U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
EPA Needs to Improve
Contract Management
Assessment Program
Implementation to Mitigate
Contracting Vulnerabilities
Report No. 14-P-0347
September 2, 2014

-------
Report Contributors:
Melinda Burks
Anthony Grear
Janet Kasper
Michael Petscavage
Abbreviations
CMAP	Contract Management Assessment Program
EPA	U.S. Environmental Protection Agency
GAO	Government Accountability Office
ICP	Internal Control Plan
OAM	Office of Acquisition Management
OARM	Office of Administration and Resources Management
OIG	Office of Inspector General
OMB	U.S. Office of Management and Budget
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
More information at www.epa.gov/oig/hotline.html.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oig

-------
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
14-P-0347
September 2, 2014
Why We Did This Review
The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG)
conducted an audit evaluating the Office of Acquisition Management's (OAM's)
Contract Management Assessment Program (CMAP). CMAP is an integral part of
OAM's implementation of the U.S. Office of Management and Budget (OMB) Revised
Circular A-123, Management's Responsibility for Internal Control. The objectives
of our audit were to answer the following questions:
1.	Are contracting offices implementing the CMAP?
2.	Are the assessments sufficient to identify weaknesses in internal controls
or systemic vulnerabilities?
3.	Are follow-up actions sufficient to ensure that weaknesses and
vulnerabilities are corrected?
This report addresses the following EPA goal or cross-agency strategy:
•	Embracing EPA as a high-performing organization.
Send all inquiries to our public affairs office at (202) 566-2391
or visit www.epa.gov/oig.
The full report is at:
www.epa.gov/oig/reports/2014/20140902-14-P-0347.pdf
EPA Needs to Improve Contract Management
Assessment Program Implementation to
Mitigate Contracting Vulnerabilities
What We Found
CMAP is an integral part of OAM's implementation of
OMB Revised Circular A-123 requirements. Multiple
factors hinder CMAP implementation, such as
ambiguous guidance, the EPA's organizational
structure, and lack of resources. The contracting
organizations within the EPA are implementing CMAP
to varying degrees. Required submissions were not always submitted timely, and
some annual reports did not contain all of the required elements. Additionally, the
CMAP policy does not incorporate a process to address noncompliance. As a
result, it is questionable whether the CMAP program can be fully and optimally
implemented until the agency makes needed changes.
CMAP will not be fully and optimally implemented until the agency makes needed
changes to improve implementation.
The EPA follow-up actions in response to peer review findings appear to be
sufficient to ensure that weaknesses and vulnerabilities are corrected. However,
one plan did not provide dates for the completion of planned corrective actions
and OAM does not formally agree to or approve the corrective action plans.
Additionally, quarterly update reports are not always submitted timely. OMB
Revised Circular A-123 states that agency managers are responsible for taking
timely and effective action to correct identified deficiencies. CMAP policy lacks
specificity, which creates confusion and hinders follow-up action implementation.
As a result, corrective actions may take longer than necessary.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Administration and
Resources Management revise the CMAP policy to correct ambiguity and
strengthen accountability, implement organizational changes to provide OAM
with greater authority and oversight over regional contracting organizations, and
evaluate whether the resources allocated to the CMAP are sufficient to ensure
adequate internal controls and effective CMAP implementation. The agency
agreed to take corrective action for all but one of the recommendations. It
disagreed with the recommendation to implement organizational changes.
Noteworthy Achievements
We found that the assessments contracting organizations are required to perform
under the CMAP program are designed to identify weaknesses in internal
controls or systemic vulnerabilities. The CMAP components collectively address
all five Government Accountability Office standards for internal control. If CMAP
is implemented according to its program design, the EPA's internal controls for
contracts management should improve over time.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
September 2, 2014
MEMORANDUM
SUBJECT: EPA Needs to Improve Contract Management Assessment Program Implementation to
Mitigate Contracting Vulnerabilities
Report No. 14-P-0347
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems
the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of
the OIG and does not necessarily represent the final EPA position. Final determinations on matters in
this report will be made by EPA managers in accordance with established audit resolution procedures.
The office responsible for implementing the recommendations is the Office of Acquisition Management,
within the Office of Administration and Resources Management.
Action Required
In accordance with EPA Manual 2750, you are required to provide a written response to this report
within 60 calendar days. You should include planned corrective actions and completion dates for all
unresolved recommendations. Your response will be posted on the OIG's public website, along with our
memorandum commenting on your response. Your response should be provided as an Adobe PDF file
that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as
amended. The final response should not contain data that you do not want to be released to the public;
if your response contains such data, you should identify the data for redaction or removal along with
corresponding justification.
FROM: Arthur A. Elkins Jr.
TO: Nanci Gelb, Acting Assistant Administrator
Office of Administration and Resources Management
We will post this report to our website at http://www.epa.gov/oig.

-------
Table of Contents
Chapters
1	Introduction
	Purpose
	Background
	Responsible Offices
	Noteworthy Achievements
	Scope and Methodology
2	CMAP Is Implemented Inconsistently Among EPA's Contracting Organizations
	CMAP Contains Specific Requirements
	Contracting Organizations Implement CMAP to Varying Degrees
	Multiple Factors Impact CMAP Implementation
	Changes Needed to Improve CMAP Implementation
	Recommendations
	Agency Response and OIG Evaluation
3	Follow-Up Action Implementation Could Be Improved
	Follow-Up Required to Correct Deficiencies
	Improvements Needed for Follow-Up Action Implementation
	CMAP Policy Lacks Specificity
	Deficiencies May Not Be Corrected Timely
	Recommendations
	Agency Response and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits
Appendices
A	Agency Response to Draft Report
B	Distribution

-------
Chapter 1
Introduction
Purpose
The U.S. Environmental Protection Agency's (EPA) Office of Inspector General
(OIG) identified contracts management as an internal control weakness in its
April 17, 2013, memo "Proposed Fiscal Year 2013 Management Challenges and
Internal Control Weaknesses." The EPA disagreed and stated that the Office of
Acquisition Management (OAM) had implemented new internal control systems,
including OAM's Contract Management Assessment Program (CMAP). We
conducted an audit evaluating CMAP. The objectives of our audit were to answer
the following questions:
1.	Are contracting offices implementing the CMAP?
2.	Are the assessments sufficient to identify weaknesses in internal controls
or systemic vulnerabilities?
3.	Are follow-up actions sufficient to ensure that weaknesses and
vulnerabilities are corrected?
Background
The U.S. Office of Management and Budget (OMB) Revised Circular A-123,
Management's Responsibility for Internal Control, defines management's
responsibility for internal controls in federal agencies. It provides guidance to
federal managers on improving the accountability and effectiveness of federal
programs and operations by establishing, assessing, correcting and reporting on
internal controls. It also establishes policy, stating that management is responsible
for establishing and maintaining internal control to achieve the objectives of
effective and efficient operations, reliable financial reporting, and compliance
with applicable laws and regulations.
The EPA initiated the CMAP in February 2012. OAM chartered the CMAP under
the direction of the Senior Procurement Executive. OAM designed CMAP to
ensure that contracting organizations operate in an effective and efficient manner
and conform to the requirements of the Federal Managers' Financial Integrity Act
of 1982 and OMB Circular A-123.
The CMAP is a system of controls designed to measure operational awareness
and to determine how well the EPA's contracting organizations support their
respective mission requirements while meeting their other responsibilities. The
CMAP identifies noteworthy practices as well as systemic vulnerabilities and
obstacles to successful mission accomplishment through a holistic approach.
CMAP contains four primary components:
•	Internal Control Plans (ICP).
•	Self-Assessments.
•	Annual Reports.
•	CMAP Peer Reviews.
Responsible Offices
The office responsible for implementing this audit report's recommendations is
OAM, within the Office of Administration and Resources Management. The
responsibility for CMAP implementation resides within OAM's Policy, Training
and Oversight Division, Contract Management Assessment Team. The Contract
Management Assessment Team manager has the authority and responsibility for
overseeing the successful implementation of the program. The contracting
organizations responsible for implementing CMAP throughout the EPA are:
•	Cincinnati Procurement Operations Division.
•	Research Triangle Park Procurement Operations Division.
•	Headquarters Procurement Operations Division.
•	Superfund/RCRA Procurement Operations Division.
•	Nine regional contracting organizations for Regions 1 through 9 (Region 7
performs the contracting function for Region 10).
Noteworthy Achievements
We found that the assessments contracting organizations are required to perform
under the CMAP program are designed to identify weaknesses in internal controls
or systemic vulnerabilities. The CMAP program design meets the U.S.
Government Accountability Office (GAO) standards for internal control in
government, required by the Federal Managers' Financial Integrity Act.
Specifically, the CMAP components collectively address all five GAO standards
for internal control:
•	Control Environment.
•	Risk Assessment.
•	Control Activities.
•	Information and Communications.
•	Monitoring.
CMAP, initiated in 2012, is in the early stages of implementation. The peer
review component of the program is based on a 3 to 5 year cycle. Thus, it is too
early to determine whether internal control improvements have been achieved.
However, other than needing some clarifications and revisions of the program
guidance to correct ambiguity and strengthen accountability, if CMAP is
implemented according to its program design, the EPA's internal controls for
contracts management should improve over time. Overall, this improvement in
internal controls should result in increased compliance with applicable contracting
regulations, policies and guidance in the future.
Scope and Methodology
We conducted this performance audit from November 2013 through May 2014, in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit
objectives.
As noted above, CMAP is in its early stages of implementation. We focused our
review and analysis on CMAP submissions for the first year of implementation
(fiscal year 2012), since submissions for the second year of implementation were
not yet due at the time we started the audit. For fiscal year 2013, we received
updates from OAM on the status of the submissions as of certain dates. We
reviewed relevant agency guidance to obtain an understanding of internal controls
related to CMAP. We also interviewed the appropriate staff in OAM and in the
different contracting organizations to gain an understanding of CMAP and to
discuss any findings.
To answer objective 1, we obtained, reviewed and analyzed:
(1)	ICPs/Quality Assessment Plans.
(2)	Self-assessments.
(3)	Annual reports for each contracting organization.
We determined whether they were submitted timely and met the CMAP
requirements. We also reviewed the peer reviews that were completed at the time
of our audit.
To answer objective 2, we compared and analyzed GAO's five internal control
standards to the CMAP, and determined whether the CMAP complies with and
meets all requirements. For two randomly selected contracting organizations, we
determined:
(1)	Whether the ICP, self-assessment, annual report and peer review complied
with and met all requirements of GAO's internal control standards.
(2)	How useful these documents are in helping to identify weaknesses in
internal controls or systemic vulnerabilities.
To answer objective 3, we obtained, reviewed and analyzed the corrective action
plans submitted to date to determine whether they were submitted timely and
would be sufficient to ensure the weaknesses and vulnerabilities are corrected. We
also determined the current status of findings and whether the proposed corrective
actions have been or are being implemented. We determined whether quarterly
updates on all corrective action plans have been completed until they are closed.
Finally, we determined whether a listing of best practices and areas of concern has
been compiled and displayed on the Policy, Training and Oversight Division
website, and whether best practices have been reviewed for incorporation into
existing policies, regulations and systems.
There are no prior audit reports on the CMAP program.

-------
Chapter 2
CMAP Is Implemented Inconsistently
Among EPA's Contracting Organizations
The various contracting organizations within EPA are implementing CMAP to
varying degrees. For those that are implementing it, the documentation was not
always submitted timely. Further, five of the annual reports did not contain all of
the required elements. CMAP is an integral part of OAM's implementation of
OMB Circular A-123 requirements. Multiple factors hinder CMAP
implementation, such as ambiguous requirements, the EPA's organizational
structure, and lack of resources. Additionally, the CMAP policy does not
incorporate a process to address noncompliance. As a result, it is questionable
whether the CMAP program can be fully and optimally implemented until the
agency makes needed changes to improve program implementation.
CMAP Contains Specific Requirements
CMAP requires the following components:
•	ICP. The overall purpose of the ICP, formerly known as the Quality
Assessment Plan, is to be able to identify vulnerabilities, correct them, and
verify and validate that the corrective action eliminated the identified
vulnerability. The ICP identifies the methodology an organization uses to
measure and assess its compliance with Federal Acquisition Regulation,
agency policies and procedures, workforce development, etc., in order to
identify systemic vulnerabilities and weaknesses. CMAP states that ICPs
are dynamic documents that will periodically require revision and may be
updated as needed.
•	Self-Assessments. The self-assessment review is an organization's
objective self-evaluation of its pre-award and post-award activities
through implementation of its ICP, as well as an evaluation of
organizational systems such as staffing, internal policies and procedures,
and customer outreach. Each organization shall perform assessment
review activities utilizing the peer review/self-assessment checklist
criteria. The self-assessment review is used to test the effectiveness of an
organization's internal control measures for transactional activities. The
Part III self-assessment survey is required to be submitted annually, at the
same time as the annual report.
•	Annual Reports. After conducting the self-assessment, each organization
shall prepare and submit one consolidated report to the CMAP team lead
in the first quarter of each fiscal year, no later than the 3rd Friday in
November, that will include the following sections:
(1)	Organizational self-assessment survey.
(2)	Organizational retrospective report.
(3)	Prospective organizational internal review plan.
The data from these annual reports is used to identify cross-organizational
systemic issues, corrective actions taken, and best practices in support of
OAM's knowledge management initiatives; inform the scope of future
periodic peer reviews; and conduct peer reviews. CMAP policy states that
organizations may choose to use any format for reporting purposes,
although an optional template is provided.
The retrospective report shall contain, at a minimum, the following
information:
•	Introduction/background.
•	Identification of assessment review personnel.
•	Scope of review activities.
•	Trend analysis.
•	Assessment of trade-offs.
•	Identification of management initiatives.
•	Root-cause analysis.
•	Corrective action plans.
Prospective plans, at a minimum, shall address the following:
•	Background information.
•	Identification of internal review personnel.
•	Status of prior/current internal review activities.
•	Internal review activities for the upcoming fiscal year.
•	CMAP Peer Reviews. The CMAP peer review is OAM's periodic
verification and validation review of an organization's adherence to
acquisition policy and procedures, led by qualified persons who are
independent of the organization and who do not have any real or apparent
conflicts of interest.
Contracting Organizations Implement CMAP to Varying Degrees
ICPs not Updated
Nine of 13 contracting organizations have not updated their ICPs in more than 3
years. The first cycle of OAM's peer reviews, although not complete, resulted in
recommendations that ICPs be updated. Table 1 shows a summary of the ICP
updates as of December 1, 2013.
Table 1: Status of ICP updates
Last ICP update	No. of contracting organizations
Within the last 3 years	4
More than 3 years	3
More than 4 years	5
More than 5 years	1
Source: OIG analysis of the most recent ICPs, provided by the EPA.
Fiscal Year 2012 Submissions Either not Submitted or not Timely
Of the 13 contracting organizations, 11 submitted annual reports for fiscal year
2012 and two did not. Further, for the fiscal year 2012 annual reports submitted,
the submissions were either not dated or received after the due date of
November 17, 2012 (table 2).
Table 2: Timeliness of submitted annual reports
No. of annual reports	Date	Submitted by due date
8	Not dated	Cannot determine
1	November 23, 2012	No
1	November 30, 2012	No
1	December 2012	No
Source: Annual reports for fiscal year 2012, provided by the EPA.
The Part III self-assessment survey is required to be submitted annually at the
same time as the annual report. For fiscal year 2012, of the 11 contracting
organizations that submitted an annual report, six submitted the Part III self-
assessment and five did not. Of the five that did not submit the Part III self-
assessment, some submitted other self-assessment information. For example, two
organizations submitted Part I of the self-assessment, but not Part III as required.
For the six Part III self-assessments that were submitted, the submissions were
either not dated or not submitted by the due date, as shown in table 3.
Table 3: Timeliness of submitted self-assessments
No. of self-assessments	Date	Submitted by due date
3	Not dated	Cannot determine
1	November 2012	Cannot determine
1	November 23, 2012	No
1	December 2012	No
Source: Self-assessments for fiscal year 2012 provided by the EPA.
Fiscal Year 2012 Annual Reports not Complete
Of the 11 annual reports submitted for fiscal year 2012, five were not complete.
Of those that were not complete, one contracting organization did not complete its
assessment activity, and four reports did not cover all of the required annual
report elements. For example, one annual report did not include the following
elements:
•	Assessment of trade-offs.
•	Identification of management initiatives.
•	Root-cause analysis.
•	Corrective action plans.
These are all required annual report elements, according to the CMAP policy.
Table 4 shows a summary of the completeness of the annual reports.
Table 4: Completeness of annual reports
Annual report complete?	No. of contracting organizations
Complete and included all required elements	6
Assessment activity not complete	1
Did not include all required elements	4
Source: OIG analysis of submitted annual reports for fiscal year 2012, provided by the EPA.
Fiscal Year 2013 Submissions not Timely
Some of the fiscal year 2013 submissions (both the self-assessments and annual
reports, due in November 2013) were not timely. As of mid-December 2013, only
five of 13 contracting organizations had submitted the required data. It was not
until February 2014 that OAM received all of the required submissions. Because
some organizations were not complying with CMAP requirements, the head of the
contracting activity issued a memorandum in January 2014 informing the
contracting organizations of their responsibilities regarding internal controls, per
OMB Circular A-123.
Better Sharing of Trends Needed From Headquarters
While the EPA is implementing the peer review component, there can be
improvement in sharing of the best practices and trends from the submissions and
peer reviews. As of January 2014, there was a listing of trends on one of OAM's
website pages. However, the information was based on fiscal year 2012 data and
had not been updated to include more recent data. OAM planned to create a
knowledge management website page, but it has not yet been established.
Multiple Factors Impact CMAP Implementation
CMAP Does Not Specify Timeframes for Updating ICPs
The CMAP does not require the ICPs to be reevaluated on a regular basis and
within a specific timeframe. The CMAP currently states that ICPs will be updated
as needed. The peer reviews have identified the need for updating ICPs, indicating
that ICPs may not be updated often enough.
Ambiguous Requirements Cause Confusion
The CMAP policy in place at the time of the first two submissions of the self-
assessments (fiscal years 2012 and 2013) was not clear as far as what was
required to be submitted for the self-assessment and when it was due. In some
cases, the policy was not specific and allowed for differing formats, which caused
inconsistency and confusion. A staff person from one contracting organization
indicated it was confusing because there was a lack of understanding about what
needed to be submitted. This resulted in inconsistencies as to what was submitted
among the different contracting organizations. For example, as discussed above,
some organizations did not submit the required Part III self-assessment, but
instead submitted other parts of the self-assessment. The staff person noted the
need for more training and communication on the process.
The following are examples that we noted in the policy that illustrate this
ambiguity:
•	The CMAP policy stated that each organization shall perform assessment
review activities utilizing the peer review/self-assessment checklist
criteria. However, the policy also states that checklist questions serve
merely as a reference guide for reviews conducted in each respective
criterion and do not require submission of documented responses of each
individual question for reporting purposes. These two statements seem to
somewhat contradict each other.
•	The CMAP policy stated that flexibility is permitted in the timing of the
review. It also states that the checklist questions serve merely as a
reference guide for reviews conducted in each respective criterion. Again,
this seems contrary to the "shall" requirement statement.
•	The self-assessment checklist itself states that contract managers must
annually submit Part III. However, Parts I and II can be completed in part
or in whole annually, as long as each system criterion is assessed within a
3-year cycle.
The CMAP team lead clarified the self-assessment reporting requirements during
our audit, and stated that the Part III self-assessment survey is required to be
submitted annually. However, to our knowledge based on our audit, this
clarification had not been communicated to the contracting organizations.
While the latest CMAP policy, effective December 11, 2013, is somewhat clearer
on the requirements, OAM stated that it still wants to give the contracting
organizations flexibility. For example, OAM stated that the checklist provided is
optional, and that the contracting organizations could submit information in a
different format. However, this is contrary to the CMAP policy, which states that
the checklist "shall" be used. While OAM is providing flexibility, staff stated that
the requirements were sometimes not as clear as they could be, and that this can
cause inefficiencies and confusion because the contracting organizations may not
know what is expected. One regional contracting chief noted that CMAP is
implemented with a lot of collaboration, and indicated that at some point,
direction is needed. Lack of direction causes different interpretations of the
requirements among the contracting organizations.
Organizational Structure Hindering CMAP Implementation
The EPA's current organizational structure is hindering implementation of
CMAP, making it questionable whether the program can be fully and optimally
implemented. The regional contracting staff do not report directly to OAM, but
instead are regional employees and report to regional management. As a result,
the head of contracting activity cannot efficiently and effectively direct the
regional contracting organizations to comply with the CMAP requirements.
Instead, OAM is implementing the program by trying to get regional
administrators, program staff and regional contracting chiefs to buy into the
program by getting them to understand the importance of internal controls.
Under the current structure, OAM does not have sufficient influence over the
regional contracting organizations, and regional management and program offices
are in a position where they can potentially place more influence over the regional
contracting staff. We noted the following examples based on interviews with
regional contracting officials and staff.
•	According to a regional contracting staff person, a regional administrator
stated that environmental laws are much more important than Federal
Acquisition Regulation requirements.
•	According to a regional contracting chief, they informed the regional
administrator that they believed they were short of staff, but the regional
administrator disagreed. Since the regional administrator signs the self-
assessment and annual report submitted to OAM, this casts doubt on the
accuracy of that region's CMAP documentation.
In discussions with OAM management, they acknowledge that there remains a
lack of clear orientation by program and regional staff with respect to the
contracting function and responsibilities. The EPA is currently considering
various reorganizations that would alter the structure and possibly provide the
head of contracting activity with more authority. No final decision has been made
regarding reorganization. Providing the head of contracting activity with more
authority would help efficiently and effectively implement the CMAP.
Lack of Resources Impacts CMAP Implementation
The CMAP program is essentially being implemented and run largely by one
person out of headquarters, the CMAP team lead. The CMAP team lead and
OAM management acknowledged that lack of resources is a challenge. Resources
are needed to analyze trends, review corrective action plans, update the website,
etc. Resources are also needed to perform the peer reviews. However, due to the
lack of resources, the peer reviews are currently staffed with qualified personnel
who volunteer from other contracting offices.
CMAP Policy Does not Incorporate Process to Address
Noncompliance
The CMAP policy does not incorporate a process that ensures that appropriate
action is taken when contracting organizations do not comply with CMAP
requirements. The head of contracting activity issued a memorandum in January
2014 to explain the importance of internal controls and to explain possible
consequences for noncompliance. While this memorandum laid out possible
consequences for CMAP noncompliance, this information is not included in the
CMAP policy. While the most severe possible outcome, pulling of warrant
authority, did not occur in the instances where regional contracting organizations
did not comply with CMAP, OAM did have to discuss the noncompliance with
regional administrators before the submissions for two of the 13 organizations
were finally received.
Changes Needed to Improve CMAP Implementation
It is questionable whether the CMAP program can be fully and optimally
implemented until the agency makes needed changes to improve program
implementation. Contract deficiencies noted by both the OIG and in the internal
self-assessments and peer reviews may continue in the future. Lack of enough
permanent staff could impact the sharing of findings and lessons learned, slow the
number of peer reviews that could be performed each year, and impact corrective
action follow-up activities. Additionally, lack of submissions causes the
performance measurement data to be incomplete and potentially inaccurate.
Recommendations
We recommend that the Assistant Administrator for Administration and
Resources Management:
1.	Revise the CMAP policy to:
(a)	Be more prescriptive of what exact documents are required to be
submitted.
(b)	Specifically address when ICPs will be reviewed for possible revision
(e.g., during annual reporting and peer reviews).
(c)	Incorporate a process that ensures that appropriate action is taken when
contracting organizations do not comply with CMAP.
2.	Ensure the organizational changes currently being considered for the
contracting function at the EPA that provide OAM with greater authority and
oversight over regional contracting organizations are implemented, to
allow for more effective CMAP implementation.
3.	Evaluate whether the resources allocated to the CMAP are sufficient to
ensure adequate internal controls and effective CMAP implementation.
Agency Response and OIG Evaluation
OARM agreed to take corrective action in response to recommendations 1(a),
1(b), 1(c), and 3, and provided a completion date of October 15, 2014, for these
recommendations. The proposed corrective actions and planned completion dates
meet the intent of the recommendations. These recommendations will remain
open pending completion of the proposed corrective actions.
OARM disagreed with recommendation 2 to implement organizational changes
for the contracting function. OARM stated that the senior procurement executive
already has the authority to modify or rescind contracting officer warrants if it is
determined that the operational procurement activity does not have effective
internal controls in place to identify, correct, and ultimately eliminate systematic
vulnerabilities. As a result, OARM stated there is no need for greater authority
and oversight over regional contracting organizations as described in the
recommendation. The complete agency response to the draft audit report is
attached at Appendix A.
While the OIG continues to believe that making organizational changes that
provide OAM with greater authority and oversight would increase internal
controls over the EPA contracting function, we acknowledge that the senior
procurement executive does have the authority to modify and rescind contracting
officer warrants and that this provides some level of internal control. However,
there are no specific policies and procedures that outline exactly when and how
such authority would be used to improve or enforce internal controls, and thus, we
are unsure how often and under what circumstances warrants would be modified
or rescinded due to internal control issues. The OIG believes this is important
because, under the current organizational structure, regional contracting officers
report to regional management instead of OAM, and therefore, regional
management and program offices are in a position where they can potentially
influence contracting officer judgments and impact decisions of the regional
contracting chiefs. Therefore, the OIG believes that alternative corrective action is
necessary and OAM should establish written policies and procedures that
specifically define the circumstances under which warrants would be modified or
rescinded due to internal control issues. The audit resolution process will be used
to resolve this recommendation.
Chapter 3
Follow-Up Action Implementation Could Be Improved
The EPA follow-up actions in response to peer review findings, when
implemented, appear to be sufficient to ensure that weaknesses and vulnerabilities
are corrected. Three of four corrective action plans were submitted timely.
However, one of the three timely plans did not provide dates for the completion of
planned corrective actions and OAM does not formally agree to or approve the
corrective action plans. Additionally, quarterly update reports are not always
being submitted timely. OMB Circular A-123 states that agency managers are
responsible for taking timely and effective action to correct identified
deficiencies. CMAP policy lacks specificity, which creates confusion and hinders
follow-up action implementation. As a result, corrective actions may take longer
than necessary and deficiencies may not be corrected timely.
Follow-Up Required to Correct Deficiencies
OMB Circular A-123 states that agency managers are responsible for taking
timely and effective action to correct identified deficiencies. Correcting
deficiencies is an integral part of management accountability and must be
considered a priority by the agency. OMB Circular A-123 also states that the
extent to which the agency tracks corrective actions should be commensurate with
the severity of the deficiency. Management should track progress to ensure timely
and effective results. For reportable conditions that are not included in the Federal
Managers' Financial Integrity Act report, corrective action plans should be
developed and tracked internally at the appropriate level.
The CMAP peer reviews OAM performs may identify weaknesses and
vulnerabilities in a contracting organization's internal controls. The CMAP policy
states that any deficiencies require a response in the form of a written corrective
action plan within 90 days upon receipt of the final peer review report. Responses
are followed by quarterly updates on all corrective action plans until closed.
Improvements Needed for Follow-Up Action Implementation
Three of four corrective action plans required in response to four fiscal year 2012
peer reviews were submitted timely and did appear to address the deficiencies.
However, one plan did not provide dates for the completion of planned corrective
actions. OAM does not formally agree to or approve the plans. In addition,
quarterly update reports are not always being submitted timely.
Corrective Action Plans. Of the four peer reviews completed for fiscal year
2012, three contracting organizations submitted corrective action plans within 90
days of the peer review final report date, as required. The fourth contracting
organization requested and received an extension to December 30, 2013.
According to OAM, that contracting organization submitted its corrective action
plan in February 2014.
One corrective action plan did not contain planned completion dates for the
proposed corrective actions. Corrective action plans should contain estimated
completion dates to track progress.
According to the CMAP team lead, although OAM does look at the corrective
action plans, there is no formal approval process. The CMAP team lead indicated
that OAM wants to let the contracting organizations come up with their own
corrective actions. Subsequently, OAM will determine if corrective actions
correct deficiencies based upon future peer review follow-ups.
Quarterly Reports. Of the three contracting organizations that were required to
submit quarterly reports, one did not submit a report and the other two did not
submit their reports at consistent points in the quarter. There appears to be
confusion about when quarterly updates are due. Table 5 summarizes the
quarterly report status for the three contracting organizations.
Table 5: Status of quarterly reports for three contracting organizations
Date(s) quarterly report received | Comment
No report |
November 30, 2013 | 2 months into quarter
July 10, 2013 and December 30, 2013 | one submitted towards the beginning of the quarter, and one submitted at the end of the quarter
Source: Quarterly update reports provided by the EPA.
CMAP Policy Lacks Specificity
The CMAP does not require OAM to agree with contracting organizations'
proposed corrective action plans. It does not provide for procedures to be
followed if OAM and the contracting organization disagree with a proposed
corrective action. Further, it does not specifically require that the corrective action
plans include milestone completion dates.
The CMAP policy does not stipulate a specific due date for the quarterly updates.
It simply states that corrective action plans are to be followed by quarterly
updates. As a result, contracting organizations do not have a specific due date for
when to submit their quarterly update reports.
Deficiencies May Not Be Corrected Timely
Lack of planned completion dates for proposed corrective actions, lack of a
formal approval process for corrective action plans, and uncertainty regarding the
quarterly update due dates are all factors that could lead to deficiencies not being
corrected at all, or not being corrected timely. For example, lack of planned
completion dates makes follow-up and monitoring more difficult. It is unclear
how a situation would be handled by headquarters and by the peer-reviewed
contracting organization when they do not agree on a proposed corrective action.
Inconsistencies with the timing of quarterly update submittals also potentially
impact timely correction of deficiencies.
Recommendations
We recommend that the Assistant Administrator for Administration and
Resources Management:
4. Revise the CMAP policy to:
(a)	Require corrective action plans include planned completion dates so
that progress can be tracked.
(b)	Require OAM approval of corrective action plans, including a process
for resolution to address instances when OAM and contracting
organizations disagree.
(c)	Clarify when the quarterly updates are due to be submitted.
Agency Response and OIG Evaluation
OARM agreed to take corrective action in response to recommendations 4(a), 4(b)
and 4(c), with an expected completion date of October 15, 2014, for all corrective
actions. The agency's proposed corrective actions and planned completion dates
meet the intent of the recommendations. These recommendations will remain
open pending completion of the proposed corrective actions. See Appendix A for
the complete agency response to the draft audit report.
Status of Recommendations and Potential Monetary Benefits
Rec. No. | Page No. | Subject | Status¹ | Action Official | Planned Completion Date | Claimed Amount (in $000s) | Agreed-To Amount (in $000s)
1 | 12 | Revise the CMAP policy to: (a) Be more prescriptive of what exact documents are required to be submitted. (b) Specifically address when ICPs will be reviewed for possible revision (e.g., during annual reporting and peer reviews). (c) Incorporate a process that ensures that appropriate action is taken when contracting organizations do not comply with CMAP. | | Assistant Administrator for Administration and Resources Management | 10/15/14 | |
2 | 12 | Ensure the organizational changes currently being considered for the contracting function at the EPA provide OAM with greater authority and oversight over regional contracting organizations are implemented, to allow for more effective CMAP implementation. | | Assistant Administrator for Administration and Resources Management | | |
3 | 12 | Evaluate whether the resources allocated to the CMAP are sufficient to ensure adequate internal controls and effective CMAP implementation. | | Assistant Administrator for Administration and Resources Management | 10/15/14 | |
4 | 16 | Revise the CMAP policy to: (a) Require corrective action plans include planned completion dates so that progress can be tracked. (b) Require OAM approval of corrective action plans, including a process for resolution to address instances when OAM and contracting organizations disagree. (c) Clarify when the quarterly updates are due to be submitted. | | Assistant Administrator for Administration and Resources Management | 10/15/14 | |
¹ O = Recommendation is open with agreed-to corrective actions pending.
C = Recommendation is closed with all agreed-to actions completed.
U = Recommendation is unresolved with resolution efforts in progress.
Appendix A
Agency Response to Draft Report
July 1, 2014
MEMORANDUM
SUBJECT: Response to Office of Inspector General Draft Audit Report No. OA-FY14-0034
"EPA Needs to Improve Contract Management Assessment Program
Implementation to Mitigate Vulnerabilities," dated May 22, 2014
FROM: Craig E. Hooks, Assistant Administrator
TO:	Janet Kasper, Director
Contract and Assistant Agreement Audits
Office of the Inspector General
Thank you for the opportunity to comment on the subject draft report and for recognizing the
many noteworthy achievements accomplished under the Contract Management Assessment
Program to date. While Office of Administration and Resources Management agrees with all but
one of the recommendations contained in the subject draft report, OARM respectfully disagrees
with your assessment that the program has not been fully implemented.
As noted in your draft report, the CMAP is still in its nascent stages of implementation with the
first three year cycle ending September 2014. Any time an organization implements a new
program of this magnitude, program maturity issues are expected. Admittedly, there have been
challenges associated with standing up this new program. However, since program initiation, the
Office of Acquisition Management has collaborated with agency contracting organizations to
effectively self-identify vulnerabilities, develop corrective action plans to eliminate future
occurrences, and institute processes to verify and validate that the corrections taken eliminate
systemic vulnerabilities that were identified. These accomplishments are the essence of an effective
internal controls program which to date has resulted in many noteworthy accomplishments. For
example, many OAM policies have either been updated, revised, or created to provide staff with
guidance and procedures to rectify the root causes attributable to systemic vulnerabilities
identified in both the annual self-assessment reports and the CMAP peer reviews.
In addition to the aforementioned activities, OAM has created a knowledge management website
to provide tool kits on identified problematic areas identified under the CMAP, and uses this site
to share aggregated systemic vulnerabilities, corrective actions, and identified best practices with
all agency contracting organizations. In addition, peer review volunteers share lessons learned
and best practices from other organizations that have been reviewed with their colleagues. Based
on the foregoing, the OAM CMAP program has yielded positive results, improved performance,
and eliminated systemic vulnerabilities. Furthermore, since OAM realizes the CMAP needs to
evolve, we are constantly employing continuous improvement initiatives to ensure that the
program remains viable, effective and productive.
AGENCY'S overall position
Recommendation 1: We recommend the Assistant Administrator for Administration and
Resources Management:
Revise the CMAP policy to:
a.	Be more prescriptive of what exact documents are required to be submitted.
OARM Response: OARM agrees with the recommendation that more prescriptive language is
needed on documentation requirements and due dates in the CMAP policy (Part 6) of the BSC
Performance Measurement and Management Program Guide at
http://oamintra.epa.gov/files/OAM/BSC%20Framework%20Guide%20-Revised%2012-11-13rl.pdf,
and will revise the policy accordingly no later than October 15, 2014.
b.	Specifically address when ICPs will be reviewed for possible revision (e.g., during
annual reporting and peer review).
OARM Response: OARM agrees with the recommendation that specific language should be
included in the CMAP policy to address review of Internal Control Plans. Accordingly, OAM
will revise the policy to require managers to review ICPs at least annually. If necessary, OARM
will revise ICPs to address vulnerabilities resulting from self-assessments, peer reviews, OIG
audits, Office of Management and Budget initiatives, etc., and submit revisions to the Policy,
Training, and Oversight Division Director for approval. OARM will accomplish this revision no
later than October 15, 2014.
c.	Incorporate a process that ensures that appropriate action is taken when
contracting organizations do not comply with CMAP.
OARM Response: OARM agrees with the recommendation that the CMAP policy should be
revised to include the process for taking action when contracting organizations do not comply
with CMAP requirements. Specifically, the OAM Director already has the authority to amend
existing delegations of contracting authority and/or increase independent reviews of contract
transactions as deemed necessary. OARM will accomplish this revision no later than October 15,
2014.
Recommendation 2. Ensure the organizational changes currently being considered for the
contracting function at the EPA provide OAM with greater authority and oversight over
regional contracting organizations are implemented, to allow for more effective CMAP
implementation.
OARM Response: OARM disagrees with this recommendation. Per Chapter 1-2 of the
OHR Delegations Manual at http://intranet.epa.gov/ohr/rmpolicv/ads/dm/indexl.htm, the Senior
Procurement Executive already has the authority to modify or rescind contracting officer
warrants if it is determined that the operational procurement activity does not have effective
internal controls in place to identify, correct and ultimately eliminate systemic vulnerabilities.
As a result, there is no need for greater authority and oversight over regional contracting
organizations as described in the recommendation.
Recommendation 3. Evaluate whether the resources allocated to the CMAP are sufficient
to ensure adequate internal controls and effective CMAP implementation.
OARM Response: OARM agrees with this recommendation and will address this issue in the
pending imminent OAM re-organization. OARM anticipates submitting the pending
re-organization to the Office of Human Resources by October 15, 2014.
Recommendation 4: Revise the CMAP policy to:
a.	Require corrective action plans to include planned completion dates so that progress
can be tracked.
OARM Response: OARM agrees with this recommendation and will revise its policy to require
planned completion dates for corrective action plans. OARM will accomplish this revision no
later than October 15, 2014.
b.	Require OAM approval of corrective action plans, including a process for resolution
to address instances when OAM and contracting organizations disagree.
OARM Response: OARM agrees with this recommendation and will revise its policy to require
Policy, Training, and Oversight Division approval of corrective action plans, and also include a
process to address instances of disagreement between OAM and contracting organizations
regarding proposed corrective action plans. OARM will accomplish this revision no later than
October 15, 2014.
c.	Clarify when the quarterly updates are due to be submitted.
OARM Response: OARM agrees with this recommendation and will revise its policy to clarify
quarterly due dates for corrective action plans. OARM will accomplish this revision no later
than October 15, 2014.
If you have any questions regarding this response, please contact John Bashista, Director, Office
of Acquisition Management at 202-564-4310; or Lisa Maass, Audit Follow-up Coordinator, at
202-564-2498.
cc: Nanci Gelb
John Showman
Steven Blankenship
John Bashista
Lisa Maass
Brandon McDowell
Appendix B
Distribution
Office of the Administrator
Assistant Administrator for Administration and Resources Management
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Principal Deputy Assistant Administrator for Administration and Resources Management
Director, Office of Acquisition Management, Office of Administration and Resources
Management
Director, Office of Policy and Resource Management, Office of Administration and
Resources Management
Deputy Director, Office of Policy and Resource Management, Office of Administration and
Resources Management
Director, Office of Regional Operations
Audit Follow-Up Coordinator, Office of Administration and Resources Management
Audit Follow-Up Coordinator, Office of Acquisition Management, Office of Administration and
Resources Management