Bureau of Land Management (BLM) Fiscal Year (FY) Annual Enterprise Risk Management and Internal Control Program Guidance
UNITED STATES DEPARTMENT OF THE INTERIOR
BUREAU OF LAND MANAGEMENT
WASHINGTON, D.C. 20240
http://www.blm.gov
November 4, 2016
In Reply Refer To:
1240 (WO-830) P
EMS TRANSMISSION 11/08/2016
Instruction Memorandum No. 2017-008
Expires: 09/30/2020
To: Assistant Directors, State Directors and Center Directors
From: Assistant Director, Business, Fiscal and Information Resources Management
Subject: Bureau of Land Management (BLM) Fiscal Year (FY) Annual Enterprise Risk Management and Internal Control Program Guidance
Program Area: Enterprise Risk Management and Internal Control Program
Purpose: This Instruction Memorandum (IM) implements the framework for the BLM Enterprise Risk Management and Internal Control Program, establishes key due dates and milestones, and explains the annual requirements for the BLM's Executive Leadership Team (ELT) members. The BLM will meet the statutory requirements of the Office of Management and Budget (OMB) Circular A-123-Management's Responsibility for Enterprise Risk Management and Internal Control, revised on July 15, 2016, and will manage risk across the Bureau by following this guidance and other corresponding guidance including Federal Managers Financial Integrity Act of 1982, (FMFIA); the Improper Payments Elimination and Recovery Act of 2010 (IPERA); Government Performance Results Act (GPRA) Modernization Act, Public Law 111-352; OMB A-11 – Preparation, Submission, and Execution of the Budget, Government Accountability Office (GAO) Standards of Internal Control, and DOI annual guidance for the Internal Control Program and OMB Circular A-50 – Audit Follow-up.
Policy/Action: In accordance with the OMB Circular A-123, Department of the Interior (DOI) Internal Control and Audit Follow-up (ICAF) Handbook, and DOI annual Internal Control Program guidance, the BLM will measure its level of risk and assess the internal controls in place to mitigate risk annually by completing Entity Level Assessments (ELAs), Risk Assessments (RAs) using the Integrated Risk Rating Tool (IRRT), Internal Control Reviews (ICRs), Program Reviews, Annual Assurance Statements (AAS) and addressing the recommendations of the GAO and the Office of Inspector General (OIG). The AAS is the culmination of the FY’s risk management program and is due to the BLM's Division of Evaluations and Management Services (WO-830) by August 15th each year. All ELT members, through their Division Chiefs, Deputy State Directors, and designated ICAF leads, should consult the internal control documents they submitted in the prior FY. ELT members should also do the following:
• Revisit their prior year entity and programmatic risk scores, audit recommendations, and internal control review findings; particularly for high-risk programs for consideration in the current year Component Inventory and 3-Year Review Plan;
• Review corrective action plans resulting from prior internal control activities or audits that the State, Center, or Directorate completed and post the documents to the Internal Control and Evaluations SharePoint; and
• Evaluate the effectiveness of the corrective actions taken in response to these findings.
Due dates for key actions detailed guidance for key actions will no longer be included in this IM. However, key actions and due dates, specific instructions and templates for the key actions identified below will be accessible via the BLM intranet on the Evaluations and Management Services (WO830) Intranet site and the Internal Control and Evaluations SharePoint folder, which contains the respective folders for annual guidance, ELA, Risk Assessments, Internal Control Reviews, and Annual Assurance Statement. WO Directorate, State and Center ICAF representatives have been granted access to the SharePoint Site. Please contact your local ICAF representative for risk management and internal control documents for your local office or WO-830.
WO Directorates, States and Centers are required to complete the following key actions:
• Component Inventory. The National Component Inventory and 3-Year Review Plan (Component Inventory) is the key document in the BLM’s internal control program which provides a listing of all assessable units (major programs) for each component (WO Directorate, State and Center). The Component Inventory identifies the assessable unit managers, provides for entry of risk assessment results and planned reviews for 3 FYs. The Component Inventory will be posted in the BLM Component Inventory and 3-Year Review Plan folder on the Internal Control and Evaluations SharePoint. Refer to National Component Inventory Instructions for additional details. WO Directorates, States and Centers are required to update their annual Component Inventories and Review Plans annually. Offices are required to identify the reviews planned for the next 3 years. The ELT should ensure that resources and plans are in place to complete these reviews within the planned year. ELT members are to review the plan annually to ensure that higher risks areas are planned as soon as possible. The Consolidated Component Inventory and Review Plan will include the following information for each WO Directorate, State, and Center:
o Component/Assessable Unit;
o Assessable Unit Manager;
o Assessable Unit Inherent and Residual Risk Ratings for the 2 previous years;
o Last known review of assessable unit
o 3-Year Review Plan
o GAO/OIG reviews (with specific areas noted)
Note: The Component Inventory includes assessable units which are listed in the annual internal control guidance. The BLM component inventory is reviewed annually by WO-830 and the Senior Assessment Team (SAT), who provides internal control program oversight and decision-making to determine that the assessable units are relevant and appropriate. Changes to the annual budget may impact or change the assessable units included on the component inventory.
• Entity Level Assessments. The Assistant, State and Center Directors are required to complete an Entity Level Assessment to assess the control environment of the organizations they manage and certify completion of the assessment with a Certification Memorandum.
• Program Risk Assessments. The WO Directorate, State and Center Directors are required to complete a program risk assessment for each assessable unit in their component Inventory to assess inherent (uncontrolled risk) and residual risk (controlled risk) of the program operations in the organizations they manage and certify completion of the assessments with certification memorandums. In addition, the WO Directorate, State and Center Directors or their ICAF representatives are required to enter the inherent and residual risk assessment scores into their annual Component Inventory and 3-Year Review Plans.
• Programmatic/Mission ICRs. The Washington Office is required to complete a minimum of five programmatic/mission ICRs and each State and Center is required to complete a minimum of two programmatic/mission ICRs in accordance with this guidance. The two minimum programmatic/mission ICRs shall not include mandatory ICRs related to Business and Fiscal Resources (Credit Card Reviews, Procurement/Acquisition/Grants and Agreements, Property, etc.), CASHE, or the Fire Program. The States will collaborate with WO-830 to select assessable units for the purpose of building a library of process narratives, ICR test documents, ICR reports, and programmatic reviews using the templates provided. WO830 will ensure that collaboration and cross coordination across states and with the respective National Program Managers. Offices are also required to complete the in-progress reviews scheduled for completion in the annual national component inventory. The Assistant, State and Center Directors are required to submit all completed and signed ICRs and corrective action plans (CAPs) as soon as available and no later than the established due date to improve accountability, records management, and coordination with the audit coordination, response, and follow-up program. ICRs and CAPS shall be posted to the ICR Documents Folders created for each WO Directorate and State or Center.
• Corrective Action Plans (CAPS). WO Directorates, State and Centers are required to submit an ICR report with CAPs for all completed reviews. The form and content of CAPS are included in ICR Report and CAP template located on the BLM intranet on the WO830 Intranet site and Internal Control and Evaluations SharePoint. Each CAP shall include a completed Corrective Action Plan Tracking Sheet identifying the report, recommendation, corrective action plan tasks, target completion date, responsible official(s), and percentage of completion. Assessable unit managers are responsible for completing and reporting completion of corrective actions to WO-830, through their WO Directorate State and Center ICAF representatives in a timely manner. CAPs will be monitored by the State ICAF lead and WO-830 until all corrective actions have been completed and recommendations have been closed.
• Annual Assurance Statements (AAS). WO Directorate, State and Center Directors are required to submit AASs to WO-830 that include a statement on whether there is reasonable assurance that the internal controls in place are achieving their intended objectives and a statement on material weaknesses in the Directorate, State or Center internal controls. In addition, all supporting documentation must be submitted with the AAS. Supporting documentation, including but not limited to ICR test matrices, ICR reports, program evaluation reports, checklists, corrective action plans, etc., must be posted to the SharePoint link provided to WO Directorate, State and Center ICAF contacts. WO Directorates, States and Center Directors are required to certify that there have been no changes in the status of their internal control program since the submission of their signed AAS on August 15th and September 30th of the FY. WO-830 will issue short survey to all ELT members requiring the certification. If there has been a change in the status of the State, Center, and WO Directors Internal Control Program, WO-830 will follow up with the office on a case-by-case basis.
• Other Programmatic and Targeted Reviews. WO Directorate, State and Center Directors are required to complete all mandatory ICRs based on bureau/departmental commitments, GAO/OIG audits, high risks program areas, and those assessable units that have not been conducted in several years. Specific instructions will be provided for other programmatic reviews on a case by case basis and WO-830 will coordinate with the key national offices and assigned states to complete these reviews.
• Other Programmatic Departmental Assurance Statements. Assistant Directors/Centers are required to provide copies of other Annual Assurance Statements due to the DOI (IT Security, Safety and Health, Acquisition and Property Management) to WO-830 to support the BLM's Annual Assurance Statement on Internal Controls. In addition, information submitted in accordance with Departmental compliance reviews, targeted reviews, etc. must also be submitted. This information supports the overall Bureau Annual Assurance Statement signed by the Director of the BLM.
• Audit Resolution. WO Directorate, State and Center Directors are required to mitigate risks identified by external auditing entities including, but not limited to the GAO, OIG, and the agency financial statements auditors. These Alternate Internal Control Reviews (AICR) activities include responding to audit reports, developing and implementing corrective action plans in a timely manner, and reducing financial and programmatic risk by closing recommendations, as required.
Timeframe: This IM is effective upon issuance. Annual requirements included in this IM are to be completed in accordance with the established due dates provided on the Internal Control and Evaluations SharePoint Site. Specifically, the information is located in the SharePoint BLM Guidance folder, which contains the respective folders ELA, Risk Assessments, Internal Control Reviews, and Annual Assurance Statement.
Budget Impact: The costs for implementation of required and basic management duties, such as implementation of internal controls, are included within existing funding for labor and operations. Regular monitoring and investment in the improvement of these internal controls should improve overall management of appropriated funds.
Background: In accordance with the Federal Managers' Financial Improvement Act (FMFIA); the Improper Payments Information Act of 2002 (IPIA); the revised OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control; GAO Standards for Internal Control; and the annual DOI guidance for the Internal Control Program, BLM managers are required to continuously monitor and assess the effectiveness of their internal controls and report annually on the adequacy of their program and operation of internal control systems. The Chief Financial Officers Act and the Government Performance Results Act reinforce the need for effective internal controls and program performance assessments.
Manual/Handbook Sections Affected: The BLM Manual Section 1240 - Evaluation Program, will be updated to reflect these procedures.
Coordination: WO-830 coordinated with the Business Management Council (BMC), BLM Senior Assessment Team, ICAF Community, and WO Directorate managers, program leads and staff to prepare this guidance.
Contact: Please contact Tiya Samuels Division Chief, Evaluations and Management Services at, 202-912-7090 or tsamuels@blm.gov or James Shoaff, Senior Management and Program Analyst, at 202-912-7176 or jshoaff@blm.gov for assistance with any questions you may have.
Signed by: Authenticated by:
Janine Velasco Robert M. Williams
Assistant Director Division of IT Policy and Planning,WO-870
Business, Fiscal and Information
Resources Management