17
MEMORANDUM
SUBJECT: Office of Inspector General Comments on OIG's Draft Report,
EPA's Contract Laboratory Program Includes Adequate Fraud Controls That Can Be
Strengthened With Formal Risk Assessment and Investigative Information Sharing,
Project No. OPE-FY16-0022
FROM: Arthur A. Elkins Jr. ; • J A
TO: Dr. Carolyn Copper, Assistant Inspector General
Office of Program Evaluation
This memorandum is in response to the subject Office of Inspector General (OIG) draft report. The OIG
appreciates the evaluation of the Contract Laboratory Program. The OIG Office of Investigations has
read the draft report's Recommendation 3, addressed to the Inspector General, that involves action to be
taken by the Office of Investigations. The recommendation and OIG response are as follows:
Recommendation 3: Require the Office oflnvestigations to share pertinent information from laboratory
fraud findings with relevant EPA program and regional offices. Pertinent information includes the
fraudulent method or technique used to commit fraud.
OIG Response: OIG Office of Investigations management believes pertinent information from
laboratory fraud cases is already being shared with the relevant EPA program and regional
offices at the appropriate times. However, to ensure that there is no misunderstanding, the
Assistant Inspector General for Investigations will send an email message reminding the staff of
this requirement. Moreover, the Office of Investigations will continue conducting fraud
awareness briefings for its EPA stakeholders, as well as other federal, state, local and tribal
partners.
Timeframe: OIG will have the Assistant Inspector General for Investigations' email completed
by January 30, 2017. The fraud awareness briefings will continue as needed.
If you have any questions regarding the OIG response, please contact Craig Ulmer, Deputy Assistant
Inspector General for Investigations, at (202) 566-0943.
cc: Charles Sheehan, Deputy Inspector General
Patrick Sullivan, Assistant Inspector General for Investigations
Attachment
^DSr^
$ Ck \
Uas/
17-P-0119
27
-------�
Appendix D
Distribution
The Administrator
Assistant Administrator for Land and Emergency Management
Assistant Administrator for Enforcement and Compliance Assurance
Inspector General
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Assistant Administrator, Office of Land and Emergency Management
Deputy Assistant Administrator, Office of Enforcement and Compliance Assurance
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Land and Emergency Management
Audit Follow-Up Coordinator, Office of Enforcement and Compliance Assurance
17-P-0119
28
-------� |