OFFICE OF INSPECTOR GENERAL
U.S. ENVIRONMENTAL PROTECTION AGENCY

May 4, 2021
Report No. 21-E-0128

EPA Did Not Conduct Agencywide Risk Assessment of CARES Act Appropriations, Increasing Risk of Fraud, Waste, Abuse, and Mismanagement

[Image: EPA OIG's response to the COVID-19 pandemic. Source: Centers for Disease Control and Prevention image.]

Evaluation Purpose: Document and assess the internal controls that the EPA implemented to mitigate risks of fraud, waste, abuse, and mismanagement over the CARES Act appropriations.

This evaluation addresses the following:
• Compliance with the law.
• Operating efficiently and effectively.

This evaluation addresses these top EPA management challenges:
• Maintaining operations during pandemic responses.
• Complying with key internal control requirements (risk assessments).
• Fulfilling mandated reporting requirements.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

Why We Did This Evaluation

In response to the coronavirus pandemic—that is, the SARS-CoV-2 virus and resultant COVID-19 disease—the Office of Inspector General for the U.S. Environmental Protection Agency initiated an evaluation under Project No. OA&E-FY20-0234 of the Agency's internal controls for the emergency supplemental appropriations provided to the EPA in the Coronavirus Aid, Relief, and Economic Security Act, known as the CARES Act. The objectives of this evaluation were to document and assess the internal controls that the EPA implemented to mitigate risks of fraud, waste, abuse, and mismanagement over the CARES Act appropriations.

Background

In March 2020, the Agency was appropriated $7.23 million in supplemental funds to "prevent, prepare for, and respond to coronavirus, domestically or internationally." All Agency CARES Act funds expire on September 30, 2021. As of March 31, 2021, the EPA had $2.81 million (38.9 percent) of unspent CARES Act funds.
Funds were allocated to three EPA program offices (Table 1), and all appropriations were designated as an "emergency requirement" under the Balanced Budget and Emergency Deficit Control Act of 1985.

Table 1: Allocation of CARES Act appropriations

CARES Act funding requirements | Appropriation (millions) | Responsible program office
Researching methods to reduce the risks from environmental transmission of coronavirus via contaminated surfaces or materials | $1.50 | Office of Research and Development
Expediting registration and other actions related to pesticides to address coronavirus | 1.50 | Office of Chemical Safety and Pollution Prevention
Cleaning and disinfecting EPA equipment and facilities (a) | 4.23 | Office of Mission Support
TOTAL | $7.23 |

Source: OIG analysis of Agency data. (EPA OIG table)
(a) Includes operational continuity of EPA programs and related activities.

[Figure: EPA's CARES Act funding. Total CARES Act appropriations: research; pesticide registration and other actions; cleaning and disinfecting EPA facilities and equipment. Source: OIG analysis of EPA information. (EPA OIG image)]

[Figure: Interdependence of federal internal control requirements. Source: OIG analysis. (EPA OIG image) *Federal Managers' Financial Integrity Act. **Resource Management Directive System.]

Guidance for Supplemental Funding

On April 10, 2020, the Office of Management and Budget issued Memorandum M-20-21, Implementation Guidance for Supplemental Funding Provided in Response to the Coronavirus Disease 2019 (COVID-19). This guidance highlights the importance of rapidly spending funds while requiring transparency and regular reporting for accountability purposes and safeguarding taxpayer dollars.
Agencies receiving these supplemental funds are reminded that they must review progress as part of their performance, evidence-building, and enterprise risk management responsibilities to the maximum extent possible, consistent with guidance included in OMB Circular A-11, Preparation, Submission and Execution of the Budget, and OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.

Reporting on Use of CARES Act Funds

The Agency is required to report to the OMB any obligations and expenditures on a monthly basis, per Section 15011(b)(1)(A) of the CARES Act. Section 15011(b)(1)(B) requires the Agency to submit a plan describing how the funds will be used to the Pandemic Response Accountability Committee, an independent oversight committee within the Council of the Inspectors General on Integrity and Efficiency, within 90 days of the March 27, 2020 enactment.

Federal Internal Control Requirements

The Federal Managers' Financial Integrity Act of 1982 requires each executive federal agency to establish an internal control system that provides reasonable assurance of achieving three objectives: (1) obligations and costs comply with applicable law; (2) funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and (3) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the asset.

On July 15, 2016, OMB Circular A-123 modernized the Federal Managers' Financial Integrity Act's requirements by integrating risk management and agency internal control systems in an Enterprise Risk Management framework. The circular establishes specific requirements for federal agencies to assess and implement internal controls for identified risks.
It also provides guidance for addressing risk at the strategic level and defines management's responsibilities for the ERM process to integrate and coordinate internal control assessments. Further, OMB Circular A-123 documentation processes require an audit trail and verifiable results, as well as specify documentation retention periods so that anyone can understand the risk assessment process.

Responsible program offices:
• The Office of the Chief Financial Officer at the agencywide entity level.
• The Office of Mission Support at the cross-program entity level.
• The Office of Research and Development at the division level.
• The Office of Chemical Safety and Pollution Prevention at the division level.

The OIG assessed whether the EPA acted consistently with the:
• CARES Act.
• Federal Managers' Financial Integrity Act.
• OMB Circular A-123.
• GAO Green Book.
• OCFO's Resource Management Directives System Policy Manual 2520, Administrative Control of Appropriated and Other Funds.

CARES Act funds are high risk

The Pandemic Response Accountability Committee's June 2020 report, Top Challenges Facing Federal Agencies: COVID-19 Emergency Relief and Response Efforts, identified the CARES Act appropriations to be high risk for fraud, waste, abuse, and mismanagement governmentwide. The report also identified various challenges that the EPA faces in implementing the CARES Act, including preexisting organizational risks in its programs and operations and maintaining a safe and productive work force.

The U.S. Government Accountability Office's Standards for Internal Control in the Federal Government, known as the Green Book, serves as the framework for federal agencies to develop, implement, and operate an effective internal control system. The GAO Green Book identifies five major components and underlying principles that are relevant for an effective internal control system.
Through the implementation of Green Book standards, federal agencies will have the ability to comply with OMB Circular A-123 assessment and reporting requirements.

The OCFO's Resource Management Directives System Policy Manual 2520, Administrative Control of Appropriated and Other Funds (effective December 2015), implements OMB Circular A-123. The policy manual provides guidance to Agency managers on using a variety of tools to achieve desired program results and meeting the requirements of the Federal Managers' Financial Integrity Act. It also details what is classified as a supplemental appropriation and the EPA's processes for risk management and internal controls, based on OMB Circular A-123. The EPA policy manual identifies the EPA's fund control principles, as well as the policies and procedures that apply to all program offices.

The Federal Managers' Financial Integrity Act, OMB Circular A-123, GAO Green Book, and the EPA policy manual together emphasize the risk assessment process, both financial and operational, for all levels of the organization. Appendix A of OMB Circular A-123 states, "ERM includes strategic, operations, reporting, and compliance objectives, and is an effective agency-wide approach to addressing the full spectrum of significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos."

Levels of Organizational Structure

The GAO Green Book identifies the four levels of a federal agency that are responsible for internal control implementation. The OCFO and the Office of Mission Support established language that bridges the Agency's structural hierarchy and the GAO Green Book levels of organizational structure (Table 2).

Table 2: GAO Green Book internal control organizational hierarchy

Levels of organizational structure | Description
Entity | EPA administrator or national program office delegated entity level duties. Agencywide controls that influence the entire organization (executive level), such as budget and human resources.
Division | National program office. An organization within the Agency that has national policy oversight responsibilities that is focused on a particular mission, such as Air, Water, Land, and Enforcement.
Operating unit | Program or regional office. An organization within the division that has overall responsibility for managing a program and is responsible for implementing national policy.
Function | Program or regional office. Activity performed by a program or regional office, such as local facilities' management, regional tribal programs, purchase cards, grant and contract management, and records management.

Source: OIG summary of GAO Green Book and EPA organizational information. (EPA OIG table)

[Figure: risk assessment status by office. Source: OIG analysis of EPA information. (EPA OIG image)]
• Office of the Chief Financial Officer, Entity Level (agencywide): Lack of oversight by not conducting a risk assessment.
• Office of Mission Support, Entity Level (cross-program): Completed a risk assessment and established internal controls.
• Office of Research and Development, Division Level (program specific): Completed a risk assessment and established internal controls.
• Office of Chemical Safety and Pollution Prevention, Division Level (program specific): Completed a risk assessment and established internal controls.

Responsible Offices

The OCFO, the Office of Mission Support, the Office of Research and Development, and the Office of Chemical Safety and Pollution Prevention are responsible for the issues discussed in this report.

Scope and Methodology

See Appendix A for a description of our scope and methodology in conducting this evaluation.

What We Found

Our evaluation of the EPA's CARES Act appropriations determined that the Agency did not fully comply with federal laws, OMB Circular A-123, and the GAO Green Book.
Specifically, the OCFO, which is responsible for agencywide ERM and internal controls, does not have processes to develop, communicate, and mitigate any entity-level risks through implementation of internal controls related to the CARES Act supplemental appropriations. The OCFO stated that it manages the ERM and internal control process but that the individual program offices are responsible for designing, implementing, and monitoring internal controls.

The OCFO did not conduct an agencywide risk assessment of internal controls for the CARES Act's supplemental appropriations or document its rationale for relying on the internal control risk assessments conducted by the program offices at the division level. Instead, the OCFO followed the procedures identified in Resource Management Directive System 2520, which has not been updated to reflect the July 2016 OMB Circular A-123's ERM requirements. Therefore, the Agency's approach did not incorporate OMB Circular A-123 ERM requirements and the GAO Green Book entity-level internal control requirements.

There is no process in place at the entity level to perform risk assessments on supplemental appropriations, which increases the risk of fraud, waste, abuse, and mismanagement. As a result, program offices in the Office of Mission Support (at the cross-program entity level), the Office of Research and Development (at the division level), and the Office of Chemical Safety and Pollution Prevention (at the division level) designed internal controls to identify and mitigate fraud, waste, abuse, and mismanagement regarding the CARES Act's funds.

OCFO Did Not Conduct Agencywide Risk Assessment

Despite OMB Circular A-123 and GAO Green Book requirements, the OCFO did not conduct an agencywide risk assessment of CARES Act funding to identify risks that could impact the success of CARES Act objectives.
By not having processes in place to conduct agencywide risk assessments on a high-risk emergency supplemental appropriation, the risk of fraud, waste, abuse, and mismanagement increases due to the lack of consideration of internal controls. OMB Circular A-123 requires an integrated approach to ERM because the silo approach does not consider the combined impact of program office risks. Instead, the OCFO relied on the individual program offices that received CARES Act funds to conduct an internal control risk assessment of only their own program's objectives.

By not performing an agencywide risk assessment, internal cross-division control gaps could not be identified. For example, the OCFO did not identify any cross-divisional risks, even though the CARES Act contained three separate supplemental appropriations for cleaning and disinfecting EPA facilities, and each location could have different logistical considerations and requirements for using the funding. Without assessing risk for the use of these funds across its various program offices and physical locations, the Agency cannot be sure it is maximizing the use of these funds.

Results of evaluation:
• The OCFO does not have processes in place to conduct an agencywide risk assessment on supplemental appropriations, which is a significant oversight.
• The OCFO did not comply with CARES Act reporting requirements.
• The Office of Mission Support, the Office of Research and Development, and the Office of Chemical Safety and Pollution Prevention complied with federal and external Agency requirements.

Missed reporting deadline

The Agency missed the 90-day congressionally mandated reporting requirement on CARES Act spending, which was due June 25, 2020.

[Figure: June 2020 calendar. Source: OIG summary of EPA data. (EPA OIG image)]
OCFO Did Not Comply with CARES Act Reporting Requirements

The CARES Act has specific statutory reporting requirements, including reporting to the OMB any obligations and expenditures on a monthly basis and submitting a plan to the Pandemic Response Accountability Committee on the Agency's use of the appropriated funds within 90 days after the Act was passed. The OCFO has been providing the OMB with monthly funds reports. Because the OCFO does not have a process in place to conduct an agencywide risk assessment and because division-level program offices are not responsible for interpreting fiscal legislation, the Agency missed the 90-day reporting requirement, which was due on June 25, 2020. The OCFO said missing the statutory requirement was "an oversight." The Pandemic Response Accountability Committee notified the OCFO on July 29, 2020, that it missed the statutory deadline. The OCFO sent the required plan on July 31, 2020.

Three Program Offices Complied with Federal and Agency Requirements

We found that, at the cross-program entity level and the division levels, the Office of Mission Support, the Office of Research and Development, and the Office of Chemical Safety and Pollution Prevention completed risk assessments and established internal controls. Upon notification of the CARES Act supplemental appropriations, each of the key program offices conducted a risk assessment related to its program objectives. By designing, implementing, and monitoring the effectiveness of the internal controls, the three offices are in compliance with OMB Circular A-123 and the GAO Green Book.

[Figure: CARES Act fund availability. 61.1%: expended, obligated, and committed funds ($4.41 million). 38.9%: available uncommitted CARES Act funds. Source: OIG analysis of EPA information. (EPA OIG image)]

Conclusions

The OCFO is responsible for interpreting fiscal legislation, leading and managing compliance with OMB Circular A-123, and conducting agencywide risk assessments for all appropriations. Risk assessment should drive internal control activities and monitor their effectiveness. The OCFO delegated all CARES Act risk assessment and internal control development to the lower levels of the EPA without documenting how the cross-program entity-level and division-level internal controls address federal and Agency requirements. While the risk assessment can be delegated, the entity-level organization must document its determination that the established controls are sufficient to assure compliance with federal and Agency requirements. With 38.9 percent of its supplemental appropriations still available, it is important that the Agency take steps to manage risks and maximize the use of its CARES Act funds.

Recommendations

We recommend that the chief financial officer:

1. Perform a risk assessment for the Coronavirus Aid, Relief, and Economic Security Act supplemental appropriations at the entity level. Based upon the results of the risk assessment, either (a) design, implement, and monitor mitigating agencywide internal controls or (b) document that the existing controls at the cross-program entity and division levels are sufficient to assure compliance with federal and Agency requirements.

2. Revise Resource Management Directives System Policy Manual 2520, Administrative Control of Appropriated and Other Funds, to require the Office of the Chief Financial Officer to perform and document risk assessments of emergency supplemental appropriations (a) when these funds are received and (b) if there is a subsequent change in the level of risk(s) in order to design, implement, and monitor internal controls for these inherently high-risk funds.
In cases where the Agency determines that an entity-level risk assessment is not necessary, document how the other program offices' internal controls will mitigate agencywide risks.

Agency Comments and OIG Assessment

The OCFO provided its initial response to the draft report on January 29, 2021, in which it nonconcurred with the two recommendations. During a subsequent meeting to discuss the draft report and the Agency response, the OIG clarified the intent of the recommendations and agreed to modify specific language in the draft report, based upon the OCFO's technical comments. The OCFO provided a revised response on March 29, 2021, which is in Appendix B.

The Agency's response to our recommendations and our assessment is as follows:

1. For Recommendation 1, the Agency asserted that it completed the corrective actions in June 2020. However, during our fieldwork, and in response to the draft report, the Agency did not provide records to support its conclusion that it conducted these actions in June 2020 or after. Recommendation 1 is unresolved with resolution efforts in progress.

2. For Recommendation 2, the Agency stated that it would update the Resource Management Directive System 2520 requirements to perform entity-level risk assessments of emergency supplemental appropriations and document the results of these assessments by September 30, 2021. We consider this recommendation resolved with corrective actions pending.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Rec. No. | Page No. | Subject | Status (1) | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s)
1 | 6 | Perform a risk assessment for the Coronavirus Aid, Relief, and Economic Security Act supplemental appropriations at the entity level. Based upon the results of the risk assessment, either (a) design, implement, and monitor mitigating agencywide internal controls or (b) document that the existing controls at the cross-program entity and division levels are sufficient to assure compliance with federal and Agency requirements. | U | Chief Financial Officer | |
2 | 6 | Revise Resource Management Directives System Policy Manual 2520, Administrative Control of Appropriated and Other Funds, to require the Office of the Chief Financial Officer to perform and document risk assessments of emergency supplemental appropriations (a) when these funds are received and (b) if there is a subsequent change in the level of risk(s) in order to design, implement, and monitor internal controls for these inherently high-risk funds. In cases where the Agency determines that an entity-level risk assessment is not necessary, document how the other program offices' internal controls will mitigate agencywide risks. | R | Chief Financial Officer | 9/30/21 |

(1) C = Corrective action completed. R = Recommendation resolved with corrective action pending. U = Recommendation unresolved with resolution efforts in progress.

Appendix A

Scope and Methodology

We conducted this evaluation from June to December 2020. We analyzed the Agency's CARES Act spending as of March 31, 2021, and updated this information accordingly. This evaluation was conducted in accordance with the Quality Standards for Inspection and Evaluation published in January 2012 by the Council of the Inspectors General on Integrity and Efficiency. These standards require that we perform the evaluation to obtain sufficient, competent, and relevant evidence to provide a reasonable basis for our findings, conclusions, and recommendations based on our objectives. We believe that the evidence obtained provides a reasonable basis for our findings, conclusions, and recommendations.
To address our objectives, we assessed the actions taken by the Agency's program offices and the guidance they issued related to the CARES Act appropriations, risk assessment, and mitigating internal controls. This report is based on the evidence collected and verified from each program office's management, which we assessed to determine whether the Agency's actions were consistent with:
• The CARES Act statutory requirements.
• The Federal Managers' Financial Integrity Act requirements for the Agency to establish an internal control system that provides reasonable assurance of achieving internal control objectives.
• The OMB Circular A-123 requirement that the Agency integrate and coordinate internal control assessments with other internal control-related activities.
• The GAO Green Book framework to establish and maintain an effective internal control system.
• The Resource Management Directives System Policy Manual 2520 requirement to manage funds effectively and efficiently while following applicable rules, statutes, and regulations.

We interviewed Agency representatives and evaluated the processes the Agency followed for compliance with applicable federal requirements and Agency policies and procedures. The key challenges faced by the Agency are complying with the requirements of the CARES Act, which include designing, implementing, and monitoring internal controls over the CARES Act funds and meeting statutory deadlines.

Appendix B

Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

March 29, 2021

OFFICE OF THE CHIEF FINANCIAL OFFICER

MEMORANDUM

SUBJECT: Revised Response to the Office of Inspector General Draft Report, Project No. OA&E-FY20-0234 "EPA Did Not Conduct an Agencywide Risk Assessment of the CARES Act Appropriations, Increasing the Risk of Fraud, Waste, Abuse, and Mismanagement," dated December 15, 2020

FROM: David A.
Bloom, Acting Chief Financial Officer
Office of the Chief Financial Officer
[Digitally signed by David Bloom]

TO: John Trefry, Director
Forensic Audits Directorate
Office of Audit

Thank you for the opportunity to respond to the issues and recommendations in the subject draft report. This is a revised response, which reflects continued cooperation and the results of ongoing communication between the Office of Inspector General and the Office of the Chief Financial Officer. Both parties have worked together to acknowledge and address mutual concerns regarding the draft report. The following is a summary of the U.S. Environmental Protection Agency's revised overall position, along with its position on each of the report's recommendations.

AGENCY'S OVERALL POSITION

The draft report contained two recommendations for the OCFO. The OCFO concurs with the OIG's findings and recommendations.

AGENCY'S RESPONSE TO DRAFT REPORT RECOMMENDATIONS

Agreements

No. | Recommendation | Assigned to: | High-Level Corrective Action(s) | Estimated Completion Date
1 | Perform a risk assessment for the Coronavirus Aid, Relief, and Economic Security Act supplemental appropriations at the entity level. Based upon the results of the risk assessment, either (a) design, implement, and monitor mitigating agencywide internal controls; or (b) document that the existing controls at the cross-program entity and division levels are sufficient to assure compliance with federal and Agency requirements. | OCFO | The OCFO agrees in principle with the OIG's recommendation and has completed corrective actions consistent with the OIG's recommendation as described below. The agency should document high-level risk assessments for supplemental appropriations. The OCFO's evaluation on the CARES Act supplemental appropriation did not categorize these funds as having high-level risk. For the CARES Act supplemental appropriation, the OCFO worked closely with the Office of Congressional and Intergovernmental Relations, Office of General Counsel, and program offices to identify requirements for additional tracking, reporting, and internal controls for these funds. In addition, the OCFO provided guidance documenting how the appropriation will be managed, highlighting specific issues, and providing financial coding and related instructions. In addition to following Resource Management Directives System Policy Manual 2520, the OCFO will also adhere to practices and procedures discussing requirements for risk assessments associated with supplemental appropriations. When the agency receives additional supplemental appropriations, the OCFO updates financial coding within the agency's financial system and develops reports for managers to use for tracking and reporting purposes. | June 28, 2020
2 | Revise Resource Management Directives System Policy Manual 2520, Administrative Control of Appropriated and Other Funds, to require the Office of the Chief Financial Officer to perform and document entity-level risk assessments of emergency supplemental appropriations (a) when these funds are received and (b) if there is a subsequent change in the risk(s) in order to design, implement, and monitor internal controls for these inherently high-risk funds. In cases where the Agency determines that an entity-level risk assessment is not necessary, document how the other program offices' internal controls will mitigate agencywide risks. | OCFO | The OCFO will update RMDS Policy Manual 2520, Administrative Control of Appropriated and Other Funds, to require OCFO to perform and document risk assessments of emergency supplemental appropriations (a) when these funds are received, or (b) if there is a subsequent change in the risk(s). In addition, the OCFO will update RMDS 2520 to incorporate the updates to the Office of Management and Budget's Circular A-123 regarding federal agencies requirements to fully implement Enterprise Risk Management (2016) and updated Improper Payment reporting review and compliance requirements (2021). | September 30, 2021

CONTACT INFORMATION

If you have any questions regarding this response, please contact the OCFO Audit Follow-up Coordinator, Andrew LeBlanc, at leblanc.andrew@epa.gov or (202) 564-1761.

cc:
Carol Terris
Lek Kadeli
Jeanne Conklin
Maria Williams
Charles Sheehan
Edward Shields
Katherine Trimble
James Hatfield
Meshell Jones-Peeler
Angel Robinson
Richard Gray
OCFO-OC MANAGERS
Leah Nikaidoh
Stephen Seifert
Andrew LeBlanc
Jose Kercado Deleon

Appendix C

Distribution

The Administrator
Deputy Administrator
Associate Deputy Administrator
Assistant Deputy Administrator
Chief of Staff, Office of the Administrator
Deputy Chief of Staff, Office of the Administrator
Chief Financial Officer
Assistant Administrator for Chemical Safety and Pollution Prevention
Assistant Administrator for Mission Support
Assistant Administrator for Research and Development
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Chief Financial Officer
Associate Deputy Chief Financial Officer
Associate Deputy Chief Financial Officer for Policy
Controller
Deputy Controller
Director, Policy, Training, and Accountability Division, Office of the Controller
Chief, Management, Integrity, and Accountability Branch; Policy, Training, and Accountability Division, Office of the Controller
Director, Office of Continuous Improvement, Office of the Chief Financial Officer
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of the Chief Financial Officer