Air Force: Enhanced Enterprise Risk Management and Internal Control Assessments Could Improve Accountability over Mission-Critical Assets
Fast Facts
The Air Force identified more than half of its $398 billion in assets (i.e., aircraft, weapons, vehicles, buildings) as mission-critical in fiscal year 2019. But, for decades, the service has not been accurately tracking and reporting financial information about its mission-critical assets. Without reliable information on this, the Air Force can’t support informed decisions about the condition, cost, or reliability of its assets, or about the need to request more resources.
Our 12 recommendations could help the Air Force strengthen its policies and procedures for overseeing and reporting on its mission-critical assets.
Aerial view of the Pentagon
Highlights
What GAO Found
The Air Force's efforts to implement Enterprise Risk Management (ERM) are in the early stages, and accordingly, it has not fully incorporated ERM into its management practices as outlined in Office of Management and Budget (OMB) Circular No. A-123. As a result, the Air Force is not fully managing its challenges and opportunities from an enterprise-wide view. Until it fully incorporates ERM—planned for some time after 2023—the Air Force will continue to leverage its current governance and reporting structures as well as its existing internal control reviews.
The Air Force has not designed a comprehensive process for assessing internal control, including processes related to mission-critical assets. GAO found that existing policies and procedures that Air Force staff follow to perform internal control assessments do not accurately capture the requirements of OMB Circular No. A-123. For example, the Air Force does not require (1) an assessment of each internal control element; (2) test plans that specify the nature, scope, and timing of procedures to conduct; and (3) validation that the results of internal control tests are sufficiently clear and complete to explain how units tested control procedures, what results they achieved, and how they derived conclusions from those results. Also, Air Force guidance and training was not adequate for conducting internal control assessments.
In addition, GAO found that the Air Force did not design its assessment of internal control to evaluate all key areas that are critical to meeting its mission objectives as part of its annual Statement of Assurance process.
Furthermore, GAO found that procedures the Air Force used to review mission-critical assets did not (1) evaluate whether the control design would serve to achieve objectives or address risks; (2) test operating effectiveness after first determining if controls were adequately designed; (3) use process cycle memorandums that accurately reflected the current business process; and (4) evaluate controls it put in place to achieve operational, internal reporting, and compliance objectives. GAO also found that the results of reviews of mission-critical assets are not formally considered in the Air Force's assessment of internal control.
Without performing internal control reviews in accordance with requirements, the Air Force increases the risk that its assessment of internal control and related Statement of Assurance may not appropriately represent the effectiveness of internal control, particularly over processes related to its mission-critical assets.
Why GAO Did This Study
OMB Circular No. A-123 requires agencies to provide an annual assurance statement that represents the agency head's informed judgment as to the overall adequacy and effectiveness of internal controls related to operations, reporting, and compliance objectives. Although the Air Force is required annually to assess and report on its control effectiveness and to correct known deficiencies, it has been unable to demonstrate basic internal control, as identified in previous audits, that would allow it to report, with reasonable assurance, the reliability of internal controls, including those designed to account for mission-critical assets.
This report, developed in connection with fulfilling GAO's mandate to audit the U.S. government's consolidated financial statements, examines the extent to which the Air Force has incorporated ERM into its management practices and designed a process for assessing internal control, including processes related to mission-critical assets.
GAO reviewed Air Force policies and procedures and interviewed Air Force officials on their process for fulfilling ERM and internal control assessments.
Recommendations
GAO is making 12 recommendations to the Air Force, which include improving its risk management practices and internal control assessments. The Air Force agreed with all 12 recommendations and cited actions to address them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of the Air Force | The Secretary of the Air Force should develop and implement procedures for an ERM governance structure that includes oversight responsibilities for identifying, assessing, responding to, and reporting on the risks associated with agency material weaknesses from all relevant sources. These procedures should clearly demonstrate that risks associated with material weaknesses are considered by Air Force governance, as a whole, and are mitigated appropriately to achieve goals and objectives. (Recommendation 1) | During our fiscal year 2020 review of the U.S. Air Force's enterprise risk management (ERM) practices, we found that the Air Force's governance structure did not include a mechanism for senior management to oversee the management of risk associated with material weaknesses and consider its effect across the entire agency. To enhance controls over the ERM process, we recommended that the Secretary of the Air Force develop and implement procedures for an ERM governance structure that includes oversight responsibilities for identifying, assessing, responding to, and reporting on the risks associated with agency material weaknesses from all relevant sources. The recommendation further stated... that these procedures should clearly demonstrate that risks associated with material weaknesses are considered by Air Force governance, as a whole, and are mitigated appropriately to achieve goals and objectives. In response to our recommendation, in April 2023, the Air Force developed and implemented procedures that require senior management to identify if updates are needed to the reviewed enterprise risks, which include risks that are contributing to operational, reporting, or compliance material weaknesses. The Air Force's actions to help ensure that it has a thorough and integrated ERM governance structure meet the intent of our recommendation and should help reduce the risk that Air Force will not properly identify, assess, and respond to significant entity-level risks.
View More |
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require (1) clearly delineating who within the Air Force is responsible for evaluating the internal control components and principles, how often they are to perform the evaluation, the level (e.g., entity or transactional) of the evaluation, what objectives are covered in the assessment, to whom to communicate the results if they are relevant to others performing assessments of internal control, and what guidance to follow; (2) documenting management's determination of whether each component and principle is designed, implemented, and operating effectively; and (3) documenting management's determination of whether components are operating together in an integrated manner. (Recommendation 2) | During our fiscal year 2020 review of the extent to which the U.S. Air Force has incorporated enterprise risk management into its management practices and designed a process for assessing internal control, we found that the Air Force's assessment of the five components of internal control lacked a determination of whether each internal control principle was designed, implemented, and operating effectively. Also, there was no indication that the Air Force designed the assessment to be pertinent to all Air Force objectives, nor did the Air Force provide the assessment results to the unit managers for input or consideration in their unit-specific control assessments and supporting...
|
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require the use of test plans that (1) tie back to specific objectives to be achieved as included in the Business Operations Plan; (2) specify the nature, scope, and timing of procedures to conduct under the OMB Circular No. A-123 assessment process; and (3) reflect a consideration of prior year self-identified control deficiencies and results of internal and external audits. (Recommendation 3) | During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management into its management practices and designed a process for assessing internal control, we found that the Air Force did not have a process in place to base its annual assessment of internal control and Statement of Assurance preparation on uniform testing performed across its agency. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop policies or procedures for assessing internal control to require the use of test plans that (1) tie back to specific objectives to be achieved as included in the Business...
|
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to validate (1) the number of organizational units reporting for its overall internal control assessment; (2) how control procedures were tested, what results were achieved, and how conclusions were derived from those results; and (3) whether the results used to compile the current year report are based on current fiscal year's assessments. (Recommendation 4) | DOD concurred with this recommendation. In April 2023, the Air Force stated that they updated policy and procedures to require validation of assessable units and revamp assessable unit structure to simplify roles, responsibilities, and reporting. We reviewed the provided updates and found that the guidance does not discuss how Air Force should validate the number of units reporting, the testing performed, or the results obtained. In May 2024, the Air Force told us they are updating policy and procedures to require validation of the number of reporting units, control testing, and whether the results are based on current year assessments. The estimated completion date is December 31, 2025....
|
| Department of the Air Force | The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to assess how waivers affect the current year assessment of internal control, the determination of systemic weaknesses, and the compilation of the Air Force's overall Statement of Assurance. (Recommendation 5) |
DOD concurred with this recommendation. In April 2023, the Air Force stated that they updated policy to include procedures for assessing the impact of waivers on internal control assessments. We reviewed the provided updates and found that there is no documented requirement to assess waivers' impact on the Statement of Assurance. In May 2024, the Air Force told us they are updating policy and procedures to require an assessment of waivers related to internal control assessments and the Statement of Assurance. The estimated completion date is December 31, 2025. We will continue to monitor efforts to address this recommendation.
|
| Department of the Air Force | The Secretary of the Air Force should require that developers of the policy and related guidance associated with designing the procedures for conducting OMB Circular No. A-123 assessments receive recurring training and are appropriately skilled in conducting internal control assessments and are familiar with Standards for Internal Control in the Federal Government. (Recommendation 6) | DOD concurred with this recommendation. In April 2023, the Air Force stated that they updated policy and procedures to require enterprise risk management and internal control policy owners to receive training on OMB Circular A-123 requirements and annual updates. They also stated they provided detailed instructions for updating OMB Circular A-123 training materials annually to reflect current guidance from the GAO, OMB, and DOD. Additionally, they stated that annual training was updated to include specific roles, responsibilities, procedures, and templates for assessing internal controls over operations, as well as consideration for compliance objectives and training was refined to...
|
| Department of the Air Force | The Secretary of the Air Force should analyze all definitions included in Air Force ERM and internal control assessment policy and related guidance to ensure that all definitions and concepts are defined correctly. (Recommendation 7) | During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force guidance for its assessments of internal control did not accurately or completely reflect definitions included in applicable guidance. For example, it lacked complete definitions of the four material weakness categories and did not accurately defining internal control. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force analyze all definitions included in Air Force ERM and internal control...
|
| Department of the Air Force | The Secretary of the Air Force should require SAF/FM to design recurring training for those who will assess internal control that (1) includes enhancing their skills in evaluating the internal control system and documenting results; (2) reflects all OMB Circular No. A-123 requirements, such as those related to identifying objectives, evaluating deficiencies, and determining material weaknesses; and (3) is provided to all who are responsible for performing internal control assessments. (Recommendation 8) | During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force's training provided to unit managers responsible for assessing internal control lacked sufficient instructions on how to perform such assessments. To enhance controls over the internal control assessment process, we recommended that the Air Force design recurring training for those who will assess internal control that (1) includes enhancing their skills in evaluating the internal control system and documenting results; (2) reflects all relevant...
|
| Department of the Air Force | The Secretary of the Air Force should develop policy or procedures consistent with OMB Circular No. A-123 to assess the system of internal control using a risk-based approach. (Recommendation 9) | During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force's approach for assessing internal control did not consider quantitative or qualitative risks. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop policy or procedures consistent with applicable guidance to assess the system of internal control using a risk-based approach. In response to our recommendation, in April 2023, the Air Force updated guidance for assessments to be performed...
|
| Department of the Air Force | The Secretary of the Air Force should develop procedures to assess internal control over processes related to mission-critical assets, including (1) tests of design that evaluate whether controls are capable of achieving objectives, (2) tests of effectiveness only after a favorable assessment of the design of the control, and (3) a baseline that has accurate descriptions of business processes and identifies key internal controls as designed by management to respond to risks. (Recommendation 10) | During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that Air Force's reviews of internal control over processes related to mission-critical assets did not meet applicable requirements or federal internal control standards for evaluating a system of internal control. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop procedures to assess internal control over processes related to mission-critical assets, including (1) tests of design that evaluate...
|
| Department of the Air Force | The Secretary of the Air Force should establish a process and reporting lines of all the sources of information, including reviews performed of internal control processes related to mission-critical assets, that will be considered in the Secretary's Statement of Assurance. (Recommendation 11) | During our fiscal year 2020 review of the U.S. Air Force's enterprise risk management practices and processes for assessing internal control, we found that the Air Force lacked a process for managers to consider the results of internal control reviews performed at the business process assessable unit level when they assess and report on the status of internal control for the overall Air Force Statement of Assurance. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force establish a process and reporting lines of all the sources of information, including reviews performed of internal control processes related to...
|
| Department of the Air Force | The Secretary of the Air Force should develop procedures to require coordination between business process leads and the Air Force's unit managers to ensure that mission-critical asset–related internal control deficiencies are considered in the unit managers' assessments of internal control and related supporting statements of assurance. These procedures should include how, when, and with what frequency the results from the business process internal control reviews should be provided to relevant organizational units for consideration in their respective assurance statements. (Recommendation 12) | During our fiscal year 2020 review of the extent to which the U.S. Air Force incorporated enterprise risk management (ERM) into its management practices and designed a process for assessing internal control, we found that the Air Force lacked a process for the organizational unit managers to consider the results of internal control reviews performed in business process units when they assess and report on the status of internal control for the overall Air Force Statement of Assurance. To enhance controls over the internal control assessment process, we recommended that the Secretary of the Air Force develop procedures to require coordination between business process leads and the Air...
|