At a Glance EPA Should Further Connect the National Program Manager Process With Federal Guidance on Internal Control Risks


tftD STAf>
* J- U.S. Environmental Protection Agency	n-p-oo67
f KM ro	nffironflncnorW^onoral	January 18, 2011
•	U • O • L. I I V 11 UI 111 It? I I LCI I I I UlUl/ll
	 \ Office of Inspector General
sgz??
At a Glance
Why We Did This Review
We conducted this review to
determine how EPA's national
program manager (NPM)
process relates to the internal
control framework under the
Federal Managers" Financial
Integrity Act (FMFIA). We
determined whether the U.S.
Environmental Protection
Agency (EPA) should
improve connections between
the two processes and whether
NPMs and regions coordinate
program management and
address risks and
vulnerabilities.
Background
FMFIA requires federal
agency managers to annually
evaluate and indicate whether
their agencies" internal
controls comply with
prescribed standards. NPM
guidance sets forth goals and
program priorities to support
compliance with the
Government Performance and
Results Act of 1993.
For further information,
contact our Office of
Congressional, Public Affairs
and Management at
(202) 566-2391.
To view the full report,
click on the following link:
www.epa.aov/oia/reports/2011/
20110118-11 -P-0067.pdf
Catalyst for Improving the Environment
EPA Should Further Connect the National
Program Manager Process With Federal
Guidance on Internal Control Risks
What We Found
EPA has not fully integrated FMFIA and the NPM processes. Activities conducted
per the NPM process support internal controls; however, EPA's Office of the
Chief Financial Officer did not connect these processes until midway through
fiscal year 2009 (in supplemental guidance) and in fiscal year 2010 guidance, and
integration efforts are still in their infancy. NPMs already conduct many activities
related to internal control, yet national program offices have separate processes
and staff responsible for each process. Having national program offices primarily
responsible for internal controls over national programs would streamline
reporting and lessen confusion among staff involved in both processes.
NPMs have not linked assessing and evaluating relevant risks associated with
achieving program objectives to internal control requirements. FMFIA requires
managers to define program goals and identify key programs, complete a risk
assessment based on their priorities, and then establish controls to mitigate
identified program risks. National program offices and regions do not appear to
completely understand the risk assessment internal control standard and how to
apply it to program operations. Without consistently conducting risk assessments,
EPA lacks a sound, documented basis for reasonably assuring that programs
implement effective internal controls consistent with federal internal control
standards. Additional training on risk assessment, including how to identify
weaknesses, determining how to manage risks, and how to conduct necessary
internal control reviews, should improve program management.
What We Recommend
We recommend that the Chief Financial Officer assign NPMs primary
responsibility for FMFIA reporting on internal controls for national programs and
rely on the lead regional coordinator process for input from the regions, and direct
regional personnel to report on administrative and financial internal control
activities along with unique geographic and programmatic issues in regional
assurance letters. We also recommend that the Chief Financial Officer develop a
training course on FMFIA and enhance the FMFIA intranet site by providing
links to risk assessment guidance and completed products that offices could use as
best practices. The Agency agreed with our recommendations and began taking
steps to address them.

-------