RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. The legislation seeks to stimulate the economy by preserving and
creating jobs, providing tax cuts and credits to working families and businesses, expanding renewable energy and to improve the nation’s infrastructure. The President has
committed himself and the Federal government to provide the public with unprecedented levels of transparency and accountability relating to how ARRA funds are spent and the
outcomes that are achieved. The Office of Management and Budget (OMB) issued initial implementation guidance for ARRA which provides an initial set of government-wide
requirements and guidelines that Federal agencies must immediately implement, plan to implement, in order to meet ARRA objectives. One of these requirements directs agencies
to perform a risk assessment that will identify risks that could hinder the agency’s ability to fulfill the ARRA accountability objectives. These accountability objectives include:

• Funds are awarded and distributed in a prompt, fair and reasonable manner;
• The recipients and uses of all funds are transparent to the public, and the public benefits of these funds are reported clearly, accurately, and in a timely manner;
• Funds are used for authorized purposes and instances of fraud, waste, error, and abuse are mitigated;
• Projects funded under this Act avoid unnecessary delays and cost overruns; and
• Program goals are achieved, including specific program outcomes and improved results on broader economic indicators.

Meeting these objectives will require sustained focus by managers throughout the Federal government, particularly in planning, awarding, managing, and overseeing contracts and
grants. The attached risk assessment is intended to assess risk and internal controls specifically tailored to the requirements of the ARRA and is Step 1 of the Risk Management
Plan.

The risk assessment contains a series of questions related to each identified area listed below:
* General
* Reporting
* Human Capital
* Grant
* Procurement
* Budget/Financial
* IT Systems
* Audits and Investigations

Each tab of the ARRA Risk Assessment Questionnaire must be filled out (except for Sample Tab). Each question listed must be answered in paragraph format to assess the existing
controls process and must include a gap analysis and description - please see the Sample Tab for an example of how to complete the form.
 Department of Defense
Risk Assessment and Gap Analysis --- American Recovery and Reinvestment Act (ARRA) of 2009

General Information
Before beginning the questionnaire, please provide the following information. Note: all fields must be completed.

DoD Component:

ARRA Program and Treasury Appropriation Fund Symbol (TAFS):

Senior Official Responsible:

Title:

Phone Number:

Email Address:

Approximate ARRA budget for this Program:

The main objective for this Program is:

Page 2 of 11
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA
Compliance Year: 2009
General Risk Assessment
ATTRIBUTE
ARRA INTERNAL CONTROL POINT
REFERENCE
Does my organization currently have any ongoing
material weaknesses reported in a Federal Managers'
Financial Integrity Act (FMFIA) Statement of Assurance
AI.3
under the DoD Managers' Internal Control Program and
the Office of Management and Budget (OMB) Circular A-
123 or do significant deficiencies currently exist?
Does my organization have staff adequately trained to
G.3
effectively implement ARRA requirements?
GAP
CONTROL ASSESSMENT (EXISTING CONTROL IN PLACE) / GAP ASSESSMENT
GET WELL PLAN
DESCRIPTION (IS THERE A
GAP - Y/N)
In FY 2008, the Program has validated the
correction of two previously reported
N
material weaknesses in FY08 pertaining to
validation of reconciliations.
We currently conduct annual training for We have designated a half-day
contracting and acquisition; however, my to conducting a training class to
organization has identified a need to conduct Y individuals that are affected.
training to provide staff with new Training to be completed by
requirements of the ARRA. 5/31/09.
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

General Risk Assessment

GAP
CONTROL ASSESSMENT (EXISTING
ATTRIBUTE ASSESSMENT
ARRA INTERNAL CONTROL CONTROL IN PLACE) / GAP GET WELL PLAN
REFERENCE (IS THERE A
DESCRIPTION
GAP - Y/N)

Are the programs under ARRA for my

G.1 organization following the existing procedures
or new procedures?
Are specific ARRA fund objectives and
G.2 requirements incorporated into agency
policies?
Does my organization have staff adequately
G.3 trained to effectively implement ARRA
requirements?

Has my organization provided new

G.4 requirements, conditions, and guidance to the
recipients regarding ARRA?

Does my organization have a risk assessment

G.5 process in place to mitigate risks associated
with ARRA?
Does my organization have a risk
G.6 management plan developed to minimize risks
associated with ARRA?
Is there an agency-wide methodology for
G.7 measuring performance? What are the key
performance metrics?

Are there any process metrics, or are the

G.8
metrics primarily outcome-oriented?

Has my organization established a governance

Senior Assessment Team under the Managers'
Internal Control Program for OMB A-123 that
G.10
has added as part of its charter the oversight
of risk management for the ARRA
implementation?
Have agency strategic plans been updated for
G.11 ARRA activities and the effects of ARRA on
existing programs?

Have training requirements been identified for

G.12 current or new employees to enable them to
meet the requirements of the Act?

Have agency COOP plans been updated for

G.13
ARRA activities?
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

Reporting Risk Assessment

GAP
ATTRIBUTE CONTROL ASSESSMENT (EXISTING CONTROL IN ASSESSMENT
Risk GET WELL PLAN
REFERENCE PLACE) / GAP DESCRIPTION (IS THERE A
GAP - Y/N)

R.1 Is the necessary reporting under ARRA in place?

Has senior leadership for my organization

assessed people, processes, and technology to
R..2 determine where to deploy and coordinate
resources to meet the initial demands of
reporting for ARRA?

Has your organization implemented

R.3 communication vehicles to ensure ARRA data is
promptly reported on the agency's website?

Are reports published under ARRA reviewed and

R.4
approved by the appropriate individuals?

R.5
Is there a process in place to ensure the data
reported under ARRA accurate and complete?

Do reports tell agency management and the

R.6
public what is happening on a timely basis?

Are issues identified through established reports

R.7
addressed on a timely basis?

R.8
Are reports issued on the effectiveness of risk
management strategies and tactics timely?

R.9
Has your risk management plan been approved
by Department-level personnel?

R.10
Will your risk management plan be updated and
monitored periodically?
Does my organization have reporting
mechanisms in place to collect the required data
R.11
from recipients to meet ARRA transparency
requirements?

Are ARRA funds used transparent to the public

R.12 and the public benefits of these funds reported
clearly, accurately and in a timely manner?
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

Human Capital Risk Assessment

GAP
ATTRIBUTE CONTROL ASSESSMENT (EXISTING CONTROL IN ASSESSMENT
ARRA INTERNAL CONTROL GET WELL PLAN
REFERENCE PLACE) / GAP DESCRIPTION (IS THERE A
GAP - Y/N)

Has my organization identified qualified personnel

HR.1
to oversee the ARRA funds?

Does my organization have sufficient level of

personnel to manage the ARRA programs (for
HR.2
instance, Grant, Contracting, Financial
Management, or IT personnel, etc.)?

Is my organization considering performing a

workforce analysis to determine the appropriate
HR.3
level of personnel needed to successfully
implement the ARRA?

Are the appropriate personnel empowered to make

HR.4
decisions and administer the ARRA programs?

Have program officials identified new or ongoing

HR.5
performance management requirements?

Is the staff capable of undertaking a

HR.6 comprehensive risk assessment to identify the key
risks to program objectives?

Are available alternative staffing tools being

HR.7 utilized effectively to support timely
implementation of the ARRA?
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

Grant Risk Assessment

GAP
ATTRIBUTE CONTROL ASSESSMENT (EXISTING CONTROL IN ASSESSMENT
ARRA INTERNAL CONTROL GET WELL PLAN
REFERENCE PLACE) / GAP DESCRIPTION (IS THERE A
GAP - Y/N)

GT.1 Are funds awarded in a prompt, fair, and reasonable manner?

GT.2
Are funds used for authorized purposes and instances of fraud,
waste, error, and abuse minimized and/or mitigated?

GT.3
Have projects funded under ARRA avoided unnecessary delays and
cost overruns?

Are there any performance issues identified with regards to

GT.4 (potential) funding recipients? Are there any follow up actions to
address the performance issues?

GT.5
Is there a strategy to evaluate the credibility and completeness of
cost and schedule estimates?

Is there a strategy to oversee grantee contract management as it

GT.6
pertains to the ARRA?

Are you timely in taking action to suspend and debar individuals or

GT.7
firms that have defrauded the Government?

Is my organization addressing performance issues with current or

GT.8
potential funding recipients?
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

Procurement Risk Assessment

GAP
ATTRIBUTE CONTROL ASSESSMENT (EXISTING CONTROL IN ASSESSMENT
ARRA INTERNAL CONTROL GET WELL PLAN
REFERENCE PLACE) / GAP DESCRIPTION (IS THERE A
GAP - Y/N)

Do new Requests for Proposals (RFPs) issued under ARRA

P.1 initiatives contain the necessary language to satisfy the
requirements of the ARRA?

P.2 Are Contracts awarded in a prompt, fair, and reasonable manner?

Do new contracts awarded using ARRA funds have the specific

P.3
terms and clauses required?

Are funds used for authorized purposes and the potential for fraud,
P.4
waste, error, and abuse minimized and/or mitigated?

P.5
Do projects funded under ARRA avoid unnecessary delays and cost
overruns?

Are there any performance issues identified with regards to

P.6 (potential) contractor? Are there follow up actions to address the
performance issues?
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

Budget/Financial Risk Assessment

GAP
ATTRIBUTE CONTROL ASSESSMENT (EXISTING CONTROL IN ASSESSMENT
ARRA INTERNAL CONTROL GET WELL PLAN
REFERENCE PLACE) / GAP DESCRIPTION (IS THERE A
GAP - Y/N)

F.1
Has my organization established separate Treasury Appropriation Fund
Symbols (TAFS) to ensure ARRA funds are clearly distinguishable?

Are there controls in place to ensure that ARRA funds are not commingled
F.2
with other agency funds?

Are existing internal controls sufficient to mitigate the risks of fraud,

F.3
waste, and abuse?

Has my organization identified the need for and risks associated with new
F.4
processes established for ARRA?

Has senior leadership for my organization assessed people, processes,

F.5 and technology to determine where to deploy and coordinate resources to
meet the initial demands of obligating funds for ARRA?
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

IT Systems Risk Assessment

GAP
ATTRIBUTE CONTROL ASSESSMENT (EXISTING CONTROL IN ASSESSMENT
Risks GET WELL PLAN
REFERENCE PLACE) / GAP DESCRIPTION (IS THERE A
GAP - Y/N)

S.1
Are financial and operational systems configured to manage and
control recovery funds?

Can financial and operational systems support the increase in volume

S.2
of contracts, grants and loans etc.?

Are the appropriate data elements identified that must be captured,

S.3 classified and aggregated for analysis and reporting to meet
Recovery Act requirements?

Is there a strategy to ensure data quality and integrity from financial

S.4
and operational systems?
 RISK ASSESSMENT AND GAP ANALYSIS FOR PROGRAMS RECEIVING FUNDS FROM THE ARRA

Compliance Year: 2009

Audits and Investigations Assessment

GAP
ATTRIBUTE CONTROL ASSESSMENT (EXISTING CONTROL IN ASSESSMENT
Risks GET WELL PLAN
REFERENCE PLACE) / GAP DESCRIPTION (IS THERE A
GAP - Y/N)

Has my organization been timely in addressing known internal

AI.1
control weaknesses?

Has my organization corrected internal control weaknesses that have

AI.2 been identified during financial statement audits, programmatic
audits, GAO audits or Single Audit Act reviews?

Has my organization corrected any deficiencies, significant

AI.3
deficiencies or material weaknesses identified through the
assessments of internal controls in the DoD Managers' Internal
Control Program?

Have known instances of fraud, waste, and abuse been mitigated in

AI.4
a timely manner?

Does my organization have a corrective action plan process in place

A1.5 to promptly resolve the audit findings identified that may impact the
ability to successfully implement ARRA?