National Aeronautics and Space Administration
OCFO: OFFICE OF THE CHIEF FINANCIAL OFFICER
FINANCIAL MANAGEMENT DIVISION | POLICY & GRANTS DIVISION | QUALITY ASSURANCE DIVISION | BUDGET DIVISION | STRATEGIC INVESTMENTS DIVISION | AGENCY FINANCIAL SYSTEMS OFFICE | MISSION SUPPORT OFFICE
March of the UNICORN
Frank E. Petersen III | 13 December 2019
www.nasa.gov

Table of Contents
• Background
• Quality Assurance Division
• ERM at NASA
• UNICORN – ERM in Action
• ERM Evolution
• ERM Maturity Model
• Continuing the March of the UNICORN
• Fraud Risk Management Requirements
• Management’s Responsibility for Fraud Awareness, Prevention, Detection & Reporting
• NASA Fraud Risk Framework
• Q&A's

Background
• NASA’s mission is to pioneer the future in space exploration, scientific discovery, and aeronautics research
• NASA employs 17,000 civil servants at its Headquarters in Washington, D.C. and nine Centers located around the country, including Langley Research Center in Hampton, VA
• NASA continues to be one of the best places to work in the Federal Government
• NASA has a budget of approximately $22.6 billion
• NASA continues to partner with large and small commercial partners for space exploration
• NASA earned a clean opinion on its FY 2019 financial statements (maintained clean opinion for 9 consecutive years)

Quality Assurance Division
• The NASA Office of the Chief Financial Officer (OCFO) established the Quality Assurance Division (QAD) in FY 2005.
• Vision - Empowering NASA beyond compliance as a transformative leader in the federal space to optimize management excellence (financial, operational and institutional).
• Mission - Promote management assurance and compliance with requirements, applicable laws and regulations, through consultative services, communication and collaboration.
• Values - Integrity, Teamwork, Quality Products and Services, Continuous Improvement
[Figure labels: Traditional Financial Risk Management: FINANCIAL REPORTING; Operational Risk Management: CENTERS/MISSIONS DIRECTORATE PROGRAMS/PROJECTS; Strategic Risk Stewardship: INSTITUTIONAL REPUTATION]

Quality Assurance Division Strategic Framework Encompasses Five Areas
1. Leadership & Organizational Direction
2. A-123 Enterprise Risk Management and Internal Control
3. Audit Planning and Coordination
4. Audit Resolution
5. Assessment, Assurance & Advisory Services

Enterprise Risk Management

ERM at NASA
Enterprise Risk Management (ERM)
• Agency-wide approach to address agency’s significant cross-cutting risks by considering them as an inter-related portfolio
• “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view”
Guidance for ERM Implementation and Compliance
• OMB Circular No. A-123 Management’s Responsibility for Enterprise Risk Management and Internal Control requires Agencies to implement ERM capability (2016)
• Update to A-123 - Appendix A, Internal Control over (ALL) Reporting (2018)
  • Heavy emphasis on incorporating DATA Act (Digital Accountability and Transparency Act) reporting on USASpending.gov as part of the Internal Control System and ERM
• OMB A-11, Preparation, Submission and Execution of the Budget
• The President’s Management Agenda, Cross Agency Priority Goals (2018)
  • Leveraging Data as a Strategic Asset (CAP Goal #2)

The NASA UNICORN – ERM in Action
Unified Comprehensive Operational Risk Network
1. Strategic: Risks relating to strategic goals & objectives aligned with and supporting the agency’s mission.
2. Political/Reputational: Risk that may arise due to actions taken by Congress, the Executive Branch or other key policy makers that could potentially impact business operations, and/or risk of loss resulting from damages to the Agency’s reputation caused by actions that could affect mission objectives.
3. Operational: Risks relating to the effective and efficient use of the agency’s resources related to administrative and major program operations, including fraud objectives.
4. Programmatic: Risks related to technical, cost, schedule and mission objectives.
5. Financial: Risks re: Budgeting, Internal Controls over Financial Operations (ICoFR), Financial Reporting, and Compliance with Laws and Regulations.

ERM Maturity Model

NASA’s ERM Evolution
Level 1
• Conducted targeted interviews of top-level stakeholders (A-Suite) (March 2016)
Level 2
• Incorporated NASA’s Governance Model into a UNICORN concept that reflects how NASA embraces ERM (May 2016)
Level 2
• Conducted ERM roadshows with all Assessable Units
• Current State Assessment of existing functions that can be leveraged and further integrated to fully implement ERM
Level 3
• Developed and obtained approval of the initial annual Agency Risk Profile (May 2017)
Level 3
• The annual Enterprise Risk Profile was baselined and approved by the APMC (June 2018/October 2019)
Level 4
• Formulated initial Enterprise Risk Management Working Group (ERMWG) (December 2018)
Level 4
• Developed draft ERM scorecard and revised risk matrix
• Obtained the initial scoring for each enterprise risk to help rank and prioritize the risk
Level 5
• Held initial Interagency Roundtable (March 2019)
• Held second Interagency Roundtable (November 2019)

Continuing the March of the UNICORN
• Identify an agency-wide ERM tool for documenting and monitoring risk
• Develop individualized risk appetite statements for each assessable unit
• Update Fraud Risk Framework with other mitigating activities and mechanisms such as an “Insider Threat Program”
• Conduct additional integrated site visits to NASA Centers to discuss ERM and Fraud Risk Management
• Continue active collaboration with the OIG on ERM and Fraud Risk Management

Fraud Risk Management

Fraud Risk Management Requirements
The GAO Green Book (Principle 8) requires management to assess fraud risks by considering:
• various types of fraud that can occur within the organization
• fraud risk factors (incentive/pressure, opportunity, attitude/rationalization)
• development of appropriate response to identified fraud risks
OMB Circular A-123 indicates management responsibility for:
• Establishing internal controls to manage the risk of fraud
• Reporting to the Agency’s governance structure actions taken to manage fraud risks
• Including evaluation of fraud risk as part of the Agency Risk Profile
• Using a risk-based approach to design and implement appropriate (financial and administrative) controls to mitigate identified fraud risks
Per OMB A-123, Agencies (management) should adhere to leading practices identified in GAO’s Fraud Risk Framework to effectively design, implement, and operate an internal control system that addresses fraud risks.
The Antifraud Playbook (CFO Council and Treasury, Bureau of the Fiscal Service) is an additional tool that was developed to conceptualize and implement the identified best practices

Management’s Responsibility for Fraud Awareness, Prevention, Detection & Reporting
• NASA management has the stewardship responsibility for establishing and maintaining internal controls to safeguard NASA’s assets against loss from unauthorized use or disposition, ensure that NASA’s financial statements are not materially misstated, and ensure compliance with applicable laws and regulations.
• As an integral part of this stewardship responsibility, management has a specific duty to design and implement programs and controls to prevent, deter and detect fraud.
• NASA has Fraud Safeguarding Mechanisms in place including:
  • Office of the Inspector General Hotline
  • Background Checks for Sensitive Positions
  • Annual Ethics Training and Financial Disclosure Requirements
  • Whistleblower Protection
  • Annual No Fear Act Training
  • Internal Controls
  • OMB Circular No. A-123, Annual Assurance
  • Acquisition Assessment and Integrity Program
  • Counterfeit Parts Awareness and Inspection Program

NASA’s Fraud Risk Management Fence Line

NASA’s Fraud Risk Management Framework
Fraud Prevention & Detection Activities, with Objective and Key Stakeholders for each:

Acquisition Integrity Program (AIP)
• Objective: To monitor and ensure coordination of criminal, civil, contractual and administrative remedies for investigations of fraud and/or corruption related to procurement activities. Establish and maintain coordination with the Office of the Inspector General (OIG) and the Department of Justice (DOJ)
• Key Stakeholders: OCFO, General Counsel, AIP Director, A-Suite, OIG

Improper Payment Program
• Objective: Review all agency programs and activities to identify those susceptible to improper payments. Process includes annual risk assessment and testing
• Key Stakeholders: OCFO, A-Suite, Procurement, OIG, Agency Application Office (AAO)

Fraud Risk Assessments
• Objective: To identify and prioritize fraud risks and determine scope of testing
• Key Stakeholders: OCFO, Center CFOs, Procurement

Evaluation of Fraud Risk Management Control Activities through the annual Control Environment Summary
• Objective: To describe how the organization considers the potential for fraud in assessing risks to the achievement of objectives, and to rate the effectiveness of control activities
• Key Stakeholders: A-Suite, NASA Shared Services Center (NSSC)

Enterprise Risk Assessment & Management of Agency Risk Profile
• Objective: To identify and report significant cross-cutting risks impacting the Agency that require escalation to senior management
• Key Stakeholders: OCFO, A-Suite, Agency Risk Working Group, ERMWG

NASA’s Fraud Risk Management Framework
Fraud Prevention & Detection Activities, with Objective and Key Stakeholders for each:

Anti-fraud Awareness Initiatives (includes mandatory fraud prevention training and antifraud campaign)
• Objective: To establish the tone at top, communicate employee responsibility/accountability, and increase awareness of fraud reporting mechanisms
• Key Stakeholders: Human Resources, Mission Directorates, All NASA employees

Coordination and collaboration with the Office of the Inspector General
• Objective: To share information on potential fraud risks, relevant controls, identified issues, results of investigations and other reviews. To learn of emerging fraud trends and improved fraud prevention and detection techniques
• Key Stakeholders: OCFO and A-Suite

OIG Audits, Reviews and Investigations
• Objective: To evaluate the adequacy and effectiveness of controls (this may include controls that address fraud risk); to investigate potential incidents of fraud, waste and abuse
• Key Stakeholders: OIG

Financial Statement Audit
• Objective: To obtain reasonable assurance that the financial statements are free from material misstatements whether due to fraud or error
• Key Stakeholders: OIG and OCFO

Data Breach Response Program
• Objective: To establish policies, procedures and practices that address federal IT mandates including privacy and security requirements, and to reduce the risk of loss of NASA’s data and technology assets
• Key Stakeholders: OCIO

Counterfeit Parts Awareness & Inspection Program
• Objective: Regular investigation and examination of parts, components and materials to mitigate the risk of misrepresentation by a supplier or vendor
• Key Stakeholders: A-Suite

NASA’s Fraud Risk Management Framework – Creating a Culture
• Determining our fraud exposure by:
  • Conducting interviews with Agency stakeholders
  • Identifying key fraud risks
• Determining where we are through:
  • Identifying programs and anti-fraud activities occurring throughout the Agency
  • Identifying gaps
  • Developing fraud inventory
• Promoting fraud awareness throughout the Agency by:
  • Conducting Enterprise Risk Management/Fraud Risk Framework & Internal Controls Integration Site Visits
  • Identifying resources to mitigate fraud risk

Fraud prevention begins and ends with the people

Questions and Answers