t O \ Uafei V P,oĞG<° U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL EPA Needs to Improve Contract Management Assessment Program Implementation to Mitigate Contracting Vulnerabilities Report No. 14-P-0347 September 2, 2014 ------- Report Contributors: Melinda Burks Anthony Grear Janet Kasper Michael Petscavage Abbreviations CMAP Contract Management Assessment Program EPA U.S. Environmental Protection Agency GAO Government Accountability Office ICP Internal Control Plan OAM Office of Acquisition Management OARM Office of Administration and Resources Management OIG Office of Inspector General OMB U.S. Office of Management and Budget Are you aware of fraud, waste or abuse in an EPA program? EPA Inspector General Hotline 1200 Pennsylvania Avenue, NW (2431T) Washington, DC 20460 (888) 546-8740 (202) 566-2599 (fax) OIG Hotline@epa.gov More information at www.epa.gov/oiq/hotline.html. EPA Office of Inspector General 1200 Pennsylvania Avenue, NW (241OT) Washington, DC 20460 (202) 566-2391 www.epa.gov/oig Subscribe to our Email Updates Follow us on Twitter @EPAoig Send us your Project Suggestions ------- ^tDsr-% B \ U.S. Environmental Protection Agency Office of Inspector General At a Glance 14-P-0347 September 2, 2014 Why We Did This Review The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) conducted an audit evaluating the Office of Acquisition Management's (OAM's) Contract Management Assessment Program (CMAP). CMAP is an integral part of OAM's implementation of the U.S. Office of Management and Budget (OMB) Revised Circular A-123, Management's Responsibility for Internal Control. The objectives of our audit were to answer the following questions: 1. Are contracting offices implementing the CMAP? 2. Are the assessments sufficient to identify weaknesses in internal controls or systemic vulnerabilities? 3. Are follow-up actions sufficient to ensure that weaknesses and vulnerabilities are corrected? This report addresses the following EPA goal or cross-agency strategy: Embracing EPA as a high- performing organization. Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oia. The full report is at: www.epa.gov/oig/reports/2014/ 20140902-14-P-0347.pdf EPA Needs to Improve Contract Management Assessment Program Implementation to Mitigate Contracting Vulnerabilities What We Found CMAP is an integral part of OAM's implementation of OMB Revised Circular A-123 requirements. Multiple factors hinder CMAP implementation, such as ambiguous guidance, the EPA's organizational structure, and lack of resources. The contracting organizations within the EPA are implementing CMAP to varying degrees. Required submissions were not always submitted timely, and some annual reports did not contain all of the required elements. Additionally, the CMAP policy does not incorporate a process to address noncompliance. As a result, it is questionable whether the CMAP program can be fully and optimally implemented until the agency makes needed changes. CMAP will not be fully and optimally implemented until the agency makes needed changes to improve implementation. The EPA follow-up actions in response to peer review findings appear to be sufficient to ensure that weaknesses and vulnerabilities are corrected. However, one plan did not provide dates for the completion of planned corrective actions and OAM does not formally agree to or approve the corrective action plans. Additionally, quarterly update reports are not always submitted timely. OMB Revised Circular A-123 states that agency managers are responsible for taking timely and effective action to correct identified deficiencies. CMAP policy lacks specificity, which creates confusion and hinders follow-up action implementation. As a result, corrective actions may take longer than necessary. Recommendations and Planned Agency Corrective Actions We recommend that the Assistant Administrator for Administration and Resources Management revise the CMAP policy to correct ambiguity and strengthen accountability, implement organizational changes to provide OAM with greater authority and oversight over regional contracting organizations, and evaluate whether the resources allocated to the CMAP are sufficient to ensure adequate internal controls and effective CMAP implementation. The agency agreed to take corrective action for all but one of the recommendations. It disagreed with the recommendation to implement organizational changes. Noteworthy Achievements We found that the assessments contracting organizations are required to perform under the CMAP program are designed to identify weaknesses in internal controls or systemic vulnerabilities. The CMAP components collectively address all five Government Accountability Office standards for internal control. If CMAP is implemented according to its program design, the EPA's internal controls for contracts management should improve overtime. ------- UNITED STATES ENVIRONMENTAL PROTECTION AGENCY WASHINGTON, D.C. 20460 THE INSPECTOR GENERAL September 2, 2014 MEMORANDUM SUBJECT: EPA Needs to Improve Contract Management Assessment Program Implementation to Mitigate Contracting Vulnerabilities Report No. 14-P-0347 This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures. The office responsible for implementing the recommendations is the Office of Acquisition Management, within the Office of Administration and Resources Management. Action Required In accordance with EPA Manual 2750, you are required to provide a written response to this report within 60 calendar days. You should include planned corrective actions and completion dates for all unresolved recommendations. Your response will be posted on the OIG's public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification. FROM: Arthur A. Elkins Jr. TO: Nanci Gelb, Acting Assistant Administrator Office of Administration and Resources Management We will post this report to our website at http://www.epa.gov/oig. ------- EPA Needs to Improve Contract Management Assessment Program Implementation to Mitigate Contracting Vulnerabilities 14-P-0347 Table of C Chapters 1 Introduction 1 Purpose 1 Background 1 Responsible Offices 2 Noteworthy Achievements 2 Scope and Methodology 3 2 CMAP Is Implemented Inconsistently Among EPA's Contracting Organizations 5 CMAP Contains Specific Requirements 5 Contracting Organizations Implement CMAP to Varying Degrees 6 Multiple Factors Impact CMAP Implementation 8 Changes Needed to Improve CMAP Implementation 11 Recommendations 12 Agency Response and OIG Evaluation 12 3 Follow-Up Action Implementation Could Be Improved 14 Follow-Up Required to Correct Deficiencies 14 Improvements Needed for Follow-Up Action Implementation 14 CMAP Policy Lacks Specificity 15 Deficiencies May Not Be Corrected Timely 16 Recommendations 16 Agency Response and OIG Evaluation 16 Status of Recommendations and Potential Monetary Benefits 17 Appendices A Agency Response to Draft Report 18 B Distribution 21 ------- Chapter 1 Introduction Purpose The U.S. Environmental Protection Agency's (EPA) Office of Inspector General (OIG) identified contracts management as an internal control weakness in its April 17, 2013, memo "Proposed Fiscal Year 2013 Management Challenges and Internal Control Weaknesses." The EPA disagreed and stated that the Office of Acquisition Management (OAM) had implemented new internal control systems, including OAM's Contract Management Assessment Program (CMAP). We conducted an audit evaluating CMAP. The objectives of our audit were to answer the following questions: 1. Are contracting offices implementing the CMAP? 2. Are the assessments sufficient to identify weaknesses in internal controls or systemic vulnerabilities? 3. Are follow-up actions sufficient to ensure that weaknesses and vulnerabilities are corrected? Background The U.S. Office of Management and Budget (OMB) Revised Circular A-123, Management's Responsibility for Internal Control, defines management's responsibility for internal controls in federal agencies. It provides guidance to federal managers on improving the accountability and effectiveness of federal programs and operations by establishing, assessing, correcting and reporting on internal controls. It also establishes policy, stating that management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. The EPA initiated the CMAP in February 2012. OAM chartered the CMAP under the direction of the Senior Procurement Executive. OAM designed CMAP to ensure that contracting organizations operate in an effective and efficient manner and conform to the requirements of the Federal Managers' Financial Integrity Act of 1982 and OMB Circular A-123. The CMAP is a system of controls designed to measure operational awareness and to determine how well the EPA's contracting organizations support their respective mission requirements while meeting their other responsibilities. The CMAP identifies noteworthy practices as well as systemic vulnerabilities and 14-P-0347 1 ------- obstacles to successful mission accomplishment through a holistic approach. CMAP contains four primary components: Internal Control Plans (ICP). Self-Assessments. Annual Reports. CMAP Peer Reviews. Responsible Offices The office responsible for implementing this audit report's recommendations is OAM, within the Office of Administration and Resources Management. The responsibility for CMAP implementation resides within OAM's Policy, Training and Oversight Division, Contract Management Assessment Team. The Contract Management Assessment Team manager has the authority and responsibility for overseeing the successful implementation of the program. The contracting organizations responsible for implementing CMAP throughout the EPA are: Cincinnati Procurement Operations Division. Research Triangle Park Procurement Operations Division. Headquarters Procurement Operations Division. Superfund/RCRA Procurement Operations Division. Nine regional contracting organizations for Regions 1 through 9 (Region 7 performs the contracting function for Region 10). Noteworthy Achievements We found that the assessments contracting organizations are required to perform under the CMAP program are designed to identify weaknesses in internal controls or systemic vulnerabilities. The CMAP program design meets the U.S. Government Accountability Office (GAO) standards for internal control in government, required by the Federal Managers' Financial Integrity Act. Specifically, the CMAP components collectively address all five GAO standards for internal control: Control Environment. Risk Assessment. Control Activities. Information and Communications. Monitoring. CMAP, initiated in 2012, is in the early stages of implementation. The peer review component of the program is based on a 3 to 5 year cycle. Thus, it is too early to determine whether internal control improvements have been achieved. However, other than needing some clarifications and revisions of the program 14-P-0347 2 ------- guidance to correct ambiguity and strengthen accountability, if CMAP is implemented according to its program design, the EPA's internal controls for contracts management should improve over time. Overall, this improvement in internal controls should result in increased compliance with applicable contracting regulations, policies and guidance in the future. Scope and Methodology We conducted this performance audit from November 2013 through May 2014, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. As noted above, CMAP is in its early stages of implementation. We focused our review and analysis on CMAP submissions for the first year of implementation (fiscal year 2012), since submissions for the second year of implementation were not yet due at the time we started the audit. For fiscal year 2013, we received updates from OAM on the status of the submissions as of certain dates. We reviewed relevant agency guidance to obtain an understanding of internal controls related to CMAP. We also interviewed the appropriate staff in OAM and in the different contracting organizations to gain an understanding of CMAP and to discuss any findings. To answer objective 1, we obtained, reviewed and analyzed: (1) ICPs/ Quality Assessment Plans. (2) Self-assessments. (3) Annual reports for each contracting organization. We determined whether they were submitted timely and met the CMAP requirements. We also reviewed the peer reviews that were completed at the time of our audit. To answer objective 2, we compared and analyzed GAO's five internal control standards to the CMAP, and determined whether the CMAP complies with and meets all requirements. For two randomly selected contracting organizations, we determined: (1) Whether the ICP, self-assessment, annual report and peer review complied with and met all requirements of GAO's internal control standards. (2) How useful these documents are in helping to identify weaknesses in internal controls or systemic vulnerabilities. 14-P-0347 3 ------- To answer objective 3, we obtained, reviewed and analyzed the corrective action plans submitted to date to determine whether they were submitted timely and would be sufficient to ensure the weaknesses and vulnerabilities are corrected. We also determined the current status of findings and whether the proposed corrective actions have been or are being implemented. We determined whether quarterly updates on all corrective action plans have been completed until they are closed. Finally, we determined whether a listing of best practices and areas of concern has been compiled and displayed on the Policy, Training and Oversight Division website, and whether best practices have been reviewed for incorporation into existing policies, regulations and systems. There are no prior audit reports on the CMAP program. 14-P-0347 4 ------- Chapter 2 CMAP Is Implemented Inconsistently Among EPA's Contracting Organizations The various contracting organizations within EPA are implementing CMAP to varying degrees. For those that are implementing it, the documentation was not always submitted timely. Further, five of the annual reports did not contain all of the required elements. CMAP is an integral part of OAM's implementation of OMB Circular A-123 requirements. Multiple factors hinder CMAP implementation, such as ambiguous requirements, the EPA's organizational structure, and lack of resources. Additionally, the CMAP policy does not incorporate a process to address noncompliance. As a result, it is questionable whether the CMAP program can be fully and optimally implemented until the agency makes needed changes to improve program implementation. CMAP Contains Specific Requirements CMAP requires the following components: ICP. The overall purpose of the ICP, formerly known as the Quality Assessment Plan, is to be able to identify vulnerabilities, correct them, and verify and validate that the corrective action eliminated the identified vulnerability. The ICP identifies the methodology an organization uses to measure and assess its compliance with Federal Acquisition Regulation, agency policies and procedures, workforce development, etc., in order to identify systemic vulnerabilities and weaknesses. CMAP states that ICPs are dynamic documents that will periodically require revision and may be updated as needed. Self-Assessments. The self-assessment review is an organization's objective self-evaluation of its pre-award and post-award activities through implementation of its ICP, as well as an evaluation of organizational systems such as staffing, internal policies and procedures, and customer outreach. Each organization shall perform assessment review activities utilizing the peer review/self-assessment checklist criteria. The self-assessment review is used to test the effectiveness of an organization's internal control measures for transactional activities. The Part III self-assessment survey is required to be submitted annually, at the same time as the annual report. Annual Reports. After conducting the self-assessment, each organization shall prepare and submit one consolidated report to the CMAP team lead in the first quarter of each fiscal year, no later than the 3rd Friday in November, that will include the following sections: 14-P-0347 5 ------- (1) Organizational self-assessment survey. (2) Organizational retrospective report. (3) Prospective organizational internal review plan. The data from these annual reports is used to identify cross-organizational systemic issues, corrective actions taken, and best practices in support of OAM's knowledge management initiatives; inform the scope of future periodic peer reviews; and conduct peer reviews. CMAP policy states that organizations may choose to use any format for reporting purposes, although an optional template is provided. The retrospective report shall contain, at a minimum, the following information: Introduction/background. Identification of assessment review personnel. Scope of review activities. Trend analysis. Assessment of trade-offs. Identification of management initiatives. Root-cause analysis. Corrective action plans. Prospective plans, at a minimum, shall address the following: Background information. Identification of internal review personnel. Status of prior/current internal review activities. Internal review activities for the upcoming fiscal year. CMAP Peer Reviews. The CMAP peer review is OAM's periodic verification and validation review of an organization's adherence to acquisition policy and procedures, led by qualified persons who are independent of the organization and who do not have any real or apparent conflicts of interest. Contracting Organizations Implement CMAP to Varying Degrees ICPs not Updated Nine of 13 contracting organizations have not updated their ICPs in more than 3 years. The first cycle of OAM's peer reviews, although not complete, resulted in recommendations that ICPs be updated. Table 1 shows a summary of the ICP updates as of December 1, 2013. 14-P-0347 6 ------- Table 1: Status of ICP updates Last ICP update No. of contracting organizations Within the last 3 years 4 More than 3 years 3 More than 4 years 5 More than 5 years 1 Source: OIG analysis of the most recent ICPs, provided by the EPA. Fiscal Year 2012 Submissions Either not Submitted or not Timely Of the 13 contracting organizations, 11 submitted annual reports for fiscal year 2012 and two did not. Further, for the fiscal year 2012 annual reports submitted, the submissions were either not dated or received after the due date of November 17, 2012 (table 2). Table 2: Timeliness of submitted annual reports No. of annual reports Date Submitted by due date 8 Not dated Cannot determine 1 November 23, 2012 No 1 November 30, 2012 No 1 December 2012 No Source: Annual reports for fiscal year 2012, provided by the EPA. The Part III self-assessment survey is required to be submitted annually at the same time as the annual report. For fiscal year 2012, of the 11 contracting organizations that submitted an annual report, six submitted the Part III self- assessment and five did not. Of the five that did not submit the Part III self- assessment, some submitted other self-assessment information. For example, two organizations submitted Part I of the self-assessment, but not Part III as required. For the six Part III self-assessments that were submitted, the submissions were either not dated or not submitted by the due date, as shown in table 3. Table 3: Timeliness of submitted self-assessments No. of self-assessments Date Submitted by due date 3 Not dated Cannot determine 1 November 2012 Cannot determine 1 November 23, 2012 No 1 December 2012 No Source: Self-assessments for fiscal year 2012 provided by the EPA. Fiscal Year 2012 Annual Reports not Complete Of the 11 annual reports submitted for fiscal year 2012, five were not complete. Of those that were not complete, one contracting organization did not complete its assessment activity, and four reports did not cover all of the required annual 14-P-0347 7 ------- report elements. For example, one annual report did not include the following elements: Assessment of trade-offs. Identification of management initiatives. Root-cause analysis. Corrective action plans. These are all required annual report elements, according to the CMAP policy. Table 4 shows a summary of the completeness of the annual reports. Table 4: Completeness of annual reports Annual report complete? No. of contracting organizations Complete and included all required elements 6 Assessment activity not complete 1 Did not include all required elements 4 Source: OIG analysis of submitted annual reports for fiscal year 2012, provided by the EPA. Fiscal Year 2013 Submissions not Timely Some of the fiscal year 2013 submissions (both the self-assessments and annual reports, due in November 2013) were not timely. As of mid-December 2013, only five of 13 contracting organizations had submitted the required data. It was not until February 2014 that OAM received all of the required submissions. Because some organizations were not complying with CMAP requirements, the head of the contracting activity issued a memorandum in January 2014 informing the contracting organizations of their responsibilities regarding internal controls, per OMB Circular A-123. Better Sharing of Trends Needed From Headquarters While the EPA is implementing the peer review component, there can be improvement in sharing of the best practices and trends from the submissions and peer reviews. As of January 2014, there was a listing of trends on one of OAM's website pages. However, the information was based on fiscal year 2012 data and had not been updated to include more recent data. OAM planned to create a knowledge management website page, but it has not yet been established. Multiple Factors Impact CMAP Implementation CMAP Does Not Specify Timeframes for Updating ICPs The CMAP does not require the ICPs to be reevaluated on a regular basis and within a specific timeframe. The CMAP currently states that ICPs will be updated as needed. The peer reviews have identified the need for updating ICPs, indicating that ICPs may not be updated often enough. 14-P-0347 8 ------- Ambiguous Requirements Cause Confusion The CMAP policy in place at the time of the first two submissions of the self- assessments (fiscal years 2012 and 2013) was not clear as far as what was required to be submitted for the self-assessment and when it was due. In some cases, the policy was not specific and allowed for differing formats, which caused inconsistency and confusion. A staff person from one contracting organization indicated it was confusing because there was a lack of understanding about what needed to be submitted. This resulted in inconsistencies as to what was submitted among the different contracting organizations. For example, as discussed above, some organizations did not submit the required Part III self-assessment, but instead submitted other parts of the self-assessment. The staff person noted the need for more training and communication on the process. The following are examples that we noted in the policy that illustrate this ambiguity: The CMAP policy stated that each organization shall perform assessment review activities utilizing the peer review/self-assessment checklist criteria. However, the policy also states that checklist questions serve merely as a reference guide for reviews conducted in each respective criterion and do not require submission of documented responses of each individual question for reporting purposes. These two statements seem to somewhat contradict each other. The CMAP policy stated that flexibility is permitted in the timing of the review. It also states that the checklist questions serve merely as a reference guide for reviews conducted in each respective criterion. Again, this seems contrary to the "shall" requirement statement. The self-assessment checklist itself states that contract managers must annually submit Part III. However, Parts I and II can be completed in part or in whole annually, as long as each system criterion is assessed within a 3- year cycle. The CMAP team lead clarified the self-assessment reporting requirements during our audit, and stated that the Part III self-assessment survey is required to be submitted annually. However, to our knowledge based on our audit, this clarification had not been communicated to the contracting organizations. While the latest CMAP policy, effective December 11, 2013, is somewhat clearer on the requirements, OAM stated that it still wants to give the contracting organizations flexibility. For example, OAM stated that the checklist provided is optional, and that the contracting organizations could submit information in a different format. However, this is contrary to the CMAP policy, which states that the checklist "shall' be used. While OAM is providing flexibility, staff stated that 14-P-0347 9 ------- the requirements were sometimes not as clear as they could be, and that this can cause inefficiencies and confusion because the contracting organizations may not know what is expected. One regional contracting chief noted that CMAP is implemented with a lot of collaboration, and indicated that at some point, direction is needed. Lack of direction causes different interpretations of the requirements among the contracting organizations. Organizational Structure Hindering CMAP Implementation The EPA's current organizational structure is hindering implementation of CMAP, making it questionable whether the program can be fully and optimally implemented. The regional contracting staff do not report directly to OAM, but instead are regional employees and report to regional management. As a result, the head of contracting activity cannot efficiently and effectively direct the regional contracting organizations to comply with the CMAP requirements. Instead, OAM is implementing the program by trying to get regional administrators, program staff and regional contracting chiefs to buy into the program by getting them to understand the importance of internal controls. Under the current structure, OAM does not have sufficient influence over the regional contracting organizations, and regional management and program offices are in a position where they can potentially place more influence over the regional contracting staff. We noted the following examples based on interviews with regional contracting officials and staff. According to a regional contracting staff person, a regional administrator stated that environmental laws are much more important than Federal Acquisition Regulation requirements. According to a regional contracting chief, they informed the regional administrator that they believed they were short of staff, but the regional administrator disagreed. Since the regional administrator signs the self- assessment and annual report submitted to OAM, this casts doubt on the accuracy of that region's CMAP documentation. In discussions with OAM management, they acknowledge that there remains a lack of clear orientation by program and regional staff with respect to the contracting function and responsibilities. The EPA is currently considering various reorganizations that would alter the structure and possibly provide the head of contracting activity with more authority. No final decision has been made regarding reorganization. Providing the head of contracting activity with more authority would help efficiently and effectively implement the CMAP. 14-P-0347 10 ------- Lack of Resources Impacts CMAP Implementation The CMAP program is essentially being implemented and run largely by one person out of headquarters, the CMAP team lead. The CMAP team lead and OAM management acknowledged that lack of resources is a challenge. Resources are needed to analyze trends, review corrective action plans, update the website, etc. Resources are also needed to perform the peer reviews. However, due to the lack of resources, the peer reviews are currently staffed with qualified personnel who volunteer from other contracting offices. CMAP Policy Does not Incorporate Process to Address Noncompliance The CMAP policy does not incorporate a process that ensures that appropriate action is taken when contracting organizations do not comply with CMAP requirements. The head of contracting activity issued a memorandum in January 2014 to explain the importance of internal controls and to explain possible consequences for noncompliance. While this memorandum laid out possible consequences for CMAP noncompliance, this information is not included in the CMAP policy. While the most severe possible outcome, pulling of warrant authority, did not occur in the instances where regional contracting organizations did not comply with CMAP, OAM did have to discuss the noncompliance with regional administrators before the submissions for two of the 13 organizations were finally received. Changes Needed to Improve CMAP Implementation It is questionable whether the CMAP program can be fully and optimally implemented until the agency makes needed changes to improve program implementation. Contract deficiencies noted by both the OIG and in the internal self-assessments and peer reviews may continue in the future. Lack of enough permanent staff could impact the sharing of findings and lessons learned, slow the number of peer reviews that could be performed each year, and impact corrective action follow-up activities. Additionally, lack of submissions causes the performance measurement data to be incomplete and potentially inaccurate. 14-P-0347 11 ------- Recommendations We recommend that the Assistant Administrator for Administration and Resources Management: 1. Revise the CMAP policy to: (a) Be more prescriptive of what exact documents are required to be submitted. (b) Specifically address when ICPs will be reviewed for possible revision (e.g., during annual reporting and peer reviews). (c) Incorporate a process that ensures that appropriate action is taken when contracting organizations do not comply with CMAP. 2. Ensure the organizational changes currently being considered for the contracting function at the EPA provide OAM with greater authority and oversight over regional contracting organizations are implemented, to allow for more effective CMAP implementation. 3. Evaluate whether the resources allocated to the CMAP are sufficient to ensure adequate internal controls and effective CMAP implementation. Agency Response and OIG Evaluation OARM agreed to take corrective action in response to recommendations 1(a), 1(b), 1(c), and 3, and provided a completion date of October 15, 2014, for these recommendations. The proposed corrective actions and planned completion dates meet the intent of the recommendations. These recommendations will remain open pending completion of the proposed corrective actions. OARM disagreed with recommendation 2 to implement organizational changes for the contracting function. OARM stated that the senior procurement executive already has the authority to modify or rescind contracting officer warrants if it is determined that the operational procurement activity does not have effective internal controls in place to identify, correct, and ultimately eliminate systematic vulnerabilities. As a result, OARM stated there is no need for greater authority and oversight over regional contracting organizations as described in the recommendation. The complete agency response to the draft audit report is attached at Appendix A. While the OIG continues to believe that making organizational changes that provide OAM with greater authority and oversight would increase internal controls over the EPA contracting function, we acknowledge that the senior procurement executive does have the authority to modify and rescind contracting officer warrants and that this provides some level of internal control. However, there are no specific policies and procedures that outline exactly when and how 14-P-0347 12 ------- such authority would be used to improve or enforce internal controls, and thus, we are unsure how often and under what circumstances warrants would be modified or rescinded due to internal control issues. The OIG believes this is important because, under the current organizational structure, regional contracting officers report to regional management instead of OAM, and therefore, regional management and program offices are in a position where they can potentially influence contracting officer judgments and impact decisions of the regional contracting chiefs. Therefore, the OIG believes that alternative corrective action is necessary and OAM should establish written policies and procedures that specifically define the circumstances under which warrants would be modified or rescinded due to internal control issues. The audit resolution process will be used to resolve this recommendation. 14-P-0347 13 ------- Chapter 3 Follow-Up Action Implementation Could Be Improved The EPA follow-up actions in response to peer review findings, when implemented, appear to be sufficient to ensure that weaknesses and vulnerabilities are corrected. Three of four corrective action plans were submitted timely. However, one of the three timely plans did not provide dates for the completion of planned corrective actions and OAM does not formally agree to or approve the corrective action plans. Additionally, quarterly update reports are not always being submitted timely. OMB Circular A-123 states that agency managers are responsible for taking timely and effective action to correct identified deficiencies. CMAP policy lacks specificity, which creates confusion and hinders follow-up action implementation. As a result, corrective actions may take longer than necessary and deficiencies may not be corrected timely. Follow-Up Required to Correct Deficiencies OMB Circular A-123 states that agency managers are responsible for taking timely and effective action to correct identified deficiencies. Correcting deficiencies is an integral part of management accountability and must be considered a priority by the agency. OMB Circular A-123 also states that the extent to which the agency tracks corrective actions should be commensurate with the severity of the deficiency. Management should track progress to ensure timely and effective results. For reportable conditions that are not included in the Federal Managers' Financial Integrity Act report, corrective action plans should be developed and tracked internally at the appropriate level. The CMAP peer reviews OAM performs may identify weaknesses and vulnerabilities in a contracting organization's internal controls. The CMAP policy states that any deficiencies require a response in the form of a written corrective action plan within 90 days upon receipt of the final peer review report. Responses are followed by quarterly updates on all corrective action plans until closed. Improvements Needed for Follow-Up Action Implementation Three of four corrective action plans required in response to four fiscal year 2012 peer reviews were submitted timely and did appear to address the deficiencies. However, one plan did not provide dates for the completion of planned corrective actions. OAM does not formally agree to or approve the plans. In addition, quarterly update reports are not always being submitted timely. Corrective Action Plans. Of the four peer reviews completed for fiscal year 2012, three contracting organizations submitted corrective action plans within 90 days of the peer review final report date, as required. The fourth contracting 14-P-0347 14 ------- organization requested and received an extension to December 30, 2013. According to OAM, that contracting organization submitted its corrective action plan in February 2014. One corrective action plan did not contain planned completion dates for the proposed corrective actions. Corrective action plans should contain estimated completion dates to track progress. According to the CMAP team lead, although OAM does look at the corrective action plans, there is no formal approval process. The CMAP team lead indicated that OAM wants to let the contracting organizations come up with their own corrective actions. Subsequently, OAM will determine if corrective actions correct deficiencies based upon future peer review follow-ups. Quarterly Reports. Of the three contracting organizations that were required to submit quarterly reports, one did not submit a report and the other two did not submit reports consistent with regard to the submitted dates. There appears to be confusion on when quarterly updates are due. Table 5 shows a summary of the quarterly report status for the three contracting organizations. Table 5: Status of quarterly reports for three contracting organizations Date(s) quarterly report received Comment No report November 30, 2013 2 months into quarter July 10, 2013 and December 30, 2013 one submitted towards the beginning of the quarter, and one submitted at the end of the quarter Source: Quarterly update reports provided by the EPA. CMAP Policy Lacks Specificity The CMAP does not require OAM to agree with contracting organizations' proposed corrective action plans. It does not provide for procedures to be followed if OAM and the contracting organization disagree with a proposed corrective action. Further, it does not specifically require that the corrective action plans include milestone completion dates. The CMAP policy does not stipulate a specific due date for the quarterly updates. It simply states that corrective action plans are to be followed by quarterly updates. As a result, contracting organizations do not have a specific due date for when to submit their quarterly update reports. 14-P-0347 15 ------- Deficiencies May Not Be Corrected Timely Lack of planned completion dates for proposed corrective actions, lack of a formal approval process for corrective action plans, and uncertainty regarding the quarterly update due dates are all factors that could lead to deficiencies not being corrected at all, or not being corrected timely. For example, lack of planned completion dates makes follow-up and monitoring more difficult. It is unclear how a situation would be handled by headquarters and by the peer-reviewed contracting organization when they do not agree on a proposed corrective action. Inconsistencies with the timing of quarterly update submittals also potentially impact timely correction of deficiencies. Recommendations We recommend that the Assistant Administrator for Administration and Resources Management: 4. Revise the CMAP policy to: (a) Require corrective action plans include planned completion dates so that progress can be tracked. (b) Require OAM approval of corrective action plans, including a process for resolution to address instances when OAM and contracting organizations disagree. (c) Clarify when the quarterly updates are due to be submitted. Agency Response and OIG Evaluation OARM agreed to take corrective action in response to recommendations 4(a), 4(b) and 4(c), with an expected completion date of October 15, 2014, for all corrective actions. The agency's proposed corrective actions and planned completion dates meet the intent of the recommendations. These recommendations will remain open pending completion of the proposed corrective actions. See Appendix A for the complete agency response to the draft audit report. 14-P-0347 16 ------- Status of Recommendations and Potential Monetary Benefits RECOMMENDATIONS POTENTIAL MONETARY BENEFITS (In $000s) Rec. No. No. Subject Status1 Action Official 12 Revise the CMAP policy to: (a) Be more prescriptive of what exact documents are required to be submitted. (b) Specifically address when ICPs will be reviewed for possible revision (e.g., during annual reporting and peer reviews). (c) Incorporate a process that ensures that appropriate action is taken when contracting organizations do not comply with CMAP. 12 Ensure the organizational changes currently being considered for the contracting function at the EPA provide OAM with greater authority and oversight over regional contracting organizations are implemented, to allow for more effective CMAP implementation. 12 Evaluate whether the resources allocated to the CMAP are sufficient to ensure adequate internal controls and effective CMAP implementation. 16 Revise the CMAP policy to: (a) Require corrective action plans include planned completion dates so that progress can be tracked. (b) Require OAM approval of corrective action plans, including a process for resolution to address instances when OAM and contracting organizations disagree. (c) Clarify when the quarterly updates are due to be submitted. Assistant Administrator for Administration and Resources Management Assistant Administrator for Administration and Resources Management Assistant Administrator for Administration and Resources Management Assistant Administrator for Administration and Resources Management Planned Completion Date Claimed Amount Ag reed-To Amount 10/15/14 10/15/14 10/15/14 1 0 = Recommendation is open with agreed-to corrective actions pending. C = Recommendation is closed with all agreed-to actions completed. U = Recommendation is unresolved with resolution efforts in progress. 14-P-0347 17 ------- Appendix A Agency Response to Draft Report July 1, 2014 MEMORANDUM SUBJECT: Response to Office of Inspector General Draft Audit Report No. OA-FY14-0034 "EPA Needs to Improve Contract Management Assessment Program Implementation to Mitigate Vulnerabilities," dated May 22, 2014 FROM: Craig E. Hooks, Assistant Administrator TO: Janet Kasper, Director Contract and Assistant Agreement Audits Office of the Inspector General Thank you for the opportunity to comment on the subject draft report and for recognizing the many noteworthy achievements accomplished under the Contract Management Assessment Program to date. While Office of Administration and Resources Management agrees with all but one of the recommendations contained in the subject draft report, OARM respectfully disagrees with your assessment that the program has not been fully implemented. As noted in your draft report, the CMAP is still in its nascent stages of implementation with the first three year cycle ending September 2014. Any time an organization implements a new program of this magnitude, program maturity issues are expected. Admittedly, there have been challenges associated with standing up this new program. However, since program initiation, the Office of Acquisition Management has collaborated with agency contracting organizations to effectively self-identify vulnerabilities, develop corrective action plans to eliminate future occurrences, and institute processes to verify and validate that the corrections taken eliminate systemic vulnerabilities were identified. These accomplishments are the essence of an effective internal controls program which to date has resulted in many noteworthy accomplishments. For example, many OAM policies have either been updated, revised, or created to provide staff with guidance and procedures to rectify the root causes attributable to systemic vulnerabilities identified in both the annual self-assessment reports and the CMAP peer reviews. In addition to the aforementioned activities, OAM has created a knowledge management website to provide tool kits on identified problematic areas identified under the CMAP, and uses this site to share aggregated systemic vulnerabilities, corrective actions, and identified best practices with all agency contracting organizations. In addition, peer review volunteers share lessons learned and best practices from other organizations that have been reviewed with their colleagues. Based on the foregoing, the OAM CMAP program has yielded positive results, improved performance, and eliminated systemic vulnerabilities. Furthermore, since OAM realizes the CMAP needs to evolve, we are constantly employing continuous improvement initiatives to ensure that the program remains viable, effective and productive. 14-P-0347 18 ------- AGENCY'S overall position Recommendation 1: We recommend the Assistant Administrator for Administration and Resources Management: Revise the CMAP policy to: a. Be more prescriptive of what exact documents are required to be submitted. OARM Response: OARM agrees with the recommendation that more prescriptive language is needed on documentation requirements and due dates in the CMAP policy (Part 6) of the BSC Performance Measurement and Management Program Guide at http ://oamintra. epa. gov/files/OAM/B SC%20Framework%20Guide%20-Revised%2012-11- 13rl.pdf. and will revise the policy accordingly no later than October 15, 2014. b. Specifically address when ICPs will be reviewed for possible revision (e.g.), during annual reporting and peer review. OARM Response: OARM agrees with the recommendation that specific language should be included in the CMAP policy to address review of Internal Control Plans. Accordingly, OAM will revise the policy to require managers to review ICPs at least annually. If necessary, OARM will revise ICPs to address vulnerabilities resulting from self-assessments, peer reviews, OIG audits, Office of Management and Budget initiatives, etc., and submit revisions to the Policy, Training, and Oversight Division Director for approval. OARM will accomplish this revision no later than October 15, 2014. c. Incorporate a process that ensures that appropriate action is taken when contracting organizations do not comply with CMAP. OARM Response: OARM agrees with the recommendation that the CMAP policy should be revised to include the process for taking action when contracting organizations do not comply with CMAP requirements. Specifically, the OAM Director already has the authority to amend existing delegations of contracting authority and/or increase independent reviews of contract transactions as deemed necessary. OARM will accomplish this revision no later than October 15, 2014. Recommendation 2. Ensure the organizational changes currently being considered for the contracting function at the EPA provide OAM with greater authority and oversight over regional contracting organizations are implemented, to allow for more effective CMAP implementation. OARM Response: OARM disagrees with this recommendation. Per the Chapter 1-2 of the OHR Delegations Manual at http://intranet.epa.gov/ohr/rmpolicv/ads/dm/indexl.htm. the Senior Procurement Executive already has the authority to modify or rescind contracting officer warrants if it is determined that the operational procurement activity does not have effective internal controls in place to identify, correct and ultimately eliminate systemic vulnerabilities. 14-P-0347 19 ------- As a result, there is no need for greater authority and oversight over regional contracting organizations as described in the recommendation. Recommendation 3. Evaluate whether the resources allocated to the CMAP are sufficient to ensure adequate internal controls and effective CMAP implementation. OARM Response: OARM agrees with this recommendation and will address this issue in the pending eminent OAM re-organization. OARM anticipates submitting the pending re- organization to the Office of Human Resources by October 15, 2014. Recommendation 4: Revise the CMAP policy to: a. Require corrective action plans to include planned completion dates so that progress can be tracked. OARM Response: OARM agrees with this recommendation and will revise its policy to require planned completion dates for corrective action plans. OARM will accomplish this revision no later than October 15, 2014. b. Require OAM approval of corrective action plans, including a process for resolution to address instances when OAM and contracting organizations disagree. OARM Response: OARM agrees with this recommendation and will revise its policy to require Policy, Training, and Oversight Division approval of corrective action plans, and also include a process to address instances of disagreement between OAM and contracting organizations regarding proposed corrective action plans. OARM will accomplish this revision no later than October 15, 2014. c. Clarify when the quarterly updates are due to be submitted. OARM Response: OARM agrees with this recommendation and will revise its policy to clarify quarterly due dates for corrective action plans. OARM will accomplish this revision no later than October 15, 2014. If you have any questions regarding this response, please contact John Bashista, Director, Office of Acquisition Management at 202-564-4310; or Lisa Maass, Audit Follow-up Coordinator, at 202-564-2498. cc: Nanci Gelb John Showman Steven Blankenship John Bashista Lisa Maass Brandon McDowell 14-P-0347 20 ------- Appendix B Distribution Office of the Administrator Assistant Administrator for Administration and Resources Management Agency Follow-Up Official (the CFO) Agency Follow-Up Coordinator General Counsel Associate Administrator for Congressional and Intergovernmental Relations Associate Administrator for External Affairs and Environmental Education Principal Deputy Assistant Administrator for Administration and Resources Management Director, Office of Acquisition Management, Office of Administration and Resources Management Director, Office of Policy and Resource Management, Office of Administration and Resources Management Deputy Director, Office of Policy and Resource Management, Office of Administration and Resources Management Director, Office of Regional Operations Audit Follow-Up Coordinator, Office of Administration and Resources Management Audit Follow-Up Coordinator, Office of Acquisition Management, Office of Administration and Resources Management 14-P-0347 21 ------- |