U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Operating efficiently and effectively

EPA's Water Infrastructure Finance and Innovation Act Program Needs Additional Internal Controls

Report No. 19-P-0045
December 14, 2018

[Cover image: map of selected WIFIA projects, $2.3B WIFIA Loans]
1. King County Georgetown WWTS
2. San Francisco PUC Biosolids Digester Facilities
3. City of Morro Bay Water Reclamation
4. Orange Co. Water District Groundwater Replenishment System
5. City of San Diego Pure Water San Diego
6. City of Omaha Saddle Creek RTB
7. Metro St. Louis Sewer District Sanitary Tunnel & Relief Projects
8. Indiana Finance Authority FY2017 SRF Program
9. City of Oak Ridge Water Treatment Plant
10. Maine Water Co. Saco River Treatment Plant
11. City of Baltimore Capital Improvements
12. Miami-Dade County Ocean Outfall Reduction

-------

Report Contributors: Lisa Bergman, Michael Davis, Marcia Hirt-Reigeluth, Randy Holthaus

Abbreviations
CBI     Confidential Business Information
CFR     Code of Federal Regulations
EPA     U.S. Environmental Protection Agency
FISMA   Federal Information Security Modernization Act of 2014
GAO     U.S. Government Accountability Office
GPRA    Government Performance and Results Act of 1993
IT      Information Technology
NIST    National Institute of Standards and Technology
OEI     Office of Environmental Information
OIG     Office of Inspector General
OMB     Office of Management and Budget
OW      Office of Water
OWM     Office of Wastewater Management
U.S.C.  United States Code
WIFIA   Water Infrastructure Finance and Innovation Act

Cover Image: Map showing WIFIA projects the EPA selected in fiscal year 2017. (WIFIA website)

Are you aware of fraud, waste or abuse in an EPA program?

EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov

EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oig

-------

U.S. Environmental Protection Agency
Office of Inspector General

At a Glance

19-P-0045
December 14, 2018

EPA's Water Infrastructure Finance and Innovation Act Program Needs Additional Internal Controls

Why We Did This Project

The Office of Inspector General (OIG) conducted an audit of the U.S. Environmental Protection Agency's (EPA's) Water Infrastructure Finance and Innovation Act (WIFIA) program. The objective of this audit was to determine whether the EPA has established effective internal controls for the WIFIA program.

Congress enacted the WIFIA program as part of the Water Resources Reform and Development Act of 2014. A federal credit program administered by the EPA, the WIFIA program accelerates investment in water and wastewater infrastructure of national and regional significance by offering creditworthy borrowers secured (direct) loans and loan guarantees for up to 49 percent of eligible project costs.

This report addresses the following:

• Operating efficiently and effectively.

What We Found

The EPA did not prepare a comprehensive program risk assessment prior to establishing the WIFIA program. Further, the EPA did not develop program performance measures to fully identify and capture financial data and public health benefits to affected communities. Lastly, we found that the EPA needs to strengthen its SharePoint access controls for the WIFIA program.

WIFIA managers need to identify possible risks to the program and develop internal controls to minimize these risks.

The EPA did not follow the guidance set forth in Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, and the U.S.
Government Accountability Office's Standards for Internal Control in the Federal Government. These documents state that a comprehensive program risk assessment should be done when initially establishing a program to examine all possible risks to program success.

By not performing a formal risk assessment at the outset, Office of Water management cannot be assured that it has identified the overall risks to the program. Consequently, the necessary internal controls to address such risks may not be in place, and unnecessary procedures might be implemented for risks that do not exist, resulting in an ineffective and inefficient program.

By only identifying performance measures for specific projects, the EPA may not be fully identifying and capturing programmatic financial and public health data. These data may, in turn, support continuing or expanding the WIFIA program.

In addition, not having a formal process to monitor user accounts puts the WIFIA SharePoint—as well as other EPA information technology systems that are also hosted on the EPA intranet—at increased risk for unauthorized access and disclosure, loss of data, and other hacking activities.

Recommendations and Planned Agency Corrective Actions

We recommend that the Assistant Administrator for Water (1) finalize a comprehensive program risk assessment that addresses all areas of risk, (2) develop program performance measures to identify and capture financial data and public health benefits to affected communities, and (3) develop SharePoint access controls. We also recommend that the Assistant Administrator for Mission Support test and assess the WIFIA SharePoint system access controls to determine whether they function as intended. The EPA provided acceptable planned corrective actions and estimated completion dates. All recommendations are resolved with corrective actions pending.

Noteworthy Achievements

We found no issues with three of the five internal control components we examined: control environment, information and communications, and monitoring.

-------

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

December 14, 2018

MEMORANDUM

SUBJECT: EPA's Water Infrastructure Finance and Innovation Act Program Needs Additional Internal Controls
Report No. 19-P-0045

FROM: Charles J. Sheehan, Acting Inspector General

TO: David P. Ross, Assistant Administrator
Office of Water

Donna J. Vizian, Principal Deputy Assistant Administrator
Office of Mission Support

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). The project number for this audit was OA-FY18-0023. This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position.

The offices with primary responsibilities for the issues discussed in this report are the Office of Wastewater Management within the Office of Water and the Office of Environmental Information within the Office of Mission Support.

In accordance with EPA Manual 2750, your office provided acceptable corrective actions and milestone dates in response to OIG recommendations. All recommendations are resolved, and no final response to this report is required. However, if you submit a response, it will be posted on the OIG's website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended.
The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification.

We will post this report to our website at www.epa.gov/oig.

-------

EPA's Water Infrastructure Finance and Innovation Act Program Needs Additional Internal Controls
19-P-0045

Table of Contents

Chapters

1 Introduction
    Purpose
    Background
    Responsible Offices
    Scope and Methodology
    Noteworthy Achievements

2 EPA Did Not Perform a Formal Risk Assessment for the WIFIA Program
    Federal Requirements and Guidance on Risk Assessment
    WIFIA Program Details Established Before Identifying Risks
    Conclusion
    Recommendation
    Agency Response and OIG Evaluation

3 WIFIA Program Has Project-Specific Measures but No Long-Term Program Measures
    Federal Requirements and Guidance on Performance Measures
    Management Relied Only on Short-Term, Limited Performance Measures in Loan Agreements and from Other EPA Programs
    Conclusion
    Recommendation
    Agency Response and OIG Evaluation

4 WIFIA Program Needs Stronger SharePoint Access Controls
    Federal Law and Standards, Agency Procedures Require Information Security Access Controls
    Background on WIFIA SharePoint, Users and User Access
    EPA Needs Controls to Remove User Access to WIFIA SharePoint in a Timely Manner
    Actions Taken During Our Audit
    Conclusion
    Recommendations
    Agency Response and OIG Evaluation

Status of Recommendations and Potential Monetary Benefits

Appendices

A Details on Scope and Methodology
B OW and OEI Response to Draft Report
C Distribution

-------

Chapter 1
Introduction

Purpose

The Office of Inspector General (OIG) conducted an audit of the U.S.
Environmental Protection Agency's (EPA's) Water Infrastructure Finance and Innovation Act (WIFIA) program. The objective of this audit was to determine whether the EPA has established effective internal controls for the WIFIA program in accordance with the U.S. Government Accountability Office's (GAO's) five internal control standards: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.

Background

In 2014, WIFIA established a federal credit program (hereafter referred to as the WIFIA program) administered by the EPA. The WIFIA program, a 5-year pilot program, accelerates investment in water and wastewater infrastructure of national and regional significance by offering creditworthy borrowers loans[1] for up to 49 percent of eligible project costs. In addition to existing State Revolving Fund programs,[2] WIFIA provides another source of low-cost capital to help meet the United States' water infrastructure needs and address key priorities.

Congress enacted the WIFIA program as part of the Water Resources Reform and Development Act of 2014.[3] WIFIA was subsequently amended by the Fixing America's Surface Transportation Act of 2015[4] and the Water Infrastructure Improvements for the Nation Act of 2016.[5] Chapter 52 of Title 33 of the United States Code[6] codifies WIFIA, with supporting regulations appearing in 40 CFR Part 35, Subpart Q.

[1] WIFIA authorizes the EPA to provide loans or loan guarantees. For the purposes of this report, the term loans will hereafter refer to both loans or loan guarantees.
[2] The Clean Water State Revolving Fund and Drinking Water State Revolving Fund programs are federal-state partnerships that provide communities with permanent, independent sources of low-cost financing for a wide range of water quality infrastructure projects.
[3] Public Law 113-121, §§ 5021-5035.
[4] Public Law 114-94.
[5] Public Law 114-322.
[6] 33 U.S.C. §§ 3901-3914.

The EPA is authorized under WIFIA to provide direct secured loans to borrowers, such as municipalities and state entities, for eligible water infrastructure projects. Under WIFIA, the EPA publishes Notices of Funding Availability, and prospective borrowers submit letters of interest that demonstrate their projects' eligibility, financial creditworthiness, engineering feasibility and alignment with the EPA's policy priorities. Using the basic information provided by the prospective borrowers, the EPA evaluates and selects which projects may be eligible for funding based on the weighted criteria established in the Notice of Funding Availability. Following project selection, the EPA invites the appropriate prospective borrowers to complete applications for loans. The EPA uses the application materials to underwrite the proposed WIFIA loans and to develop individual credit agreements with the prospective borrowers.

In July 2017, after the agency received responses to its first Notice of Funding Availability published in January 2017, the EPA selected 12 prospective borrowers to apply for loans ranging from $22 million to $625 million and totaling $2.3 billion (Figure 1). As of November 13, 2017, two of the 12 borrowers had submitted complete applications, and as of August 1, 2018, four of the 12 loans had been issued by the EPA.

Figure 1: EPA WIFIA loan selections

EPA's 2017 WIFIA loans are helping to rebuild America's water infrastructure. The Water Infrastructure Finance and Innovation Act (WIFIA) program accelerates investment in our nation's water infrastructure.
Here's how WIFIA is transforming America in 2017: $2.3 B in WIFIA loans; $5.1 B in project costs; 12 projects selected; 20 M people impacted. Learn more: epa.gov/WIFIA #WIFIA

Source: WIFIA Fiscal Year 2017 Selected Projects-Summary Factsheets website.

WIFIA Program Project Examples

The following three WIFIA program projects exemplify those that have been selected by the EPA:

• A $135 million loan was issued to King County, Washington, on April 20, 2018, to finance the construction of a new Wet Weather Treatment Station to treat and convey combined sewer overflows during storm events. The new station, which will serve 1.7 million people, will be able to treat up to 70 million gallons of combined rain and wastewater per day that would otherwise have discharged directly to the Lower Duwamish Waterway without treatment. This project is expected to create 1,400 jobs and will also redevelop a Brownfields site.

• On August 1, 2018, a $135 million loan was issued to the Orange County Water District, Fountain Valley, California. The loan will enable the Orange County Water District to produce an additional 30 million gallons per day of drought-proof drinking water supply for its service area, replenishing the Orange County Groundwater Basin and reducing the need for imported water. The project is expected to create 700 jobs and serve a community of 2.5 million people. The project will include expanding the existing treatment facility, constructing a pump station, rehabilitating pipelines and reconfiguring the treatment process.

• The Indiana Finance Authority has applied for a $436 million loan that has not yet been issued. The loan will enable the Indiana Finance Authority to expand the reach of its Clean Water and Drinking Water State Revolving Fund programs and fund dozens of additional projects in communities across the state. The project will serve 6.4 million people.

[Photo: A $135 million WIFIA loan issued to the Orange County Water District will expand the area's drinking water supply. (Orange County Water District photo)]

Program Risk Assessment and Performance Measures

The GPRA Modernization Act of 2010[7] states that an agency's strategic plans shall identify key factors external to the agency that could significantly affect the achievement of the agency's general goals and objectives. Further, agencies are required to prepare annual performance plans that establish performance goals to be achieved during the year. The performance plans must describe how the performance goals contribute to the general goals and objectives established in the agency's strategic plan. The law also requires agencies to "establish a balanced set of performance indicators to be used in measuring or assessing progress toward each performance goal, including, as appropriate, customer service, efficiency, output and outcome indicators."

[7] Public Law 111-352. GPRA stands for Government Performance and Results Act.

Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, dated July 15, 2016, defines management's responsibilities in implementing a risk assessment process based on the GAO's Standards for Internal Control in the Federal Government, GAO-14-704G, dated September 2014. When establishing a new program, it is management's responsibility to identify and achieve objectives and goals for the program, as well as implement practices that identify, assess, respond to and report on risks.

Furthermore, the GAO's Standards for Internal Control defines internal control as the following: a process effected by an entity's oversight body, management and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.
Internal control comprises the plans, methods, policies and procedures used to fulfill the mission, strategic plan, goals and objectives of the entity. Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps managers achieve desired results through effective stewardship of public resources.

There are five components and 17 principles of internal control, as outlined in Table 1.

Table 1: Internal control components and principles

Component: Control Environment
    1. Demonstrate Commitment to Integrity and Ethical Values.
    2. Exercise Oversight Responsibility.
    3. Establish Structure, Responsibility and Authority.
    4. Demonstrate Commitment to Competence.
    5. Enforce Accountability.
Component: Risk Assessment
    6. Define Objectives and Risk Tolerances.
    7. Identify, Analyze and Respond to Risks.
    8. Assess Fraud Risk.
    9. Identify, Analyze and Respond to Change.
Component: Control Activities
    10. Design Control Activities.
    11. Design Activities for Information Systems.
    12. Implement Control Activities.
Component: Information and Communication
    13. Use Quality Information.
    14. Communicate Internally.
    15. Communicate Externally.
Component: Monitoring
    16. Perform Monitoring Activities.
    17. Remediate Deficiency.

Source: GAO, Standards for Internal Control, GAO-14-704G, September 2014.

WIFIA SharePoint Access Controls

The WIFIA SharePoint is an EPA website designed to allow sharing of documents and information. It is used by WIFIA staff, prospective applicants and contractors to place and store applicant data, such as letters of interest and financial information. The WIFIA SharePoint site administrator manages access to the WIFIA SharePoint for EPA staff, contractor personnel and applicant personnel. We provide more details about the WIFIA SharePoint in Chapter 4.

Responsible Offices

Two EPA offices have primary responsibility for the issues discussed in this report:

• The Office of Water (OW) ensures that drinking water is safe.
The OW also restores and maintains oceans, watersheds and their aquatic ecosystems to protect human health; support economic and recreational activities; and provide healthy habitat for fish, plants and wildlife. The OW is responsible for implementing the Federal Water Pollution Control Act, commonly known as the Clean Water Act; the Safe Drinking Water Act; and other water-related statutes. Within the OW, the Office of Wastewater Management (OWM) supports the Clean Water Act by promoting effective and responsible water use, treatment, disposal and management; and by encouraging the protection and restoration of watersheds. The OWM also manages the WIFIA program.

• The Office of Environmental Information (OEI) within the Office of Mission Support[8] leads the EPA's information management and information technology (IT) programs to provide the information, technology and services necessary to advance the protection of human health and the environment. Within the OEI, the EPA's Chief Information Security Officer is responsible for the EPA's information security program. Additionally, the Chief Information Security Officer is responsible for developing an agencywide information security program that complies with related information security laws, regulations, directives, policies and guidelines.

Scope and Methodology

We conducted our audit from October 2017 to September 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

We examined the WIFIA program's establishment of internal controls and other applicable activities from October 2014 to March 2018.
Our audit focused on the GAO's five internal control standards outlined in Table 1: control environment, risk assessment, control activities, information and communication, and monitoring. Specifically, we reviewed whether:

• The EPA complied with OMB Circular A-123 and the GAO's Standards for Internal Control when establishing the program.
• Loan applicants and WIFIA staff complied with WIFIA federal guidelines.

Appendix A contains more details on activities we conducted.

[8] Effective November 26, 2018, the OEI and the Office of Administration and Resources Management were merged into the new Office of Mission Support. We will continue to refer to the OEI in this report because the OEI remains an office within the new Office of Mission Support. However, recommendations for action are made to the Assistant Administrator for Mission Support.

Noteworthy Achievements

The EPA's OWM management has established a solid and positive control environment of support for the WIFIA program. WIFIA staff and managers have received strong support from upper-level management as well as from OW staff, other EPA offices, EPA Administrators (former and current) and other federal agencies. Using the U.S. Department of Transportation's existing Transportation Infrastructure Finance and Innovation Act program as a model, the OWM recruited highly experienced personnel from that program and other OW offices to staff the WIFIA program. As a result, the EPA was able to expeditiously establish the WIFIA program.

In December 2014, Congress provided funding to establish the WIFIA program, and the OWM began recruiting staff and setting up support contracts. In January 2017, the EPA announced the first Notice of Funding Availability. In July 2017, the EPA selected 12 of 43 prospective borrowers to apply for loans. In April 2018, the EPA issued the first WIFIA loan.

Since the program is new and just issued its first loan in April 2018, there has been limited activity.
Based on our review of these limited activities, we found no issues with three of the five GAO internal control components outlined in Table 1: control environment, information and communication, and monitoring.

-------

Chapter 2
EPA Did Not Perform a Formal Risk Assessment for the WIFIA Program

The WIFIA management team did not conduct a formal risk assessment in accordance with OMB Circular A-123 and the GAO's Standards for Internal Control prior to establishing the WIFIA program. According to WIFIA managers, the EPA established the WIFIA program based on the framework required by OMB Circular A-129, Policies for Federal Credit Programs and Non-Tax Receivables, dated January 2013, which sets out key requirements for federal credit programs. However, OMB Circular A-129, Section 1(D)(6), also requires that departments and agencies "[e]stablish appropriate internal controls over programmatic functions and operations, in accordance with ... OMB Circular A-123." While WIFIA management did prepare "risk appetite" statements for the program in accordance with OMB Circular A-129, management did not prepare a risk assessment in accordance with OMB Circular A-123 as required.

Without a formal and comprehensive risk assessment based on OMB Circular A-123 requirements, OW management cannot provide reasonable assurance that it has identified the internal and external risks to the program. Consequently, the necessary internal controls to address existing risks may not be in place, and unnecessary procedures might be implemented for risks that do not exist, resulting in an ineffective and inefficient program.

Federal Requirements and Guidance on Risk Assessment

OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, is one of the central federal requirements to improve accountability in federal programs and operations.
It defines management's responsibilities for overall risk management and internal control, and it establishes an assessment process that management must implement to properly assess and improve internal controls over operations, reporting and compliance based on the GAO's Standards for Internal Control. OMB Circular A-123 also emphasizes management's responsibility, when establishing a new program, to integrate risk management and internal control functions into the governance structure of a program or entity; identify and achieve objectives and goals for the program; and implement practices that identify, assess, respond to and report on risks.

OMB Circular A-123 states that, after the control environment for a program is established, identifying and assessing risk is the next critical step in building the program's risk profile. Assessing risk includes three important principles:

1. Ensuring that there is a clearly structured process in which both likelihood and impact are considered for each risk.
2. Recording the assessment of risk in a way that facilitates monitoring and the identification of risk priorities.
3. Being clear about the difference between inherent and residual risks.

This finding addresses the Risk Assessment component of internal control, as defined in the GAO's Standards for Internal Control and outlined previously in Table 1.

The GAO's Standards for Internal Control states that "Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives" (see inset box). According to the GAO, management should follow the following key risk assessment principles:

• Defining objectives clearly to enable the identification of risks and define risk tolerances.
• Identifying, analyzing and responding to risks related to achieving the defined objectives.
• Considering the potential for fraud when identifying, analyzing and responding to risks.
• Identifying, analyzing and responding to significant changes that could impact the internal control system.

Per the GAO's Standards for Internal Control: "Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. Management assesses the risks the entity faces from both external and internal sources."

OMB Circular A-129, Policies for Federal Credit Programs and Non-Tax Receivables, addresses financial internal controls for federal credit programs. Section III(B) lists the internal controls for credit programs as separation of duties, establishing a communications policy and outsourcing programmatic functions to contractors. Section 1(D)(6) states that for agencies and management to achieve these objectives, agencies shall "[e]stablish appropriate internal controls over programmatic functions and operations, in accordance with the standards established in this Circular, and OMB Circular A-123, Management's Responsibility for Internal Control."

WIFIA Program Details Established Before Identifying Risks

When establishing the WIFIA program, WIFIA management did not complete a formal and comprehensive risk assessment as required by OMB Circular A-123. The WIFIA Program Director said that an OMB Circular A-123 risk assessment was not done but that WIFIA staff planned to prepare one in the future. In the interim, the program staff prepared risk appetite statements for the WIFIA program's mission risk, credit risk and project risk. These statements concluded that the WIFIA program's mission risk was low and that its credit and project risk were moderate.

However, a risk appetite analysis is only one part of risk management. According to OMB Circular A-123, Section II, risk appetite "is the broad-based amount of risk an organization is willing to accept in pursuit of its mission/vision.
It is established by the organization's most senior level leadership and serves as the guidepost to set strategy and select objectives."

WIFIA management and staff initially focused on financial risks in accordance with OMB Circular A-129 and did not recognize the immediate need for a formal OMB Circular A-123 risk assessment in determining what control activities should be established. OWM management told us that it recognizes that it must complete an OMB Circular A-123 assessment and implement detailed internal controls for the WIFIA program. However, these managers also said that "it is not possible to do that until detailed processes and procedures are identified." After several discussions among the OIG, the OWM and WIFIA management, WIFIA staff provided us in March 2018 their draft programmatic risk assessment. The assessment focused on project selection, application and approval processes.

According to OMB Circular A-123, after establishing operational objectives, a risk assessment is the critical next step when setting up a new program and building its risk profile. A risk assessment identifies and assesses all of the potential risks facing an entity as it seeks to achieve its objectives. A comprehensive risk assessment should address, for example, areas of risk that may exist within policies (or the lack thereof), staffing, processes, training, communications, records and reporting, data, and IT. By not performing a risk assessment when the WIFIA program was established, management cannot be certain that it has identified the overall risks to the program.

Conclusion

WIFIA and EPA managers need to complete a risk assessment of the WIFIA program to fully identify and analyze the possible risks to the program, to determine the program's risk exposure, and to plan risk response strategies.
The risk assessment should consider what policies and procedures might be needed to protect the program from possible risks, such as funding, fraud, creditworthiness and legal risks, as well as risks related to areas such as staffing, communications, records and data.

In establishing the WIFIA program, EPA management initially focused on the possible financial risks as set forth in OMB Circular A-129, but it did not prepare a formal risk assessment for the program, as required by OMB Circular A-123. In March 2018, WIFIA provided a draft OMB Circular A-123 risk assessment that did not provide sufficient coverage. Without a complete OMB Circular A-123 risk assessment, OW management cannot be certain that it has identified the overall internal and external risks to the program in achieving its objectives. Consequently, the necessary internal controls to address existing risks may not be in place, and unnecessary procedures might be implemented for risks that do not exist, thereby resulting in an ineffective and inefficient program. Based on OMB Circulars A-129 and A-123 requirements, WIFIA management should identify and try to mitigate all possible areas of risks that might impact the WIFIA program, not just those related to the loan process.

Why Perform a Risk Assessment?
A risk assessment fully identifies and analyzes the possible risks to the program, determines the program's risk exposure, and plans risk response strategies. The risk assessment should consider what policies and procedures might be needed to protect the program from possible risks.

Recommendation

We recommend that the Assistant Administrator for Water:

1. Finalize a formal and comprehensive risk assessment for the Water Infrastructure Finance and Innovation Act program in accordance with Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.

Agency Response and OIG Evaluation

The OW concurred with Recommendation 1 and provided an acceptable corrective action and estimated completion date that meet the intent of the recommendation. Recommendation 1 is resolved with corrective actions pending.

To address Recommendation 1, the OW agreed to update and complete an OMB Circular A-123 risk assessment for the WIFIA program by December 31, 2018. In its response, the OW reiterated that WIFIA complied with OMB Circular A-129, which addresses key risks to credit programs, and that it had prepared a risk appetite report. While the OW's efforts were positive initial steps, OMB Circular A-123 also contains critical federal requirements for improving accountability in federal programs and operations. OMB Circular A-123 establishes an assessment process that management must implement to properly assess and improve internal controls over operations, reporting and compliance based on the GAO's Standards for Internal Control. OMB Circular A-123 also defines management's responsibilities for overall risk management and internal control.

The agency's detailed response is in Appendix B.

Chapter 3
WIFIA Program Has Project-Specific Measures but No Long-Term Program Measures

The EPA has developed project-specific performance measures for the WIFIA program but still needs to develop long-term program performance measures to facilitate reporting of the program's status in the agency's Annual Performance Report. As of March 2018, the performance measures that had been identified by WIFIA management were limited to individual projects. Although the Draft OW Agency Priority Goal Action Plan addresses a few short-term programmatic milestones in calendar years 2017-2018 that are related to loan issuance and interactions with the water infrastructure community, all other proposed performance measures we identified look at the short-term financial, scientific and engineering aspects of specific projects.
According to the WIFIA Director, WIFIA staff intend to rely on performance measures included in the respective loan agreements and the State Revolving Fund agreements to track individual projects. However, these short-term measures do not comply with the GPRA of 1993[9] or the GPRA Modernization Act of 2010,[10] which require agencies to develop performance plans to track overall annual goals and measures and to report annually to Congress on program performance. In addition, performance-based metrics are crucial both to understanding the impact of agency programs and to proactively identifying areas of risk.[11] As a result, WIFIA staff may not be able to satisfactorily answer Congress' concerns about the success or failure of this pilot program.

This finding addresses the Risk Assessment component of internal control, as defined in the GAO's Standards for Internal Control and outlined previously in Table 1.

Federal Requirements and Guidance on Performance Measures

The GPRA of 1993 requires that each agency evaluate and report to Congress the results of its activities each fiscal year. The act requires agencies to develop strategic plans with outcome-related goals, performance plans with annual goals and measures, and performance reports on prior-year performance. The GPRA Modernization Act of 2010 states that an agency's strategic plans shall contain "an identification of key factors external to the agency and beyond its control that could significantly affect the achievement of its general goals and objectives."[12] The law also requires agencies to establish a balanced set of performance indicators within their performance plans to measure or assess progress toward each performance goal, including customer service, efficiency, output and outcome indicators, as appropriate.

[9] Public Law 103-62.
[10] Public Law 111-352.
[11] Council of the Inspectors General on Integrity and Efficiency, Top Management and Performance Challenges Facing Multiple Federal Agencies, April 2018.
[12] As codified at 5 U.S.C. § 306(a)(7).

As discussed earlier in this report, OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, defines management's responsibilities and includes a risk assessment process, based on the GAO's Standards for Internal Control, that management must implement. In establishing a new program, it is management's responsibility to identify and achieve objectives and goals for the program and to implement practices that identify, assess, respond to and report on risks.

As part of efforts to manage risk, OMB Circular A-123, Section II states that management should consider "the relative importance of the related objectives and align risk tolerance with risk appetite." Further, managers should evaluate and monitor "performance to determine whether the implemented risk management options actually achieved the stated goals and objectives." For those risks it identifies, management must establish "a formal system of internal control to provide reasonable assurance that objectives are achieved." As part of that formal system, managers must include a process for monitoring the organization's performance in relation to various measures.

Pursuant to the GPRA Modernization Act of 2010 and Section 200 of OMB Circular A-11, Preparation, Submission, and Execution of the Budget, dated July 26, 2013, the EPA must document its assessment of internal control and may use a variety of information sources, including annual performance plans, reports, strategic reviews and program evaluations.

The GAO's Standards for Internal Control states that "management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses."
In addition, Risk Assessment Principle 6.07 includes the following statement:

    Management determines whether performance measures for the defined objectives are appropriate for evaluating the entity's performance in achieving those objectives. For quantitative objectives, performance measures may be a targeted percentage or numerical value. For qualitative objectives, management may need to design performance measures that indicate a level or degree of performance, such as milestones.

Management Relied Only on Short-Term, Limited Performance Measures in Loan Agreements and from Other EPA Programs

WIFIA management and staff did not consider it crucial when initially establishing the WIFIA program to create short- and long-term program performance measures; rather, they concentrated on developing project-specific performance measures to track each project. When we reviewed the proposed performance measures provided to us by WIFIA staff, we determined that they are project-specific and do not address the program's long-term performance. The following are examples of project-specific measures we identified:

• The number of jobs created by the project on an annual basis for the period between the effective date and substantial completion.
• The amount by which the project will increase the volume of potable water produced.
• The amount by which the project will increase the volume of water recycled, recharged or redirected as of substantial completion.

[Sidebar] Per OMB Circular A-123:
In establishing a new program, it is management's responsibility to identify and achieve objectives and goals for the program and to implement practices that identify, assess, respond and report on risks.

During the application process, applicants were required to provide a project description, including an assessment of the current condition of all water facilities relating to the project and a summary of what the project would accomplish.
According to the WIFIA Director, in the project selection phase, WIFIA staff used this information to evaluate loan applicants based on the extent to which they met statutory and regulatory selection criteria, many of which address environmental and public health benefits. This information was also used to create project-specific performance measures.

In the course of our audit, the WIFIA Director said that the information provided by WIFIA applicants will be used to develop long-term performance measures for each project. In addition, information reported to the agency for other programs will be used to measure WIFIA project results. For example, WIFIA loan applicants and recipients may also receive funds from the State Revolving Fund programs, and data from these programs may be used to develop WIFIA performance measures. However, these performance measures would still be limited in scope, tracking the suitability and success of each proposed project. They would not measure the WIFIA program's overall performance.

By only identifying performance measures that are limited in scope, WIFIA staff may not fully identify and capture data about finances and public health benefits to affected communities. These data would, in turn, support continuing or expanding the program.

We understand that many of the project-specific performance measures are unique, which is useful for internal purposes and to track each project's accomplishment toward its stated goals. However, much of this information may be too detailed and project-specific to be included in the EPA's Annual Performance Report for Congress. WIFIA management needs to consider what information should be included in the Annual Performance Report and should develop quantitative and qualitative performance measures that will track the program's overall, long-term performance.

[Sidebar] Why Are Overall Performance Measures Needed?
By only identifying performance measures that are limited in scope, the EPA may not fully identify and capture data about finances and public health benefits to affected communities. These data would, in turn, support continuing or expanding the program. In addition, project-specific information may be too detailed to be included in the EPA's Annual Performance Report for Congress.

Conclusion

More quantitative and qualitative long-term measures would benefit the WIFIA program. These measures could include improvements in water quality, reductions in the number of impaired water bodies, or improvements in the public health of those served by a water system that is part of a WIFIA project. Without such measures, WIFIA managers may not be able to fully identify and capture financial and public health benefit information that would, in turn, support continuing or expanding the program.

Recommendation

We recommend that the Assistant Administrator for Water:

2. Develop program performance measures to assess the effectiveness of the Water Infrastructure Finance and Innovation Act program and finalize the measures for each Water Infrastructure Finance and Innovation Act loan.

Agency Response and OIG Evaluation

To address Recommendation 2, the OW stated that it would develop future program performance measures to assess the effectiveness of the WIFIA program. The OW noted that the OWM is currently reviewing existing measures and proposing new measures as part of the EPA's ongoing effort to implement its "Lean" program.[13] While the OW initially did not provide an estimated completion date for developing such measures in its formal response, the office subsequently provided an acceptable completion date of September 30, 2019. Recommendation 2 is resolved with corrective actions pending.

The OW's formal response also noted that, in April 2018, it finalized the measures to be included in each specific WIFIA loan. As a result, we consider corrective action for that portion of Recommendation 2 to be completed.
The agency's detailed response is in Appendix B.

[13] Per the EPA's "About Lean Government" webpage, "Lean is a set of principles and methods used to identify and eliminate waste in any process. Lean helps organizations improve the speed and quality of their processes by getting rid of unnecessary activity such as document errors, extra process steps, and waiting time."

Chapter 4
WIFIA Program Needs Stronger SharePoint Access Controls

WIFIA managers were unable to identify external users who no longer needed access to the WIFIA SharePoint and to disable the accounts of such users in a timely manner. In addition, WIFIA program procedures allowed staff to maintain accounts for internal EPA users for up to 2 weeks beyond their need for access, instead of disabling their accounts immediately. These conditions occurred because WIFIA managers did not have formal processes in place to monitor user accounts, identify when users no longer needed access, and immediately disable those accounts. Instead of establishing required access controls, WIFIA managers primarily focused on establishing the new WIFIA program and reviewing a greater-than-anticipated number of initial letters of interest with limited staff. However, without these access controls in place, the WIFIA program could be exposed to credibility problems if applicant data are obtained by unauthorized entities. These security deficiencies also put both the WIFIA SharePoint and other EPA IT systems hosted on the EPA intranet at increased risk for unauthorized access and disclosure, loss of data, and other hacking activities.
This finding addresses the Control Activities component of internal control, as defined in the GAO's Standards for Internal Control and outlined previously in Table 1.

Federal Law and Standards, Agency Procedures Require Information Security Access Controls

Under the Federal Information Security Modernization Act of 2014 (FISMA),[14] agency heads are responsible for "providing information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction" of information and information systems. FISMA requires that agencies comply with security control standards issued by the National Institute of Standards and Technology (NIST).

NIST Special Publication 800-53, Revision 4,[15] provides detailed information on security control standards, their function and their purpose. Security controls are safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity and availability of the system and its information. The NIST access controls provide for account managers to create information system accounts for users, monitor the use of these accounts, and remove user access when it is no longer needed.

[14] Public Law 113-283.
[15] NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, was issued in April 2013 and updated through January 22, 2015.

The EPA Information Security - Access Control Procedure, CIO 2150-P-01.2, provides detailed requirements for implementing the NIST access controls. These requirements include that account managers review, at least monthly, system accounts to provide proper access levels to appropriate personnel.
This procedure also specifies that when a user's official association with the EPA or a user's authorization to access EPA information systems is terminated, all accounts associated with that user be disabled immediately.

Background on WIFIA SharePoint, Users and User Access

The WIFIA SharePoint allows the placement and storage of documents and financial information that are used throughout the WIFIA process. WIFIA SharePoint internal EPA users include WIFIA program staff, agency staff from other EPA offices who support the WIFIA program, WIFIA mission support contractors and WIFIA contractors supporting specific loans. SharePoint external users include employees and contractors of prospective borrowers who submit letters of interest and loan applications.

WIFIA staff, mission support contractors and external applicants inform the SharePoint site administrator of those individuals who need SharePoint access. When we began our audit in October 2017, one WIFIA staff member performed the daily management of SharePoint user access in a collateral-duty capacity as the site administrator.

When applicant data contain confidential business information (CBI), the applicant is to inform WIFIA staff so that the CBI can be appropriately marked and protected, per EPA procedures. Before receiving SharePoint access, potential users must read the Protecting Confidential Business Information (CBI) in the WIFIA Program - Procedures and Rules and sign the WIFIA CBI Confidentiality Agreement. Upon receiving a signed confidentiality agreement, the site administrator activates the user's account and grants access to only those SharePoint folders applicable to the user's position or role. For example, an external user employed by a local government that applied for WIFIA funding would be granted access to that entity's folders and data but no others.
Some internal EPA users, such as WIFIA team members and mission support contractors, are granted access to add and update documents in any site folder.

[Sidebar] Users of the WIFIA SharePoint:
Internal:
• WIFIA program staff.
• Agency staff from other EPA offices who support the WIFIA program.
• WIFIA mission support contractors.
• WIFIA contractors supporting specific loans.
External:
• Employees and contractors of prospective borrowers who submit letters of interest and loan applications.

EPA Needs Controls to Remove User Access to WIFIA SharePoint in a Timely Manner

WIFIA managers were unable to identify external users who no longer needed SharePoint access and to disable the accounts of such users in a timely manner. Further, while the EPA has access controls in place to remove system access for internal EPA users who are leaving the agency on their final day of employment, WIFIA managers have no access controls in place to immediately disable the accounts of internal EPA users who remain employed by the EPA but who no longer work on the WIFIA program. According to WIFIA program procedures, accounts of these EPA users were allowed to remain active for up to 2 weeks past their need for access instead of their access being removed immediately.

Although the WIFIA SharePoint site administrator said that EPA employees or external applicant staff who no longer needed SharePoint access were discussed during meetings, these discussions occurred on an ad hoc basis. Further, the site administrator relied on other parties, such as external applicants, to self-report when individuals left their organization or no longer needed access to the WIFIA SharePoint.

These conditions occurred because WIFIA managers did not have formal processes in place to monitor user accounts, identify when users no longer needed access, and immediately disable the accounts for those users.
These required access controls were not established because WIFIA managers were focused on setting up the new WIFIA program and reviewing a greater-than-anticipated number of initial letters of interest with limited staff. As discussed in Chapter 2, had WIFIA managers conducted a formal programmatic risk assessment at the outset of the program, they should have next identified what types of data would be needed to manage the program and what types of IT controls would be needed to safeguard such data. Lastly, the WIFIA employee serving as the SharePoint site administrator was the only person managing access requests and was performing the function as a collateral duty.

Actions Taken During Our Audit

In February 2018, the WIFIA program migrated its SharePoint to a new website to have more space for the anticipated increase in applicants and associated documents. WIFIA managers developed a standard operating procedure for managing the SharePoint website, including user access controls. One control established was to disable the access of external users as the phases of the WIFIA process are completed. Another control was to disable the access of internal EPA users within 5 days to 2 weeks of when they stop working on the WIFIA program (i.e., when they return to other EPA projects or work). This standard operating procedure was approved by the WIFIA Director in March 2018.

In addition, WIFIA managers assigned an EPA staff member on detail to the WIFIA program to be a second site administrator so that there are two employees serving in that role: a primary and an alternate. The staff member on detail was permanently reassigned to the WIFIA program as of April 15, 2018.

These actions, in part, correct the site administrator management and access control conditions identified above. However, the WIFIA program still lacks a formal process to identify external SharePoint users who no longer require access and to disable their access in a timely manner.
In addition, the EPA still needs a formal process to immediately remove the access of internal EPA users who no longer work on the WIFIA program.

Conclusion

If a user leaves employment or no longer needs access to the WIFIA SharePoint, the applicable entity's management should notify WIFIA team members or contractors so that the site administrator can immediately disable the user's account. Not having a formal process in place to monitor user accounts and routinely identify whose access should be disabled creates an IT security risk and could expose the WIFIA program to credibility problems if CBI is obtained by unauthorized entities. These security control deficiencies do not comply with FISMA, NIST and EPA IT access control requirements. In addition, these deficiencies put the WIFIA SharePoint and other EPA IT systems linked on the EPA intranet at an increased risk for unauthorized access and disclosure, loss of data, and other hacking activities.

Recommendations

We recommend that the Assistant Administrator for Water:

3. Develop and implement Water Infrastructure Finance and Innovation Act SharePoint system access controls for monitoring user accounts and access that comply with the Federal Information Security Modernization Act of 2014, National Institute of Standards and Technology, and EPA requirements.

We recommend that the Assistant Administrator for Mission Support:

4. Test and assess the implemented Water Infrastructure Finance and Innovation Act SharePoint system access controls to determine whether the controls are functioning as intended and comply with federal requirements and the EPA's information technology security program.

Agency Response and OIG Evaluation

The OW agreed with Recommendation 3, and the OEI agreed with Recommendation 4. Both offices provided acceptable planned corrective actions and estimated completion dates. Recommendations 3 and 4 are resolved with corrective actions pending.
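The account review that Chapter 4 calls for (monthly review under CIO 2150-P-01.2, disabling accounts immediately once access is no longer needed, and the WIFIA procedure's window of up to 2 weeks for internal users) can be expressed as a check over an account roster. The Python below is an added illustration, not part of the OIG report or any EPA tooling; the roster, field names, finding labels and the 31-day reading of "at least monthly" are assumptions.

```python
"""Account review over a constructed SharePoint-style roster (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

REVIEW_INTERVAL_DAYS = 31  # assumption: "at least monthly" modelled as 31 days
SOP_GRACE_DAYS = 14        # upper bound of the WIFIA procedure for internal users


@dataclass(frozen=True)
class Account:
    user: str
    kind: str                      # "internal" or "external"
    enabled: bool
    need_ended: Optional[date]     # None = access is still needed
    disabled_on: Optional[date]    # None = never disabled
    last_reviewed: Optional[date]  # None = no review on record


def review(accounts: List[Account], today: date) -> List[Tuple[str, str, int]]:
    """Return sorted (user, finding, days) tuples for accounts that need action."""
    findings = []
    for a in accounts:
        if a.need_ended is not None and a.need_ended <= today:
            if a.enabled:
                days = (today - a.need_ended).days
                # "Immediately" leaves no grace period, so every enabled account
                # past its need is a finding. Internal accounts still inside the
                # 2-week procedure window are labelled separately to show the gap
                # between the local procedure and the agency requirement.
                if a.kind == "internal" and days <= SOP_GRACE_DAYS:
                    findings.append((a.user, "ENABLED_PAST_NEED_WITHIN_SOP", days))
                else:
                    findings.append((a.user, "ENABLED_PAST_NEED", days))
            elif a.disabled_on is not None and a.disabled_on > a.need_ended:
                # Already disabled, but late: record the lag for trend reporting.
                lag = (a.disabled_on - a.need_ended).days
                findings.append((a.user, "DISABLED_LATE", lag))
        if a.enabled:
            if a.last_reviewed is None:
                findings.append((a.user, "NEVER_REVIEWED", -1))  # -1 = no date
            else:
                age = (today - a.last_reviewed).days
                if age > REVIEW_INTERVAL_DAYS:
                    findings.append((a.user, "REVIEW_OVERDUE", age))
    return sorted(findings)


# Constructed sample data; user names and dates are hypothetical.
TODAY = date(2024, 5, 31)
ROSTER = [
    Account("int-analyst", "internal", True, None, None, date(2024, 5, 20)),
    Account("int-detailee", "internal", True, date(2024, 5, 24), None,
            date(2024, 5, 20)),
    Account("int-former", "internal", True, date(2024, 4, 30), None,
            date(2024, 4, 15)),
    Account("ext-applicant-a", "external", True, date(2024, 5, 30), None, None),
    Account("ext-applicant-b", "external", False, date(2024, 5, 1),
            date(2024, 5, 10), date(2024, 5, 20)),
    Account("ext-applicant-c", "external", False, date(2024, 5, 1),
            date(2024, 5, 1), date(2024, 5, 20)),
]

if __name__ == "__main__":
    for user, finding, days in review(ROSTER, TODAY):
        print(f"{user:16} {finding:30} {days}")
```

The check depends on a recorded need-end date for every user, which is the information the report says the site administrator obtained only through ad hoc discussion and self-reporting.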
For Recommendation 3, the OW agreed that the WIFIA program will share the SharePoint system access controls it develops and implements with the OEI by December 31, 2018. As a part of updating its OMB Circular A-123 risk assessment, the WIFIA program will also identify what types of data are needed to manage the program and what types of IT controls are needed to safeguard such data.

For Recommendation 4, the OEI agreed to test and assess the implemented WIFIA SharePoint system access controls by March 30, 2019, to determine whether the controls are functioning as intended and comply with federal requirements and the EPA's IT security program.

The agency's detailed response is in Appendix B.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Columns: Rec. No.; Page No.; Subject; Status[1]; Action Official; Planned Completion Date; Potential Monetary Benefits (in $000s)

Rec. No. 1
Page No.: 10
Subject: Finalize a formal and comprehensive risk assessment for the Water Infrastructure Finance and Innovation Act program in accordance with Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.
Action Official: Assistant Administrator for Water
Planned Completion Date: 12/31/18

Rec. No. 2
Page No.: 14
Subject: Develop program performance measures to assess the effectiveness of the Water Infrastructure Finance and Innovation Act program and finalize the measures for each Water Infrastructure Finance and Innovation Act loan.
Action Official: Assistant Administrator for Water
Planned Completion Date: 9/30/19

Rec. No. 3
Page No.: 18
Subject: Develop and implement Water Infrastructure Finance and Innovation Act SharePoint system access controls for monitoring user accounts and access that comply with the Federal Information Security Modernization Act of 2014, National Institute of Standards and Technology, and EPA requirements.
Action Official: Assistant Administrator for Water
Planned Completion Date: 12/31/18

Rec. No. 4
Page No.: 18
Subject: Test and assess the implemented Water Infrastructure Finance and Innovation Act SharePoint system access controls to determine whether the controls are functioning as intended and comply with federal requirements and the EPA's information technology security program.
Action Official: Assistant Administrator for Mission Support
Planned Completion Date: 3/30/19

[1] C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.

Appendix A
Details on Scope and Methodology

We reviewed the following relevant laws, policies and procedures:

• Government Performance and Results Act of 1993, Public Law 103-62.
• GPRA Modernization Act of 2010, Public Law 111-352.
• Water Resources Reform and Development Act of 2014, Public Law 113-121, §§ 5021-5035.
• Fixing America's Surface Transportation Act, Public Law 114-94, § 1445.
• Water Infrastructure Improvements for the Nation Act, Public Law 114-322, § 5008.
• Federal Information Security Modernization Act of 2014, Public Law 113-283.
• OMB Circular A-11, Preparation, Submission, and Execution of the Budget, Section 200, Federal Performance Framework, July 26, 2013.
• OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, July 15, 2016.
• OMB Circular A-129, Policies for Federal Credit Programs and Non-Tax Receivables, January 2013.
• GAO, Standards for Internal Control in the Federal Government, GAO-14-704G, September 2014.
• NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (updated January 22, 2015).
• EPA Information Procedure, Information Security - Access Control Procedure, CIO 2150-P-01.2, September 21, 2015.
• EPA, WIFIA website.
• EPA, WIFIA Program Handbook, July 2017.
To determine whether the EPA has established effective internal controls for the WIFIA program in accordance with the GAO's five internal control components, we performed the following actions:

• Identified, collected and analyzed all applicable criteria related to the five internal control standards required by the GAO's Standards for Internal Control.
• Performed a site visit and interviewed all WIFIA staff members as of November 2017 to gain an understanding of the program and how it works, as well as to determine whether the program complies with the GAO's Standards for Internal Control.
• Interviewed EPA personnel who assisted in establishing the WIFIA program or who are currently involved in developing performance measures.
• Interviewed OEI personnel about the EPA's IT security measures and requirements.
• Judgmentally selected and reviewed documents submitted by the two loan applicants as of January 31, 2018, to determine the following:
  o Whether the applicants and the WIFIA team complied with federal guidelines.
  o Whether the WIFIA program was compliant with the milestones set forth in the WIFIA Deliverables - FY 2018 workbook and with the WIFIA program's stated review process.
  o Whether WIFIA staff used any of its checklists for reviewing project loan applications.

Appendix B
OW and OEI Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

MEMORANDUM

SUBJECT: Response to Office of Inspector General Draft No. OA-FY18-0023, EPA's Water Infrastructure Finance and Innovation Act Program Needs Additional Internal Controls, dated September 12, 2018

FROM: David F. Ross, Assistant Administrator, Office of Water
Vaughn Noga, Principal Deputy Assistant Administrator, Office of Environmental Information

TO: Michael D. Davis, Director, Efficiency Directorate, Office of Audit and Evaluation

Thank you for the opportunity to respond to the issues and recommendations in the Office of Inspector General's (OIG) draft report EPA's Water Infrastructure Finance and Innovation Act Program Needs Additional Internal Controls. The following is a summary of the U.S. Environmental Protection Agency's (EPA) overall position, along with its position on each of the report recommendations. For the report recommendations with which the EPA agrees, the Agency has provided high-level intended actions and estimated completion dates. For the report recommendation with which the EPA does not agree, we have explained our position and proposed alternatives to the recommendations.

AGENCY'S OVERALL POSITION

The EPA appreciates the Office of the Inspector General (OIG) acknowledgment that the Agency established a solid and positive control environment and found no issues with three of the five Government Accountability Office (GAO) control components: control environment, information and communications, and monitoring. The OIG makes four recommendations related to the two other GAO control components: risk assessment and control activities. Three recommendations are for the Assistant Administrator for Water and one is for the Principal Deputy Assistant Administrator for Environmental Information. The EPA and the Water Infrastructure Finance and Innovation Act (WIFIA) program have done significant work to establish this new program with extensive internal controls. The EPA will continue to build upon program success by incorporating many of the OIG's recommendations. However, the EPA disagrees that the measures included in the WIFIA credit agreements cannot track the program's overall, long-term performance.
The EPA values receiving the OIG's input early in the WIFIA program's development and the opportunity to proactively address these recommendations so that the Agency can continue the program's positive track record of achieving results.

AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS

No. 1
Recommendation: Finalize a formal and comprehensive risk assessment for the Water Infrastructure Finance and Innovation Act program in accordance with Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.
High-Level Intended Action(s): Prior to establishing the WIFIA program, the EPA complied with Office of Management and Budget (OMB) Circular A-129, Policies for Federal Credit Programs and Non-Tax Receivables, dated January 2013, which addresses key risks to credit programs, including separation of duties, communications policy, outsourcing of programmatic functions, and risk thresholds. The WIFIA program also completed a Risk Appetite Assessment and Report in 2017. The Risk Appetite Report addresses risks and mitigants/controls in the following areas: public health risk, environmental risk, strategic risk, branding risk, litigation risk, default risk, loss given default risk, legal risk, funding risk, loan tenor risk, interest rate risk, regulatory risk, development risk, innovation risk, completion risk, performance risk. While risk to the program has been comprehensively assessed and addressed with mitigants and controls, the EPA recognizes that it must also complete an A-123 risk assessment and implement detailed internal controls for the program. In March 2018, the WIFIA program established internal controls for the project selection, application review, and loan approval processes. The OIG has identified several additional areas for the EPA to address including staffing, records, and data. The EPA will update that programmatic A-123 risk assessment to consider policies and procedures needed to protect the program risks in these areas.
Estimated Completion Date: December 31, 2018

No. 2
Recommendation: Develop program performance measures to assess the effectiveness of the Water Infrastructure Finance and Innovation Act program and finalize the measures for each Water Infrastructure Finance and Innovation Act loan.
High-Level Intended Action(s): The EPA disagrees that the measures included in the WIFIA credit agreements cannot track the program's overall, long-term performance. The WIFIA program finalized the following measures to be included in each WIFIA loan in April 2018 and included them in its first four credit agreements: (i) the estimated interest savings the borrower is realizing through the use of the WIFIA loan compared to comparable market rate financing; (ii) the number of jobs created by the project on an annual basis during the period between the effective date and substantial completion; (iii) whether the project will assist the borrower in complying with applicable regulatory requirements, and if so, a narrative description describing such enhancements. Additional environmental measures are consistent across projects of the same type (i.e., drinking water treatment, wastewater management, combined sewer overflow control). Since three measures are consistent across credit agreements and others are consistent across project types, the WIFIA program can aggregate individual borrower responses to demonstrate program impact. As part of the EPA's effort to implement LEAN, the Office of Wastewater Management is reviewing current measures and proposing new measures. WIFIA management will propose quantitative and qualitative performance measures to be included.
Estimated Completion Date: WIFIA loan measures: The WIFIA program will continue its current approach for future loans. Program performance measures: In time for the next budget formulation exercise.
3 Develop and implement Water Infrastructure Finance and Innovation Act SharePoint system access controls for monitoring user accounts and access that comply with the Federal Information Security Modernization Act of 2014, National Institute of Standards and Technology, and EPA requirements. As the OIG notes, the WIFIA program has developed and implemented SharePoint system access controls. The WIFIA program will share these controls with the Office of Environmental Information (OEI) to ensure access controls function as intended and comply with federal requirements and the EPA's information technology security program. December 31, 2018 19-P-0045 26 ------- The WIFIA program will identify what types of data are needed to manage the program and what types of information technology controls are needed to safeguard such data as a part of updating its A-123 risk assessment. 4 Test and assess the implemented Water Infrastructure Finance and Innovation Act SharePoint system access controls to determine whether the controls are functioning as intended and comply with federal requirements and the EPA's information technology security program. OEI, in conjunction with the Office of Water's (OW) testing schedule, will test and assess the implemented WIFIA SharePoint system access controls to determine whether the controls are functioning as intended and comply with federal requirements and the EPA's information technology security program. 
March 30, 2019 CONTACT INFORMATION If you have any questions regarding this response, please contact Jorianne Jernberg, WIFIA Program Director at (202) 566-1831, Karen Fligger at (202) 564-2992 or Robert McKinney, Chief Information Security Officer, Office of Environmental Information, at (202) 564-0921 cc: Benita Best-Wong, OW Andrew Sawyers, OW Raffael Stein, OW Jorianne Jernberg, OW Steven Moore, OW Karen Fligger, OW Ann Campbell, OW Andrea Drinkard, OW Harvey Simon, OEI Robert McKinney, OEI Carrie Hallum, OEI Shakeba Carter-Jenkins, OEI 19-P-0045 27 ------- Appendix C Distribution The Administrator Deputy Administrator Special Advisor, Office of the Administrator Chief of Staff Chief of Operations Assistant Administrator for Water Assistant Administrator for Mission Support Agency Follow-Up Official (the CFO) Agency Follow-Up Coordinator General Counsel Associate Administrator for Congressional and Intergovernmental Relations Associate Administrator for Public Affairs Deputy Assistant Administrator for Water Deputy Assistant Administrator for Environmental Information, Office of Mission Support Principal Deputy Assistant Administrator for Mission Support Principal Deputy Assistant Administrator for Water Director, Office of Continuous Improvement, Office of the Administrator Director, Office of Wastewater Management, Office of Water Senior Information Officer, Office of Mission Support Chief Information Security Officer, Office of Mission Support Director, Water Infrastructure Finance and Innovation Act Program, Office of Water Audit Follow-Up Coordinator, Office of the Administrator Audit Follow-Up Coordinator, Office of Water Audit Follow-Up Coordinator, Office of Mission Support Audit Follow-Up Coordinators, Regions 1-10 19-P-0045 28 ------- |