U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
13-P-0359
August 23, 2013
Why We Did This Review
We conducted this audit to determine what steps the U.S. Environmental
Protection Agency took to ensure that internal controls over the financial
reporting by Compass Financials have been designed appropriately and are
operating effectively. We also sought to determine the extent of the EPA's
reliance on its service organization to make assertions about the
effectiveness of its internal controls over financial reporting. Additionally,
we reviewed the EPA's oversight strategy for key Compass processes.
In October 2011, the EPA replaced its legacy financial management system. The
new system, Compass, was developed and is currently hosted by a third party
service provider. During fiscal year 2012, the EPA used Compass to produce its
financial statements that were submitted to the Office of Management and
Budget and Congress.
This report addresses the following EPA Goal or Cross-Cutting Strategy:
• Strengthening EPA's workforce and capabilities.
For further information, contact our Office of Congressional and Public
Affairs at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2013/20130823-13-P-0359.pdf
Controls Over EPA's Compass Financial System Need to Be Improved
What We Found
Processes were not in place to monitor performance of the EPA Office of the
Chief Financial Officer's third party service provider of Compass. Also, OCFO
security personnel were not aware of Compass security roles and
responsibilities. This lack of oversight:
•	Inhibits the EPA's ability to achieve agreed-upon performance levels and
correctly pay for services rendered.
•	Decreases the likelihood that an effective security posture will be
maintained.
Further, disaster recovery exercise plans did not include testing of data
replication processes critical to financial reporting, resulting in the EPA having
no assurance that Compass will operate as designed during a disaster.
Recommendations and Planned Agency Corrective Actions
We recommended that the Chief Financial Officer develop a process to monitor
and evaluate, on a monthly basis, the service provider's performance and adjust
service level requirements accordingly. Further, we recommended that the CFO
communicate key roles and responsibilities to designated security personnel,
and test Compass data replication during a functional disaster recovery
exercise.
OCFO did not agree with our recommendations in the draft report. We met with
and reviewed documentation provided by OCFO related to recommendations 1
through 3. Our review determined that OCFO made progress in addressing our
findings related to management oversight of service provider performance and
the OIG has agreed to amend recommendations 1 through 3 to reflect this
progress. The OIG also considers corrective actions taken by OCFO prior to the
issuance of the draft report in response to recommendation 4 to be sufficient to
close this recommendation. We also amended recommendation 5 to reflect
agreed-upon alternative corrective actions that OCFO should take to address
our findings related to Compass disaster recovery. OCFO concurred with these
changes.
After these amendments, we recommended that the CFO finalize internal
procedures used for reviewing the service provider's performance, continue to
review service provider performance on a monthly basis and document results
of the monthly meetings, finalize the revised Quality Assurance Surveillance
Plan that includes revised service level requirements to accurately assess
service provider performance, and test inherent Compass financial reporting
capabilities during a functional disaster recovery exercise.

-------