^tDsrx
* Q \
U8&J
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
19-P-0045
December 14, 2018
Why We Did This Project
The Office of Inspector General
(OIG) conducted an audit of the
U.S. Environmental Protection
Agency's (EPA's) Water
Infrastructure Finance and
Innovation Act (WIFIA)
program. The objective of this
audit was to determine whether
the EPA has established
effective internal controls for
the WIFIA program.
EPA's Water Infrastructure Finance and Innovation
Act Program Needs Additional Internal Controls
What We Found
The EPA did not prepare a comprehensive program
risk assessment prior to establishing the WIFIA
program. Further, the EPA did not develop program
performance measures to fully identify and capture
financial data and public health benefits to affected
communities. Lastly, we found that the EPA needs
to strengthen its SharePoint access controls for the WIFIA program.
WIFIA managers need to
identify possible risks to
the program and develop
internal controls to
minimize these risks.
Congress enacted the WIFIA
program as part of the Water
Resources Reform and
Development Act of 2014.
A federal credit program
administered by the EPA, the
WIFIA program accelerates
investment in water and
wastewater infrastructure of
national and regional
significance by offering
creditworthy borrowers secured
(direct) loans and loan
guarantees for up to 49 percent
of eligible project costs.
This report addresses the
following:
• Operating efficiently and
effectively.
The EPA did not follow the guidance set forth in Office of Management and
Budget Circular A-123, Management's Responsibility for Enterprise Risk
Management and Internal Control, and the U.S. Government Accountability
Office's Standards for Internal Control in the Federal Government. These
documents state that a comprehensive program risk assessment should be done
when initially establishing a program to examine all possible risks to program
success. By not performing a formal risk assessment at the outset, Office of
Water management cannot be assured that it has identified the overall risks to
the program. Consequently, the necessary internal controls to address such risks
may not be in place, and unnecessary procedures might be implemented for risks
that do not exist, resulting in an ineffective and inefficient program.
By only identifying performance measures for specific projects, the EPA may not
be fully identifying and capturing programmatic financial and public health data.
These data may, in turn, support continuing or expanding the WIFIA program. In
addition, not having a formal process to monitor user accounts puts the WIFIA
SharePoint—as well as other EPA information technology systems that are also
hosted on the EPA intranet—at increased risk for unauthorized access and
disclosure, loss of data, and other hacking activities.
Recommendations and Planned Agency Corrective Actions
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.gov/oia.
Listing of OIG reports.
We recommend that the Assistant Administrator for Water (1) finalize a
comprehensive program risk assessment that addresses all areas of risk,
(2) develop program performance measures to identify and capture financial data
and public health benefits to affected communities, and (3) develop SharePoint
access controls. We also recommend that the Assistant Administrator for Mission
Support test and assess the WIFIA SharePoint system access controls to
determine whether they function as intended. The EPA provided acceptable
planned corrective actions and estimated completion dates. All recommendations
are resolved with corrective actions pending.
Noteworthy Achievements
We found no issues with three of the five internal control components we
examined: control environment, information and communications, and
monitoring.
-------� |