Signature The EPA Complied with the Payment Integrity Information Act for Fiscal Year 2023 but Needs to Improve Its Oversight Efforts for Improper and Unknown Payment Activities BILL TO xxxxxxxx May 29, 2024 | Report No. 24-P-0041 payment stream DESCRIPTION Commoames Contracts CWSRF dwsrf Grants payroll Purchase Card Travel WIFIA Grartd Total $19t,484,025-00 S1,254.895.459-91 S2.30B.914,696-31 SI .378.109.325.54 SI.895.957,326.51 $2,795,720-882.37 $29,281,832.53 $41,503,035.46 5299.420,390-29 ,195,266.975.92 \tlSPEC ITAL PR©1 ------- Report Contributors Katelyn Bell Ryan Dzakovic LaTanya Furdge Daljit Loh Gloria Taylor-Upshaw Selina Yu Alexandra Zapata-Torres Abbreviations AFR Agency Financial Report EPA U.S. Environmental Protection Agency FY Fiscal Year OCFO Office of the Chief Financial Officer OGD Office of Grants and Debarment OIG Office of Inspector General OMB Office of Management and Budget PI IA Payment Integrity Information Act of 2019 Key Definitions Improper Payment Proper Payment Quantitative Risk Assessment Qualitative Risk Assessment Unknown Payment A payment made in an incorrect amount or to the wrong recipient. A payment made to the right recipient for the right amount. A statistical or nonstatistical assessment to assess the probability of improper payments. A technique used to quantify the risk associated with improper payments and unknown payments. A payment that was made without sufficient documentation for the agency to determine whether the payment falls into the proper or improper category. Cover Image The EPA's payment streams or programs with annual outlays greater than $10 million for fiscal year 2023. (EPA OIG image) Are you aware of fraud, waste, or abuse in an EPA program? EPA Inspector General Hotline 1200 Pennsylvania Avenue, NW (2431T) Washington, D.C. 20460 (888) 546-8740 (202) 566-2599 (fax) OIG.Hotline@epa.qov Learn more about our OIG Hotline. EPA Office of Inspector General 1200 Pennsylvania Avenue, NW (2410T) Washington, D.C. 20460 (202) 566-2391 www.epaoiq.gov Subscribe to our Email Updates. Follow us on X (formerly Twitter) @EPAoiq. Send us your Project Suggestions. ------- 24-P-0041 May 29, 2024 At a Glance The EPA Complied with the Payment Integrity Information Act for Fiscal Year 2023 but Needs to Improve Its Oversight Efforts for Improper and Unknown Payment Activities Why We Did This Audit To accomplish this objective: The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to determine whether the EPA complied with the Payment Integrity Information Act of 2019 for fiscal year 2023 reporting and to evaluate the EPA's corrective action plans and efforts to prevent and reduce improper payments from prior audit recommendations. The Payment Integrity Information Act of 2019 requires inspectors general to determine and report their agencies' compliance with the Act every fiscal year. The Act also requires the heads of each agency to periodically review and identify all programs and activities with costs exceeding the $10 million statutory threshold to determine whether they are susceptible to significant improper payments. The Payment Integrity Information Act of 2019 and Office of Management and Budget Circular A-123, Appendix C, require each agency to publish payment integrity information with its annual financial statements. Agency inspectors general are to review payment integrity reporting for compliance and issue an annual report. To support this EPA mission-related effort: • Compliance with the law. What We Found The EPA complied with the requirements of the Payment Integrity Information Act of 2019, or PIIA, and the applicable Office of Management and Budget guidance for its fiscal year 2023 reporting. Pursuant to the PIIA, the EPA is required to comply with three of the ten requirements for its FY 2023 reporting: • Publish payment integrity information in its Agency financial statement. • Post the Agency financial statement on its website. • Conduct risk assessments at least once every three years for each program with annual outlays greater than $10 million. The EPA has made progress in resolving corrective action plans and efforts to prevent and reduce improper payments from prior audit recommendations, but Agency corrective actions are still in process. We will review the corrective actions in the FY 2024 PIIA compliance audit. The Agency satisfied these requirements for PIIA compliance for FY 2023 but has an opportunity to improve internal controls to provide better oversight of its payment integrity activities. Specifically, we found that the EPA lacked (1) documentation to support its conclusions for determining payment stream susceptibility to improper payments and (2) proper monitoring of the resolution of the unknown payments from the grant payment stream and agencywide payment integrity performance. By not having documentation to support conclusions and proper monitoring, the EPA's risk for ineffective management is increased. The EPA needs to improve its internal controls to better document and monitor payment integrity activities; maximize the likelihood of preventing, reducing, and recovering improper payments; and reduce its risk of ineffectively managing payment integrity activities. Recommendations and Planned Agency Corrective Actions We recommend that the chief financial officer develop guidance for generating and maintaining documentation to support risk assessment determinations of whether EPA programs are susceptible to significant improper payments. Also, the EPA should develop oversight guidance and mechanisms to monitor the resolution of unknown payments, as well as develop processes and tools to periodically collect and analyze agencywide payment integrity activities and related information for preventing and reducing improper and unknown payments. The Office of the Chief Financial Officer agreed with our recommendations. We agree with the Agency's planned corrective actions for all recommendations, and we will evaluate the Agency's responses during our next fiscal year audit. We consider the recommendations resolved with corrective actions pending. Address inquiries to our public affairs office at (202) 566-2391 or OIG.PublicAffairs@epa.gov. List of OIG reports. ------- U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL May 29, 2024 MEMORANDUM SUBJECT: The EPA Complied with the Payment Integrity Information Act for Fiscal Year 2023 but Needs to Improve Its Oversight Efforts for Improper and Unknown Payment Activities Report No. 24-P-0041 This is our report on the subject audit conducted by the U.S. Environmental Protection Agency Office of Inspector General. The project number for this audit was QA-FY24-0021. This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures. The Office of the Chief Financial Officer is responsible for the issues discussed in this report. In accordance with EPA Manual 2750, your office provided acceptable planned corrective actions and estimated milestone dates in response to the OIG recommendations. All recommendations are resolved, and no final response to this report is required. If you submit a response, however, it will be posted on the OIG's website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification. We will post this report to our website at www.epaoig.gov. To report potential fraud, waste, abuse, misconduct, or mismanagement, contact the OIG Hotline at (888) 546-8740 or OIG.Hotline@epa.gov. FROM: Sean W. O'Donnell, Inspector General TO: Faisal Amin, Chief Financial Officer ------- Table of Contents 1. Introduction 1 Purpose 1 Background 1 Responsible Offices 4 Scope and Methodology 4 Prior Reports 5 2. The EPA Complied with Payment Integrity Requirements for FY 2023, but Prior Recommendations Are Unimplemented 7 The EPA Addressed a Concern and Is Compliant with OMB Payment Integrity Improvement Requirements 7 The EPA Still Must Complete Corrective Actions to Address EPA OIG Prior Recommendations from FY 2021 PI IA Compliance Audit 9 3. The EPA Needs to Improve Its Oversight of Its Payment Integrity Activities 11 Qualitative Risk Assessments Lacked Documentation to Support Susceptibility Conclusions 11 The EPA Is At Risk of Ineffectively Managing Payment Integrity Performance 13 Recommendations 13 Agency Response and OIG Assessment 14 Status of Recommendations 15 A Agency Response to Draft Report 16 B Distribution 19 i ------- Chapter 1 Introduction Purpose The U.S. Environmental Protection Agency Office of Inspector General initiated this audit to determine whether the EPA complied with the Payment Integrity Information Act of 2019, or PIIA, for fiscal year 2023 reporting and to evaluate the EPA's corrective action plans and efforts to prevent and reduce improper payments from prior audit recommendations. Background Congress enacted the PIIA on March 2, 2020, to improve efforts to identify and reduce governmentwide improper payments. Appendix C, "Requirements for Payment Integrity Improvement/' of Office of Management and Budget Circular A-123, dated March 5, 2021, sets forth requirements for agencies and OIGs to comply with the PIIA. According to Appendix C, an agency must meet up to ten specific criteria to comply with the Act depending on the agency's current stage of improper payments reporting. Appendix C requires the Agency to conduct a risk assessment at least once every three years for any programs or activities that exceed $10 million in annual outlays. The EPA divides its programs and activities into payment streams for its improper payments reporting. Since the Agency conducted risk assessments for eight payment streams exceeding $10 million in annual outlays in its FY 2021 reporting, the EPA was not required to conduct risk assessments for those payment streams until its FY 2024 reporting. The PIIA and Federal Guidance for Improper Payments The PIIA directs the head of each executive branch agency to periodically review all programs and activities with annual outlays greater than $10 million and to identify those that may be susceptible to significant improper payments. Agency heads must conduct these periodic reviews, referred to as risk assessments, at least once every three years. As described in Appendix C of OMB Circular A-123, these risk assessments can be either qualitative or quantitative but must reasonably determine whether a program is susceptible to significant improper payments. According to the OMB's Appendix C guidance, all program payments fall into one of three payment categories: proper, improper, or unknown. A proper payment is made to the right recipient for the right amount; an improper payment is an incorrect amount or made to the wrong recipient; and an unknown payment is made without sufficient documentation so the agency cannot determine, without further information, whether the payment is proper or improper. Unknown payments "will eventually be determined to be proper or improper," and an agency may be required to report those improper payments in future years. 1 ------- Appendix C of OMB Circular A-123 states that a program is susceptible to significant improper payments if the total annual improper and unknown payment amount exceeds the statutory threshold. The statutory threshold for a program is either (1) 1.5 percent of program outlays and $10 million of all program payments made during the fiscal year or (2) $100 million. Additionally, Appendix C states that programs should consider causes of improper payments and unknown payments and "the likelihood of their occurrence in their process of identifying and monitoring payment integrity risks to the program." Examples of identifying payment integrity risks include identifying trends, patterns, and anomalies within data. The PI IA requires each agency's inspector general to annually determine the agency's compliance with the PI IA and to issue a report on that determination. Furthermore, Appendix C of OMB Circular A-123 requires each inspector general to: • Evaluate the risk assessments to determine whether they adequately conclude whether the programs are likely to make improper and unknown payments above or below the statutory threshold. • Evaluate the agency's efforts to prevent and reduce improper and unknown payments. • Recommend changes to the agency's improper payment risk-assessment methodology if the OIG determines that a risk assessment incorrectly identified whether a program or activity was likely to make improper and unknown payments above or below the statutory threshold. Appendix C requires that agencies proactively manage the payment integrity risk of their programs to prevent improper and unknown payments. Appendix C further says that even if the OIG determines that the agency program is in overall compliance with the PI I A, "[a] recommendation for improvement should be considered any time an OIG identifies an action that if taken would improve the program as it relates to a specific evaluation criterion." Federal Guidance Requires Internal Controls According to Appendix C of OMB Circular A-123, the main requirements to comply with the PI IA and to prevent and reduce improper payments include the following: • Agencies are responsible for establishing and maintaining effective internal controls, such as mechanisms, rules, policies, and procedures implemented by an agency to ensure the integrity of financial information as well as the detection and prevention of improper payments and unknown payments. • Programs, to be effective, should prioritize efforts toward preventing improper payments from occurring. • Management must establish and conduct monitoring activities to assess the quality of performance overtime. 2 ------- • Agencies are responsible for maintaining documentation of meeting the requirements set forth in Appendix C. EPA Policies and Procedures Regarding Grants Require Resolution in a Timely Manner The Office of the Chief Financial Officer's Standard Operating Procedure Grants Improper Payment Review, dated October 2022, states that for improper payment reporting purposes, all questioned costs under review must be resolved each year by June 30th. Costs that are not resolved by June 30th should be reported as improper payments. Also, the Office of Grants and Debarment's, or OGD's, Policy Notice No. PN-2013-G03, Improper Payments Elimination and Recovery Improvement Act of 2012 Reporting, holds grants management officers responsible for ensuring the resolution of questioned costs in a timely manner and the OGD's National Policy, Training, and Compliance Division responsible for reminding grants management officers to complete reviews and update the Grantee Compliance and Recipient Activity database or grantee compliance database entries. The OCFO's Standard Operating Procedure Grants Improper Payment Review states that the timeline to reconcile all identified improper payments and to report improper payments in the Agency Financial Report, or AFR, is from August through September of each reporting year. The EPA's FY 2023 Reporting and Risk Assessments To facilitate its payment integrity assessment process for determining improper payments risks, the OCFO stated that it obtains information from the EPA's Compass Business Objects Reporting database and questionnaires completed by the payment streams leads who oversee payment activities throughout the Agency. According to Appendix C of OMB Circular A-123, when conducting a qualitative assessment for risk of improper payments and unknown payments, "the agency should ensure that proper consideration has been given to relevant factors." The OCFO uses 13 risk factors, which include the 11 risk factor examples listed in Appendix C of OMB Circular A-123 for its qualitative risk assessments and risk factor categories for PI IA audit results and other risks not covered. Appendix C of OMB Circular A-123 example risk factors include whether the program is new to the agency; the complexity of the program reviewed; recent major changes in program funding, authorities, practices, or procedures and the accuracy and reliability of improper payment and unknown payment estimates previously reported for the program; or other indicators of potential susceptibility to improper payments and unknown payments identified. According to the EPA's AFR for FY 2023 reporting, the qualitative risk assessments determined that eight of the nine payment streams with outlays exceeding $10 million were not likely to be susceptible to significant improper payments. The risk assessment for the grants payment stream determined that the stream is susceptible to significant improper payments. As a result, the EPA will perform statistical sampling as part of the quantitative risk assessment in FY 2024. Table 1 outlines the susceptibility of the EPA's FY 2023 qualitative risk assessments performed on its nine payment streams. 3 ------- Table 1: Summary of the EPA's FY 2023 assessment of improper payment susceptibility Payment stream Likely to be susceptible to significant improper payments 1 Commodities No 2 Contracts No 3 Clean Water State Revolving Fund No 4 Drinking Water State Revolving Fund No 5 Grants Yes 6 Payroll No 7 Purchase Cards No 8 T ravel No 9 Water Infrastructure Finance and Innovation Act No Source: EPA FY 2023 AFR. (EPA OIG table) Responsible Offices The OCFO formulates the EPA's annual budget and performance plan; coordinates the EPA's strategic planning efforts; develops guidance to support reporting requirements in the EPA's AFR; provides financial services for the EPA; and makes payments to grant recipients, contractors, and other vendors. The OCFO is responsible for creating policies for, issuing reports on and overseeing the EPA's financial operations. The Office of the Controller, which is located within the OCFO, is responsible for overseeing the Agency's payment integrity program. The Office of the Controller develops, manages, and supports the Agency's financial management program by interpreting fiscal legislation, maintaining fiscal operations, and implementing governmentwide external reporting reforms. Within the Office of the Controller, the Policy, Training and Accountability Division oversees the EPA's efforts at preventing, identifying, and recovering improper payments. Scope and Methodology We conducted this performance audit from November 2023 to May 2024 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We assessed the internal controls necessary to satisfy our audit objectives.1 In particular, we assessed the internal control components—as outlined in the U.S. Government Accountability Office's Standards for Internal Control in the Federal Government— significant to our audit objectives. Any internal control deficiencies we found are discussed in this report. Because our audit was limited to the internal control 1 An entity designs, implements, and operates internal controls to achieve its objectives related to operations, reporting, and compliance. The U.S. Government Accountability Office sets internal control standards for federal entities in GAO-14-704G, Standards for Internal Control in the Federal Government, issued September 10, 2014. 4 ------- components deemed significant to our audit objectives, it may not have disclosed all internal control deficiencies that may have existed at the time of the audit. To answer our objectives, we assessed the Agency's payment integrity activities against Appendix C of OMB Circular A-123, which sets forth requirements for agencies and the OIGs to comply with the PI I A. In this audit of the EPA's FY 2023 reporting, we reviewed three of the ten requirements for overall compliance and did not review the other seven requirements because they were not applicable to include because the EPA is not required to conduct risk assessments until its FY 2024 reporting. We verified that the EPA (1) published payment integrity information with the annual financial statement, (2) posted the annual financial statement and accompanying materials on the Agency's website, and (3) conducted improper payment risk assessments for each program with annual outlays greater than $10 million at least once in the last three years. We detail the ten requirements as set forth in Appendix C and the EPA's compliance in Table 2. We also reviewed the EPA's grant policies and procedures relating to improper and unknown payments. Additionally, we assessed the EPA's implementation of corrective actions and efforts in response to prior audit recommendations by obtaining and analyzing the supporting documentation for these actions. We also sought to understand the procedures, oversight, and controls that management put in place to report improper and unknown payments, as well as the controls surrounding the risk assessment compilation. To accomplish this, we reviewed the EPA's FY 2023 AFR and its accompanying materials, and we verified that the EPA posted the report on its website. We also interviewed the OCFO staff to obtain an understanding of the processes, procedures, and controls used for improper payment reporting across the EPA. We evaluated the OCFO's qualitative risk assessments and supporting documentation. We also analyzed payment activity data for each payment stream that the EPA reported for its FY 2023 reporting. Additionally, we reviewed the Agency's Enterprise Audit Management System to determine the status of our prior PI IA audit recommendations and to examine the EPA's results of its grants payment stream unknown payments totaling about $10.3 million, which we identified in the EPA's FY 2021 improper payments risk assessment. We also retrieved grant information from the EPA's grantee compliance database and the Compass Data Warehouse database to verify the results of the grant unknown payments that we identified in our audit of FY 2021 reporting. Prior Reports In EPA OIG Report No. 22-P-0050. The EPA Was Not Compliant with the Payment Integrity Information Act for Fiscal Year 2021, issued June 27, 2022, we found that the EPA was not compliant with the PI IA for its FY 2021 reporting and needed to improve risk assessments to adequately conclude whether the program's improper and unknown payments exceeded the compliance threshold. We issued four recommendations, and the EPA recorded all the recommendations as complete in its Enterprise Audit Management System. 5 ------- In EPA OIG Report No. 23-P-0017. The EPA Complied with the Payment Integrity Information Act for Fiscal Year 2022, issued May 16, 2023, we found that the EPA was compliant with the PIIA and related OMB guidance for its FY 2022 reporting. We made no recommendations in the report. Chapter 2 contains a discussion of the status of the recommendations from the FY 2021 PI IA compliance report. 6 ------- Chapter 2 The EPA Complied with Payment Integrity Requirements for FY 2023, but Prior Recommendations Are Unimplemented The EPA is compliant with the PIIA and related OMB guidance for its FY 2023 improper payments reporting. For FY 2023 reporting, the EPA needed to satisfy three of the ten requirements outlined in Appendix C of OMB Circular A-123. The EPA published its payment integrity information with the annual financial statements and submitted its AFR to the OMB. The Agency posted its annual financial statements and accompanying materials on its website on November 15, 2023. Additionally, the EPA conducted improper payment risk assessments at least once in the last three years for each payment stream with annual outlays that exceeded the $10 million threshold. While reviewing for compliance, we noted a potential OMB compliance concern that was resolved immediately. Additionally, the EPA is still in the process of resolving recommendations from the FY 2021 PI IA compliance report. The EPA Addressed a Concern and Is Compliant with OMB Payment Integrity Improvement Requirements As shown in Table 2, the EPA is compliant with the PI IA and related OMB guidance for its FY 2023 improper payments reporting. However, during our audit we found a potential compliance concern, and the EPA resolved it immediately. When the EPA initially published its FY 2023 AFR, the report was missing a link to PaymentAccuracy.gov, which provides the Agency's accompanying materials to the financial statements. Appendix C to OMB Circular A-123 requires agencies to include a link to PaymentAccuracy.gov within its AFR and post it on the agency's website. When we identified that the link was missing, the OCFO acknowledged that the omission was because of an editorial oversight and immediately revised its FY 2023 AFR to include the link. We determined that the OCFO's actions satisfied the OMB compliance requirement. In response to the omission, the OCFO created a checklist to ensure that required information will be included in the Agency's AFR. The checklist includes areas that note the required contents of the AFR, analysis of systems, controls and legal compliance, summary of the financial statement audit with management assurances, and PI IA reporting. The OCFO finalized the checklist during our fieldwork to use in FY 2024 reporting. 7 ------- Table 2: PIIA compliance reporting for EPA payment streams No. Compliance requirement Commodities Contracts Clean Water SRF Drinking Water SRF Grants Payroll Purchase Cards T ravel WIFIA 1 Published payment integrity information with the annual financial statement ~ ~ ~ ~ ~ ~ ~ ~ ~ 2 Posted the annual financial statement and accompanying materials on the agency website V ~ ~ V ~ V ~ y ~ 3 Conducted improper payment risk assessments for each program with annual outlays greater than $10 million at least once in the last three years V ~ ~ V ~ V ~ y ~ 4 Adequately concluded whether the program is likely to make improper and unknown payments above or below the statutory threshold n/a n/a n/a n/a n/a n/a n/a n/a n/a 5 Published improper and unknown payment estimates for programs susceptible to significant improper payments in the accompanying materials to the annual financial statement n/a n/a n/a n/a n/a n/a n/a n/a n/a 5 Published corrective action plans for each program for which an estimate above the statutory threshold was published in the accompanying materials to the annual financial statement n/a n/a n/a n/a n/a n/a n/a n/a n/a 7 Published improper and unknown payment reduction target for each program for which an estimate above the statutory threshold was published in the accompanying materials to the annual financial statement n/a n/a n/a n/a n/a n/a n/a n/a n/a 8 Demonstrated improvements to payment integrity or reached a tolerable improper and unknown payment rate n/a n/a n/a n/a n/a n/a n/a n/a n/a 9 Developed a plan to meet the improper and unknown payment reduction target n/a n/a n/a n/a n/a n/a n/a n/a n/a 10 Reported an improper and unknown payment estimate of less than 10% for each program for which an estimate was published in the accompanying materials to the annual financial statement n/a n/a n/a n/a n/a n/a n/a n/a n/a Notes: V = Compliant; n/a = not applicable; SRF = state revolving fund; WIFIA = Water Infrastructure Finance and Innovation Act. Source: OIG analysis of the EPA's FY 2023 AFR payment integrity data and accompanying financial materials. (EPA OIG table) 8 ------- The EPA Still Must Complete Corrective Actions to Address EPA OIG Prior Recommendations from FY 2021 PIIA Compliance Audit According to the EPA, it completed all four recommendations for EPA OIG Report No. 22-P-0050. The recommendations are outlined in Table 3. During our review of the FY 2022 reporting, we found that the corrective actions for Recommendations 1 and 4 met the intent of our recommendations. The planned corrective actions for Recommendation 2 were not due to be completed until November 2023. In response to Recommendation 2, the EPA performed off-cycle qualitative risk assessments for its nine payment streams exceeding $10 million in annual outlays in FY 2023 and included its payment integrity reporting for fiscal year 2023 in its FY 2023 AFR. Table 3: EPA OIG Report No. 22-P-0050 recommendations No. Recommendation 1 Review the OIG-identified questioned costs for the grants payment stream, determine the payment allowability, recover costs as appropriate, and recalculate the error rate. 2 Conduct an off-cycle risk assessment, applying the Standard Operating Procedure Grants Improper Payment Review, dated September 2021, and include the risk assessments in the Agency's Fiscal Year 2023 Agency Financial Report, ensuring that the risk assessments contain: a. An assessment of all programs and activities with outlays greater than $10 million. b. An identification of which programs and activities with annual outlays exceeding the statutory threshold are included in each risk assessment. c. A mechanism for identifying, accounting for, estimating, and reporting improper and unknown payments and for detailing efforts taken to prevent and reduce such payments. 3 For payment streams other than the grants payment stream, update standard operating procedures so that they establish a sufficient methodology for programs and activities with outlays of more than $10 million to adequately conclude whether they are susceptible to significant improper payments. The standard operating procedure should identify which programs or activities are included. 4 Periodically train Agency personnel on and provide completed course training certificates for: a. The Standard Operating Procedure Grants Improper Payment Review, dated September 2021, which includes the Payment Integrity Information Act Review Checklist. Such training should include any updates to these documents and emphasize the application of the cost-allowance principles and the adherence to the terms and conditions of federal awards. b. All standard operating procedures, as well as any updates to them, implemented for other payment streams. Source: EPA OIG Report No. 22-P-0050. (EPA OIG table) During this audit, we reviewed the EPA's corrective actions for Recommendation 2 from EPA OIG Report No. 23-P-0017 and found that the Agency conducted qualitative risk assessments for nine payment streams using its standard operating procedure titled Payment Integrity Qualitative Risk Assessments, dated June 2023,2 for all payment streams that exceed $10 million in annual outlays which addresses Recommendation 2a. Using this procedure, the EPA determined that the grants payment stream is likely 2 In EPA OIG Report No. 23-P-0017, in which we audited the EPA's PIIA FY 2022 reporting, we previously reported that the Agency planned to conduct qualitative risk assessments for FY 2023 reporting by administering questionnaires and not use the September 2021 operating procedure to meet the intent of Recommendation 2 from EPA OIG Report No. 22-P-0050. 9 ------- to be susceptible to significant improper payments. Beginning in FY 2024, the OCFO advised us that it plans to conduct a quantitative risk assessment to determine whether the grants payment stream exceeds the threshold for susceptibility of significant improper payments, which will address Recommendations 2b and 2c. We will review the Agency's quantitative risk assessment in our audit of its FY 2024 reporting and determine whether Recommendation 2 is completed. We found that the Agency's corrective actions for Recommendation 3 did not meet the intent of our recommendation as stated in our FY 2022 PIIA compliance report. In Recommendation 3, we proposed updates to the EPA's standard operating procedure for payment streams other than grants, which should identify which programs or activities are included. In our FY 2022 PI IA compliance report, we noted that the procedure was missing program-specific risk methodologies to adequately determine whether a specific payment stream is susceptible to significant improper payments. In October 2022, the EPA reported completing Recommendation 3 in its Enterprise Audit Management System. The Agency updated its qualitative risk assessment standard operating procedure in June 2023. We will review the EPA's implementation of corrective actions for Recommendation 3 after the Agency completes its risk assessments for payments streams in its FY 2024 reporting. 10 ------- Chapter 3 The EPA Needs to Improve Its Oversight of Its Payment Integrity Activities The EPA needs effective internal controls to improve its oversight of its payment integrity activities to ensure compliance with PI IA and Appendix C of OMB Circular A-123. The EPA needs to improve (1) documenting its risk assessment conclusions to support its determinations for payment stream susceptibility resolution and (2) proper monitoring of the resolution of unknown payments from the grant payment stream and agencywide payment integrity performance. Specifically, the OCFO did not have sufficient documentation that would enable us to evaluate the Agency's conclusions for its qualitative risk assessment determinations. Also, as the overseer of the EPA's payment integrity program, the OCFO needs to improve its oversight of the grant unknown payments to ensure that they are resolved and accurately reported. In addition, the OCFO needs to monitor the Agency's payment integrity performance to ensure its efforts in preventing improper payments and unknown payments are effective. By increasing agencywide payment integrity performance monitoring, the OCFO could assist the Agency in obtaining information to support its efforts to prevent and reduce improper payments. Qualitative Risk Assessments Lacked Documentation to Support Susceptibility Conclusions The OCFO's supporting documentation for its qualitative risk assessments did not enable us to evaluate the methodology used to determine whether payment streams are likely to make improper payments and unknown payments above or below the statutory threshold. The EPA's 13 risk factors in the risk assessment questionnaire includes yes or no questions followed by related multiple-choice questions. The questionnaire includes space for a justification after each risk factor. We found that some questionnaire responses did not include a justification or that the justification did not include enough information for the selected response in the questionnaire. The risk assessment is then scored and reported by the OCFO. Appendix C to the OMB Circular A-123 states that the OIG's compliance report must also include an evaluation of agency efforts to prevent and reduce improper payments and unknown payments. The OCFO did not have documentation to support how it considers payment stream risk assessment justifications or whether the characteristics of the activities included in each payment stream were incorporated or considered in the OCFO's conclusions regarding a payment stream's susceptibility. As a result, we could not evaluate the methodology that the OCFO used for its qualitative risk assessment determinations. 11 ------- The OCFO lacks sufficient controls for documenting management conclusions related to the improper payment qualitative risk assessment determinations and monitoring the resolution of grant unknown payments and agencywide payment integrity performance of the EPA's effectiveness in preventing and reducing improper payments. The OCFO has not implemented guidance requiring staff to document qualitative risk assessment conclusions or determinations of improper payment susceptibility. Delayed Resolution of Grant Unknown Payments Needs Monitoring The OCFO needs to develop and implement guidance and mechanisms to monitor the OGD's review of grant unknown payments because of the delay in resolving unknown payments. The EPA questions the costs of a grant claim when the required documentation to support the claimed costs is missing or inaccurate. While the OGD's grants management officers are responsible for resolving questioned costs in a timely manner, the OCFO oversees the Agency's payment integrity program including monitoring program performance. The OGD and the OCFO are still working to resolve costs questioned in the OIG's FY 2021 PI IA compliance report. As of this audit, the OGD is still working to resolve the OIG's FY 2021 questioned costs totaling about $10.3 million. The OCFO indicated that the EPA disallowed $384,410 and recovered about $265,129. The OGD noted in March 2023 that it will issue a cost disallowance letter totaling about $119,281 the week of March 6; however, emails noted that as of November 2023, the grants management officer still had not sent the disallowance letter. On March 6, 2024, an OGD official stated that Region 9 would notify the recipient of the FY 2021 improper payment within the next 15 days. We accessed the EPA's financial management system and was able to verify that the Agency documented $265,129 as improper and for recovery. The OCFO does not have a policy specific for monitoring the management and resolutions of unknown payments. Pursuant to Appendix C, establishing and maintaining effective internal controls to prevent and detect improper payments and unknown payments should be a priority. The EPA's improper payment reporting requirements document states that the OCFO oversees the EPA's payment integrity program and several offices within the Agency must implement and monitor internal control activities for their associated payment streams, with the goal of preventing, identifying, and recovering improper payments. The OCFO has the oversight responsibility for monitoring program performance and developing agencywide guidance in support of ongoing annual payment integrity activities and reporting requirements. The OCFO Needs to Monitor Agencywide Payment Integrity Performance The OCFO does not monitor agencywide payment integrity performance. While the OCFO performed the activities necessary to comply with PI IA reporting requirements, it did not perform any monitoring activities. The OCFO stated that it had not formally reviewed agencywide improper payment and unknown payment trend information from 2019 through 2023 because of the high recovery rate for improper payments. The OCFO also stated that it uses qualitative risk assessments of the programs and payment streams to assess the effectiveness of its efforts to prevent and reduce improper payments. 12 ------- EPA OIG Report No. 22-P-0050 states that in FY 2021, the Agency conducted improper payment risk assessments, which the PIIA requires to be done at least every three years. The EPA also conducted off-cycle risk assessments for its FY 2023 reporting in response to Recommendation 2 in EPA OIG Report No. 22-P-0050. However, the risk assessments use the same criteria for each payment stream and does not consider new and changing risks, which should be considered as part of prevention according to Appendix C of OMB Circular A-123. The circular also states that "[a] 11 programs should have a structured and systematic approach to recognizing where the potential for [improper and unknown payments] can arise." The OCFO recognized that more agencywide oversight is necessary because of the increase in EPA funding from the Infrastructure Investment and Jobs Act and the Inflation Reduction Act, which provide approximately $100 billion to fund EPA programs, the majority of which will be distributed in the form of grants. During the audit, the OCFO informed us that it is in the process of planning and designing internal procedures and developing mechanisms to improve its oversight of the EPA's payment integrity efforts to prevent and reduce improper payments. The EPA Is At Risk of Ineffectively Managing Payment Integrity Performance The EPA increases its risks of ineffectively managing payment integrity if the Agency does not make internal control improvements. By not ensuring sufficient documentation of its conclusions, the OCFO hinders its ability to demonstrate that its qualitative risk assessments address the susceptibility of its payment streams or programs. Also, if the OCFO provides more monitoring of the OGD's grant unknown payment review and results, the Agency may improve the time it takes to resolve unknown payments and increase the likelihood of recovering any improper payments. Lastly, if the OCFO is monitoring agencywide payment integrity performance, improved controls would assist the Agency in its oversight of preventing and reducing improper payments and unknown payments. During our audit, the OCFO stated that it was beginning to develop mechanisms to monitor agencywide payment integrity performance, such as meeting with payment streams individually to discuss payment integrity efforts and developing a payment integrity checklist. Recommendations We recommend that the chief financial officer: 1. Develop guidance for generating and maintaining documentation to support risk assessment determinations of whether EPA programs or payment streams are identified to be susceptible to significant improper payments. 2. Develop oversight guidance and mechanisms to monitor the resolution of unknown payments to make sure they are resolved in a timely manner. 13 ------- 3. Develop processes and tools to periodically collect and analyze agencywide payment integrity activities and related information for preventing and reducing improper and unknown payments. Agency Response and OIG Assessment The OCFO agreed with our recommendations, provided planned corrective actions, and established milestone dates. The OCFO stated that "ensuring for payment integrity that proper controls are in place to safeguard the agency's resources is critical to preventing fraud, waste, and abuse and reflects the agency's historical commitment." Appendix A includes the Agency's response to our draft report. For Recommendation 1, the Office of the Controller plans to update standard operating procedures for performing qualitative risk assessments. We agree with the Agency's planned corrective actions for Recommendation 1 and will review implementation of these planned actions in our FY 2024 EPA PI IA compliance audit. For Recommendation 2, the Office of the Controller updated its guidance document for improper payments and unknown payments. We reviewed the updated guidance, which detailed monthly reporting requirements for all payment streams related to payments reviewed, payments with questioned costs or with identified improper payments, prior year overpayment recovery status, and transaction testing results. We agree with the Agency's planned corrective actions for Recommendation 2, and we will further evaluate the Agency's corrective action for this recommendation in the FY 2024 EPA PI IA compliance audit. For Recommendation 3, the Office of the Controller said that it developed a standard reporting template to gather improper and unknown payment data elements across the Agency's payment streams on a monthly basis. The Agency also said that information collected will include the cause for the improper payment or unknown payment and the status for recapturing these funds. We agree with the Agency's planned corrective actions for Recommendation 3 and will review implementation of these planned actions in our FY 2024 EPA PI IA compliance audit. 14 ------- Status of Recommendations Rec. No. Page No. Recommendation Status* Action Official Planned Completion Date 1 13 Develop guidance for generating and maintaining documentation to support risk assessment determinations of whether EPA programs or payment streams are identified to be susceptible to significant improper payments. R Chief Financial Officer 6/30/24 2 13 Develop oversight guidance and mechanisms to monitor the resolution of unknown payments to make sure they are resolved in a timely manner. R Chief Financial Officer 5/13/24 3 14 Develop processes and tools to periodically collect and analyze agencywide payment integrity activities and related information for preventing and reducing improper and unknown payments. R Chief Financial Officer 5/31/24 * C = Corrective action completed. R = Recommendation resolved with corrective action pending. U = Recommendation unresolved with resolution efforts in progress. 15 ------- Appendix A Agency Response to Draft Report i * "< PRO^ THE CHIEF FINANCIAL OFFICER WASHINGTON, D.C. 20460 May 20, 2024 MEMORANDUM SUBJECT: Response to the Office of Inspector General Draft Report, Project No. OA-FY24-0021, "The EPA Complied With the Payment Integrity Information Act for FY 2023, but Needs to Improve Its Oversight Efforts for Improper and Unknown Payment Activities," dated May 10, 2024 FROM: for Faisal Amin, Chief Financial Officer Office of the Chief Financial Officer GREGG TREML Digitally signed by GREGG TREML Date: 2024.05.20 12:15:06 -04W TO: Gloria Taylor-Upshaw, Director Business Operations Directorate Office of Audit Thank you for the opportunity to respond to the issues and recommendations in the subject draft report. The following is a summary of the U.S. Environmental Protection Agency's overall position, along with its position on the report's recommendations. AGENCY'S OVERALL POSITION The draft report contains three recommendations for the Office of the Chief Financial Officer. The EPA agrees with the Office of Inspector General's recommendations. Ensuring for payment integrity that proper controls are in place to safeguard the agency's resources is critical to preventing fraud, waste, and abuse and reflects the agency's historical commitment. OCFO Payment Integrity Oversight Prior to the OIG beginning this audit, the OCFO was developing and implementing measures to enhance payment integrity oversight, operations, and stakeholder engagement. These efforts include providing training to the responsible payment stream offices on the requirements outlined in the Payment Integrity Information Act and the Office of Management and Budget's Circular A-123, Appendix C, Requirements for Payment Integrity Improvement. In March 2024, the OCFO developed a Payment Integrity Checklist to assist offices with identifying and documenting controls and mechanisms in place to detect, prevent, and recapture improper payments. 16 ------- The OCFO also established quarterly stakeholder meetings to discuss the EPA's ongoing payment integrity efforts, discuss best practices used throughout the federal government, and to provide a forum for payment streams to engage on various topics and approaches to prevent improper payments. For newer payment streams, such as the Clean School Bus Rebate Program, and the Greenhouse Gas Reduction Fund Grants Program, the OCFO developed additional payment integrity resources, such as a reporting requirements overview document, to assist in preparing these payment streams to effectively prevent, monitor, and report improper and unknown payments, and coordinates frequent engagement and coordination to ensure the proper measures are in place to prevent improper payments. The increased engagement and additional resources are examples of the OCFO's commitment to create additional monitoring of the controls in place to prevent and detect improper payments. FY 2021 OIG PIIA Compliance Report - Recommendation No. 3 Regarding the OIG's position on the agency's corrective action provided for Recommendation 3 from the OIG's Fiscal Year 2021 PI IA Compliance Audit (Report No. 22-P-0050), the OCFO interpreted the OIG's position to be that the corrective action the OCFO provided did not meet the intent of the OIG's recommendation. As the OCFO provided agreed-upon corrective actions to close this recommendation in FY 2023, we also recognize the OIG's prudent work to ensure the enhancements to the payment integrity standard operating procedures for qualitative risk assessments has the intended impact on the results of future qualitative risk assessments. However, after further discussion between my staff and your office, it is EPA's understanding the OIG agrees the agency provided the agreed-upon corrective action and the OIG will assess the adequacy of the corrective action meeting the intent of the recommendation during your FY 2024 PI IA compliance audit. Thus, no further action is required from the OCFO at this time. I look forward to the OIG's review during the FY 2024 PI IA compliance audit. AGENCY RESPONSE TO DRAFT REPORT RECOMMENDATIONS Recommendation Office High-Level Intended Corrective Action(s) Planned Date 1. Develop guidance for generating and maintaining documentation to support risk assessment determinations of whether EPA programs or payment streams are identified to be susceptible to significant improper payments. OCFO Concur. The OCFO's Office of the Controller will update the Standard Operating Procedures for performing qualitative risk assessments to include detailed instructions on generating and maintaining documentation to support risk assessment determinations for susceptibility to significant improper payments. 6/30/2024 17 ------- 2. Develop oversight guidance and mechanisms to monitor the resolution of unknown payments to make sure they are resolved in a timely manner. OCFO Concur. The OCFO's Office of the Controller has updated it's "Improper Payment Reporting Guidance" document to include a requirement for monthly updates on improper payments and unknown payments. Completed 5/13/2024 3. Develop processes and tools to periodically collect and analyze agencywide payment integrity activities and related information for preventing and reducing improper and unknown payments. OCFO Concur. The OCFO's Office of the Controller has developed a standard reporting template to gather improper payment and unknown payment data elements across the agency's payment streams on a monthly basis. Information collected will also include the cause for the IP or UP and the status for recapturing these funds. 5/31/2024 CONTACT INFORMATION If you have any questions regarding this response, please contact the OCFO's Audit Follow-up Coordinator, Andrew LeBlanc, at leblanc.andrew@epa.gov or (202) 564-1761. cc: Gregg Treml Lek Kadeli Meshell Jones-Peller Adil Gulamli OCFO-OC-MANAGERS Katelyn Bell Ryan Dzakovic Brian Webb Nikki Wood Jovandra Sanderlin Mark T. Howard Eric Fox Susan Perkins Andrew LeBlanc Jose Kercado 18 ------- Appendix B Distribution The Administrator Deputy Administrator Chief of Staff, Office of the Administrator Deputy Chief of Staff for Management, Office of the Administrator Chief Financial Officer Agency Follow-Up Coordinator General Counsel Associate Administrator for Congressional and Intergovernmental Relations Associate Administrator for Public Affairs Audit Follow-Up Coordinator, Office of the Administrator Deputy Chief Financial Officer Associate Chief Financial Officer Senior Advisor, Office of the Chief Financial Officer Controller Deputy Controller Director, Office of Continuous Improvement, Office of the Chief Financial Officer Director, Policy, Training, and Accountability Division, Office of the Controller Chief, Management, Integrity and Accountability Branch; Policy, Training, and Accountability Division, Office of the Controller Office of Policy OIG Liaison Office of Policy GAO Liaison Audit Follow-Up Coordinators, Office of the Controller 19 ------- Whistleblower Protection U.S. Environmental Protection Agency The whistleblower protection coordinator's role is to educate Agency employees about prohibitions against retaliation for protected disclosures and the rights and remedies against retaliation. For more information\, please visit the OlG's whistleblower protection webpage. Contact us: Congressional Inquiries: OIG.CongressionalAffairs(5>epa.gov Media Inquiries: OIG.PublicAffairs@epa.gov line EPA OIG Hotline: OIG.Hotlline(5>epa gov -pnr Web: epaoig.gov Follow us: X (formerly Twitter): ffiepaoig Linkedln: linkedin.com/company/epa-oig YouluDe: voutube.com/epaoig [01 Instagram: (S)epa.ig.on.ig ------- |