The OIG Audit office initiated this audit based upon an assessment of program risks. Our audit objective was to determine whether the U.S. AbilityOne Commission’s (Commission) enterprise risk management (ERM) process is effective and used to make risk-based decisions.
Although the Commission has designed and implemented a formal ERM program, the OIG determined that the ERM program is not fully effective. This could impact the Commission’s ability to make fully informed risk-based decisions. Specifically, we found that the Commission’s ERM process and related internal controls need improvements, and the Commission lacked the ERM training to identify and correct these improvement areas.
The OIG recommended that the Commission ensure that the appropriate individuals are trained through a structured ERM program training, assess and update existing ERM policies and procedures, and research and adopt an appropriate ERM maturity model. We also recommended that the Commission develop and implement effective key controls and results assessment, include a process in the ERM program to document management’s determination of key process decisions for its other process considerations, and develop and implement a process for tracking the consolidation of risks.
