December 15, 2021
Why We Did This Evaluation
We conducted this evaluation to determine whether the U.S. Environmental Protection Agency's Office of the Chief Financial Officer is conducting agencywide entity-level risk assessments and implementing internal controls for annual and supplemental appropriations that comply with federal and Agency
Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, dated July 2016, requires federal agencies to integrate internal control activities under the umbrella of an enterprise risk-management program through a risk-assessment process. The U.S. Government Accountability Office's GAO-14-704G, Standards for Internal Control in the Federal Government, dated September 2014, provides the overall framework for establishing and maintaining an effective internal control system.
This evaluation supports EPA mission-related efforts:
•	Compliance with the law.
•	Operating efficiently and
This evaluation addresses a top EPA management challenge:
•	Managing infrastructure funding and business operations.
EPA Has Not Performed Agencywide Risk Assessments, Increasing the Risk of Fraud, Waste, Abuse, and Mismanagement
What We Found
The Agency's Office of the Chief Financial Officer has been delegated the responsibility for implementing Office of Management and Budget Circular A-123. However, the OCFO has not performed agencywide entity-level risk assessments over the EPA's annual and supplemental appropriations. Specifically, the OCFO has not developed or implemented an agencywide entity-level risk-assessment process—in which executive officials are fully engaged in entity-level risk activities—to identify high-priority risks that cut across individual Agency programs. Such a process would ensure that the resources received through annual and supplemental appropriations are strategically targeted.
The OCFO has not updated its financial-management processes, policies, and
procedures to identify and address risks at the agencywide entity level. Rather,
the Agency continues to operate under an outdated division-level
risk-assessment process. As a result, the OCFO cannot provide the direction
necessary for its own office, let alone management and staff across the
Agency, to perform enterprise risk-management responsibilities, including
agencywide entity-level risk assessments for annual and supplemental
Recommendations and Planned Agency Corrective Actions
We modified our draft recommendations based on additional information that
the OCFO provided to us after reviewing our draft report. Our final report
contains two recommendations to the chief financial officer to ensure that the
Agency's senior leaders are aware of their responsibilities for implementing an
enterprise risk-management process that complies with Office of Management
and Budget requirements and that these responsibilities are reflected in the
EPA's policies.
Because the OCFO did not include estimated milestone dates with its corrective
action plan for Recommendation 1, this recommendation is unresolved. In
response to Recommendation 2, the Agency agreed to update its current
policies and procedures by December 31, 2021. Recommendation 2 is resolved
with corrective actions pending.
The OCFO cannot provide reasonable assurance that crosscutting risks are identified and mitigated and that Agency resources are directed to the most critical strategic needs.