MEMORANDUM. Comments on the Updating of the LSC Risk Management Program



Similar documents
Five-Year Strategic Plan

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

AUDIT REPORT REPORT NUMBER Information Technology Professional Services Oracle Software March 25, 2014

U.S. Department of Justice Office of the Inspector General. Improving the Grant Management Process

Audit of NRC s Network Security Operations Center

Fraud Risk Management

ADVISORY MEMORANDUM REPORT ON DEVELOPMENT OF THE LOAN MONITORING SYSTEM ADVISORY REPORT NUMBER A1-03 FEBRUARY 23, 2001

Controls Over EPA s Compass Financial System Need to Be Improved

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

AUDIT OF THE MANAGEMENT OF GRANTS AWARDED BY USAID S OFFICE OF AMERICAN SCHOOLS AND HOSPITALS ABROAD

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

State and District Monitoring of School Improvement Grant Contractors in California FINAL AUDIT REPORT

AUDIT REPORT REPORT NUMBER Information Technology Microsoft Software Licenses March 27, 2014

MODULE DESCRIPTIONS. A Brief Introduction to SMART Training (20 minutes)

The Role of the Board in Enterprise Risk Management

CMS DID NOT ALWAYS MANAGE AND OVERSEE CONTRACTOR PERFORMANCE

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

GAO DATA CENTER CONSOLIDATION. Strengthened Oversight Needed to Achieve Cost Savings Goal. Report to Congressional Requesters

NOT ALL COMMUNITY SERVICES BLOCK GRANT RECOVERY ACT COSTS CLAIMED

Introduction to Enterprise Risk Management at UVM DRAFT

Department of Veterans Affairs VA Directive VA Enterprise Risk Management (ERM)

INFORMATION TECHNOLOGY: Reservation System Infrastructure Updated, but Future System Sustainability Remains an Issue

August 9, Report Number: A

HUD Hired Employees in Accordance With Office of Personnel Management Guidelines for Streamlining the Federal Hiring Process HIGHLIGHTS

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

REVIEW OF NASA S INTERNAL CONTROLS FOR AWARDS WITH SMALL BUSINESSES

Audit of the Policy on Internal Control Implementation

DOD BUSINESS SYSTEMS MODERNIZATION. Additional Action Needed to Achieve Intended Outcomes

Work Plan ongoing and planned audit and evaluation projects. Current as of June 5, 2015

ClOP CHAPTER Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

United States General Accounting Office GAO. Internal Control Standards. Internal Control Management and Evaluation Tool. August 2001 GAO G

2015 List of Major Management Challenges for the CFPB

M ANAGEMENT I NTEGRATION G OAL. Achieve organizational and management excellence

MISSION VALUES. The guide has been printed by:

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Fiscal Year 2014 Work Plan

Department of Homeland Security Office of Inspector General. Improvements Needed in Federal Emergency Management Agency Monitoring of Grantees

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

Core Monitoring Guide

A Risk-Based Audit Strategy November 2006 Internal Audit Department

USAID Management Operations Council Charter

U.S. Department of Education. Office of the Chief Information Officer

Department of Veterans Affairs Office of Inspector General Strategic Plan FY

GAO HIGHER EDUCATION. Issues Related to Law School Accreditation. Report to Congressional Requesters. United States Government Accountability Office

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Subject: GSA On-line Procurement Programs Lack Documentation and Reliability Testing

Enterprise Risk Management

AUDIT REPORT. The Energy Information Administration s Information Technology Program

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

INSPECTOR GENERAL UNITED STATES POSTAL SERVICE

Fraud Prevention and Deterrence

VETERANS AFFAIRS CONTRACTING Improved Oversight Needed for Certain Contractual Arrangements

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Accountant (GS-510) Competency Model

THE GOVERNANCE OF RISK MANAGEMENT. Session 5

GENERAL SERVICES ADMINISTRATION Federal Acquisition Service Mission Oriented Business Integrated Services (MOBIS) SCHEDULE PRICE LIST

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

AUDIT REPORT. Follow-up on the Department of Energy's Acquisition and Maintenance of Software Licenses

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL 400 MARYLAND AVENUE, S.W. WASHINGTON, DC

LEGAL SERVICES CORPORATION OFFICE OF INSPECTOR GENERAL FINAL REPORT ON SELECTED INTERNAL CONTROLS RHODE ISLAND LEGAL SERVICES, INC.

Transcription:

Office of Inspector General Legal Services Corporation 3333 K Street, NW. 3rd Floor Washington, DC 20007 3558 202.295. 1660 (p) 202.337.6616 (f) www.oig.lsc.gov MEMORANDUM TO: FROM: LSC Audit Committee Jim J. Sandman, President Ronald S. Flagg, Vice President & General Counsel David Richardson, Treasurer and co,~)td;j. n.).-x.j,y (7, Jeffrey E. Schanz, Inspector Generf~ C. DATE: July 19, 2013 U SUBJECT: Comments on the Updating of the LSC Risk Management Program Introduction: The purpose of this memorandum is to provide the Office of Inspector General (OIG) comments on the updating of the LSC Risk Management Program (RMP) originally released in January 2009, as requested by the Audit Committee at its July 2, 2013 telephonic meeting. Please consider our comments to be advisory in nature. Placing the RMP in the forefront of organizational initiatives is important evidence of leadership by the Audit Committee and Management. Proactively managing risk is a central function of organizational leadership and directly impacts LSC's ability to achieve its operations, reporting and compliance objectives. If mismanaged, risks can carry significant regulatory, financial, and reputational consequences. Overall, the OIG believes LSC should broaden its approach to risk assessment by placing a greater emphasis on a strong and dynamic internal control framework, understood by the Board, LSC Management, LSC staff, and the grantee community. 1 =Ii:LSC II Am.,;",', P."n«For Equ.l Ju.ti«

Larger Perspectives on Risk Management: Generally, the OIG recommends that LSC use applicable risk management guides and practices throughout the design and implementation of its risk management program. 1. Promoting a Strong System of Internal Controls The OIG recommends that LSC use an applicable internal control framework to further design its risk management program. 1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control-Integrated Framework, dated May 2013, is comprised of five integrated components including the control environment, risk assessment, control activities (policies and procedures), information and communication, and monitoring activities. While all five components are necessary to successfully implement the framework, Information and Communication, and Monitoring Activities would greatly help the LSC address concerns of being able to exercise its responsibility for organizational risk. The OIG believes that unless such a framework is implemented by LSC, the current risk matrix could eventually meet the same fate as the 2009 matrix as Management officials and Board members change: paraphrasing one Committee member at a recent committee meeting -- The matrix was very helpful; I didn't know it existed. Three publications would be very helpful to the Corporation: 2 a. The Executive Summary to the recently revised COSO Internal Control Integrated Framework, dated May 2013. b. OMB Circular A-123-Management's Responsibility for Internal Control. c. Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government. LSC's Accounting Guide for LSC Recipients already emphasizes the COSO Internal Control Framework. Adopting the COSO framework would bring LSC headquarters in agreement with both GAO and the guidance provided to the grantee community. 1 " A strong system of internal controls and oversight helps an organization to identify complications or ga ps in processes, allowi ng fo r a continuing cycle of self-improvement to enhance the efficiency and effectiveness of operations.", Fiscal Oversight Task Force (FOTF) report, July 28, 2011, page 21. 2 Available at https ://oi g.lsc.gov/gov/bi bliography.htm. 2

2. Enterprise Risk Managemene - A Larger Dynamic and Systematic Approach to Risk Assessment Further, the OIG recommends LSC use the COSO Enterprise Risk Management Integrated Framework that takes an expanded approach to internal control by including objective settings, event identification, and risk response. 3. Fiscal Oversight Task Force Report The OIG recommends that LSC incorporates the FOTF recommendations (2011) into its risk management program. The report reinforces the importance of internal control to reduce financial risks and achieve stronger fiscal grantee oversight. 4. Essential Elements in the Success of LSC's Risk Management Program Incorporating many of the components of these frameworks, the OIG recommends LSC consider applying the following: a. Strategy and Performance: LSC should identify, review and modify key risks in alignment with the 2012-2016 LSC Strategic Plan to more integrate performance and risks. b. Dynamic Process: LSC should not limit its risk assessment to a static or periodic identification and review of key risks but rather include this process in the context of Enterprise Risk Management. Risk Management is a dynamic process that should be ingrained across all activities in the organizational structure and memorialized in policy and culture. c. Tone at the Top: LSC should continue to establish a strong "tone at the top" that stresses a sense of responsibility within all levels of the organization towards the management of risks and achievement of objectives. d. Measurement: LSC should create a series of performance and risk measures to provide the Corporation with more timely information about recent risk events as they pertain to strategic objectives. 3 "Enterprise Risk Management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potentia l events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regard ing the achievement of entity objectives ". The Committee of Sponsoring Organizations of the Treadway Committee (COSO) Enterprise Risk Management-Integrated Framework, Executive Summary, September 2004, Page 2. 3

e. Communication and Coordination: i. LSC should ensure relevant information is identified, managed and shared in a timely manner throughout the organization that allows all parties to carry their responsibilities. ii. As recommended by the FOTF report, LSC should create one central information management system to support sharing of grants oversight information across the oversight offices. 4 This could include a centralized risk management module as well. iii. There should be transparency and measurement in all risk management activities with accountability and consequences for failure. f. Training : LSC and its grantees need to ensure individuals across the organization have the proper knowledge and skills to manage risks to achieve mission success. 5 Risk Matrix Comments: Although the OIG supports a broader approach to LSC's risk management program, we offer the following comments on the draft risk matrix for Committee and Management consideration. 5. Further Definition Instead of categorizing risks by People, Funding, Assets and Grantees, LSC should consider aligning its risks to the 2012-2016 LSC Strategic Plan's Goals and Initiatives. This would assist LSC's overall monitoring and management of key performance and risk areas. The OIG recommends LSC more specifically clarify and define the risks and their associated mitigation strategies throughout the risk matrix. Further, the Corporation should document the strengths and weaknesses of the strategies and determine the level of tolerance for each risk. 4 "Create a common system for the storing and viewing of appropriate information related to grantee operation s and oversight... "FOTF report, page 18. 5 "The governance and fiscal overs ig ht provid ed by LSC and its grantees should be supported by ind ividuals with knowledge of LSC-related risks as well as strong financial expertise." FOTF Report, page 19. 4

6. Additional Risk Area Considerations a. Management Systems Risks : The OIG recommends LSC review whether it has the management systems in place to achieve its goals and objectives. Several management system areas are worthy of inclusion or further strengthening within the RMP. Many of these management systems are commonly identified by the Government Accountability Office in its 2013 High Risk List of Federal Proqrams 6. I. Performance Management (failure to achieve performance of defined goals). Potential Strategy: Create a formal organizational management performance cycle including an annual management plan and quarterly reporting to help routinize the achievement of the LSC multi-year Strategic Plan 's goals and initiatives. ii. Human Capital Management (failure to attract, hire, motivate and retain high quality and innovative staff needed to carryout organizational goals and objectives; poor labor relations - including strikes). Potential Strategies: 1. Define career ladders. 2. Provide professional trainings and continuing education. 3. Implement pay for performance system. 4. Maintain open communication with the union. 5. Transition planning (at all levels). iii. Information Management (failure to collect and share vital information). Potential Strategies: 1. Create a more transparent corporate culture that expects the timely sharing of information and the breaking of information silos. 2. Perform organizational systems analysis identifying most critical information sharing needs (e.g. one common grantee oversight and risk management system). 3. Determine degree of business process maturity and reengineering needs. 4. Perform process automation requirement analysis. 5. Procure or build information systems to enhance core function execution. 6 http://www.qao. qov/hiq hriskloverview. 5

iv. Cost Management (unknown waste related to insufficient cost reporting). Potential Strategy: LSC could review the managerial accounting reporting and timekeeping systems to determine if the organization would be better supported by an activity based management system (integrating budget, resources, plans, actions, costs and performance). This could allow costs (including human resource costs) of all operational projects to be visible, creating more management information potentially leading to cost savings through process improvements or eliminations. v. Acquisitions Management (higher contract costs and possible areas of fraud, waste and abuse). LSC should consider adding acquisitions management as a potential risk area both for LSC Management and Grantee Operations. Weaknesses in acquisition systems, the procurement process, policies and procedures, accountability and contracts management are all areas of possible concern. b. LSC Regulations (Risk that regulations do not clearly and effectively implement statutory requirements). To the extent it exists, ambiguity or obscurity in regulatory language and official LSC interpretations can make compliance by grantees and enforcement by the Corporation more difficult. Additionally, changing circumstances extrinsic to the rules themselves may alter the impact of rules on grantees and their effectiveness, e.g., technological changes could lead to reduced burden on grantees, other extrinsic changes lead to increased or decreased burden on grantees. c. Grant Competition (Low grantee production). The lack of an openly competitive landscape for LSC services hurts innovation and incentives to provide more efficient service delivery within the LSC funded network of grantees. Potential Strategies: LSC could review restructuring of the grants and alternative delivery strategies. d. Subgrant Oversight and Performance: This is a traditional concern area for Federal grant programs as subgrant oversight is often missed. e. Information Technology: a. Investment. (Failure to architect LSC technology initiatives portfolio to maximize returns on investments). 6

Potential Strategies: 1. LSC has hired a Chief Information Officer. 2. Create a national legal aid technology investment plan focusing in the highest return on investment projects and national replication. 3. Create a Board Technology Committee or Information Technology Investment Review Committee to frequently oversee this critical area in enabling LSC grantees and legal aid providers to serve more eligible persons. b. Security. There are high information security management risks at grantees (e.g., grantees are using internet based case management systems and mobile applications). Potential Strategy: LSC should review the grantees' security policies and provide guidance for protecting sensitive client and case information and other relevant organizational data. 7. Risk Probability Considerations The OIG recommends LSC review the probability and severity rankings in the following areas: a. LSC Management Leadership: Preventing Leadership Problems. There are many new senior management team members (with less than one year of LSC experience), an impending reorganization, as well as open collective bargaining negotiations; thus, an unstable environment. b. Conflicts of Interest/Ethics Violations. As noted in the FOTF report LSC should continue to identify, monitor, and disclose conflicts of interest related to staff and grantees. c. Preservation of LSC interest in grantee property (potential for loss). Beyond Human Capital, the next largest cost area in legal services is real estate. LSC's real estate interests include the preservation of LSC interest in grantee properties nationwide and the headquarters lease and potential transition to ownership. d. Major Misuse of grant funds. LSC should pay attention to all, not just major misuses of grant funds. Any misuse is an indicator of general mismanagement. e. Failure of insufficient controls. Internal controls are critical and likely not well-understood. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information