Office of Internal Controls and Management Systems 08/14/22 1 2009 Internal Control Update Senior Assessment Team April 29, 2009 Office of Internal Controls and Management Systems (OICMS) National Aeronautics and Space Administration

SAT Presentations


Office of Internal Controls and Management Systems04/11/23 1

2009 Internal Control Update

Senior Assessment Team April 29, 2009

Office of Internal Controls and Management Systems (OICMS)

National Aeronautics and Space Administration


Senior Assessment Team Rotations

• The SAT Charter calls for 3 Deputy Center Directors to serve on overlapping 18-month terms

• Current SAT membership held their first meeting on July 18, 2007

• OICMS recommends a 12-month cycle vs. 18 to better align with the SoA process

• There is no documented process for membership rotation


Report on QAR/MSR Pilots

• OICMS conducted 16 QARs at HQ and 5 Center QARs over the 2008 SoA process

• SoA process generally completed as required and well supported

• Pilot MSRs looked at one activity for each office reviewed

• Identified 2 findings and 2 observations

• HQ MSRs will continue in lieu of ISO 9001 audits

• Complete MSRs will be conducted at HQ in summer 2009


New SoA Process - Recovery Act of 2009

• The Recovery and Reinvestment Act of 2009 requires certain risks be included in each agency’s risk mitigation process

• Organizations receiving Recovery Act funds must ensure that applicable risks have been identified and that there are current controls in place to mitigate such risks

• Recovery Act risks should either be separately identified on the evaluation tool or noted in the risk assessment section if the risk identified includes Recovery Act activities

• The Office of Management and Budget (OMB) identified objectives for oversight of grant and contract awards using Recovery Act funds

• Risks and controls must be identified to ensure these objectives are met


New 2009 SoA Process - Acquisition Assessments

On May 21, 2008, OMB provided guidelines for conducting internal control assessments of the acquisition function to comply with OMB Circular A-123, Management’s Responsibility for Internal Control.

The guidelines included an acquisition assessment template comprised of 4 Cornerstones, 11 Elements, 26 Critical Success Factors and 208 Assessment Guideposts. OICMS developed a NASA assessment survey with 50 statements based on the 208 guideposts.

From the set of 50 guidepost/statements, OICMS created six targeted surveys aimed at specific groups within NASA:

• HQ and Center Senior Management
• Program/Project Managers
• Procurement Officers
• HQ Human Capital Management
• HQ Procurement Policy
• HQ Mission Directorates


New 2009 SoA Process - Acquisition Assessments, Cont’d

The scope of NASA’s Acquisition Assessment for Program/Project Managers includes those planned and ongoing projects with an estimated life-cycle cost of at least $250 million. There are 25 projects within scope to be reviewed on a 3-year cycle. OICMS will identify the projects to be reviewed each year.

Once the surveys are completed, Officials-in-Charge and Center Directors will collect, review, and submit all surveys along with their annual Certification of Assurance.

OICMS will collect the surveys and work with the appropriate organizations to resolve or report acquisition deficiencies.

Any deficiencies noted should be considered for inclusion in the Certification of Assurance of the Official-in-Charge or Center Director.


FY2009 Statement of Assurance (SoA) Process Schedule

Issue Call Letter and Guidance (4/15)

SAT Update and Feedback (4/29)

HQ/Center POC’s Meet with OICMS to Discuss Eval. Tool Progress (NLT 5/29)

HQ/Center POC’s Meet with OICMS to Discuss Eval. Tool Progress (NLT 6/26)

Center POC’s Submit Eval. Tool, incl. HQ Specific work Activities, to OICMS (NLT 7/6)

SAT Update and Feedback (7/15)

SoA Certifications/HQ Eval. Tools/Acq. Assmt. Surveys Due to OICMS (7/31)

OICMS compiles and categorizes SOA Certifications (8/1-9/8)

SAT Review (9/9)

OMC Review/Approval (10/8)

OICMS Develops the Final draft SoA (10/22)

Agency Financial Report Due (11/15)

Quality Assurance Reviews and Preparation for Next SAT

(Schedule timeline axis: April through December 2009)


Status of OMC Watch List Control Deficiencies

Control Deficiency                                    Status   Owner
Asset Management                                      MW       OCFO
Financial Systems, Analyses, and Oversight            MW       OCFO
Financial Management Staffing                         MC       OCFO
Information Technology Security                       OW       OCIO
Acquisition Management                                OW       OPII*
Records Management Implementation & Accountability    MC       OCIO

* SAT decided to recommend closure to the OMC at the January meeting


Status of OMC Watch List Items

Asset Management – OCFO (MW)

Summary Description of Issue

“Controls relating principally to contractor-held PP&E and materials and NASA-held assets in space and work in process need improvement; Headquarters oversight needs improvement.” (2008 PAR, page 173)

Note: This is a joint issue with the Office of Infrastructure.

Status of Corrective Actions

• Implemented activities at Centers to better align business processes at the outset of the acquisition of the asset (establishment of a project WBS) with the identification of asset acquisitions and the capitalization or expense determination.

• Pursuing strategies to provide auditable estimates of the historical cost of International Space Station (ISS) and Space Shuttle Program (SSP) assets, in the event that the Federal Accounting Standards Advisory Board (FASAB) adopts new standards for estimating the historical cost of general property, plant, and equipment.

• Enhanced Continuous Monitoring Program (CMP) controls for property, plant, and equipment to provide improved confirmation of valid capital asset balances, including those assets tracked and reported under NPD 9250.1, Identifying Capital Assets and Accumulation of Cost.

• Collaborated with Logistics on automating a portion of Real Property depreciation in the SAP Asset Accounting Module.

• Evaluated options for integrating Real Property accounting information into SAP. Recommendations will be presented to the OMC through the Management/Business Systems Integration Group (M/BSIG).

Proposed Disposition

Asset Management should continue to be carried as a Material Weakness.


Status of OMC Watch List Items (Cont’d)

Financial Systems, Analyses, and Oversight - OCFO (MW)

Summary Description of Issue

“… NASA management’s review and the results of our audit procedures continued to identify weaknesses in entity-wide internal control, which impaired NASA’s ability to report accurate financial information on a timely basis.” (2008 PAR, page 161)

This weakness addresses: Financial Statement Preparation Processes; Continuous Monitoring Program; Processes for Estimating NASA's Environmental Liability; and Financial Management Systems Compliance.

Note: This is a joint issue with the Office of the Chief Information Officer (OCIO), Office of Procurement, Office of Infrastructure, and the Environmental Management Division (EMD).

Status of Corrective Actions

• Refined CMP activities through focused working sessions (i.e., clinics), including Headquarters and Center subject matter experts, to discuss best practices and clearly define processes to identify corrective actions, root causes, and recommendations to remediate future discrepancies.

• Enhanced Journal Voucher (JV) procedure to ensure that Centers initiate and fully document Center-specific JVs.

• Signed agreement with EMD on the process for developing this year’s unfunded environmental liability estimates.

• Conducted an independent validation of the IDEAL models in use at JSC for a limited number of projects. The results of the validation are favorable and, as more data is collected, the model will continue to be improved.

• Actively engaged with Procurement on strategies for the timely close-out of grants.

• Working with intra-governmental trading partners to reduce differences in balances by accelerating the frequency of correspondence with those partners to improve the accuracy and speed of transaction confirmations. For the top 5 trading partners, implemented process of continuous confirmations to more quickly resolve large differences.

Proposed Disposition

Financial Systems, Analyses and Oversight should continue to be carried as a Material Weakness.


Status of OMC Watch List Items (Cont’d)

Financial Management Staffing – OCFO (MC)

Summary Description of Issue

NASA needs to ensure adequate staffing for financial management functions across Headquarters and the Centers, and to provide additional “hands-on” training for financial personnel to ensure that they understand their roles in financial reporting.

Status of Corrective Actions

• CFO Professional Development Status:
  – Course Development Status:
    • 5 Instructor-led Courses
      – Completed: CFO 101, Budget Execution
      – Nearly Complete: Budget Formulation, Procurement 360, IEM Financial Systems
    • 2 Online Instruction Courses
      – Completed: Internal Controls Phase I
      – Nearly Complete: BW Reporting
  – Course Sessions Scheduled:
    • CFO 101 – Ames, Glenn, Stennis, Headquarters, Johnson, Goddard and Langley
    • Internal Controls – Available on-line

• Established a pilot student intern program to provide additional temporary resources that can be developed as potential future financial management professionals. It is anticipated that as many as 11 interns will be in the program this year.

Proposed Disposition

Financial Management Staffing should continue to be carried as a Management Challenge.


Status of OMC Watch List items (Cont’d)

IT Security – OCIO

Summary Description of Issues

• The ITS Corrective Action Plan (CAP) is based on a 2006 Center-by-Center assessment of IT security management controls and consists of 50 action items designed to mitigate those weaknesses identified.

Status of Corrective Actions

• As of April 22, 2009, 80% of the action items have been completed.

• The remaining CAP action items are expected to be completed within the third and fourth quarter of FY-2009, with the exception of two action items that remain in a Suspend/TBA status due to long-term project implementation activities related to the NASA Security Operations Center (SOC).

Proposed Disposition

• IT Security should continue to be carried as an Other Weakness.


Status of OMC Watch List items (Cont’d)

IT Security – OCIO

SOC Status

• Phase 2 implementation is in progress and on track as scheduled

• Current SOC IDS roadmap includes:

– Acquiring and deploying log aggregation technology

– Acquiring and deploying IDS sensors within Centers

– Continue planning for IDS sensor deployment to selected mission network environments


Status of OMC Watch List items (Cont’d)

Records Management Implementation & Accountability – OCIO (MC)

Summary Description of Issue

Generally, programs/projects have not consistently incorporated records management requirements into program/project planning and execution. The execution of records management within programs/projects throughout the program/project life cycle needs to be improved so that the records processes and procedures better conform with governing law and agency policy. Records management does not appear to have been integrated into program/project management processes. No accountability for fulfilling records management responsibilities. Lack of funding to properly disposition Shuttle records during the upcoming transition.

Status of Corrective Actions

• Agency Records Management was one of eleven processes selected to undergo a Lean Six Sigma (LSS) review. LSS resulted in 29 new actions to provide improved definition and additional tools. OCIO is the responsible office for all actions, with OCE secondarily responsible for many.

• OCIO, in conjunction with the OCE, is conducting center program reviews to assess records management implementation & accountability issues.

Proposed Disposition

OCIO is reviewing the 29 LSS actions and making schedule adjustments where necessary. OCIO is also working with the OCE to schedule the remaining center program reviews in FY 2009. The revised LSS actions schedule and center program observations will be briefed to the SAT on 7/15/2009.


Status of Concerns Raised in the 2007 SoA Process

SoA list of concerns:

• Sensitive But Unclassified (SBU) Data (OSPP)

Key

Closed

Resolved, tracked by SAT


2008 SoA Concern: Sensitive But Unclassified Data (OSPP)

DESCRIPTION OF ISSUE

Concern that the Agency does not have the requisite capability to follow, to the level specified, the guidance related to Sensitive But Unclassified (SBU) data as stated in NPR 1600.1. In particular, lack of available infrastructure, training, and awareness in the proper management and handling of SBU data may put this information at risk of improper disclosure.

ASSESSMENT OF ISSUE

SBU policy will be removed from NPR 1600.1 and NPR 2810 and incorporated into a new NPR for SBU. A new seven-member SBU Information Protection Steering Committee (SIPSC) has been chartered and has the responsibility of developing the new SBU NPR. This team has representatives from the Office of the Chief Information Officer (OCIO), Office of Security and Program Protection (OSPP) and the Office of General Counsel (OGC).

PROPOSED DISPOSITION

In accordance with the requirements of the Federal Information Security Management Act (FISMA), OSPP has recently transferred the lead on all NASA SBU data to the OCIO. OSPP will continue to maintain control of all classified data and will also be a consulting partner to the OCIO on SBU, collaborating on the development of SBU policies, procedures and training. The committee is chaired by a representative from the OCIO. The draft SBU NPR is anticipated to be out for comment in December 2009. Final signature is projected to be mid-2010. It is recommended that the SAT continue to track this issue as a SoA Concern under the OCIO lead.


Status of Concerns Raised in the 2008 SoA Process

SoA list of concerns:

• Compensating Controls for Real Property and Environmental (OI)

Key

Closed

Resolved, tracked by SAT

OMC level risk, will not be tracked by SAT


Compensating Controls for Real Property and Environmental (OI)

DESCRIPTION OF ISSUE

The Office of Infrastructure (OI) has fallen short in ensuring Agency-wide compliance in all functional management areas. Functional and compliance reviews have not been accomplished in several areas, resulting in financial management reporting problems and concerns regarding stewardship, accountability and management of NASA's assets.

ASSESSMENT OF ISSUE

Compensating Controls are currently being conducted by the Logistics Management Division (LMD) in the property functional areas but have not been implemented in real property or environmental management due to continued full-time equivalent (FTE) reductions. This will continue to cause financial reporting problems and stewardship concerns.

STATUS

As part of the FY 2011 budget call process, OI requested additional FTE to conduct Compensating Controls in the Facilities Engineering and Real Property Division (FERP) and the Environmental Management Division (EMD). The request is currently being evaluated by Agency leadership. Both divisions continue to try to mitigate the effects of not having full functional and compliance reviews. FERP sends annual surveys to the Center Real Property Officers to assess the real property inventory. EMD and the Office of the Chief Financial Officer (OCFO) annually review the Agency’s unfunded environmental liability through site visits at each Center and Component Facility. Compensating Control reviews are still needed in FERP and EMD to independently evaluate the accuracy of both processes and the results they yield.

PROPOSED DISPOSITION

OI recommends that this issue remain on the 2008 SAT List of Concerns.


SoA Progress/Next Steps

• Statement of Assurance Call Letter was issued on 4/16/2009

• Web-Ex for new Evaluation Tool TBD

• OICMS will address the OMC on the 2009 SoA Process on 5/7/2009

• Next SAT in July - status of deficiencies and concerns and an update on the 2009 SoA process


Summary of Actions and Closing Remarks


IT Security Backup Slides


Status of OMC Watch List items (Cont’d)

IT Security – OCIO

CAP Items Completion Status

• Completed CAP Items: 40
• Inwork CAP Items: 8
• Suspend/TBD CAP Items: 2


Status of OMC Watch List items (Cont’d)

IT Security – OCIO

Timeline for Completion of Remaining CAP Items

• FY09 Q3: 5
• FY09 Q4: 3
• Suspend/TBD: 2