U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Audit of the U.S. AbilityOne Commission's Enterprise Risk Management (ERM) Program

Report Information

Date Issued
Report Number
OA-2024-01
Report Type
Audit
Description
The OIG Audit office initiated this audit based upon an assessment of program risks. Our audit objective was to determine whether the U.S. AbilityOne Commission’s (Commission) enterprise risk management (ERM) process is effective and used to make risk-based decisions.  Although the Commission has designed and implemented a formal ERM program, the OIG determined that the ERM program is not fully effective. This could impact the Commission’s ability to make fully informed risk-based decisions. Specifically, we found that the Commission’s ERM process and related internal controls need improvements, and the Commission lacked the ERM training to identify and correct these improvement areas.  The OIG recommended that the Commission ensure that the appropriate individuals are trained through a structured ERM program training, assess and update existing ERM policies and procedures, and research and adopt an appropriate ERM maturity model. We also recommended that the Commission develop and implement effective key controls and results assessment, include a process in the ERM program to document management’s determination of key process decisions for its other process considerations, and develop and implement a process for tracking the consolidation of risks.
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

Ensure the appropriate individuals are trained through a structured ERM program training to increase knowledge and understanding throughout the organization and share key takeaways and materials with employees at all levels to effectively contribute to the
organization’s program success.

CFO-2025-01

Assess and update the Commission’s existing policies and procedures to ensure compliance with federal requirements and that the policies and procedures reflect the processes that it wants to adopt.

CFO-2025-02

Research and adopt an appropriate ERM maturity model.

CFO-2025-03

Develop and implement effective key controls that identify risks and assign the Commission’s risk tolerances by aligning each control objective with the appropriate control activity and completing an updated entity-level control and results assessment.

CFO-2025-04

Include a process in the ERM program to include documenting management’s determination of key process decisions for its other process considerations.

CFO-2025-05