U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
13-P-0359
August 23, 2013

Controls Over EPA's Compass Financial System Need to Be Improved

Why We Did This Review

We conducted this audit to determine what steps the U.S. Environmental Protection Agency took to ensure that internal controls over the financial reporting by Compass Financials have been designed appropriately and are operating effectively. We also sought to determine the extent of the EPA's reliance on its service organization to make assertions about the effectiveness of its internal controls over financial reporting. Additionally, we reviewed the EPA's oversight strategy for key Compass processes.

In October 2011, the EPA replaced its legacy financial management system. The new system, Compass, was developed and is currently hosted by a third-party service provider. During fiscal year 2012, the EPA used Compass to produce its financial statements that were submitted to the Office of Management and Budget and Congress.

This report addresses the following EPA Goal or Cross-Cutting Strategy:
• Strengthening EPA's workforce and capabilities.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2013/20130823-13-P-0359.pdf

What We Found

Processes were not in place to monitor performance of the EPA Office of the Chief Financial Officer's third-party service provider of Compass. Also, OCFO security personnel were not aware of Compass security roles and responsibilities. This lack of oversight:
• Inhibits the EPA's ability to achieve agreed-upon performance levels and correctly pay for services rendered.
• Decreases the likelihood that an effective security posture will be maintained.

Further, disaster recovery exercise plans did not include testing of data replication processes critical to financial reporting, resulting in the EPA having no assurance that Compass will operate as designed during a disaster.

Recommendations and Planned Agency Corrective Actions

We recommended that the Chief Financial Officer develop a process to monitor and evaluate, on a monthly basis, the service provider's performance and adjust service level requirements accordingly. Further, we recommended that the CFO communicate key roles and responsibilities to designated security personnel, and test Compass data replication during a functional disaster recovery exercise.

OCFO did not agree with our recommendations in the draft report. We met with and reviewed documentation provided by OCFO related to recommendations 1 through 3. Our review determined that OCFO made progress in addressing our findings related to management oversight of service provider performance, and the OIG has agreed to amend recommendations 1 through 3 to reflect this progress. The OIG also considers corrective actions taken by OCFO prior to the issuance of the draft report in response to recommendation 4 to be sufficient to close this recommendation. We also amended recommendation 5 to reflect agreed-upon alternative corrective actions that OCFO should take to address our findings related to Compass disaster recovery. OCFO concurred with these changes.

After these amendments, we recommended that the CFO finalize internal procedures used for reviewing the service provider's performance, continue to review service provider performance on a monthly basis and document results of the monthly meetings, finalize the revised Quality Assurance Surveillance Plan that includes revised service level requirements to accurately assess service provider performance, and test inherent Compass financial reporting capabilities during a functional disaster recovery exercise.