Air Force: Enhanced Enterprise Risk Management and Internal Control Assessments Could Improve Accountability over Mission-Critical Assets
Fast Facts
The Air Force identified more than half of its $398 billion in assets (i.e., aircraft, weapons, vehicles, buildings) as mission-critical in fiscal year 2019. But, for decades, the service has not been accurately tracking and reporting financial information about its mission-critical assets. Without reliable information on this, the Air Force can’t support informed decisions about the condition, cost, or reliability of its assets, or about the need to request more resources.
Our 12 recommendations could help the Air Force strengthen its policies and procedures for overseeing and reporting on its mission-critical assets.
Aerial view of the Pentagon
Highlights
What GAO Found
The Air Force's efforts to implement Enterprise Risk Management (ERM) are in the early stages, and accordingly, it has not fully incorporated ERM into its management practices as outlined in Office of Management and Budget (OMB) Circular No. A-123. As a result, the Air Force is not fully managing its challenges and opportunities from an enterprise-wide view. Until it fully incorporates ERM—planned for some time after 2023—the Air Force will continue to leverage its current governance and reporting structures as well as its existing internal control reviews.
The Air Force has not designed a comprehensive process for assessing internal control, including processes related to mission-critical assets. GAO found that existing policies and procedures that Air Force staff follow to perform internal control assessments do not accurately capture the requirements of OMB Circular No. A-123. For example, the Air Force does not require (1) an assessment of each internal control element; (2) test plans that specify the nature, scope, and timing of procedures to conduct; and (3) validation that the results of internal control tests are sufficiently clear and complete to explain how units tested control procedures, what results they achieved, and how they derived conclusions from those results. Also, Air Force guidance and training was not adequate for conducting internal control assessments.
In addition, GAO found that the Air Force did not design its assessment of internal control to evaluate all key areas that are critical to meeting its mission objectives as part of its annual Statement of Assurance process.
Furthermore, GAO found that procedures the Air Force used to review mission-critical assets did not (1) evaluate whether the control design would serve to achieve objectives or address risks; (2) test operating effectiveness after first determining if controls were adequately designed; (3) use process cycle memorandums that accurately reflected the current business process; and (4) evaluate controls it put in place to achieve operational, internal reporting, and compliance objectives. GAO also found that the results of reviews of mission-critical assets are not formally considered in the Air Force's assessment of internal control.
Without performing internal control reviews in accordance with requirements, the Air Force increases the risk that its assessment of internal control and related Statement of Assurance may not appropriately represent the effectiveness of internal control, particularly over processes related to its mission-critical assets.
Why GAO Did This Study
OMB Circular No. A-123 requires agencies to provide an annual assurance statement that represents the agency head's informed judgment as to the overall adequacy and effectiveness of internal controls related to operations, reporting, and compliance objectives. Although the Air Force is required annually to assess and report on its control effectiveness and to correct known deficiencies, it has been unable to demonstrate basic internal control, as identified in previous audits, that would allow it to report, with reasonable assurance, the reliability of internal controls, including those designed to account for mission-critical assets.
This report, developed in connection with fulfilling GAO's mandate to audit the U.S. government's consolidated financial statements, examines the extent to which the Air Force has incorporated ERM into its management practices and designed a process for assessing internal control, including processes related to mission-critical assets.
GAO reviewed Air Force policies and procedures and interviewed Air Force officials on their process for fulfilling ERM and internal control assessments.
Recommendations
GAO is making 12 recommendations to the Air Force, which include improving its risk management practices and internal control assessments. The Air Force agreed with all 12 recommendations and cited actions to address them.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of the Air Force | The Secretary of the Air Force should develop and implement procedures for an ERM governance structure that includes oversight responsibilities for identifying, assessing, responding to, and reporting on the risks associated with agency material weaknesses from all relevant sources. These procedures should clearly demonstrate that risks associated with material weaknesses are considered by Air Force governance, as a whole, and are mitigated appropriately to achieve goals and objectives. (Recommendation 1) |
During our fiscal year 2020 review of the U.S. Air Force's enterprise risk management (ERM) practices, we found that the Air Force's governance structure did not include a mechanism for senior management to oversee the management of risk associated with material weaknesses and consider its effect across the entire agency. To enhance controls over the ERM process, we recommended that the Secretary of the Air Force develop and implement procedures for an ERM governance structure that includes oversight responsibilities for identifying, assessing, responding to, and reporting on the risks associated with agency material weaknesses from all relevant sources. The recommendation further stated that these procedures should clearly demonstrate that risks associated with material weaknesses are considered by Air Force governance, as a whole, and are mitigated appropriately to achieve goals and objectives. In response to our recommendation, in April 2023, the Air Force developed and implemented procedures that require senior management to identify if updates are needed to the reviewed enterprise risks, which include risks that are contributing to operational, reporting, or compliance material weaknesses. The Air Force's actions to help ensure that it has a thorough and integrated ERM governance structure meet the intent of our recommendation and should help reduce the risk that Air Force will not properly identify, assess, and respond to significant entity-level risks.
|
Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require (1) clearly delineating who within the Air Force is responsible for evaluating the internal control components and principles, how often they are to perform the evaluation, the level (e.g., entity or transactional) of the evaluation, what objectives are covered in the assessment, to whom to communicate the results if they are relevant to others performing assessments of internal control, and what guidance to follow; (2) documenting management's determination of whether each component and principle is designed, implemented, and operating effectively; and (3) documenting management's determination of whether components are operating together in an integrated manner. (Recommendation 2) |
During our fiscal year 2020 review of the extent to which the U.S. Air Force has incorporated enterprise risk management into its management practices and designed a process for assessing internal control, we found that the Air Force's assessment of the five components of internal control lacked a determination of whether each internal control principle was designed, implemented, and operating effectively. Also, there was no indication that the Air Force designed the assessment to be pertinent to all Air Force objectives, nor did the Air Force provide the assessment results to the unit managers for input or consideration in their unit-specific control assessments and supporting statements of assurance. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop policies or procedures for assessing internal control to require (1) clearly delineating who within the Air Force is responsible for evaluating the internal control components and principles, how often they are to perform the evaluation, the level (e.g., entity or transactional) of the evaluation, what objectives are covered in the assessment, to whom to communicate the results if they are relevant to others performing assessments of internal control, and what guidance to follow; (2) documenting management's determination of whether each component and principle is designed, implemented, and operating effectively; and (3) documenting management's determination of whether components are operating together in an integrated manner. In June 2023, we reviewed Air Force's updated policy and procedures for assessing internal control and we initially found that the guidance did not meet the intent of our recommendation. In July 2023 we discussed this with Air Force, and in September 2023 Air Force provided additional information and guidance that demonstrated that in April 2023, the Air Force updated guidance for who is responsible for evaluating the internal control components and principles, how often, the level of testing, objectives to be included, to whom to communicate the results, and what guidance to follow. Additionally, the Air Force updated its guidance requiring management to document its determinations on components and principles. The Air Force's actions to help ensure that management is assessing whether each internal control component and principle is designed, implemented, and operating effectively meet the intent of our recommendation. These actions should help ensure that management's assurances on internal control effectiveness, as reported in the Statement of Assurance, appropriately represent the effectiveness of the Air Force's internal control.
|
Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require the use of test plans that (1) tie back to specific objectives to be achieved as included in the Business Operations Plan; (2) specify the nature, scope, and timing of procedures to conduct under the OMB Circular No. A-123 assessment process; and (3) reflect a consideration of prior year self-identified control deficiencies and results of internal and external audits. (Recommendation 3) |
During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management into its management practices and designed a process for assessing internal control, we found that the Air Force did not have a process in place to base its annual assessment of internal control and Statement of Assurance preparation on uniform testing performed across its agency. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop policies or procedures for assessing internal control to require the use of test plans that (1) tie back to specific objectives to be achieved as included in the Business Operations Plan; (2) specify the nature, scope, and timing of procedures to conduct under the Office of Management and Budget (OMB) Circular No. A-123 assessment process; and (3) reflect a consideration of prior year self-identified control deficiencies and results of internal and external audits. In June 2023, we reviewed Air Force's updated policy and procedures for assessing internal control and we initially found that the guidance did not meet the intent of our recommendation. In July 2023 we discussed this with Air Force, and in September 2023 Air Force provided additional information and guidance that demonstrated that in April 2023, the Air Force updated guidance to require test plans that outline the intent and approach for testing, coordination and assignment of testing procedures, and a plan for test execution. According to Air Force procedures, the execution plan should identify how to test the control activities, how to document and evaluate the results, and identify deficiencies. The Air Force's actions to help ensure that management is evaluating internal control by establishing a baseline through test plans meet the intent of our recommendation and should help ensure that the Air Force is consistently and effectively assessing its internal control to timely identify and correct deficiencies.
|
Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to validate (1) the number of organizational units reporting for its overall internal control assessment; (2) how control procedures were tested, what results were achieved, and how conclusions were derived from those results; and (3) whether the results used to compile the current year report are based on current fiscal year's assessments. (Recommendation 4) |
DOD concurred with this recommendation. In April 2023, the Air Force stated that they updated policy and procedures to require validation of assessable units and revamp assessable unit structure to simplify roles, responsibilities, and reporting. We reviewed the provided updates and found that the guidance does not discuss how Air Force should validate the number of units reporting, the testing performed, or the results obtained. In May 2024, the Air Force told us they are updating policy and procedures to require validation of the number of reporting units, control testing, and whether the results are based on current year assessments. The estimated completion date is December 31, 2025. We will continue to monitor efforts to address this recommendation.
|
Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to assess how waivers affect the current year assessment of internal control, the determination of systemic weaknesses, and the compilation of the Air Force's overall Statement of Assurance. (Recommendation 5) |
DOD concurred with this recommendation. In April 2023, the Air Force stated that they updated policy to include procedures for assessing the impact of waivers on internal control assessments. We reviewed the provided updates and found that there is no documented requirement to assess waivers' impact on the Statement of Assurance. In May 2024, the Air Force told us they are updating policy and procedures to require an assessment of waivers related to internal control assessments and the Statement of Assurance. The estimated completion date is December 31, 2025. We will continue to monitor efforts to address this recommendation.
|
Department of the Air Force | The Secretary of the Air Force should require that developers of the policy and related guidance associated with designing the procedures for conducting OMB Circular No. A-123 assessments receive recurring training and are appropriately skilled in conducting internal control assessments and are familiar with Standards for Internal Control in the Federal Government. (Recommendation 6) |
DOD concurred with this recommendation. In April 2023, the Air Force stated that they updated policy and procedures to require enterprise risk management and internal control policy owners to receive training on OMB Circular A-123 requirements and annual updates. They also stated they provided detailed instructions for updating OMB Circular A-123 training materials annually to reflect current guidance from the GAO, OMB, and DOD. Additionally, they stated that annual training was updated to include specific roles, responsibilities, procedures, and templates for assessing internal controls over operations, as well as consideration for compliance objectives and training was refined to target specific audiences integral to managing risks and internal control. We reviewed the provided updates and found that the guidance does not require training for the developers of policy. In May 2024, the Air Force told us they are currently updating policy to require developers and reviewers of policy to receive recurring training related to internal control assessments. The estimated completion date is December 31, 2025. We will continue to monitor efforts to address this recommendation.
|
Department of the Air Force | The Secretary of the Air Force should analyze all definitions included in Air Force ERM and internal control assessment policy and related guidance to ensure that all definitions and concepts are defined correctly. (Recommendation 7) |
During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force guidance for its assessments of internal control did not accurately or completely reflect definitions included in applicable guidance. For example, it lacked complete definitions of the four material weakness categories and did not accurately defining internal control. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force analyze all definitions included in Air Force ERM and internal control assessment policy and related guidance to ensure that all definitions and concepts are defined correctly. In response to our recommendation, in April 2023, the Air Force reviewed relevant policies and guidance, and updated definitions and concepts to be consistent with authoritative guidance. We confirmed that the risk management and internal control program procedures included the accurate and complete definitions of internal control and material weakness. The Air Force's actions to help ensure that its guidance reflects accurate and complete definitions meet the intent of our recommendation and should help ensure that officials performing internal control assessments will properly conclude on the results.
|
Department of the Air Force | The Secretary of the Air Force should require SAF/FM to design recurring training for those who will assess internal control that (1) includes enhancing their skills in evaluating the internal control system and documenting results; (2) reflects all OMB Circular No. A-123 requirements, such as those related to identifying objectives, evaluating deficiencies, and determining material weaknesses; and (3) is provided to all who are responsible for performing internal control assessments. (Recommendation 8) |
During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force's training provided to unit managers responsible for assessing internal control lacked sufficient instructions on how to perform such assessments. To enhance controls over the internal control assessment process, we recommended that the Air Force design recurring training for those who will assess internal control that (1) includes enhancing their skills in evaluating the internal control system and documenting results; (2) reflects all relevant requirements, such as those related to identifying objectives, evaluating deficiencies, and determining material weaknesses; and (3) is provided to all who are responsible for performing internal control assessments. In response to our recommendation, in April 2023, the Air Force updated guidance to require annual training for those managing risks and internal control. We confirmed that Air Force procedures include requirements for risk management and internal control staff to attend annual training. The Air Force's actions to help ensure that its staff have appropriate training meet the intent of our recommendation and should help reduce the risk that those responsible for assessing internal control may not adequately and timely identify internal control deficiencies.
|
Department of the Air Force | The Secretary of the Air Force should develop policy or procedures consistent with OMB Circular No. A-123 to assess the system of internal control using a risk-based approach. (Recommendation 9) |
During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force's approach for assessing internal control did not consider quantitative or qualitative risks. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop policy or procedures consistent with applicable guidance to assess the system of internal control using a risk-based approach. In response to our recommendation, in April 2023, the Air Force updated guidance for assessments to be performed using a risk-based approach that depends on the nature of the internal controls and importance of the unit's objectives. The Air Force's actions to help ensure internal controls are evaluated using a risk-based approach meet the intent of our recommendation and should help the Air Force ensure that resources are used efficiently. These actions should also help the Air Force assess key controls associated with achieving Air Force objectives-particularly those objectives that are subject to the highest risks or designated as high priority by agency management.
|
Department of the Air Force | The Secretary of the Air Force should develop procedures to assess internal control over processes related to mission-critical assets, including (1) tests of design that evaluate whether controls are capable of achieving objectives, (2) tests of effectiveness only after a favorable assessment of the design of the control, and (3) a baseline that has accurate descriptions of business processes and identifies key internal controls as designed by management to respond to risks. (Recommendation 10) |
During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that Air Force's reviews of internal control over processes related to mission-critical assets did not meet applicable requirements or federal internal control standards for evaluating a system of internal control. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop procedures to assess internal control over processes related to mission-critical assets, including (1) tests of design that evaluate whether controls are capable of achieving objectives, (2) tests of effectiveness only after a favorable assessment of the design of the control, and (3) a baseline that has accurate descriptions of business processes and identifies key internal controls as designed by management to respond to risks. In response to our recommendation, in April 2023, the Air Force updated guidance to assess internal control over processes related to mission-critical assets. We confirmed that for fiscal year 2023, the risk management and internal control group assessed materiality and risks associated with mission-critical assets, performed tests of design and operating effectiveness, and documented baselines of business processes for those mission-critical assets within scope. The Air Force's actions to help ensure it is comprehensively evaluating internal control over processes related to mission-critical assets meet the intent of our recommendation and should help reduce the risk that Air Force may not timely identify internal control deficiencies. These actions also help to increase the Air Force's reasonable assurance over the effectiveness of internal control for processes accounting for mission-critical assets.
|
Department of the Air Force | The Secretary of the Air Force should establish a process and reporting lines of all the sources of information, including reviews performed of internal control processes related to mission-critical assets, that will be considered in the Secretary's Statement of Assurance. (Recommendation 11) |
During our fiscal year 2020 review of the U.S. Air Force's enterprise risk management practices and processes for assessing internal control, we found that the Air Force lacked a process for managers to consider the results of internal control reviews performed at the business process assessable unit level when they assess and report on the status of internal control for the overall Air Force Statement of Assurance. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force establish a process and reporting lines of all the sources of information, including reviews performed of internal control processes related to mission-critical assets, that will be considered in the Secretary's Statement of Assurance. In June 2023, we reviewed Air Force's updated policy and procedures for assessing internal control and we initially found that the guidance did not meet the intent of our recommendation. In July 2023 we discussed this with Air Force, and in September 2023 Air Force provided additional information and guidance that demonstrated that in April 2023, the Air Force updated guidance to require conclusions of a control's design, implementation, operating effectiveness, and residual risk to be documented within the Enterprise Governance Risk and Compliance (eGRC) tool. Additionally, the procedures require results of all walkthroughs performed by the assessable unit leads or Air Force Audit Agency, who review control activities for processes related to mission-critical assets, to be documented in eGRC. The Air Force's actions to help ensure that they are comprehensively evaluating internal control processes related to mission-critical assets meet the intent of our recommendation and should help ensure that the Air Force will timely identify internal control deficiencies.
|
Department of the Air Force | The Secretary of the Air Force should develop procedures to require coordination between business process leads and the Air Force's unit managers to ensure that mission-critical asset–related internal control deficiencies are considered in the unit managers' assessments of internal control and related supporting statements of assurance. These procedures should include how, when, and with what frequency the results from the business process internal control reviews should be provided to relevant organizational units for consideration in their respective assurance statements. (Recommendation 12) |
During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force lacked a process for the organizational unit managers to consider the results of internal control reviews performed in business process units when they assess and report on the status of internal control for the overall Air Force Statement of Assurance. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop procedures to require coordination between business process leads and the Air Force's unit managers to ensure that mission-critical asset-related internal control deficiencies are considered in the unit managers' assessments of internal control and related supporting statements of assurance. The recommendation further stated that these procedures should include how, when, and with what frequency the results from the business process internal control reviews should be provided to relevant organizational units for consideration in their respective assurance statements. In response to our recommendation, in April 2023, the Air Force updated guidance to require communication of deficiencies identified from testing to responsible assessable units, with clear instructions for this communication. We confirmed that for fiscal year 2023, the deficiencies identified during assessments were communicated through a Summary of Aggregated Deficiencies tool. The Air Force's actions to help ensure they are considering results of various evaluations in the assessment process meet the intent of our recommendation and should help ensure that the Air Force's assessment of internal control and related Statement of Assurance appropriately represent the effectiveness of internal control.
|