NASA OIG Final Memorandum on Audit of NASA’s Compliance with Federal Internal Control Reporting Requirements
National Aeronautics and Space Administration
Office of Inspector General
Washington, DC 20546-0001
August 14, 2007
TO: Assistant Administrator for Internal Controls and Management Systems
FROM: Assistant Inspector General for Auditing
SUBJECT: Final Memorandum on Audit of NASA’s Compliance with Federal Internal Control Reporting Requirements (Report No. IG-07-025; Assignment No. A-07-004-00)
The Office of Inspector General (OIG) has completed an audit to evaluate the adequacy and effectiveness of NASA’s process for complying with Federal internal control reporting requirements. Specifically, we determined the comprehensiveness of NASA’s guidance for assessing and reporting on internal controls, the effectiveness of the tools (i.e., training and communication) for implementing the guidance, and the adequacy of the documentation supporting NASA’s Statement of Assurance.¹ As part of the audit, we visited the Office of Internal Controls and Management Systems (OICMS), Office of the Chief Information Officer (OCIO), Integrated Enterprise Management Program (IEMP), and Goddard Space Flight Center (GSFC). (See Enclosure 1 for details on the audit scope and methodology.)
Executive Summary
We found that NASA’s process for complying with Federal internal control requirements was not adequate in FY 2006. While the FY 2007 process will see progress (e.g., additional guidance to be issued), additional improvements are needed. NASA’s internal control reporting process was, and continues to be, developed without a well-defined and structured approach. We found that NASA’s FY 2006 guidance, as well as the guidance being drafted for FY 2007, were incomplete or lacked sufficient clarification and were not distributed in a timely manner. Also, while both the FY 2006 and the draft FY 2007 guidance require that program managers include an internal control matrix, neither guidance was clear as to why the matrix was required or how the matrix would ultimately be used; and the sample matrices provided in the guidance were insufficient. In addition, we found that the training was not comprehensive or attended by all key personnel, and that lines of communication among management and reporting bodies were not clearly defined and established. Furthermore, we found that there was not a clear audit trail of the documentation supporting the FY 2006 statements of assurance submitted by NASA offices and Centers, which was the basis for NASA’s Statement of Assurance signed by the Administrator.
In our July 10, 2007, draft of this memorandum, we recommended that the Assistant Administrator of OICMS revise NASA’s policy and implementing guidance and issue such guidance in a timely manner. We also recommended that, after the guidance is clarified as to why there is a requirement for an internal control matrix and how the matrix will ultimately be used, a better sample matrix be provided. In addition, we recommended the implementation of a training program and procedures to solicit feedback on the training program. Further, we recommended the establishment of well-defined lines of communication between OICMS and the rest of the Agency. Finally, we recommended that the Assistant Administrator of OICMS implement a quality control process for the Agency’s internal control program.
Management concurred with all eight recommendations and requested closure of two recommendations (see Enclosure 2). We closed the two recommendations and will close the remaining recommendations upon completion and verification of management’s corrective actions.
¹ OMB Circular A-123 notes that “The statement on reasonable assurance represents the agency head’s informed judgment as to the overall adequacy and effectiveness of management controls within the agency. The statement must take one of the following forms: unqualified statement of assurance (no material weaknesses reported); qualified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses reported); or statement of no assurance (no processes in place or pervasive material weaknesses).”