"2009 Internal Control Update"
2009 Internal Control Update
Senior Assessment Team
July 22, 2009
Office of Internal Controls and Management Systems (OICMS)
National Aeronautics and Space Administration
8/28/2010 Office of Internal Controls and Management Systems 1

Status of OMC Watch List

Control Deficiencies | Status | Owner
Asset Management | MW | OCFO
Financial Systems, Analyses, and Oversight | MW | OCFO
Financial Management Staffing | MC | OCFO
Information Technology Security | OW | OCIO
Records Management Implementation & Accountability | MC | OCIO

Asset Management – OCFO (MW)

Summary Description of Issue
“Enhancements needed for controls over legacy PP&E and Contractor Held assets.” (2008 PAR, page 169 - 172).
Note: This is a joint issue with the Office of Infrastructure

Status of Corrective Actions:
Strengthen Property Monitoring Controls
  Strengthened oversight of PP&E by establishing additional control activities in the Continuous Monitoring Program (CMP).
New Capitalization Policy
  Continue to monitor and assess the implementation of the new policy and develop a testing plan to validate the new process is working effectively.
Real Property
  Ongoing meetings with Facilities to improve communications and understanding of integration activities associated with Real Property valuation and fair display in the agency accounting records.

Asset Management – OCFO (MW) (Cont.)

Legacy Assets
  Executing proposed strategy to provide auditable estimates of the historical cost of International Space Station (ISS) and Space Shuttle Program (SSP) assets in anticipation of FASAB SFFAS 35, Estimating the Historical Cost of General Property, Plant, and Equipment.
Proposed Disposition
  Asset Management should continue to be carried as a Material Weakness

Property, Plant & Equipment Accounting Process

[Process diagram. Labels: Integrated Asset Management Module; Agency review prior to post into GL; GENERAL LEDGER; Review prior to posting; Real Property; CHATS. Amounts shown: $10.8 B; $867 M; $13.3 B; $2.5 B. Net as of 6/30/09.]
CHATS Contractual Controls (NASA FAR Supplemental 1852.245.70, 1845.107-70(a), and PIC05-07)
• No equipment purchase w/o NASA approval
• Must notify NASA of property disposal
CHATS = Reporting Tool

Property, Plant & Equipment Balances

In Millions | Cost | Accum Dep | Net Book Value (NBV) 3/31/09 | NBV 6/30/09
Space Exploration
ISS & support equipment | $22,788 | $(10,788) | $12,000 | 7.615
Space Shuttle & support equipment | $9,075 | $(8,458) | $617 | 272
Shuttle/Station Equipment | $4 | $(0) | $3 | -
Other Equipment | $1,211 | $(729) | $482 | -
ISS Assets Under Construction | $1,703 | $- | $1,703 | 1,274
Work In Process - Equipment | $3,592 | | $3,592 | 1,255
 | $37,158 | $(19,246) | $17,912 | 10,418
General
Land | $123 | $- | $123 | 122
Buildings & Other Structures & Facilities | $7,390 | $(5,707) | $1,683 | 1,759
Institutional/Other Equipment | $1,478 | $(921) | $557 | 335
Construction In Process | $533 | $- | $533 | 558
Internal Use Software | $217 | $(128) | $88 | 84
 | $9,741 | $(6,756) | $2,985 | 2,860
TOTAL PP&E | $46,899 | $(26,002) | $20,897 | 13,278

Financial Systems, Analyses, and Oversight – OCFO (MW)

Summary Description of Issue
“… NASA management’s review and the results of our audit procedures continued to identify weaknesses in entity-wide internal control, which impaired NASA’s ability to report accurate financial information on a timely basis.” (2008 PAR, page 161).
This weakness addresses: Continuous Monitoring Program; Financial Statement Preparation Processes; Resolve Data Issues; Processes for Estimating NASA's Environmental Liability; and Financial Management Systems Compliance with FFMIA
Note: This is a joint issue with the Office of the Chief Information Officer (OCIO), Office of Procurement, Office of Infrastructure.

Status of Corrective Actions:
Continuous Monitoring Program
  CMP refinements executed. See next slide “Timeline of CMP Accomplishments.” CMP Clinics held.
Financial Statement Preparation Processes
  NASA is in compliance with Federal guidelines for reconciling intra-governmental transactions. Financial statement checklist. Automated FACTS II.

Financial Systems, Analyses, and Oversight – OCFO (MW) (Cont.)

Resolve Data Issues – Grant and Contract Close-out
  Status update to be provided by Office of Procurement
Environmental Liability
  Status update to be provided by Office of Infrastructure and Administration
Proposed Disposition
  Financial Systems, Analyses and Oversight should continue to be carried as a Material Weakness

Timeline of CMP Accomplishments*

[Chart with two series: Exceptions (in $Mil) and # Exceptions.]
*CMP excluding property.
Financial Systems, Analyses, and Oversight
Grant & Cooperative Agreement Closeout

• The backlog of expired grants continues to be a major focus within the Agency, especially at the NSSC and GSFC where the majority of the backlog exists
• NSSC & GSFC have both implemented action plans intended to –
  – Accelerate the closeout process & reduce the existing backlog
  – Streamline the closeout process for the long-term by eliminating non-value added activities (e.g., technical officer certification that all reports were received)
• GSFC recently completed their Grants Tiger Team efforts, which targeted the closeout of nearly 6,000 over-aged grants
  – Backlog has been reduced to 1,398 awards
  – Summer interns have been hired to tackle the remaining backlog
• NSSC has established a closeout action team to –
  – Identify the bottlenecks in the grant closeout process
  – Develop IT solutions to automate the closeout process
  – Provide recommendations to NASA HQs related to policy changes to the NASA Grant Handbook to facilitate a faster closeout process

Contract Closeout Process Refinement
Implementation Action Status 7/22/09

# | Action | Action Lead | Due Date | Status
1 | Develop pre-award closeout requirement (clause) for inclusion in the contract | JSC-Rosalie Carpentier | 11/20/09 | In Process
2 | Issue guidance for 533 training, conduct of monthly 533 analysis and an annual risk assessment of funds on contract | HQ Procurement-Cheryl Robertson | 10/30/09 | Guidance under development
3 | Develop NFS requirement to have a closeout milestone plan and conduct a contract closeout planning meeting no later than 6 months before POP end | HQ Procurement-Cheryl Robertson | 11/20/09 | Coordinating with lead for Implementation Action 1 to ensure compatibility with requirement levied on contractor
4 | Revise the FMR to require resources personnel training in 533 analysis, immediate notification to COs of 533 discrepancies, Costing training, and participation in annual risk assessments of contract funds | HQ CFO-Shelley Meredith | TBP by POC | In Process
5 | Identify the owner of the 533 requirement | HQ CFO | 1/30/09 | Complete
6 | Issue guidance requiring a contracting officer to transfer a contract to the closeout office within 45 days after physical completion | HQ Procurement-Cheryl Robertson | 10/30/09 | In Process-guidance will include the checklist developed in Item 7
7 | Develop standardized checklist for transfer to closeout contractor | MSFC-Amy Campbell | 1/31/09 | Complete
8 | Update 1612 to include timelines for external inputs (Patents, Property, New Technology etc.) | NSSC-Monique Sulivan | 12/31/09 | Proposed timelines out for closeout team review/comment- Draft 1612 revision for Center/Agency review by mid-Feb
9 | Pursue FAR change to expand criteria and increase $ threshold for quick closeout | HQ Procurement-Jamiel Commodore | 12/31/09 | FAR case opened-new language being developed with NASA input
10 | Improve management/oversight of DCAA audit process and pursue other outside providers for yearly and closeout audits | HQ CFO-Tom Green | TBP by POC | CFO and Procurement to meet to review/discuss alternatives to DCAA
11 | Develop standardized closeout reporting requirement to HQ and action based metrics | HQ Procurement-Cheryl Robertson/HQ CFO-Lisa Oliver | 9/30/09 | Working with the CFO to develop one method of Center data reporting on closeout—currently awaiting CFO data requirement identification
12 | Create Agency desk guide for the closeout process | GSFC-Randy Belew | 3/30/10 | In Process
13 | Establish administrative closeout process for “old dogs” | KSC-Dave Reeves | 11/30/09 | Currently exploring processes being used at other agencies to address this problem
14 | Establish standard process for use of expired & cancelled funds and Identification of HQ/Center CFO POCs | HQ CFO-Charles McIntosh | TBP by POC | In Process
15 | Incentivize contract closeout for 1102 Personnel | HQ Procurement-Bill McNally | 4/1/09 | Complete
16 | Formalize contract closeout training (including COTRs) | GSFC-Randy Belew | 3/30/10 | In Process

Financial Management Staffing – OCFO (MC)

Summary Description of Issue
NASA needs to ensure adequate staffing for financial management functions across Headquarters and the Centers, and to provide additional “hands–on” training for financial personnel to ensure that they understand their roles in financial reporting.

Status of Corrective Actions
CFO FTE authorized ceiling and headcount has fluctuated during the past five years, 2005 to 2009

Fiscal Year | FTE Ceiling | FTE Headcount
2009 | 103 | 94*
2008 | 109 | 93
2007 | 109 | 89
2006 | 123 | 101
2005 | 132 | 80
*FTE Headcount as of 7/4/09.

• There are 10 interns on board that are participating in this year’s intern program.

Financial Management Staffing – OCFO (MC)

• CFO Professional Development University - Course Development Status:
  • Completed - CFO 101, Budget Execution, Budget Formulation/PPBE, BW Reporting, Internal Controls, and BW Reporting
  • Under Development - Procurement 360, IEM Financial Systems

FY 2009 CFO University Courses Held | Dates | Location
CFO 101 | Jan 28 - 29 | Stennis
CFO 101 | May 12 – 13 | Headquarters
CFO 101 | May 19 – 20 | Kennedy
CFO 101 | June 2 – 4 | Goddard
CFO 101 | June 4 – 5 | Ames
CFO 101 | June 25 - 26 | Glenn
Budget Formulation | May 27 - 28 | Kennedy
Finance for Non-Financial Managers | June 2-3 | Ames

Proposed Disposition
Financial Management Staffing should continue to be carried as a Management Challenge.
Status of OMC Watch List items (Cont’d)
IT Security – OCIO

Summary Description of Issues
• The ITS Corrective Action Plan (CAP) is based on a 2006 Center-by-Center assessment of IT security management controls and consists of 50 action items designed to mitigate those weaknesses identified.

Status of Corrective Actions
• As of July 20th, 2009, 97% of the action items have been completed.
• The remaining CAP action items are expected to be completed between the fourth quarter of FY 2009 and the first quarter of FY 2010, in addition to one item projected to be completed third quarter FY 2010. There are two exception items that remain in a Suspend/TBA status due to long term project implementation activities related to the NASA Security Operations Center (SOC).

Proposed Disposition
• IT Security should continue to be carried as an Other Weakness. There is an expectation that this status will change at the time of the next SAT meeting based on a comprehensive 6 month GAO IT security vulnerability analysis that has taken place.

Status of OMC Watch List items (Cont’d)
IT Security – OCIO

SOC Status
• Phase 2 implementation (SIM integration and Log aggregation activities) is in progress as planned.
• 47 network IDS sensors have been transitioned to SOC control (management & monitoring)
  – The SOC will more than double its visibility over the next 6 months.
    80 new sensors are being implemented – 40 will replace end of life GOTS product; another 40 will be placed inside Center local networks
• Current SOC IDS roadmap includes:
  – Gaining the ability to monitor IDS sensors on the Mission networks
  – Transitioning Center internal IDS sensors to SOC management

Status of OMC Watch List items (Cont’d)
Records Management Implementation & Accountability – OCIO (MC)

Summary Description of Issue
Generally, programs/projects have not consistently incorporated records management requirements into program/project planning and execution. The execution of records management within programs/projects throughout the program/project life cycle needs to be improved so that the records processes and procedures better conform with governing law and agency policy. No accountability for fulfilling records management responsibilities. Lack of funding to properly disposition Shuttle records during the upcoming transition.

Proposed Completion Dates/Disposition
• Agency Records Management was one of eleven processes selected to undergo a Lean Six Sigma (LSS) review. This review was conducted December 2-4 and was briefed by the stakeholders to the Deputy Administrator January 15. The lack of integration of records management into program/project management processes was identified as part of the LSS objectives. A corrective action plan was developed for this issue as part of the LSS activities.
• Retaining as Management Challenge on OMC Watch List.

Records Management Six Sigma Kaizen (December 2-4, 2008)

• Kaizen resulted in 29 new actions (rolled into 8 summary tasks) to provide improved definition and additional tools.
• OCIO is responsible office for all actions with OCE secondarily responsible on many.

Item No. | Task | Due date | Status
1 | Establish a working group (WG) for continued implementation work | 1/15/09 | Established 1/6/09
2 | Develop master list of POCs for locating legacy and current program/project records | 2/27/2009 | Slipped to 9/30/2009
3 | Enhance incorporation of RM into employee exit process | 12/30/2009 | Memo - FY09; Process - FY10
4 | Numerous 7120/1440 modifications to elaborate RM requirements/guidance | 3/31/2009 | 7120.5 – Complete; 1440 – 9/30/2009
5 | Develop enhanced products to improve performance of RLO/DM/RMs (responsibilities definition, focused training, consultation by P/P management) | 3/31/2009 | Content 9/30/2009; Live - 3/30/2009
6 | Enhance standardization of IT policy & requirements for software, data & records formats, indexing/retrieval of information | 12/30/2009 | In work
7 | Look at development of Agency-level data system | 12/30/2009 | In work
8 | Develop standard NASA FAR Supplement RM clause options | 12/30/2009 | In work

RM Review (7120.5 Compliance) Observations

March 25, 2009 - LaRC
Reviewed Orion’s Launch Abort System (LAS) and Mars Entry Descent & Landing Instrumentation (MEDLI)
• Strengths
  – Following LaRC policy for project RM responsible POC
  – Project records in controlled LaRC document management system
• Areas for Improvement
  – CM LAS records duplicated in Constellation Program’s (CxP’s) Windchill – determine one location for official records.
  – Categories of records with associated retentions not identified
  – Identification by program management of the disposal point within schedules’ retention bands.
  – Failure to employ LaRC document management capability of associating retention schedules with categories of documents/records to enable more effective records disposition.
Report of Constellation Activity

Independent of any RM Review:
• CxP has identified manager with full responsibility to define and implement program RM policy/procedures
  – Dialogue with Shuttle management to learn from Shuttle problems.
  – Identified records liaisons across all projects and established a Cx RM Working Group.
  – Identifying Shuttle records required for CxP work.
  – Developing a RM plan, ERM approach, and implementation milestones for managing records.
  – Defining required attributes/metadata for Cx records objects with the information systems.
  – Implementing recently released Government-wide RM functional requirements.

Status of Concerns Raised in Previous Years SoA Process

SoA List of Concerns:
• Sensitive But Unclassified (SBU) Data (OSPP)
• Compensating Controls for Real Property and Environmental (OI)
Key: Closed; Resolved, tracked by SAT; OMC level risk, will not be tracked by SAT

2008 SoA Concern: Sensitive But Unclassified Data (OCIO)

DESCRIPTION OF ISSUE
Concern that the Agency does not have the requisite capability to follow, to the level specified, the guidance related to Sensitive But Unclassified (SBU) data as stated in NPR 1600.1. In particular, lack of available infrastructure, training, and awareness in the proper management and handling of SBU data may put this information at risk of improper disclosure.

ASSESSMENT OF ISSUE
SBU policy will be removed from NPR 1600.1, NPR 2810, and NPR 1382 which will be incorporated into a new NPR for SBU. A new seven member SBU Information Protection Steering Committee (SIPSC) has been chartered and has the responsibility of developing the new SBU NPR. This team has representatives from the Office of the Chief Information Officer (OCIO), Office of Security and Program Protection (OSPP) and the Office of General Counsel (OGC).
The committee is chaired by a representative from the OCIO. December, 2009 is the anticipated time Draft SBU NPR will be out for comment. Final signature is projected to be mid-2010.

PROPOSED DISPOSITION
OSPP will continue to maintain control of all classified data and will also be a consulting partner to the OCIO on SBU, collaborating on the development of SBU policies, procedures and training. Estimated completion date for the new SBU NPR is yet to be determined. It is recommended that the SAT continue to track this issue as a SoA Concern under the OCIO lead.

Compensating Controls for Real Property and Environmental (OI)

DESCRIPTION OF ISSUE
The Office of Infrastructure (OI) has fallen short in ensuring Agency-wide compliance in all functional management areas. Functional and compliance reviews have not been accomplished in several areas, resulting in financial management reporting problems and concerns regarding stewardship, accountability and management of NASA's assets.

ASSESSMENT OF ISSUE
Compensating Controls are currently being conducted by the Logistics Management Division (LMD) in the property functional areas but have not been implemented in real property or environmental management due to continued full time equivalent (FTE) reductions. This will continue to cause financial reporting problems and stewardship concerns.

STATUS
As part of the FY 2011 budget call process, OI requested additional FTE to conduct Compensating Controls in the Facilities Engineering and Real Property Division (FERP) and the Environmental Management Division (EMD). The request is currently being evaluated by Agency leadership. Both divisions continue to try to mitigate the effects of not having full functional and compliance reviews. FERP sends annual surveys to the Center Real Property Officers to access the real property inventory.
EMD and the Office of the Chief Financial Officer (OCFO) annually review the Agency’s unfunded environmental liability through site visits at each Center and Component Facility. Compensating Control reviews are still needed in FERP and EMD to independently evaluate the accuracy of both processes and the results they yield.

PROPOSED DISPOSITION
OI recommends that this issue remain on the 2008 SAT List of Concerns.

Status of 2009 Process

• On-line Internal Control Evaluation Tool (IceT) now in use.
• IceT database - require only minor updates and fine tuning beyond 2009.
• ICET Access managed by OICMS.
• OCIO and OSMA requested specific work activity assessments from their center counterparts - all received by 7/21/09.

Status of 2009 SoA Process

• HQ and centers final ICET, Certification of Assurance and Acquisition Surveys due on 7/31/09.
• OICMS will compile and assess SoA data and prepare SAT briefing for 9/9/09 SAT meeting.
• SAT recommendations will be presented to the OMC decisional meeting planned for 9/23/09.
• OICMS will complete the draft Administrator’s SoA by 10/22/09.
• Agency financial report is due 11/15/09.

Revisions to NPD 1280.1

• April 2008 - OMC decided to forgo ISO 9001 certification at NASA HQ.
• OICMS charged with revising HQ management system and HQ internal audit plan.
• This provided an opportunity to revise NPD 1280.1 and redefine as NASA integrated management system. Benefit of the redefined policy:
  - Integrate the various management systems and internal controls in use into a seamless integrated management system (IMS) that provides accountability and ensures NASA objectives are met in a timely, safe, and quality manner without duplication of effort.
• Members of the MSWG met in June 2009 to discuss and rewrite NPD 1280.1 to:
  - Ensure that NASA satisfies the requirements of the Governance and Strategic Management Handbook (NPD 1000.0A), the Federal Managers’ Financial Integrity Act (FMFIA), and the Office of Management and Budget’s Circular A-123 “Management Accountability and Control”.
  - Recognize the wide variety of agency management systems necessary to accomplish organizational goals and missions and allow flexibility in the implementation of the policy among the Centers and at Headquarters to achieve overall mission success.

Revisions to NPD 1280.1

• An IMS is an integration of multiple management systems each of which is specifically focused on achieving objectives and goals related to a functional, programmatic, or operational area.
• Achievement of ISO 9001/AS 9100 compliance or registration is consistent with the intent of this policy.
• An IMS documents and implements policies, processes, and standards necessary to identify risks. Risks are assessed to determine how they should be managed.

Revisions to NPD 1280.1 (Cont’d)

The IMS ensures that:
• Institutional, Programmatic, and Financial risk assessments are performed at the Agency and Center levels.
• Appropriate periodic reviews and assessments, reconciliations or comparisons of data, and other auditing and assessment activities are performed to effect change and continual improvement.
• Monitoring shall include assessment of the quality of performance over time and assurance that the findings of audits and other reviews are promptly resolved.

The revised NPD 1280.1 will be placed in the August NODIS review cycle.

Management Systems Working Group (MSWG) Charter Update

• MSWG shares information relating to key topics, changes or issues that may have potential impact on the design and implementation of Center level or Agency level Integrated Management Systems.
• MSWG meetings promote the sharing of experiences and best practices, and promote group and member level discussion on the assessment of value added or risk reduction activities.
• MSWG shares information with established work teams such as the Audit Collaboration Team and the Statement of Assurance Team or with new teams established by senior management.
• Work teams focus on specific areas under the scope of IMS Cross-Center activities. These teams identify and recommend improvements that relate to a particular function, program, or operation.
• The MSWG ensures appropriate integration of and alignment with the IMS framework.

Summary of Actions and Closing Remarks

Actions:
Closing Remarks:

IT Security Backup Slides

Status of OMC Watch List items (Cont’d)
IT Security – OCIO

CAP Items Completion Status
[Chart: Closed CAP Items, 43; Inwork CAP Items, 5; Suspend/TBD CAP Items, 2]

Status of OMC Watch List items (Cont’d)
IT Security – OCIO

Timeline for Completion of Remaining CAP Items
[Chart: FY09 Q4, 1; FY10 Q1, 3; FY10 Q3, 1]