Enterprise-wide Risk Assessment Audit of NARA’s Internal Controls

View Report

Date Issued

Friday, October 28, 2016

Submitting OIG

National Archives and Records Administration OIG

Other Participating OIGs

National Archives and Records Administration OIG

Agencies Reviewed/Investigated

National Archives and Records Administration

Report Number

17-AUD-01

Report Description

Cotton & Company LLP independent report on the NARA's enterprise-wide risk assessment of internal controls and the risks to NARA’s mission, operations, and procedures.

Report Type

Audit

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 7 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1a	Yes	$0	$0
We recommend that the Chief Operating Officer\Chief Risk Officer fully implement all components of NARA 160, including developing, documenting, and fully implementing NARA 162, NARA’s Enterprise Risk Management Program. Within NARA 162, roles and responsibilities for ERM activities should be clearly identified.
1b	Yes	$0	$0
We recommend that the Chief Operating Officer\Chief Risk Officer fully implement all components of NARA 160, including Developing, documenting, and fully implementing NARA 163, NARA’s Issues Management.
2a	Yes	$0	$0
We recommend that the Chief Operating Officer\Chief Risk Officer develop, document, and implement a formal process to identify and prioritize risks within the organization. Risks should be tied directly to NARA’s strategic plan and mission and prioritized based on their overall importance to the agency.
2b	Yes	$0	$0
We recommend that the Chief Operating Officer\Chief Risk Officer develop, document, and implement a formal process to prioritize risk management activities including the use of limited resources based on key risks within the organization. Management’s prioritization should be clearly documented and include formal steps to ensure risks are maintained at an appropriate level.
3	Yes	$0	$0
We recommend that the Chief Operating Officer\Chief Risk Officer Provide additional resources to the Office of Accountability to ensure ICP activities are effectively carried out.
4	Yes	$0	$0
We recommend that the Chief Operating Officer\Chief Risk Officer develop and implement a formal process to review and evaluate the completeness and accuracy of ICP documentation submitted. Validation procedures should include a formal review: To ensure all required documentation has been submitted by the due date. Where documentation has not been provided, NARA should have a formal process in place to follow up and obtain the required documentation. Of ICP documentation submitted to ensure it is both complete and accurate. Where discrepancies are identified, NARA should have a formal process in place to follow up with management so corrections can be made. Of each office’s submission to determine whether risks identified and conclusions made are appropriately supported. Of test plans and test results for all high-risk or highly critical functions to ensure they clearly demonstrate the office’s methodology for performing testing and reaching conclusions. Of monitoring plans and monitoring results for all functions that clearly show the extent of monitoring performed, the office’s methodology for performing the monitoring, and the rationale for its conclusions
5	Yes	$0	$0
We recommend that the Chief Operating Officer\Chief Risk Officer develop and fully implement a formal ICP training program. NARA’s ICP training program should identify and require individuals who are involved with NARA’s ICP to complete initial training and refresher training periodically thereafter. Further, management should track completion of ICP training to ensure all individuals involved in the ICP process have received adequate training.