U.S. ENVIRONMENTAL PROTECTION AGENCY
CUSTOMER SERVICE ~ INTEGRITY ~ ACCOUNTABILITY
Compliance with the law
Operating efficiently and effectively
EPA Has Not Performed Agencywide Risk Assessments, Increasing the Risk of Fraud, Waste, Abuse, and Mismanagement
Report No. 22-E-0011
December 15, 2021
[Cover figure: Enterprise Risk Management Framework Model. Stages shown: Design Context; Identify Potential; Assess & Analyze Risk; Develop Alternatives; Response Strategies; Evaluate & Monitor.]

-------
Report Contributors: Leah Nikaidoh
Margaux Pastuck
Stephen Seifert
John Trefry
Khadija Walker
Abbreviations:
EPA: U.S. Environmental Protection Agency
ERM: Enterprise Risk Management
FMFIA: Federal Managers' Financial Integrity Act
GPRA: Government Performance and Results Act
OCFO: Office of the Chief Financial Officer
OIG: Office of Inspector General
OMB: Office of Management and Budget
U.S.C.: United States Code
Key Definitions:
Enterprise Risk Management: According to OMB Circular A-123, "ERM as a discipline deals with identifying, assessing, and managing risks. Through adequate risk management, agencies can concentrate efforts towards key points of failure and reduce or eliminate the potential for disruptive events."
Internal Control: The Government Accountability Office's Standards for Internal Control in the Federal Government states, "Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved."
Cover Image: An enterprise risk-management model covers the entire process of managing risk, from initial design to evaluation and monitoring of the effectiveness of an agency's systems to manage such risks. (EPA OIG image)
Are you aware of fraud, waste, or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oig
Subscribe to our Email Updates.
Follow us on Twitter @EPAoig.
Send us your Project Suggestions.

-------
Office of Inspector General
U.S. Environmental Protection Agency
At a Glance
22-E-0011
December 15, 2021
Why We Did This Evaluation
We conducted this evaluation to determine whether the U.S. Environmental Protection Agency's Office of the Chief Financial Officer is conducting agencywide entity-level risk assessments and implementing internal controls for annual and supplemental appropriations that comply with federal and Agency requirements.
Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, dated July 2016, requires federal agencies to integrate internal control activities under the umbrella of an enterprise risk-management program through a risk-assessment process. The U.S. Government Accountability Office's GAO-14-704G, Standards for Internal Control in the Federal Government, dated September 2014, provides the overall framework for establishing and maintaining an effective internal control system.
This evaluation supports EPA mission-related efforts:
•	Compliance with the law.
•	Operating efficiently and effectively.
This evaluation addresses a top EPA management challenge:
•	Managing infrastructure funding and business operations.
Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.
List of OIG reports.
EPA Has Not Performed Agencywide Risk Assessments, Increasing the Risk of Fraud, Waste, Abuse, and Mismanagement
What We Found
The Agency's Office of the Chief Financial Officer has been delegated the responsibility for implementing Office of Management and Budget Circular A-123. However, the OCFO has not performed agencywide entity-level risk assessments over the EPA's annual and supplemental appropriations. Specifically, the OCFO has not developed or implemented an agencywide entity-level risk-assessment process—in which executive officials are fully engaged in entity-level risk activities—to identify high-priority risks that cut across individual Agency programs. Such a process would ensure that the resources received through annual and supplemental appropriations are strategically targeted.
The OCFO has not updated its financial-management processes, policies, and
procedures to identify and address risks at the agencywide entity level. Rather,
the Agency continues to operate under an outdated division-level
risk-assessment process. As a result, the OCFO cannot provide the direction
necessary for its own office, let alone management and staff across the
Agency, to perform enterprise risk-management responsibilities, including
agencywide entity-level risk assessments for annual and supplemental
appropriations.
Recommendations and Planned Agency Corrective Actions
We modified our draft recommendations based on additional information that
the OCFO provided to us after reviewing our draft report. Our final report
contains two recommendations to the chief financial officer to ensure that the
Agency's senior leaders are aware of their responsibilities for implementing an
enterprise risk-management process that complies with Office of Management
and Budget requirements and that these responsibilities are reflected in the
EPA's policies.
Because the OCFO did not include estimated milestone dates with its corrective
action plan for Recommendation 1, this recommendation is unresolved. In
response to Recommendation 2, the Agency agreed to update its current
policies and procedures by December 31, 2021. Recommendation 2 is resolved
with corrective actions pending.
The OCFO cannot provide reasonable assurance that crosscutting risks are identified and mitigated and that Agency resources are directed to the most critical strategic needs.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
December 15, 2021
MEMORANDUM
SUBJECT: EPA Has Not Performed Agencywide Risk Assessments, Increasing the Risk of Fraud,
Waste, Abuse, and Mismanagement
Report No. 22-E-0011
This is our report on the subject evaluation conducted by the Office of Inspector General of the
U.S. Environmental Protection Agency. The project number for this evaluation was OA-FY21-0003. This
report contains findings that describe the problems the OIG has identified and the corrective action the
OIG recommends. Final determinations on matters in this report will be made by EPA managers in
accordance with established audit resolution procedures.
The Office of the Chief Financial Officer has the primary responsibility for the issues discussed in this
report.
In accordance with EPA Manual 2750, your office provided a written response to the findings and the
OIG recommendations. Your office provided acceptable corrective actions for Recommendation 2, which
is resolved.
Action Required
Recommendation 1 is unresolved. The resolution process, as described in the EPA's Audit Management
Procedures, begins immediately with the issuance of this report. Furthermore, we request a written
response to the final report within 60 days of this memorandum. Your response will be posted on the
OIG's website, along with our memorandum commenting on your response. Your response should be
provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the
Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want
to be released to the public; if your response contains such data, you should identify the data for redaction
or removal along with corresponding justification.
FROM: Sean W. O'Donnell
TO: Faisal Amin, Chief Financial Officer
We will post this report to our website at www.epa.gov/oig.

-------
EPA Has Not Performed Agencywide Risk Assessments, Increasing the Risk of Fraud, Waste, Abuse, and Mismanagement	22-E-0011
Table of Contents
Purpose	1
Background	1
Levels of Organizational Structure	2
OMB Guidance Integrates ERM and Budget Requirements	3
Requirements for Risk Profile	3
Responsible Offices	3
Scope and Methodology	3
Prior Reports	4
Results	5
Agencywide Entity-Level Risk Assessments Not Performed	5
EPA Policies and Procedures Related to OMB Circular A-123 Lack Agencywide Entity-Level Requirements	5
Conclusion	6
Recommendations	7
Status of Recommendations	9
Appendixes
A Interdependence Hierarchy of Federal Internal Control Requirements	10
B Prior EPA OIG Reports	11
C Agency Response to Draft Report	13
D Distribution	17

-------
Purpose
The Office of Inspector General initiated this evaluation to determine whether the U.S. Environmental
Protection Agency's Office of the Chief Financial Officer, or OCFO, is conducting agencywide entity-level
risk assessments and implementing internal controls for annual and supplemental appropriations that
comply with federal and Agency requirements.
Top Management Challenge Addressed
This evaluation addresses the following top management challenge for the Agency, as identified in OIG
Report No. 22-N-0004, EPA's Fiscal Year 2022 Top Management Challenges, issued November 12, 2021:
• Managing infrastructure funding and business operations.
Background
Enterprise risk management, or ERM, and internal control are components of a governance framework.
According to Office of Management and Budget Circular A-123, Management's Responsibility for
Enterprise Risk Management and Internal Control,1 "ERM as a discipline deals with identifying, assessing,
and managing risks. Through adequate risk management, agencies can concentrate efforts towards key
points of failure and reduce or eliminate the potential for disruptive events." According to the
U.S. Government Accountability Office's GAO-14-704G, Standards for Internal Control in the Federal
Government, known as the Green Book, "Internal control is a process effected by an entity's oversight
body, management, and other personnel that provides reasonable assurance that the objectives of an
entity will be achieved."
An entity-level risk assessment considers potential overarching or pervasive crosscutting effects on an
agency and results in agencywide and crosscutting risk identification. The purpose of an agencywide risk
assessment is to determine the magnitude of risks, both individually and collectively, to focus senior
management's attention on the most important threats and opportunities and to lay the groundwork
for risk response, which is how an agency's management will respond to identified risks. The
risk-assessment element of ERM measures and prioritizes risks so that risk levels are managed within
defined tolerance thresholds—that is, the amount of risk that the Agency is willing to accept—without
being overcontrolled or forgoing desirable opportunities.
In 2016, the OMB updated OMB Circular A-123 to require agencies to implement an ERM strategy so
that they will have:
[Appropriate risk management processes and systems to identify challenges early,
to bring them to the attention of Agency leadership, and to develop solutions ... to
ensure Federal managers are effectively managing risks an Agency faces toward
achieving its strategic objectives and arising from its activities and operations.
The circular requires agencies to implement an ERM capability that is coordinated with the strategic
planning and review process that the GPRA Modernization Act of 2010 established (GPRA stands for
1 OMB Circular A-123 was revised on July 15, 2016, through OMB Memorandum M-16-17, OMB Circular No. A-123,
Management's Responsibility for Enterprise Risk Management and Internal Control. Throughout our report,
references to OMB Circular A-123 will relate to this version, unless otherwise specified.
22-E-0011
1

-------
Government Performance and Results Act); the internal control processes that the Federal Managers'
Financial Integrity Act of 1982, or FMFIA, requires; and the Green Book.
ERM expands upon an agency's established strategic planning and reporting processes and internal
control systems by providing an enterprisewide, strategically aligned portfolio view of organizational
challenges. This view provides improved insight about how to more effectively prioritize and manage
risks to mission delivery (Table 1).
Table 1: Comparison between traditional risk management and ERM
Traditional risk management:
Risk management (project or program): Coordinated activities to direct and control an organization regarding risk.
Internal controls: A process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of the entity will be achieved.
ERM: An effective agencywide approach to addressing the full spectrum of the organization's significant risks by considering the combined array of risks as an interrelated portfolio, rather than addressing risks only within programs or silos.
Source: Excerpts from Playbook: Enterprise Risk Management for the U.S. Federal Government, issued by the
U.S. Chief Financial Officers Council and the Performance Improvement Council. (EPA OIG table)
The EPA's FY2018-FY2022 Strategic Plan describes how the Agency works toward its mission to protect
human health and the environment and provides the measures used to evaluate its success. In this plan,
the EPA identifies three overarching strategic goals to achieve its mission: (1) a cleaner, healthier
environment; (2) more effective partnerships; and (3) greater certainty, compliance, and effectiveness.
By implementing ERM, the EPA can effectively achieve results that support its mission and strategic goals.
Levels of Organizational Structure
The Green Book identifies the four levels of a federal agency that are responsible for internal control
implementation. The OCFO and the Office of Mission Support established language that bridges the
Agency's structural hierarchy and the Green Book's levels of organizational structure (Table 2).
Table 2: EPA-defined levels of organizational structure
Entity: Office of the Administrator or a national program office that has been delegated executive-level duties, such as OCFO's delegation to implement OMB Circular A-123 for the administrator. Agencywide controls that influence the entire organization, such as budget and human resources.
Division: National program office, such as the Office of Land and Emergency Management. An organization within the Agency that has national policy oversight responsibilities that are focused on a particular mission, such as air, water, land, and enforcement.
Operating unit: Subprogram within national program office or regional office, such as the Office of Land and Emergency Management's Office of Brownfields and Land Revitalization. An organization within the division that has the overall responsibility for managing a program and for implementing national policy.
Function: Service program or local office. Activity performed by a service program or local office, such as local facilities' management, purchase cards, grant and contract management, and records management.
Source: OIG summary of Green Book and EPA organizational information. (EPA OIG table)

-------
OMB Guidance Integrates ERM and Budget Requirements
Together, OMB Circulars A-11 and A-123 comprise the requirements for the ERM policy framework for
the federal government. OMB Circular A-11, Preparation, Submission, and Execution of the Budget,
incorporates OMB Circular A-123 ERM requirements into federal agency appropriations processes. OMB
Circular A-11 provides all agencies with guidance for the preparation of annual and supplemental
budgets, as well as with instructions on budget execution. Section 200 of OMB Circular A-11 describes the
relationship between key parts of the ERM framework in OMB Circular A-123 and its integration with the
federal performance framework established by the GPRA Modernization Act of 2010, including the
consideration of enterprise risks during the development of agency strategic plans and strategies to
mitigate risks as part of annual strategic review assessments.
Requirements for Risk Profile
OMB Circular A-123, section II, "Establishing Enterprise Risk Management in Management Practices," requires each federal agency to maintain a risk profile. A risk profile is a prioritized inventory of the agency's most significant risks identified and assessed through the risk-assessment process. The risk profile must consider all risks from a portfolio (crosscutting and interrelationship) perspective. It must be approved by the agency's ERM governance.
Responsible Offices
The OCFO is responsible for the issues discussed in this report. Specifically, EPA 1200 Delegations
Manual, Chapter 1-16, "Agency Chief Financial Officer/Accounting, Budgeting, and Other Financial
Management Activities," last updated in April 2020, delegates authority for financial management and
integrity activities for program and OCFO operations. It details a variety of accounting, budgeting, and
financial-reporting duties delegated to the chief financial officer, who is the head of the OCFO. The
delegation identifies the duties of the chief financial officer, such as establishing, reviewing, and
enforcing internal control policies. According to the EPA's controller, although OMB Circular A-123 is not
specifically identified in the delegation, the implementation of OMB guidance falls under the
OCFO's internal control responsibilities. Within the OCFO, the Office of the Controller is responsible for:
•	Interpreting fiscal legislation.
•	Leading and managing compliance with OMB Circular A-123.
•	Documenting program offices' internal controls.
Risk Profile
"A portfolio view of risk provides insight into all areas of organizational exposure to risk (such as reputational, programmatic performance, financial, information technology, acquisitions, human capital, etc.), thus increasing an Agency's chances of experiencing fewer unanticipated outcomes and executing a better assessment of risk associated with changes in the environment."
—OMB Circular A-123
Scope and Methodology
We conducted this evaluation from September 2020 to August 2021 in accordance with the Quality
Standards for Inspection and Evaluation, which was published in January 2012 by the Council of the
Inspectors General on Integrity and Efficiency. These standards require that we perform the evaluation
to obtain sufficient, competent, and relevant evidence to provide a reasonable basis for our findings,

-------
conclusions, and recommendations based on our objectives. We believe that the evidence obtained
provides a reasonable basis for our findings, conclusions, and recommendations.
To address our objective, we:
•	Identified OMB Circular A-123, FMFIA, and Green Book criteria.
•	Assessed OCFO actions and guidance related to annual and supplemental appropriations, risk
assessment, and mitigation of internal controls.
•	Compared the relevant criteria to the Agency's policies, procedures, and documentation to
determine compliance with federal requirements.
•	Reviewed Agency documentation to assess ERM compliance and effectiveness.
•	Conducted interviews with OCFO personnel.
•	Obtained and reviewed supporting ERM documentation, directives, policies, and procedures to
identify and verify key ERM processes that management had in place.
This report is based on the evidence collected and verified from the OCFO's management. We assessed
this evidence to determine whether the Agency's actions were consistent with the:
•	FMFIA requirement to establish an internal control system that provides reasonable assurance
of achieving internal control objectives.
•	OMB Circular A-123 requirement to integrate and coordinate risk management with other
internal control-related activities.
•	Green Book framework to establish and maintain an effective internal control system.
•	Resource Management Directives System Policy Manual 2520 requirement to manage funds
effectively and efficiently while following applicable rules, statutes, and regulations.
•	44 U.S.C. chapter 31, "Records Management by Federal Agencies," requirement to make and
maintain accurate and proper documentation of activities, decisions, policies, and procedures.
•	EPA Records Schedule 1006, Administrative Management, requirement to retain administrative
management records for six years.
Appendix A details the interdependency of the federal internal control requirements.
Prior Reports
From 2017 through 2021, the OIG issued eight reports notifying the Agency of the lack of risk
assessments at both the program and entity level (Appendix B). Two of these reports specifically
identified Agency noncompliance with risk-assessment requirements in OMB Circular A-123:
• Report No. 21-E-0128, EPA Did Not Conduct Agencywide Risk Assessment of CARES Act
Appropriations, Increasing Risk of Fraud, Waste, Abuse, and Mismanagement, issued May 4,
2021. Despite OMB Circular A-123 and Green Book requirements, the OCFO did not conduct an

-------
agencywide risk assessment of funding from the Coronavirus Aid, Relief, and Economic Security
Act to identify risks that could impact the success of the Act's objectives. We also found that
related Agency guidance needed to be updated to reflect the 2016 OMB Circular A-123 ERM
requirements. The OIG made two recommendations to the OCFO. The OCFO agreed to update
its guidance, as well as to perform and document its risk assessment for the Act's supplemental
appropriations. The OCFO certified that all corrective actions were completed as of October 1,
2021.
• Report No. 20-P-0170, EPA Needs to Conduct Risk Assessments When Designing and
Implementing Programs, issued May 18, 2020. The OIG found that the Agency needs to conduct
risk assessments when designing and implementing programs in accordance with the Green
Book and OMB Circular A-123. The OIG made one recommendation, with which the Agency
agreed. The OCFO certified that it completed the corrective actions for this recommendation on
August 13, 2021.
Results
Agencywide Entity-Level Risk Assessments Not Performed
OMB Circular A-123, as revised in 2016, requires that federal agencies conduct agencywide entity-level
risk assessments. OMB Circular A-ll incorporates OMB Circular A-123 ERM requirements into federal
agency appropriations processes. As such, ERM risk assessments aid agencies in the preparation of
annual and supplemental budgets and oversight of resulting appropriations.
However, the EPA has not performed these entity-level risk assessments. Specifically, the OCFO has not
developed or implemented an agencywide entity-level risk-assessment process—in which executive
officials are fully engaged in entity-level risk activities, as outlined previously in Table 2—to identify
high-priority, crosscutting risks. Such a process would ensure that the resources received from annual
and supplemental funding are strategically targeted.
This occurred because the OCFO has not updated its financial-management processes, policies, and
procedures to identify and address risks at the agencywide level as part of the ERM process. The Agency
continues to operate under an outdated, stovepipe-type risk-management process, in which risks are
assessed at the division level without considering whether the identified division-level risks could impact
agencywide operations. Without an annual agencywide entity-level assessment, the OCFO cannot
provide reasonable assurance that it identifies and mitigates crosscutting risks and that it directs Agency
resources to the most critical strategic issues.
EPA Policies and Procedures Related to OMB Circular A-123 Lack Agencywide
Entity-Level Requirements
The OCFO's policies and procedures related to OMB Circular A-123, based on its 2004 revisions,
incorporate the provisions of ERM for annual and supplemental appropriations at the division level.
However, these policies and procedures do not incorporate an agencywide entity-level approach per the
2016 version of OMB Circular A-123, as shown in Table 3.

-------
Table 3: ERM deficiencies in key Agency guidance
Title: Resource Management Directives System Policy Manual 2520, Administrative Control of Appropriated and Other Funds
Effective date: December 2015
Key requirements: Provides guidance to Agency managers on using a variety of tools to achieve desired program results. Intended to implement OMB Circular A-123 and FMFIA.
ERM deficiency examples: Describes an OMB Circular A-123 process that reflects the traditional risk-management process and does not incorporate an enterprisewide approach.
Title: EPA Order 1000.24 Change 2, Management's Responsibility for Internal Controls, July 2008
Effective date: July 2008
Key requirements: Identifies management's responsibility for internal control.
ERM deficiency examples: Is outdated and does not implement the 2016 revision of OMB Circular A-123.
Title: EPA Delegation 1-16, Agency CFO-Accounting, Budgeting, and Other Financial Management Activities
Effective date: 2020 Update
Key requirements: Delegates authority for financial management and integrity activities for programs and operations of the Agency to the chief financial officer, including establishing, reviewing, and enforcing internal control policies.
ERM deficiency examples: Does not specifically identify OMB Circular A-123 and does not include what responsibilities senior leadership will maintain to fully implement ERM, which would include the entity-level risk-assessment process.
Source: OIG analysis of Agency policies and procedures. (EPA OIG table)
OCFO representatives informed us that the OCFO does not have an agencywide risk profile or similar
document and does not conduct risk assessments for its annual or supplemental appropriations. Rather,
as documented in its policies and procedures, the OCFO assesses programmatic risk at the division level
and has a corresponding risk-response process. The EPA ranks these programmatic risks to develop a
risk profile coordinated with annual strategic reviews at the division level. The OCFO aggregates
information collected from the program offices, but it does not analyze risk at the agencywide entity
level to determine whether agencywide and crosscutting issues may exist. Because the Agency has not
implemented ERM at the agencywide entity level, we are unable to quantify the impact of ERM as it
relates to annual and supplemental appropriations.
Conclusion
The OCFO is responsible for interpreting fiscal legislation, leading and managing compliance with OMB
Circular A-123, and conducting agencywide risk assessments for all appropriations. Risk assessment
should drive internal control activities and should monitor their effectiveness. The OCFO has not fully
implemented the requirements of OMB Circular A-123, specifically the ERM process at the entity level.
Because of its outdated policies, the OCFO relies on division-level offices' assurances that internal
controls are effective and does not audit the information or conduct entity-level risk assessments for
agencywide and crosscutting issues. By following outdated division-level risk-management processes,
the OCFO, as delegated by the Agency, cannot provide the direction necessary for management and
staff to perform their ERM responsibilities, including agencywide entity-level risk assessments for annual
and supplemental appropriations. In addition, the OCFO cannot provide reasonable assurance that
crosscutting risks are identified and mitigated and that Agency resources are directed to the most
critical strategic issues.

-------
Recommendations
We recommend that the chief financial officer:
1.	Improve the Agency's strategy for implementing enterprise risk management by incorporating
and communicating the executive-official engagement needed in risk activities to achieve full
compliance with Office of Management and Budget Circular A-123, Management's
Responsibility for Enterprise Risk Management and Internal Control.
2.	Establish Agency policies and procedures—including updates to Resource Management
Directives System 2520, Administrative Control of Appropriated and Other Funds; EPA
Order 1000.24, Management's Responsibility for Internal Controls; and EPA Delegation 1-16,
Agency CFO-Accounting, Budgeting, and Other Financial Management Activities—to comply
with Office of Management and Budget Circular A-123, Management's Responsibility for
Enterprise Risk Management and Internal Control.
Agency Response and OIG Assessment
The OIG met with the OCFO on October 4, 2021, to discuss our draft report findings and
recommendations. The OCFO provided a response to the draft report on October 12, 2021 (Appendix C).
The OCFO disagreed with Recommendation 1 as drafted but provided corrective actions to address the
recommendation. The OCFO agreed with Recommendation 2.
Our draft Recommendation 1 stated that the chief financial officer should "[d]evelop and communicate
a strategy to implement, direct, and oversee Agencywide enterprise risk management, as required by
the 2016 revision of Office of Management and Budget Circular A-123." The OCFO disagreed that it
needed to develop and communicate a strategy since it initiated ERM as part of its strategic reviews in
2016 and aligned ERM with its internal control program in 2017. The OCFO provided us with additional
information on its actions, and we agree that the Agency has initiated efforts to develop and
communicate an ERM strategy. However, as presented in our report, the Agency's initial efforts relied
upon risk assessments at the senior-leadership or EPA-program level. The OCFO did not demonstrate
that the entity level of the Agency, as defined in Table 2, "EPA-defined levels of organizational
structure," actively participated in the agencywide risk-assessment process through the development of
an entity-level risk inventory and risk profile as part of its executive-level duties.
Although the Agency disagreed with our draft report Recommendation 1 as written, the Agency agreed
that it could improve implementation of its ERM program and provided a corrective action plan, which
included two actions:
•	Strengthen the annual Strategic Review and Internal Control Guidance to ensure Agency senior
managers are aware of their responsibilities for ERM and internal control activities.
•	More explicitly communicate ERM and internal controls responsibilities to the Agency.
We agree that these actions would address the intent of our draft report recommendation, as long as
they (1) address the executive-official engagement needed at the entity level to ensure compliance with
OMB Circular A-123 and (2) include a specific completion date. Accordingly, we revised
Recommendation 1. However, because the EPA's corrective action plan did not include estimated
milestone dates, we consider this recommendation unresolved.

-------
The OCFO agreed with our draft Recommendation 2, which stated, "After developing the strategy from
Recommendation 1, establish Agency policies and procedures, including updates to Resource
Management Directives System 2520, Administrative Control of Appropriated and Other Funds, EPA
Order 1000.24, and EPA Delegation 1-16, to comply with Office of Management and Budget
Circular A-123 requirements." According to the OCFO, it has begun updating ERM-related policies and
procedures and plans to complete its corrective actions by December 31, 2021. Since the OCFO provided
evidence of its efforts to develop and communicate an agencywide ERM strategy in response to draft
Recommendation 1, we revised Recommendation 2 to eliminate the reference to the "strategy." We
consider this recommendation to be resolved with corrective actions pending.

-------
Status of Recommendations

Recommendation 1 (page 7)
Subject: Improve the Agency's strategy for implementing enterprise risk management by incorporating
and communicating the executive-official engagement needed in risk activities to achieve full compliance
with Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk
Management and Internal Control.
Status: U
Action Official: Chief Financial Officer

Recommendation 2 (page 7)
Subject: Establish Agency policies and procedures—including updates to Resource Management
Directives System 2520, Administrative Control of Appropriated and Other Funds; EPA Order 1000.24,
Management's Responsibility for Internal Controls; and EPA Delegation 1-16, Agency CFO-Accounting,
Budgeting, and Other Financial Management Activities—to comply with Office of Management and
Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal
Control.
Status: R
Action Official: Chief Financial Officer
Planned Completion Date: 12/31/21

Status key: C = Corrective action completed. R = Recommendation resolved with corrective action
pending. U = Recommendation unresolved with resolution efforts in progress.
Appendix A
Interdependence Hierarchy
of Federal Internal Control Requirements
The FMFIA requires each executive federal agency to establish an internal control system that provides
reasonable assurances that:
(i) obligations and costs are in compliance with applicable law;
(ii) funds, property, and other assets are safeguarded against waste, loss,
unauthorized use, or misappropriation; and
(iii) revenues and expenditures applicable to agency operations are properly recorded
and accounted for to permit the preparation of accounts and reliable financial and
statistical reports and to maintain accountability over the assets.
The GPRA Modernization Act of 2010 amended the GPRA of 1993 to require each executive agency to
annually make its strategic plan available on its public website and to the OMB. The GPRA
Modernization Act of 2010 also requires agencies to prepare and submit, as part of their annual budget
submissions, performance plans that include agency priority goals. Agencies will, on a quarterly basis,
assess performance information related to their priority goals identified in the annual performance
plans. As a result, the Act creates a process or framework that clearly links strategic planning to annual
performance goals and results reporting.
The Green Book serves as the framework for federal agencies to develop, implement, and operate an
effective internal control system. Through the implementation of Green Book standards, federal agencies
will have the ability to comply with OMB Circular A-123 assessment and reporting requirements.
The OCFO's Resource Management Directives
System Policy Manual 2520 implements OMB
Circular A-123. The manual provides guidance to
Agency managers on using a variety of tools to
achieve desired program results and meeting the
requirements of the FMFIA. In addition, the manual
identifies the EPA's fund-control principles, as well as
the policies and procedures that apply to all program
offices.
EPA Order 1000.24 identifies management's
requirements to establish and maintain effective
internal controls over program operations.
Together, the FMFIA, OMB Circular A-123, the Green
Book, and EPA policies create an interdependent
hierarchy that emphasizes the risk-assessment
process, both financial and operational, for all levels
of the organization (Figure A-1).
[Figure A-1: The interdependent hierarchy of federal internal control requirements. Labels recovered
from the image: OMB Circular A-123; EPA Policies. Source: OIG analysis of federal requirements.
(EPA OIG image) Legend: GPRAMA = Government Performance and Results Modernization Act of 2010]
Appendix B
Prior EPA OIG Reports
The table below lists EPA OIG audit reports issued from 2017 through 2021 that identified deficiencies
related to risk assessments, internal control design, and implementation and monitoring of internal
controls at the program and entity level. The OIG findings and recommendations consistently identified
noncompliance with the FMFIA, OMB Circular A-123, and the Green Book.
Report number; Title; Date; Findings

17-P-0205; "Controls Needed to Track Changes to EPA's Compass Financials Data"; May 8, 2017;
Findings: OCFO needs to strengthen internal controls to certify that any changes made to the Compass
Financials application are implemented based on management approval. OCFO lacked documentation to
support the approval and verification of direct modifications made to the Compass database.

17-P-0407; "EPA Needs to Strengthen Internal Controls Over Retention Incentives"; September 26, 2017;
Findings: EPA did not perform monitoring reviews due to a misunderstanding of oversight responsibilities
among various program offices.

18-P-0250; "Management Alert: EPA Oversight of Employee Debt Waiver Process Needs Immediate
Attention"; September 12, 2018;
Findings: Internal controls failed to detect EPA employee debt waiver requests, even though the Agency's
payroll provider forwarded this information to EPA's OCFO. OCFO was not aware of the missing waivers
until OIG brought them to the office's attention.

20-P-0170; "EPA Needs to Conduct Risk Assessments When Designing and Implementing Programs";
May 18, 2020;
Findings: EPA needs to conduct risk assessments when designing and implementing programs in
accordance with the Green Book and OMB Circular A-123.

20-P-0194; "EPA's Office of the Chief Financial Officer Lacks Authority to Make Decisions on
Employee-Debt Waiver Requests"; June 15, 2020;
Findings: OCFO improperly made decisions on employee debt waiver requests that resulted in erroneous
overpayments for salary, travel, transportation, or relocation expenses.

20-P-0200; "EPA Needs to Address Internal Control Deficiencies in the Agencywide Quality System";
June 22, 2020;
Findings: The Office of Mission Support has not fully implemented internal controls for the mandatory
Agencywide Quality System. It has not reviewed policies, procedures, and guidance within required time
frames. For example, reviews of two quality policies were 15 years overdue. Additionally, the Office of
Mission Support has not conducted required annual reviews for five years, has not assessed staff and
resource needs since 2008, and has not performed a programmatic risk assessment.

21-P-0042; "EPA Needs to Substantially Improve Oversight of Its Military Leave Processes to Prevent
Improper Payments"; December 28, 2020;
Findings: EPA has not fully complied with federal laws related to military leave, reservist differential,
and military offset. This occurred because Agency management did not establish effective internal
controls to implement these laws. EPA instead relied on reservists, their supervisors, and the Agency's
federal payroll provider to comply with federal requirements.

21-E-0128; "EPA Did Not Conduct Agencywide Risk Assessment of CARES Act Appropriations,
Increasing Risk of Fraud, Waste, Abuse, and Mismanagement"; May 4, 2021;
Findings: Despite OMB Circular A-123 and Green Book requirements, OCFO did not conduct an
agencywide risk assessment of funding from the Coronavirus Aid, Relief, and Economic Security Act to
identify risks that could impact the success of the Act's objectives.
Appendix C
Agency Response to Draft Report
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
October 12, 2021
OFFICE OF THE
CHIEF FINANCIAL OFFICER
MEMORANDUM
SUBJECT: Response to the Office of Inspector General Draft Report, Project No. OA-FY21-0003,
"EPA's Office of the Chief Financial Officer Has Not Performed Agencywide Risk
Assessments, Increasing the Risk of Fraud, Waste, Abuse, and Mismanagement," dated
August 26, 2021
FROM: Faisal Amin, Chief Financial Officer
Office of the Chief Financial Officer
(Digitally signed by Amin, Faisal, 2021.10.12)
TO: Khadija E. Walker, Director
Contract and Assistance Agreement Directorate
Office of Audit
Thank you for the opportunity to respond to the issues and recommendations in the subject draft
report. The following is a summary of the U.S. Environmental Protection Agency's overall
position along with its position on the report's recommendations.
AGENCY'S OVERALL POSITION
The draft report contains two recommendations for the Office of the Chief Financial Officer. The
OCFO agrees with Recommendation 2 and has already established corrective actions; however,
the OCFO disagrees with Recommendation 1, as written, but offers corrective actions based on
our understanding of the intent of the recommendation to improve the EPA's Enterprise Risk
Management program. As discussed at the October 4, 2021, exit conference with your office, the
OCFO agreed to provide suggested language for Recommendation 1 and asks that the OIG also
consider changing language in the report to align with the recommendation:
The OCFO should continue to strengthen its communication and oversight over
agencywide enterprise risk management, as required by the 2016 revision of Office of
Management and Budget's Circular A-123.
During the Office of Inspector General's fieldwork for this engagement, the OIG advised the
OCFO that the focus and objective of this engagement was on risk assessments for supplemental
appropriations. However, based upon the title of this draft report and the findings within, it
appears the OIG has broadened its scope to focus on the agency's implementation of Enterprise
Risk Management rather than risk assessments solely related to annual and supplemental
appropriations.
The draft document states the OCFO did not concur with two recommendations within the OIG's
Report No. 21-E-0128, "EPA Did Not Conduct Agencywide Risk Assessment of CARES Act
Appropriations, Increasing Risk of Fraud, Waste, Abuse, and Mismanagement" dated May 4,
2021. However, on June 28, 2021, the OCFO provided the OIG a response that the OCFO
concurred with the OIG's recommendation to perform and document a risk assessment for the
Coronavirus Aid, Relief, and Economic Security Act and subsequent supplemental
appropriations. To implement this recommendation, the OCFO has coordinated developing
entity-wide risk assessments for the CARES Act and the American Rescue Plan Act of 2021 and
is currently preparing to do so for future supplemental appropriations.
The OCFO would like to take this opportunity to briefly describe its management of the EPA's
ERM program, internal controls, and risk assessments for annual and supplemental appropriations.
ENTERPRISE RISK MANAGEMENT
The EPA initiated ERM as an integral part of agency strategic reviews in FY 2016 and aligned it
with the internal control program in FY 2017, following issuance of the OMB's A-123 revision
and updates to A-11 on strategic reviews. The OCFO established a systematic risk assessment
process to identify and assess risks to achieve the strategic objectives in the EPA's Strategic Plan.
The OCFO provides annual guidance to agency senior leaders, as well as a tool to support
completing the risk assessments. Agency senior leaders review available data and evidence (e.g.,
performance data trends, program evaluations, strategic foresight horizon scanning, OIG and GAO
reports, internal control reviews, and program risk assessments) and rely on their judgment and
experience in assessing risks to achieve the strategic objectives. The OCFO reviews and analyzes
the results of the strategic objective risk assessments to identify common themes across the
agency's significant risks. The CFO briefs senior leaders on the top significant risks that are then
ranked by agency senior leadership to determine the agency's enterprise risks. This enterprise risk
profile constitutes the most significant risks the agency faces toward achieving its strategic
objectives in the EPA's Strategic Plan. Senior leaders are then responsible for identifying actions
to mitigate the enterprise risks and providing quarterly progress reports to the OCFO and agency
leadership as needed.
INTERNAL CONTROLS
To comply with requirements in the Federal Managers' Financial Integrity Act, the OCFO
provides instructions and tools to senior managers through its annual guidance for preparing the
Assistant Administrators' and Regional Administrators' annual assurance letters. Senior
managers are responsible for identifying and assessing program risks, establishing internal
controls, and attesting to the soundness of internal controls for their respective organization.
During the review and analysis, the OCFO verifies compliance with agency guidance, notes the
status and progress in addressing current weaknesses, and identifies emerging and cross-cutting
issues that require senior management attention.
The OCFO also conducts reviews of cross-agency processes (i.e., travel, payroll, media
programs) to evaluate the effectiveness of internal controls and identify deficiencies that impact
the agency overall. The OCFO provides its assessment of the AAs' and RAs' assurance letters
and identified weaknesses as the basis for developing the Administrator's statement of assurance
on the overall effectiveness of the agency's internal controls. This information also is used to
identify which cross-cutting areas or functions that program offices will be required to evaluate
and report on in the future.
ANNUAL AND SUPPLEMENTAL RISK ASSESSMENTS
As discussed above, the OCFO agreed with the OIG's recommendation to perform and document
risk assessments for supplemental appropriations in its June 28, 2021, CARES Act audit response.
In July, the OCFO coordinated with program and regional offices to conduct the CARES Act and
American Rescue Plan Act risk assessments and developed a format and procedures to assess and
document risks for future supplemental appropriations. The OCFO worked with other offices to
develop a standard format to collect and analyze and assess risks as well as updated its operating
procedures to ensure that risk assessments for appropriations are documented. The standard
format identifies particular risks, the fund involved, estimated risk likelihood, impact and overall
risk ranking, risk functional area (e.g., contracts, grants, finance) and any related internal
controls descriptions and implementation status. The OCFO also updated Standard Operating
Procedures related to appropriations to incorporate these changes.
RESPONSE TO RECOMMENDATIONS
The OCFO disagrees with Recommendation 1 and concurs with Recommendation 2 as described
below.
No. 1
Recommendation: Develop and communicate a strategy to implement, direct, and oversee agencywide
enterprise risk management, as required by the 2016 revision of Office of Management and Budget
Circular A-123.
High-Level Corrective Action(s): The OCFO disagrees with the OIG's statement that the OCFO needs
to develop, communicate, and implement agencywide ERM. The EPA initiated ERM as an integral part
of the agency's strategic reviews in 2016 and aligned it with the internal control program in 2017.
Notably, in FY 2020 the agency began incorporating program risk assessments in its annual guidance.
However, the OCFO recognized we could improve the program and will continue to strengthen the
annual Strategic Review and Internal Control Guidance to ensure agency senior managers are aware of
their responsibilities for ERM and internal control activities. As part of these efforts, beginning in
FY 2021, the OCFO implemented performing and documenting risk assessments for all supplemental
appropriations. The OCFO also will be more explicit in communicating ERM and internal controls
responsibilities to the agency.
Estimated Completion Date: February 2020; Ongoing

No. 2
Recommendation: After developing the strategy from Recommendation 1, establish agency policies and
procedures, including updates to Resource Management Directives System 2520, Administrative Control
of Appropriated and Other Funds, EPA Order 1000.24, and EPA Delegation 1-16, to comply with Office
of Management and Budget Circular A-123 requirements.
High-Level Corrective Action(s): The OCFO agrees with the recommendation to update ERM and
internal controls guidance to reflect the 2016 revisions of the OMB's Circular A-123. The OCFO already
began updating the Resource Management Directives System (RMDS) 2520: Administrative Control of
Appropriated and Other Funds; EPA Order 1000.24, Management's Responsibility for Enterprise Risk
Management and Internal Control; and Delegation 1-16, Agency Chief Financial Officer Accounting,
Budgeting and Other Financial Management Activities.
Estimated Completion Date: 12/31/2021
CONTACT INFORMATION
If you have any questions regarding this response, please contact the OCFO's Audit Follow-up
Coordinator, Andrew LeBlanc, at leblanc.andrew@epa.gov or (202) 564-1761.
cc: David Bloom
Carol Terris
Lek Kadeli
Jeanne Conklin
Meshell Jones-Peeler
Richard Gray
OCFO-OC-MANAGERS
Kathy O'Brien
John Hall
Holly Green
Annette Morant
Hayley Gross
Elizabeth Chabkoun
Andrew LeBlanc
Jose Kercado
Appendix D
Distribution
The Administrator
Deputy Administrator
Chief of Staff, Office of the Administrator
Deputy Chief of Staff, Office of the Administrator
Chief Financial Officer
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Chief Financial Officer
Associate Chief Financial Officer
Associate Chief Financial Officer for Policy
Controller
Deputy Controller
Director, Policy, Training, and Accountability Division, Office of the Controller
Chief, Management, Integrity, and Accountability Branch; Policy, Training, and Accountability Division,
Office of the Controller
Director, Office of Continuous Improvement, Office of the Chief Financial Officer
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of the Chief Financial Officer