Air Force:

Enhanced Enterprise Risk Management and Internal Control Assessments Could Improve Accountability over Mission-Critical Assets

GAO-20-332: Published: Jun 18, 2020. Publicly Released: Jun 18, 2020.

Additional Materials:

Contact:

Kristen Kociolek
(202) 512-2989
kociolekk@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Air Force identified more than half of its $398 billion in assets (i.e., aircraft, weapons, vehicles, buildings) as mission-critical in fiscal year 2019. But, for decades, the service has not been accurately tracking and reporting financial information about its mission-critical assets. Without reliable information on this, the Air Force can’t support informed decisions about the condition, cost, or reliability of its assets, or about the need to request more resources.

Our 12 recommendations could help the Air Force strengthen its policies and procedures for overseeing and reporting on its mission-critical assets.

Aerial view of the Pentagon

Aerial view of the Pentagon

Additional Materials:

Contact:

Kristen Kociolek
(202) 512-2989
kociolekk@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Air Force's efforts to implement Enterprise Risk Management (ERM) are in the early stages, and accordingly, it has not fully incorporated ERM into its management practices as outlined in Office of Management and Budget (OMB) Circular No. A-123. As a result, the Air Force is not fully managing its challenges and opportunities from an enterprise-wide view. Until it fully incorporates ERM—planned for some time after 2023—the Air Force will continue to leverage its current governance and reporting structures as well as its existing internal control reviews.

The Air Force has not designed a comprehensive process for assessing internal control, including processes related to mission-critical assets. GAO found that existing policies and procedures that Air Force staff follow to perform internal control assessments do not accurately capture the requirements of OMB Circular No. A-123. For example, the Air Force does not require (1) an assessment of each internal control element; (2) test plans that specify the nature, scope, and timing of procedures to conduct; and (3) validation that the results of internal control tests are sufficiently clear and complete to explain how units tested control procedures, what results they achieved, and how they derived conclusions from those results. Also, Air Force guidance and training was not adequate for conducting internal control assessments.

In addition, GAO found that the Air Force did not design its assessment of internal control to evaluate all key areas that are critical to meeting its mission objectives as part of its annual Statement of Assurance process.

Furthermore, GAO found that procedures the Air Force used to review mission-critical assets did not (1) evaluate whether the control design would serve to achieve objectives or address risks; (2) test operating effectiveness after first determining if controls were adequately designed; (3) use process cycle memorandums that accurately reflected the current business process; and (4) evaluate controls it put in place to achieve operational, internal reporting, and compliance objectives. GAO also found that the results of reviews of mission-critical assets are not formally considered in the Air Force's assessment of internal control.

Without performing internal control reviews in accordance with requirements, the Air Force increases the risk that its assessment of internal control and related Statement of Assurance may not appropriately represent the effectiveness of internal control, particularly over processes related to its mission-critical assets.

Why GAO Did This Study

OMB Circular No. A-123 requires agencies to provide an annual assurance statement that represents the agency head's informed judgment as to the overall adequacy and effectiveness of internal controls related to operations, reporting, and compliance objectives. Although the Air Force is required annually to assess and report on its control effectiveness and to correct known deficiencies, it has been unable to demonstrate basic internal control, as identified in previous audits, that would allow it to report, with reasonable assurance, the reliability of internal controls, including those designed to account for mission-critical assets.

This report, developed in connection with fulfilling GAO's mandate to audit the U.S. government's consolidated financial statements, examines the extent to which the Air Force has incorporated ERM into its management practices and designed a process for assessing internal control, including processes related to mission-critical assets.

GAO reviewed Air Force policies and procedures and interviewed Air Force officials on their process for fulfilling ERM and internal control assessments.

What GAO Recommends

GAO is making 12 recommendations to the Air Force, which include improving its risk management practices and internal control assessments. The Air Force agreed with all 12 recommendations and cited actions to address them.

For more information, contact Kristen Kociolek at (202) 512-2989 or kociolekk@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: The DOD concurred with this recommendation and highlighted steps taken or planned to address this recommendation. Specifically, in FY19, the Air Force assessed the current-state of the risk management programs throughout the Air Force and developed a maturity model, implementation plan, and a governance structure to comply with OMB A-123 requirements. These enhancements will be implemented and formalized in policy in FY20. Further, beginning in FY19, the Air Force Senior Assessment Team (SAT) and the Senior Management Council (SMC) monitored corrective action plans for material weaknesses identified internally and by independent public accountants, including their impact on the Air Force's ability to achieve its enterprise objectives. In addition, the Air Force developed a process for the SAT and the SMC to discuss corrective action plans for material weaknesses on a quarterly basis as opposed to an annual basis, which will be evidenced in the form of board briefings and meeting minutes. Additionally, in FY19 the Air Force engaged the Enterprise Productivity Improvement Council to serve as the Air Force Risk Management Council (RMC) to oversee enterprise risk management as defined by their Charter, which was signed in February 2020. The Air Force will refine its policies and procedures to clearly specify the risks associated with the material weaknesses being addressed by the Air Force governance boards. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.

    Recommendation: The Secretary of the Air Force should develop and implement procedures for an ERM governance structure that includes oversight responsibilities for identifying, assessing, responding to, and reporting on the risks associated with agency material weaknesses from all relevant sources. These procedures should clearly demonstrate that risks associated with material weaknesses are considered by Air Force governance, as a whole, and are mitigated appropriately to achieve goals and objectives. (Recommendation 1)

    Agency Affected: Department of Defense: Department of the Air Force

  2. Status: Open

    Comments: The DOD concurred with this recommendation and described steps taken or planned to address the recommendation. The Air Force SAF/FM performs both entity-level control assessments against all internal control components and principles and performs process level control assessments for internal controls over financial reporting and financial systems. The Air Force Audit Agency and the Air Force Inspector General have performed assessments related to operations and compliance. The Air Force will document those roles and responsibilities in formal policies. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.

    Recommendation: The Secretary of the Air Force should develop policies or procedures for assessing internal control to require (1) clearly delineating who within the Air Force is responsible for evaluating the internal control components and principles, how often they are to perform the evaluation, the level (e.g., entity or transactional) of the evaluation, what objectives are covered in the assessment, to whom to communicate the results if they are relevant to others performing assessments of internal control, and what guidance to follow; (2) documenting management's determination of whether each component and principle is designed, implemented, and operating effectively; and (3) documenting management's determination of whether components are operating together in an integrated manner. (Recommendation 2)

    Agency Affected: Department of Defense: Department of the Air Force

  3. Status: Open

    Comments: The DOD concurred with this recommendation and described steps taken or planned to address this recommendation. The Air Force test plans for internal controls over financial reporting and financial systems tie back to their relevant risk frameworks embedded in authoritative audit guidance. The framework used for financial reporting is the Financial Audit Manual, and the framework used for financial systems is the Federal Information Systems Controls Audit Manual, and include the nature, scope and timing of procedures performed. The Air Force's process-level internal control test plans are aligned with business process-level risks and objectives and are not directly associated with the Air Force's strategic objectives. The Air Force Business Operations Plan identifies strategic objectives, not business process-level objectives. Additionally, the Air Force considers previously identified internal control deficiencies in its annual documented internal control assessment scoping process. The Air Force will refine its policies and procedures regarding the use of test plans including operational and compliance controls. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022.

    Recommendation: The Secretary of the Air Force should develop policies or procedures for assessing internal control to require the use of test plans that (1) tie back to specific objectives to be achieved as included in the Business Operations Plan; (2) specify the nature, scope, and timing of procedures to conduct under the OMB Circular No. A-123 assessment process; and (3) reflect a consideration of prior year self-identified control deficiencies and results of internal and external audits. (Recommendation 3)

    Agency Affected: Department of Defense: Department of the Air Force

  4. Status: Open

    Comments: The DOD concurred with this recommendation. The Air Force will design policies and procedures to determine assessable units and verify that results are current on an annual basis. Due to the need to reevaluate the Air Force's assessable unit structure and the associated change management that will be necessary to implement the changes to sustain an effective program, the Air Force plans to refine the policies by September 2021 and publish the policies by September 2022.

    Recommendation: The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to validate (1) the number of organizational units reporting for its overall internal control assessment; (2) how control procedures were tested, what results were achieved, and how conclusions were derived from those results; and (3) whether the results used to compile the current year report are based on current fiscal year's assessments. (Recommendation 4)

    Agency Affected: Department of Defense: Department of the Air Force

  5. Status: Open

    Comments: The DOD concurred with this recommendation. The Air Force will design policies and procedures to consider the impact of waivers to the overall assessment of the system of internal control. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.

    Recommendation: The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to assess how waivers affect the current year assessment of internal control, the determination of systemic weaknesses, and the compilation of the Air Force's overall Statement of Assurance. (Recommendation 5)

    Agency Affected: Department of Defense: Department of the Air Force

  6. Status: Open

    Comments: The DOD concurred with this recommendation and described steps taken or planned to address the recommendation. Specifically, the Air Force is implementing multiple changes to the Air Force's ERM and internal control program, including improved governance, standardized processes and documentation for enterprise risk management, entity-level and process-level controls, training, fraud risk management, and data quality management. Training content in FY20 was updated to reflect additional information, including definitions for internal controls and considerations for determining material weaknesses for operations. The Air Force will continue to update its the policies, guidance, and training to coincide with the current progress of the program. The Air Force will continue to refine the audience of its training to verify that those responsible for implementing and assessing ERM and internal controls are trained sufficiently. Due to the need for policy, procedure, documentation, and training updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, documentation, and training by September 2021 and publish the associated policies by September 2022.

    Recommendation: The Secretary of the Air Force should require that developers of the policy and related guidance associated with designing the procedures for conducting OMB Circular No. A-123 assessments receive recurring training and are appropriately skilled in conducting internal control assessments and are familiar with Standards for Internal Control in the Federal Government. (Recommendation 6)

    Agency Affected: Department of Defense: Department of the Air Force

  7. Status: Open

    Comments: The DOD concurred with this recommendation. The Air Force will verify that all definitions and concepts in its policies are current and consistent with other authoritative guidance. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.

    Recommendation: The Secretary of the Air Force should analyze all definitions included in Air Force ERM and internal control assessment policy and related guidance to ensure that all definitions and concepts are defined correctly. (Recommendation 7)

    Agency Affected: Department of Defense: Department of the Air Force

  8. Status: Open

    Comments: The DOD concurred with this recommendation and described actions taken or planned to address the recommendation. Specifically, the Air Force performs annual training to Major Commands, Direct Reporting Units, and Functional Executives. In FY20, the Air Force included business process assessable leads in this training. The Air Force plans to continue to refine the audience of its training to verify that those responsible for implementing and assessing ERM and internal controls are trained sufficiently by September 2021.

    Recommendation: The Secretary of the Air Force should require SAF/FM to design recurring training for those who will assess internal control that (1) includes enhancing their skills in evaluating the internal control system and documenting results; (2) reflects all OMB Circular No. A-123 requirements, such as those related to identifying objectives, evaluating deficiencies, and determining material weaknesses; and (3) is provided to all who are responsible for performing internal control assessments. (Recommendation 8)

    Agency Affected: Department of Defense: Department of the Air Force

  9. Status: Open

    Comments: The DOD concurred with this recommendation and described actions taken or planned to address the recommendation. Specifically, the Air Force's scoping procedures, beginning in FY19, consider materiality, both quantitative and qualitative risk, as well as risks identified in the enterprise risk management process. The Air Force assesses internal controls over financial reporting and financial systems using a risk-based approach as evidenced currently in documented procedures and testing templates. The Air Force will refine its procedure documentation to include the assessment of internal controls over operations and compliance using a risk-based approach. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022.

    Recommendation: The Secretary of the Air Force should develop policy or procedures consistent with OMB Circular No. A-123 to assess the system of internal control using a risk-based approach. (Recommendation 9)

    Agency Affected: Department of Defense: Department of the Air Force

  10. Status: Open

    Comments: The DOD concurred with this recommendation and described actions taken or planned to address the recommendation. The Air Force documents processes and assesses internal controls over financial reporting and financial systems related to mission critical assets that includes determinations as to internal control design, implementation, operating effectiveness and risks. The Air Force will enhance its approach for documenting processes and assessing internal controls over operations and compliance not related to financial reporting and financial systems through policy. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls related to mission-critical assets, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022.

    Recommendation: The Secretary of the Air Force should develop procedures to assess internal control over processes related to mission-critical assets, including (1) tests of design that evaluate whether controls are capable of achieving objectives, (2) tests of effectiveness only after a favorable assessment of the design of the control, and (3) a baseline that has accurate descriptions of business processes and identifies key internal controls as designed by management to respond to risks. (Recommendation 10)

    Agency Affected: Department of Defense: Department of the Air Force

  11. Status: Open

    Comments: The DOD concurred with this recommendation. The Air Force reports material weaknesses in internal controls over financial reporting and financial systems related to mission critical assets through SAF/FM, but it will solidify its reporting channels for material weaknesses in internal controls over operations and compliance through policy. Due to the need for policy, procedure, documentation, and training updates required to appropriately report deficiencies in internal control over operations and compliance, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, documentation, and training by September 2021 and publish the associated policies by September 2022.

    Recommendation: The Secretary of the Air Force should establish a process and reporting lines of all the sources of information, including reviews performed of internal control processes related to mission-critical assets, that will be considered in the Secretary's Statement of Assurance. (Recommendation 11)

    Agency Affected: Department of Defense: Department of the Air Force

  12. Status: Open

    Comments: The DOD concurred with this recommendation. The Air Force will develop procedures to enhance communication between business process leads and Air Force unit managers to verify that deficiencies are reported appropriately in supporting statements of assurance. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, as well as the change management needed to implement additional communications and protocol processes, the Air Force plans to refine the policies by September 2021 and publish the policies by September 2022.

    Recommendation: The Secretary of the Air Force should develop procedures to require coordination between business process leads and the Air Force's unit managers to ensure that mission-critical asset–related internal control deficiencies are considered in the unit managers' assessments of internal control and related supporting statements of assurance. These procedures should include how, when, and with what frequency the results from the business process internal control reviews should be provided to relevant organizational units for consideration in their respective assurance statements. (Recommendation 12)

    Agency Affected: Department of Defense: Department of the Air Force

 

Explore the full database of GAO's Open Recommendations »

Sep 23, 2020

Aug 20, 2020

Aug 14, 2020

Aug 6, 2020

Jul 30, 2020

Jul 27, 2020

Jul 23, 2020

Jul 22, 2020

Jul 20, 2020

Looking for more? Browse all our products here