U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
20-P-0170
May 18, 2020

Why We Did This Project

The Office of Inspector General conducted an audit to determine whether the U.S. Environmental Protection Agency complied with the U.S. Government Accountability Office's Standards for Internal Control in the Federal Government (Green Book) and the Office of Management and Budget's Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, in preparing program-level risk assessments when designing and implementing EPA programs.

The Green Book states in its second standard, Risk Assessment, that management needs to prepare a risk assessment for its entities and its programs, which should provide the basis for developing appropriate responses to address the identified risks.

OMB Circular A-123 states that identifying risk requires (1) that an initial risk assessment be prepared for a new component, activity, or project within an agency, as well as (2) a continuous identification of new or emerging risks, or changes in existing risks.

This report addresses the following:

• Operating efficiently and effectively.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

EPA Needs to Conduct Risk Assessments When Designing and Implementing Programs

What We Found

The EPA needs to conduct risk assessments when designing and implementing programs, in accordance with the GAO Green Book and OMB Circular A-123. Although the Agency has been proactive in evaluating risks at the strategic level, individual program offices did not conduct program-level risk assessments. Both the GAO and the OMB confirmed that program-level risk assessments are required.

We also found that program offices were unable to distinguish between the GAO's requirement to assess risk at the program level and the OMB's requirement to address risk strategically using the Enterprise Risk Management process. We found that the Agency's Enterprise Risk Management guidance did not address the Green Book requirements for performing program-level risk assessments, which we discussed with EPA management. The EPA agreed, during our audit, to revise its guidance to address the need to conduct program-level risk assessments for new and existing programs. The EPA issued revised guidance in February 2020.

We found that personnel who directly execute EPA programs need additional training in both GAO Green Book requirements and the Enterprise Risk Management process. Also, without a formal and comprehensive risk assessment performed at the program level, the internal controls may be inadequate or nonexistent, resulting in an ineffective and inefficient program.

Recommendation and Planned Agency Corrective Actions

We recommend that the chief financial officer require management and staff who directly execute EPA programs to be trained on the GAO Green Book, with emphasis on program-level risk assessments. The EPA agreed with our recommendation and provided acceptable planned corrective actions and estimated completion dates. The recommendation is resolved with corrective actions pending.

By not conducting risk assessments for 20 programs that collectively cost over $5.7 billion in fiscal year 2018, the EPA cannot be certain it has the proper procedures in place to address internal and external risks to these programs.