U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
EPA Needs to Conduct Risk
Assessments When
Designing and
Implementing Programs
Report No. 20-P-0170
No risk
assessment
at program level
$5.7 billion
in taxpayer
dollars at risk
2018

-------
Report Contributors:	Michael Davis
Ryan Dzakovic
Marcia Hirt-Reigeluth
Randy Holthaus
Abbreviations
EPA	U.S. Environmental Protection Agency
ERM	Enterprise Risk Management
FY	Fiscal Year
GAO	U.S. Government Accountability Office
OCFO	Office of the Chief Financial Officer
OIG	Office of Inspector General
OMB	Office of Management and Budget
Cover Image: The EPA had not prepared program-level risk assessments for the 20 highest
dollar value programs in fiscal year 2018, resulting in $5.7 billion taxpayer
dollars at risk. (EPA OIG image)
Are you aware of fraud, waste, or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oig

-------
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
20-P-0170
May 18, 2020
Why We Did This Project
The Office of Inspector General
conducted an audit to determine
whether the U.S. Environmental
Protection Agency complied with the
U.S. Government Accountability
Office's Standards for Internal
Control in the Federal Government
(Green Book) and the Office of
Management and Budget's
Circular A-123, Management's
Responsibility for Enterprise Risk
Management and Internal Control, in
preparing program-level risk
assessments when designing and
implementing EPA programs.
The Green Book states in its second
standard, Risk Assessment, that
management needs to prepare a risk
assessment for its entities and its
programs, which should provide the
basis for developing appropriate
responses to address the identified
risks. OMB Circular A-123 states that
identifying risk requires (1) that an
initial risk assessment be prepared
for a new component, activity, or
project within an agency, as well as
(2) a continuous identification of new
or emerging risks, or changes in
existing risks.
This report addresses the
following:
• Operating efficiently and
effectively.
Address inquiries to our public affairs
office at (202) 566-2391 or
OIG_WEBCOMMENTS@epa.gov.
EPA Needs to Conduct Risk Assessments
When Designing and Implementing Programs
What We Found
The EPA needs to conduct risk assessments
when designing and implementing programs, in
accordance with the GAO Green Book and OMB
Circular A-123. Although the Agency has been
proactive in evaluating risks at the strategic level,
individual program offices did not conduct
program-level risk assessments. Both the GAO
and the OMB confirmed that program-level risk
assessments are required. We also found that
program offices were unable to distinguish
between the GAO's requirement to assess risk at
the program level and the OMB's requirement to
address risk strategically using the Enterprise Risk
Management process. We found that the Agency's Enterprise Risk
Management guidance did not address the Green Book requirements for
performing program-level risk assessments, which we discussed with EPA
management. The EPA agreed, during our audit, to revise its guidance to
address the need to conduct program-level risk assessments for new and
existing programs. The EPA issued revised guidance in February 2020.
We found that personnel who directly execute EPA programs need
additional training in both GAO Green Book requirements and the
Enterprise Risk Management process. Also, without a formal and
comprehensive risk assessment performed at the program level, the
internal controls may be inadequate or nonexistent, resulting in an
ineffective and inefficient program.
Recommendation and Planned Agency Corrective Actions
We recommend that the chief financial officer require management and
staff who directly execute EPA programs to be trained on the GAO Green
Book, with emphasis on program-level risk assessments. The EPA agreed
with our recommendation and provided acceptable planned corrective
actions and estimated completion dates. The recommendation is resolved
with corrective actions pending.
By not conducting risk assessments for 20 programs that collectively cost over $5.7 billion in fiscal year 2018, the EPA cannot be certain it has the proper procedures in place to address internal and external risks to these programs.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
May 18, 2020
MEMORANDUM
SUBJECT: EPA Needs to Conduct Risk Assessments When Designing and Implementing Programs
Report No. 20-P-0170
This is our report on the subject audit conducted by the Office of Inspector General of the
U.S. Environmental Protection Agency. The project number for this audit was OA&E-FY19-0034. This
report contains findings that describe the problems the OIG has identified and corrective actions the OIG
recommends. Final determinations on matters in this report will be made by EPA managers in accordance
with established audit resolution procedures.
The Office of the Chief Financial Officer has the primary responsibility for the issues discussed in this
report.
In accordance with EPA Manual 2750, your office provided acceptable corrective actions and estimated
milestone dates in response to OIG recommendations. All recommendations are resolved, and no final
response to this report is required. However, if you submit a response, it will be posted on the OIG's website,
along with our memorandum commenting on your response. Your response should be provided as an Adobe
PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973,
as amended. The final response should not contain data that you do not want to be released to the public; if
your response contains such data, you should identify the data for redaction or removal along with
corresponding justification.
FROM: Sean W. O'Donnell
TO: David Bloom, Deputy Chief Financial Officer
We will post this report to our website at www.epa.gov/oig.

-------
EPA Needs to Conduct Risk Assessments
When Designing and Implementing Programs
20-P-0170
Table of Contents
Chapters
1	Introduction		1
Purpose		1
Background		1
Responsible Office		3
Scope and Methodology		4
Prior Audit Reports		4
2	EPA Needs to Conduct Risk Assessments When Designing and
Implementing Programs		5
Federal Requirements and Guidance on Risk Assessment		5
GAO and OMB Confirm Need for Program-Level
Risk Assessments		6
EPA Did Not Conduct Required Program-Level Risk Assessments		6
EPA Revised ERM Guidance During Our Audit to Address
Identified Deficiency		8
Training Is Needed in Green Book Program-Level Risk
Assessment Requirements		8
Conclusions		9
Recommendation		9
Agency Response and OIG Assessment		9
Status of Recommendation and Potential Monetary Benefits		10
Appendices
A Details on Scope and Methodology	 11
B Agency Response to Draft Report	 13
C Distribution	 15

-------
Chapter 1
Introduction
Purpose
The Office of Inspector General conducted an audit to determine whether the
U.S. Environmental Protection Agency complied with the U.S. Government
Accountability Office's Standards for Internal Control in the Federal
Government (commonly referred to as the Green Book) and the Office of
Management and Budget Circular A-123, Management's Responsibility for
Enterprise Risk Management and Internal Control, in preparing program-level
risk assessments when establishing and maintaining EPA programs.
Background
Identifying and assessing risk is a necessary step prior to developing appropriate
internal control procedures. Without conducting a risk assessment, internal
control procedures can be inefficient, ineffective, or unnecessary and can fail to
address significant risks. This audit focused on Risk Assessment, the second
standard of internal control as defined in the GAO Green Book. This standard,
established in November 1999, should be the second step that federal program
managers perform while establishing and maintaining a program or entity.
Our audit did not focus on the Enterprise Risk Management process, which is an
OMB-directed initiative that federal agencies were mandated to use starting in
fiscal year 2017. Unlike the risk assessment process defined in the GAO Green
Book, which focuses at the program level, the ERM process considers major risks
that can cut across an agency and may hinder the organization from achieving its
strategic objectives. The EPA uses the risk assessment tool and program review
strategies in the ERM process to evaluate the risks to strategic objectives, which is
different from complying with or preparing a program-level risk assessment as
defined in the Green Book. For example, preparing program-level risk
assessments for EPA programs such as the Great Lakes Restoration program or
the EPA's program to protect the environment from pesticide risk is different than
the ERM process for identifying risk at the strategic level.
A program review strategy analyzes and assesses, by strategic objective, the
effectiveness of internal controls; detects weaknesses and deficiencies; and
provides a sound, documented basis for the annual Federal Managers' Financial
Integrity Act assurance letters, which program offices submit to the EPA
administrator.
20-P-0170
1

-------
GAO's Standards for Internal Control in the Federal Government
The Federal Managers' Financial Integrity Act of 1982 required the OMB, in
consultation with the GAO's comptroller general, to issue standards for internal
control in government. In 1983, the GAO issued the original Green Book. In
November 1999, the GAO updated the Green Book and established five internal
control standards that federal agencies must follow when setting up new programs
(Table 1).
Table 1: Five standards for internal control for the federal government
Control environment: This is the foundation for an internal control system. Management should establish a control environment that affirms a commitment to integrity and ethical values. The control environment provides the discipline and structure to help an agency achieve its objectives.
Risk assessment: Managers assess risks facing the entity as it seeks to execute its programs and achieve its objectives. This assessment is the foundation for developing appropriate risk responses.
Control activities: After assessing the risks, the control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks.
Information and communication: Management should use, and internally and externally communicate, quality information to achieve the entity's objectives.
Monitoring: Management should establish and implement activities to monitor agency performance, evaluate results, and promptly resolve identified deficiencies.
Source: OIG-created table based on the Green Book.
The five standards represent the highest level of internal control standards in the
federal government and must be effectively designed, implemented, and operated
in an integrated manner to be effective. These standards are the foundation for
establishing and maintaining internal control and identifying and addressing
significant management challenges and areas at greatest risk for fraud, waste,
abuse, and mismanagement. The revised Green Book, issued in September 2014
and effective in FY 2016, added 17 principles to the five internal control
standards. The four principles that management officials should use when
designing and implementing the risk assessment control standard are:
•	Defining objectives clearly to identify risks and define risk tolerances.
•	Identifying, analyzing, and responding to risks related to achieving the
defined objectives.
•	Considering the potential for fraud when identifying, analyzing, and
responding to risks.
•	Identifying, analyzing, and responding to significant changes that could
impact the internal control system.

-------
OMB Circular A-123
OMB Circular A-123 provides guidance for management to establish internal
controls for identified risks. It states that the standards outlined in the Green Book
"provide the internal control framework and criteria Federal managers must use in
designing, implementing, and operating an effective system of internal control." It
also provides guidance for addressing risk at the strategic level and defines
management's responsibilities for the ERM process.
Enterprise Risk Management
OMB Circular A-123 defines the ERM process as:
An effective Agency-wide approach to addressing the full
spectrum of the organization's external and internal risks by
understanding the combined impact of risks as an interrelated
portfolio, rather than addressing risks only within silos.
[emphasis added]
According to EPA officials, the Agency began implementing the ERM process in
2016. EPA personnel told us that this process helped identify strategic risks to
achieving the objectives in the FY 2018-2022 U.S. EPA Strategic Plan, which is
the basis for identifying the EPA's enterprise risks. According to the EPA, some
of these strategic risks may reflect program-level risks.
The FY 2017 Guidance for Enterprise Risk-Based Decision Making at EPA:
Integrating Strategic Reviews and Management Integrity Internal Controls
required programs and offices to assess controls at the strategic goal and objective
level based on the FY 2018-2022 Strategic Plan and to document the
effectiveness of internal controls and compliance with the GAO's five standards
and 17 principles. The FY 2018 guidance noted that the standards and principles
help determine whether internal controls are designed, implemented, and
operating effectively. Using the risk assessment tool will help offices identify
risks that could prevent them from achieving the strategic objectives listed in the
Strategic Plan, it adds.
The FY 2019 Guidance for Strategic Reviews and Internal Controls clarified the
internal control responsibilities of program and regional managers and required
offices to maintain documentation to support management's decision on the
effectiveness of controls.
Responsible Office
The Office of the Chief Financial Officer is primarily responsible for the issues
discussed in this report. The OCFO leads the Agency's ERM and strategic
planning and performance management efforts.

-------
Scope and Methodology
We conducted this performance audit from December 2018 to March 2020 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objective. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit
objective.
Initially, we attempted to obtain risk assessments from EPA headquarters for the
top 20 Agency programs by dollar value in FY 2018. When the Agency could not
provide this information, we asked for risk assessments for the five newest
congressionally authorized programs and projects, which were created from
FY 2016 through FY 2018.
During this audit, we contacted the GAO's Strategic Issues Mission Team and the
OMB's assistant general counsel to obtain their input on the internal control risk
assessment standard and the ERM risk assessment process. Appendix A contains
more details on our audit activities.
Prior Audit Reports
In the past six years, the EPA OIG has issued reports recommending that the EPA
prepare risk assessments for various programs:
•	Report No. 13-P-0271. Improved Internal Controls Needed in the Gulf
of Mexico Program Office, dated May 30, 2013. The OIG found that the
program had not assessed its strategic objectives and performance
measures, as required by governmentwide internal control standards. As
a result of our audit, the EPA completed its Gulf of Mexico Program
Office risk assessment for its FY 2014 performance measures and a
program review strategy.
•	Report No. 19-P-0045. EPA's Water Infrastructure Finance and
Innovation Act Program Needs Additional Internal Controls, dated
December 14, 2018. The OIG found that the EPA did not prepare a
comprehensive program risk assessment prior to establishing the
program. Further, the EPA did not develop program performance
measures to fully identify and capture financial data and public health
benefits to affected communities. Lastly, the Agency needed to
strengthen its SharePoint access controls for the Water Infrastructure
Finance and Innovation Act program. During the audit, the OIG
discussed the importance of having a comprehensive program risk
assessment with the program managers. The Agency agreed and
provided its risk assessment and control matrix to the OIG on
December 20, 2018.

-------
Chapter 2
EPA Needs to Conduct Risk Assessments When
Designing and Implementing Programs
The EPA needs to conduct risk assessments when designing and implementing
programs, in accordance with the GAO Green Book and OMB Circular A-123.
Although the Agency has been proactive in evaluating risks at the strategic level,
individual program offices within the Agency did not conduct or provide
program-level risk assessments. In addition, we found that program office
personnel were unable to distinguish between the GAO Green Book requirement
to assess risk at the program level and the requirements of the ERM process as
stated in the OMB Circular. The EPA's guidance did not clearly differentiate
between program-level risk assessments and the agencywide risk assessment of
strategic objectives. The EPA considers program risk broadly across the Agency
through the ERM process, despite the GAO's emphasis that risks must also be
identified at the individual program level. Without a risk assessment at the
program level, internal controls to address existing risks may be inadequate or
nonexistent, resulting in an ineffective and inefficient program.
Federal Requirements and Guidance on Risk Assessment
The GAO Green Book's second standard, Risk Assessment, requires management
to assess the risks facing the entity from both external and internal sources as it
seeks to achieve its objectives. This assessment provides the basis from which
management should develop appropriate risk responses, such as standard
operating procedures to mitigate such risks.
OMB Circular A-123 defines management's responsibilities for the ERM process
and internal control. The circular provides Green Book implementation guidance
for managers "on improving the accountability and effectiveness of Federal
programs and operations by identifying and managing risks." It establishes an
assessment process based on the Green Book that can enable management to
properly assess and improve internal controls over operations, reporting, and
compliance. Federal managers and leaders are responsible for integrating the
ERM process and internal control functions into the governance structure of a
program or entity. When establishing a new program, it is management's
responsibility to identify objectives and goals for the program and to implement
practices that identify, assess, respond, and report risks.
OMB Circular A-123, Section II, B2, Identification of Risk, states that a critical
step in building the agency's risk profile is identifying risks. The first phase in
that process is initial risk identification, which is for agencies that have not
identified risks in a structured way or for new components, programs, or activities

-------
that have not yet identified risks. The second phase involves identifying changes
in existing risks and new and emerging risks on a continuous basis.
Since FY 2017, the EPA has annually issued comprehensive guidance that
integrated strategic reviews and management integrity while incorporating risk
considerations into Agency planning and budgeting decisions. Technical training
on the Green Book standards and principles was provided in March 2018, as
stated in the guidance issued in FY 2018. Managers and strategic planners were
encouraged to attend.
The guidance in FY 2019 noted that face-to-face training, by strategic objective,
would be provided for planners in the national program offices and for
management integrity advisors. A goal of these sessions, the guidance stated, was
to strengthen the connection between risks and internal controls and to ensure that
the EPA has valid internal controls for strategic risks. However, the training
discussed and provided to senior management in both the FY 2018 and FY 2019
guidance was not given to the program office personnel who directly execute EPA
programs.
GAO and OMB Confirm Need for Program-Level Risk Assessments
GAO personnel stated that even with the ERM process, agencies should still
conduct program-level risk assessments. The GAO views the ERM process as a
tool to determine and evaluate agencywide strategic risks. The ERM process
addresses risks to the entire agency, but the GAO emphasizes that unique risks to
individual programs need to be identified and addressed for each specific program
as well.
The OMB stated that assessing risk for a program's internal control needs is
different than broadly assessing risk under the ERM process, which looks
agencywide. The OMB explained that the risk assessment process in the Green
Book could be leveraged to inform the ERM process, although program-level risk
assessment addresses different risks.
EPA Did Not Conduct Required Program-Level Risk Assessments
The EPA needs to conduct program-level risk assessments when designing and
implementing programs, in accordance with the GAO Green Book and OMB
Circular A-123, Section II. The EPA program managers did not prepare program-
level risk assessments, which the GAO and the OMB criteria require, when
designing and implementing their respective programs. Further, none of the
EPA's previously issued ERM guidance explained that program managers should
follow Green Book guidance when preparing program-level risk assessments.

-------
We requested copies of program-level risk
assessments for the top 20 programs by dollar
value in FY 2018 (Appendix A), which totaled
$5.7 billion or approximately 71 percent of the
EPA's $8.1 billion budget (Figure 1). However,
the EPA stated that it did not have any program-
level risk assessments for these programs.
Subsequently, we obtained a list of the five
newest congressionally authorized programs
from the Agency to determine whether the EPA
had complied with the GAO Green Book
requirement to conduct risk assessments when
those programs were established. The EPA's
five newest programs, by year initially funded,
were:
1.	Water Infrastructure Finance and Innovation Act (FY 2016).
2.	Gold King Mine Monitoring (FY 2017).
3.	Lead Testing in Schools (FY 2018).
4.	Reducing Lead in Drinking Water (FY 2018).
5.	Safe Water for Small and Disadvantaged Communities (FY 2018).
The total funding was $15.3 million in FY 2018 for the first two programs listed
above and $117 million in FY 2019 for all five programs listed above.
In May 2019, we requested copies of the program-level risk assessments for four
of the five programs. We obtained a program-level risk assessment for the Water
Infrastructure Finance and Innovation Act program in December 2018 from a
prior audit we conducted. In response to our request, we met with Office of Water
personnel and concluded that there were no program-level risk assessments
prepared for those four programs. However, they did provide us with a program
review strategy, dated June 2018, related to Water Infrastructure Finance and
Innovation Act activities.
Program review strategies focus on risk at the agencywide strategic level, which
is different from the Green Book's requirements to focus on risk at the individual
program level. While the program review strategy document identified only two
risks for three control objectives, the risk assessment for the Water Infrastructure
Finance and Innovation Act program was much more specific, identifying 58
specific risks to the program, the parties responsible for taking actions to address
risks, and the time frames for doing so. The level of detail included in the
program review strategy document compared to the level of detail in the program-
level risk assessment illustrates the differences between the strategic-level focus
of the ERM process and the program-level focus of the Green Book.
Figure 1: 20 highest dollar value programs in FY 2018 (20 programs; $5.7 billion, 71% of FY 2018 budget; 0 program-level risk assessments). Source: EPA OIG graphic.

-------
In June 2019, personnel in the Office of Water stated that they were preparing a
program-level risk assessment for the Gold King Mine Monitoring program and
provided it to the OIG in January 2020. The Office of Water subsequently
provided program-level risk assessments for the remaining three programs to the
OIG also in January 2020. We reviewed all the risk assessments and concluded
that they were consistent with Green Book principles.
EPA Revised ERM Guidance During Our Audit to Address Identified
Deficiency
None of the EPA's previously issued ERM guidance explained that the GAO
Green Book should be used to prepare program-level risk assessments when
designing and implementing programs. During our interviews with EPA program
managers, we were told that they thought the ERM process satisfied GAO and
OMB requirements to implement practices that identify, assess, respond, and
report on risks within a program. The EPA guidance did not explain the difference
between an ERM risk assessment of strategic objectives and the GAO Green
Book requirements for individual program-level risk assessments. Agency
guidance also did not emphasize the importance of preparing program-level risk
assessments as an integral part of program design.
In August 2019, we met with personnel from the OCFO, including the director of
Planning, Analysis, and Accountability, to discuss this deficiency with the
Agency's ERM guidance that we identified. We explained that the guidance did
not have instructions for when and how the Agency should conduct program-level
risk assessments. In response, the director stated that the Agency's FY 2020 ERM
guidance, which the OCFO planned to issue in December 2019, would address the
requirement that program offices should prepare program-level risk assessments
for new programs. The director stated that an office should prepare a risk
assessment for a new program if it received funding for the program.
On February 19, 2020, the OCFO published its FY 2020 Guidance for Strategic
Reviews and Internal Controls. In it, the Agency addressed the GAO Standards
for Internal Control as it pertains to conducting program-level risk assessments
for new and existing programs by stating, "As appropriate, program and regional
offices should conduct risk assessments for current and/or newly established
programs or projects to determine whether current controls are effective in
achieving the stated goals and objectives."
Training Is Needed in Green Book Program-Level Risk Assessment
Requirements
The EPA considers the ERM process as its principal tool to satisfy OMB
Circular A-123 requirements to identify and mitigate risk at the agencywide
enterprise level. The EPA considers its internal control process the principal
approach to satisfy the GAO Green Book requirements to mitigate risk at the

-------
lowest program level. We found that program office personnel could not
sufficiently distinguish between the responsibilities of the ERM process and the
GAO Green Book requirement to assess risk at the program level. As noted
earlier, the training provided on these topics was intended for strategic planners,
not for those who directly execute EPA programs. Personnel from the Office of
Air and Radiation told us that they would be interested in such training.
Conclusions
Without information from program-level risk assessments, the EPA may not be
able to identify significant risks to individual programs. As a result, the Agency
might not establish the necessary internal control procedures to address risks,
potentially resulting in an ineffective and inefficient program.
Recommendation
We recommend that the chief financial officer:
1. Require management and staff who directly execute EPA programs to take
mandatory annual training on the U.S. Government Accountability
Office's Standards for Internal Control in the Federal Government (Green
Book) with emphasis on program-level risk assessments.
Agency Response and OIG Assessment
The EPA agreed with our recommendation and provided acceptable planned
corrective actions and estimated completion dates. The recommendation is
resolved with corrective actions pending.
The OCFO stated that it will revise and update the senior managers' and
management integrity advisors' online training courses to include relevant
information on the GAO Green Book by December 30, 2020. The OCFO also
stated that it will require assistant administrators and regional administrators to
certify in their annual assurance letters by August 30, 2021, that all appropriate
staff have taken the training.
In our April 8, 2020 meeting with OCFO personnel, they said that our draft report
recommendation was confusing and suggested a revision for clarity. In its official
response dated April 14, 2020, the OCFO commented that the EPA currently does
not have guidance titled Guidance for Enterprise Risk-based Decision Making at
EPA. Instead, the OCFO stated that the EPA issues annual guidance titled Strategic
Reviews and Internal Controls and provides stakeholders with an overview of the
guidance. Therefore, the OCFO suggested that, for clarity, the OIG revise the
recommendation in the final report to refer solely to the training needed relating to
the Green Book. The OIG agreed with the OCFO's suggestion, and we revised the
recommendation accordingly. The complete Agency response to the draft report is
in Appendix B.

-------
Status of Recommendation and Potential Monetary Benefits
RECOMMENDATIONS
Rec. No.: 1
Page No.: 9
Subject: Require management and staff who directly execute EPA programs to take mandatory annual training on the U.S. Government Accountability Office's Standards for Internal Control in the Federal Government (Green Book) with emphasis on program-level risk assessments.
Status (1): R
Action Official: Chief Financial Officer
Planned Completion Date: 8/30/21
Potential Monetary Benefits (in $000s): none
(1) C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.

-------
Appendix A
Details on Scope and Methodology
The policies and procedures we reviewed include:
• GAO, Standards for Internal Control in the Federal Government,
GAO-14-704G, September 2014.
•	OMB Circular A-123, Management's Responsibility for Enterprise Risk
Management and Internal Control, July 15, 2016.
•	EPA, FY 2017 Guidance for Enterprise Risk-Based Decision Making at
EPA: Integrating Strategic Reviews and Management Integrity Internal
Controls, March 17, 2017.
•	EPA, FY 2018 Guidance for Enterprise Risk-Based Decision Making at
EPA: Strategic Reviews and Management Integrity Internal Controls,
March 9, 2018.
•	EPA, FY 2019 Guidance for Strategic Reviews and Internal Controls,
March 13, 2019.
We performed the following actions to determine whether the EPA prepared risk
assessments for programs in accordance with the GAO's second internal control
standard:
• Reviewed and summarized prior OIG and GAO audits and evaluations
that were relevant to this audit.
• Reviewed EPA regional and program office Annual Assurance Letters
issued from FY 2016 through FY 2018.
• Assessed management and internal controls as they related to preventing
and detecting fraud, waste, and abuse.
• Interviewed staff from the Office of Water, the Office of Land and
Emergency Management, and the Office of Air and Radiation to gather
information that would assist us in understanding, documenting, and
analyzing the risk assessments developed to manage the respective EPA
programs and safeguard resources.
• Reviewed a sample of EPA program review strategies for 21 Office of
Water programs.

-------
We identified the top 20 programs by dollar value totaling $5.7 billion, which equaled
approximately 71 percent of the $8.1 billion total of Annualized Continuing Resolution
Funds for FY 2018. We requested that the EPA provide us with the program-level risk
assessments for these programs:
1. Brownfields Projects.
2. Categorical Grant: Nonpoint Source (Sec. 319).
3. Categorical Grant: Pollution Control (Sec. 106).
4. Categorical Grant: Public Water System Supervision.
5. Categorical Grant: State and Local Air Quality Management.
6. Civil Enforcement.
7. Compliance Monitoring.
8. Drinking Water Programs.
9. Facilities Infrastructure and Operations.
10. Federal Support for Air Quality Management.
11. Great Lakes Restoration.
12. Infrastructure Assistance: Clean Water State Revolving Fund.
13. Infrastructure Assistance: Drinking Water State Revolving Fund.
14. Information Technology/Data Management.
15. Research: Safe and Sustainable Water Resources.
16. Research: Sustainable and Healthy Communities.
17. Superfund: Remedial.
18. Superfund: Emergency Response and Removal.
19. Superfund: Enforcement.
20. Surface Water Protection.
We identified the five newest congressionally authorized programs, which totaled
$15.3 million for two programs in FY 2018 and $117 million for all five programs in
FY 2019. We reviewed the risk assessment, which was provided to us in
December 2018, for the Water Infrastructure Finance and Innovation Act program, one
of the five newest programs. We requested program-level risk assessments for the
remaining four programs and reviewed them in January 2020:
1. Gold King Mine Monitoring.
2. Lead Testing in Schools.
3. Reducing Lead in Drinking Water.
4. Safe Water for Small and Disadvantaged Communities.

-------
Appendix B
Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
April 14, 2020
MEMORANDUM
SUBJECT: Response to the Office of Inspector General Draft Audit Report, Project No.
OA&E-FY19-0034, "EPA Needs to Conduct Risk Assessments When Designing
and Implementing Programs," dated March 18, 2020
FROM: David A. Bloom, Deputy Chief Financial Officer
Office of the Chief Financial Officer
TO: Michael D. Davis, Director, Efficiency Directorate
Office of Audit and Evaluation
Thank you for the opportunity to respond to the issues and recommendations in the subject draft
audit report. The following is a summary of the U.S. Environmental Protection Agency's overall
position, along with its position on each of the report recommendations. We have provided high-
level intended corrective actions and estimated completion dates.
AGENCY'S OVERALL POSITION
The Office of the Chief Financial Officer agrees with the intent of the recommendation in the
report and has established a corrective action to address the Office of Inspector General's
concerns.
AGENCY'S RESPONSE TO DRAFT AUDIT RECOMMENDATIONS
The OCFO requests the OIG to revise the recommendation to only include a reference to training
on the Government Accountability Office's Standards for Internal Control in the Federal
Government (Green Book). Currently, there is no guidance entitled, Guidance for Enterprise
Risk-based Decision Making at EPA. The EPA issues annual guidance on Strategic Reviews and
Internal Controls and, upon issuance, engages with stakeholders to provide an overview of the
guidance. As stated in the table below, the agency plans to update the on-line management
integrity courses and require certification of completion from Assistant Administrators and
Regional Administrators in their annual assurance letter.
Agreements

No.: 1
Recommendation: Require management and staff who directly execute EPA programs to
take mandatory annual training on the U.S. Government Accountability Office's
Standards for Internal Control in the Federal Government (Green Book) and the
current Guidance for Enterprise Risk-based Decision Making at EPA, with emphasis
on the differences between the Enterprise Risk Management and the Green Book's
requirements for program-level risk assessments.
High-Level Intended Corrective Action(s) and Estimated Completion Dates:
1.1 The OCFO will revise and update the senior managers and management integrity
advisors on-line training courses to include relevant information on the GAO's
Standards for Internal Control in the Federal Government (Green Book).
Estimated Completion Date: December 30, 2020
1.2 The OCFO will require AAs/RAs to certify completion of the training for all
appropriate staff in their annual assurance letters.
Estimated Completion Date: August 30, 2021
CONTACT INFORMATION
If you have any questions regarding this response, please contact the OCFO's Audit Follow-up
Coordinator, Andrew LeBlanc, at leblanc.andrew@epa.gov or (202) 564-1761.
cc: Carol Terris
C. Paige Hanson
Charlie Dankert
Jeanne Conklin
Istanbul Yusuf
Aileen Atcherson
Randy Holthaus
Annette Morant
Andrew LeBlanc

-------
Distribution
The Administrator
Assistant Deputy Administrator
Associate Deputy Administrator
Chief of Staff
Deputy Chief of Staff/Operations
Chief Financial Officer
Deputy Chief Financial Officer
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Director, Office of Continuous Improvement, Office of the Administrator
Associate Chief Financial Officer
Associate Chief Financial Officer for Policy
Controller
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of the Chief Financial Officer

-------