Air Force: Enhanced Enterprise Risk Management and Internal Control Assessments Could Improve Accountability over Mission-Critical Assets
GAO-20-332
Published: Jun 18, 2020. Publicly Released: Jun 18, 2020.
The Air Force identified more than half of its $398 billion in assets (i.e., aircraft, weapons, vehicles, buildings) as mission-critical in fiscal year 2019. But, for decades, the service has not been accurately tracking and reporting financial information about its mission-critical assets. Without reliable information on this, the Air Force can’t support informed decisions about the condition, cost, or reliability of its assets, or about the need to request more resources.
Our 12 recommendations could help the Air Force strengthen its policies and procedures for overseeing and reporting on its mission-critical assets.
Aerial view of the Pentagon
What GAO Found
The Air Force's efforts to implement Enterprise Risk Management (ERM) are in the early stages, and accordingly, it has not fully incorporated ERM into its management practices as outlined in Office of Management and Budget (OMB) Circular No. A-123. As a result, the Air Force is not fully managing its challenges and opportunities from an enterprise-wide view. Until it fully incorporates ERM—planned for some time after 2023—the Air Force will continue to leverage its current governance and reporting structures as well as its existing internal control reviews.
The Air Force has not designed a comprehensive process for assessing internal control, including processes related to mission-critical assets. GAO found that existing policies and procedures that Air Force staff follow to perform internal control assessments do not accurately capture the requirements of OMB Circular No. A-123. For example, the Air Force does not require (1) an assessment of each internal control element; (2) test plans that specify the nature, scope, and timing of procedures to conduct; and (3) validation that the results of internal control tests are sufficiently clear and complete to explain how units tested control procedures, what results they achieved, and how they derived conclusions from those results. Also, Air Force guidance and training was not adequate for conducting internal control assessments.
In addition, GAO found that the Air Force did not design its assessment of internal control to evaluate all key areas that are critical to meeting its mission objectives as part of its annual Statement of Assurance process.
Furthermore, GAO found that procedures the Air Force used to review mission-critical assets did not (1) evaluate whether the control design would serve to achieve objectives or address risks; (2) test operating effectiveness after first determining if controls were adequately designed; (3) use process cycle memorandums that accurately reflected the current business process; and (4) evaluate controls it put in place to achieve operational, internal reporting, and compliance objectives. GAO also found that the results of reviews of mission-critical assets are not formally considered in the Air Force's assessment of internal control.
Without performing internal control reviews in accordance with requirements, the Air Force increases the risk that its assessment of internal control and related Statement of Assurance may not appropriately represent the effectiveness of internal control, particularly over processes related to its mission-critical assets.
Why GAO Did This Study
OMB Circular No. A-123 requires agencies to provide an annual assurance statement that represents the agency head's informed judgment as to the overall adequacy and effectiveness of internal controls related to operations, reporting, and compliance objectives. Although the Air Force is required annually to assess and report on its control effectiveness and to correct known deficiencies, it has been unable to demonstrate basic internal control, as identified in previous audits, that would allow it to report, with reasonable assurance, the reliability of internal controls, including those designed to account for mission-critical assets.
This report, developed in connection with fulfilling GAO's mandate to audit the U.S. government's consolidated financial statements, examines the extent to which the Air Force has incorporated ERM into its management practices and designed a process for assessing internal control, including processes related to mission-critical assets.
GAO reviewed Air Force policies and procedures and interviewed Air Force officials on their process for fulfilling ERM and internal control assessments.
Recommendations
GAO is making 12 recommendations to the Air Force, which include improving its risk management practices and internal control assessments. The Air Force agreed with all 12 recommendations and cited actions to address them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of the Air Force | The Secretary of the Air Force should develop and implement procedures for an ERM governance structure that includes oversight responsibilities for identifying, assessing, responding to, and reporting on the risks associated with agency material weaknesses from all relevant sources. These procedures should clearly demonstrate that risks associated with material weaknesses are considered by Air Force governance, as a whole, and are mitigated appropriately to achieve goals and objectives. (Recommendation 1) |
DOD concurred with this recommendation and highlighted steps taken or planned to address the recommendation. Specifically, in fiscal year 2019, the Air Force assessed the current-state of the risk management programs throughout the Air Force and developed a maturity model, implementation plan, and a governance structure to comply with OMB Circular A-123 requirements. Further, beginning in fiscal year 2019, the Air Force Senior Assessment Team (SAT) and the Senior Management Council (SMC) monitored corrective action plans for material weaknesses identified internally and by independent public accountants, including their impact on the Air Force's ability to achieve its enterprise objectives. The Air Force developed a process for the SAT and the SMC to discuss corrective action plans for material weaknesses on a quarterly basis as opposed to an annual basis, which will be evidenced in the form of board briefings and meeting minutes. Additionally, in fiscal year 2019, the Air Force engaged the Enterprise Productivity Improvement Council to serve as the Air Force Risk Management Council to oversee enterprise risk management as defined by their Charter, which was signed in February 2020. The Air Force will refine its policies and procedures to specify the risks associated with the material weaknesses being addressed by the Air Force governance boards. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to publish the policies by September 2021. In December 2021, Air Force informed us that by September 2022 they will update applicable directives to address the intent of our recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require (1) clearly delineating who within the Air Force is responsible for evaluating the internal control components and principles, how often they are to perform the evaluation, the level (e.g., entity or transactional) of the evaluation, what objectives are covered in the assessment, to whom to communicate the results if they are relevant to others performing assessments of internal control, and what guidance to follow; (2) documenting management's determination of whether each component and principle is designed, implemented, and operating effectively; and (3) documenting management's determination of whether components are operating together in an integrated manner. (Recommendation 2) |
DOD concurred with this recommendation and described steps taken or planned to address the recommendation. Specifically, the Air Force's Assistant Secretary of the Air Force, Financial Management and Comptroller (SAF/FM) performs both entity-level control assessments against all internal control components and principles and performs process level control assessments for internal controls over financial reporting and financial systems. The Air Force Audit Agency and the Air Force Inspector General have performed assessments related to operations and compliance. The Air Force will define roles and responsibilities for entity-level control assessments, which will include compliance elements within them. The Air Force will document the entity-level control assessment process and requirements in its formal policies. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to publish the policies by September 2021. In December 2021, Air Force informed us that they have completed implementation of corrective actions for this recommendation. However, the support provided was a letter outlining topics that they plan to include in the next update to their policy. We will review the revised policy and procedures once they have been formalized. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require the use of test plans that (1) tie back to specific objectives to be achieved as included in the Business Operations Plan; (2) specify the nature, scope, and timing of procedures to conduct under the OMB Circular No. A-123 assessment process; and (3) reflect a consideration of prior year self-identified control deficiencies and results of internal and external audits. (Recommendation 3) |
DOD concurred with this recommendation and described steps taken or planned to address the recommendation. Specifically, the Air Force test plans for internal controls over financial reporting and financial systems tie back to their relevant risk frameworks embedded in authoritative audit guidance. The framework used for financial reporting is the Financial Audit Manual, and the framework used for financial systems is the Federal Information Systems Controls Audit Manual, and include the nature, scope and timing of procedures performed. The Air Force's process-level internal control test plans are aligned with business process-level risks and objectives and are not directly associated with the Air Force's strategic objectives. The Air Force Business Operations Plan identifies strategic objectives, but not business process-level objectives. The Air Force will update policies to require the annual documented internal control assessment scoping process to consider prior year self-identified control deficiencies and results of internal and external audits. The Air Force will also update test plan templates for internal controls over reporting and financial systems to include compliance objectives, and create test plan templates for internal controls over operations to include compliance objectives, nature, timing and scope. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022. In December 2021, Air Force informed us that it continues to work on implementation of this recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to validate (1) the number of organizational units reporting for its overall internal control assessment; (2) how control procedures were tested, what results were achieved, and how conclusions were derived from those results; and (3) whether the results used to compile the current year report are based on current fiscal year's assessments. (Recommendation 4) |
DOD concurred with this recommendation. The Air Force plans to design policies and procedures to require validation of assessable units in scope, procedure requirements, and verification that results reported are from the current fiscal year. Additionally, Air Force plans to revamp assessable unit structure to simplify roles, responsibilities, and reporting in accordance with OMB Circular No. A-123 and the DOD Risk Management and Internal Control program. Due to the need to reevaluate the Air Force's assessable unit structure and the associated change management that will be necessary to implement the changes to sustain an effective program, the Air Force plans to refine the policies by September 2021 and publish the policies by September 2022. In December 2021, Air Force informed us that it continues to work on implementation of this recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to assess how waivers affect the current year assessment of internal control, the determination of systemic weaknesses, and the compilation of the Air Force's overall Statement of Assurance. (Recommendation 5) |
DOD concurred with this recommendation. The Air Force will design policies and procedures to include procedures for assessing the impact of waivers on internal control assessments. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to publish the policies by September 2021. In December 2021, Air Force informed us that they have completed implementation of corrective actions for this recommendation. However, the support provided was a letter outlining topics that they plan to include in the next update to their policy. We will review the revised policy and procedures once formalized. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should require that developers of the policy and related guidance associated with designing the procedures for conducting OMB Circular No. A-123 assessments receive recurring training and are appropriately skilled in conducting internal control assessments and are familiar with Standards for Internal Control in the Federal Government. (Recommendation 6) |
DOD concurred with this recommendation and described steps taken or planned to address the recommendation. Specifically, the Air Force is updating policies and procedures to require enterprise risk management and internal control policy owners to receive training on OMB Circular A-123 requirements and annual updates, and to provide detailed instructions for updating OMB Circular A-123 training materials annually to reflect current guidance from DOD, OMB, and GAO. The Air Force will update annual training to include specific roles, responsibilities, procedures, and templates for assessing internal controls over operations, as well as consideration for compliance objectives. Training content in fiscal year 2020 was updated to reflect additional information, including definitions for internal controls and considerations for determining material weaknesses for operations. The Air Force will continue to update its the policies, guidance, and training to coincide with the current progress of the program. The Air Force will continue to refine audiences to those integral to managing risks and internal controls over reporting, operations, and associated compliance. Due to the need for policy, procedure, documentation, and training updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, documentation, and training by September 2021 and publish the associated policies by September 2022. In December 2021, Air Force informed us that it continues to work on implementation of this recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should analyze all definitions included in Air Force ERM and internal control assessment policy and related guidance to ensure that all definitions and concepts are defined correctly. (Recommendation 7) |
The DOD concurred with this recommendation and described steps planned to address the recommendation. The Air Force will update definitions and concepts to be current and consistent with other authoritative guidance. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to publish the policies by September 2021. In December 2021, Air Force informed us that by September 2022 they will update applicable directives to address the intent of our recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should require SAF/FM to design recurring training for those who will assess internal control that (1) includes enhancing their skills in evaluating the internal control system and documenting results; (2) reflects all OMB Circular No. A-123 requirements, such as those related to identifying objectives, evaluating deficiencies, and determining material weaknesses; and (3) is provided to all who are responsible for performing internal control assessments. (Recommendation 8) |
DOD concurred with this recommendation and described actions taken or planned to address the recommendation. Specifically, the Air Force performs annual training to Major Commands, Direct Reporting Units, and Functional Executives. In fiscal year 2020, the Air Force included business process assessable leads in this training. The Air Force plans to update annual training to include specific roles, responsibilities, procedures, and templates for assessing internal controls over operations, as well as consideration for compliance objectives. Finally, the Air Force plans to continue to refine audiences to those integral to managing risks and internal controls over reporting, operations, and associated compliance by September 2021. In December 2021, Air Force informed us that they have completed implementation of corrective actions for this recommendation. However, the support provided was a letter outlining topics that they plan to include in the next update to their policy. We will review the revised policy and procedures once formalized. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should develop policy or procedures consistent with OMB Circular No. A-123 to assess the system of internal control using a risk-based approach. (Recommendation 9) |
DOD concurred with this recommendation and described actions taken or planned to address the recommendation. Specifically, the Air Force's scoping procedures, beginning in fiscal year 2019, consider materiality, both quantitative and qualitative risk, as well as risks identified in the enterprise risk management process. The Air Force assesses internal controls over financial reporting and financial systems using a risk-based approach as evidenced currently in documented procedures and testing templates. The Air Force will refine its procedure documentation to require a risk-based approach for assessing internal controls over operations and related compliance. Additionally, the Air Force will update procedures to include instructions for performing OMB Circular A-123 assessments for internal controls over operations and compliance using a risk-based approach. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022. In December 2021, Air Force informed us that it continues to work on implementation of this recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should develop procedures to assess internal control over processes related to mission-critical assets, including (1) tests of design that evaluate whether controls are capable of achieving objectives, (2) tests of effectiveness only after a favorable assessment of the design of the control, and (3) a baseline that has accurate descriptions of business processes and identifies key internal controls as designed by management to respond to risks. (Recommendation 10) |
DOD concurred with this recommendation and described actions taken or planned to address the recommendation. The Air Force plans to update policies and procedures documents to require risk assessments to identify key controls, include detailed instructions for completing tests of design that evaluate whether or not controls are capable of achieving objectives, and tests for effectiveness only after a favorable assessment of the control design. In addition, these documents will include detailed instructions for documenting businesses processes, assessing process risks, and identifying key internal controls over operations and non-financial compliance that address the identified risks. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls related to mission-critical assets, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022. In December 2021, Air Force informed us that it continues to work on implementation of this recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should establish a process and reporting lines of all the sources of information, including reviews performed of internal control processes related to mission-critical assets, that will be considered in the Secretary's Statement of Assurance. (Recommendation 11) |
DOD concurred with this recommendation and described actions taken or planned to address the recommendation. The Air Force plans to update policies and procedures to solidify reporting channels and provide clear instructions for reporting material weaknesses in internal controls over operations and compliance. Due to the need for policy, procedure, documentation, and training updates required to appropriately report deficiencies in internal control over operations and compliance, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, documentation, and training by September 2021 and publish the associated policies by September 2022. In December 2021, Air Force informed us that it continues to work on implementation of this recommendation. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should develop procedures to require coordination between business process leads and the Air Force's unit managers to ensure that mission-critical asset–related internal control deficiencies are considered in the unit managers' assessments of internal control and related supporting statements of assurance. These procedures should include how, when, and with what frequency the results from the business process internal control reviews should be provided to relevant organizational units for consideration in their respective assurance statements. (Recommendation 12) |
DOD concurred with this recommendation and described actions taken or planned to address the recommendation. The Air Force will develop procedures to require communication of deficiencies from testing to responsible assessable units and to include clear instructions for communicating deficiencies in internal controls over operations and non-financial compliance to business process leads and assessable unit owners. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, as well as the change management needed to implement additional communications and protocol processes, the Air Force plans to refine the policies by September 2021 and publish the policies by September 2022. In December 2021, Air Force informed us that it continues to work on implementation of this recommendation. We will continue to monitor efforts to address this recommendation.
|