FAQs about OIG Audits and Evaluations
What to Expect: FAQs for Commerce Employees and Managers
Under the Inspector General Act of 1978, as amended, OIG is authorized to carry out various reviews to “promote economy, efficiency, and effectiveness in the administration of, and … prevent and detect fraud and abuse in … [the Department’s] programs and operations.”
As part of our mission, we conduct reviews that involve employees, management officials, and affected departmental programs and operations. The findings from our audits and evaluations help the Department improve its programs and operations as well as prevent or detect fraud, waste, or abuse.
This set of frequently asked questions (FAQs) is intended to give Commerce employees and managers helpful information regarding the nature and scope of OIG audit and evaluation activities, as well as their obligations and rights in connection with these activities. In the interest of transparency, we are providing these FAQs to promote greater understanding of OIG’s processes.
Q: What professional standards apply to OIG's audits and other reviews?
A: An audit conforms to the Government Accountability Office's Government Auditing Standards which require that we plan and perform the audit to obtain sufficient, appropriate evidence that will provide a reasonable basis for our findings and conclusions based on our audit objectives. Evaluations conform to the Council of Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation which defines inspections and evaluations simply as reviews that do not constitute an audit or a criminal investigation. (For further details, please see FAQs About OIG Investigations.)
Q: What do OIG reviews accomplish?
A: Audit and evaluation objectives may vary widely—a review might even have more than one objective. Objectives can include:
- assessments of program effectiveness, economy, and efficiency;
- internal control, which includes the plans, policies, methods, and procedures adopted by management to meet its missions, goals, and objectives;
- compliance with laws and regulations; or
- prospective analysis.
Q: How does OIG decide what to audit or evaluate?
A: Each year, we conduct a risk assessment of Department programs. Based on each year's risk assessment, we develop an audit plan outlining the work we intend to accomplish during the next fiscal year. The plan is modified during the year as necessary to respond to unanticipated requests and issues. We may decide to perform an audit based on a number of factors:
- It may be required by law. For instance, every year we assess the effectiveness of the Department's information technology (IT) security controls as required by the Federal Information Security Management Act of 2002.
- It may be requested. If an issue or program is of interest to Congress, the Secretary of Commerce, or the current administration, they may ask us to perform an audit or evaluation.
- Some audits or evaluations are based on issues we have determined to be a high priority for the Department or operating unit, as communicated in our annual Top Management Challenges report to the Secretary and Congress.
- We may initiate an audit or evaluation if we uncovered significant issues during a previous review, or if we have determined that the program or office is of higher risk.
Q: What is the audit process? What can an agency office expect?
A: After we decide to perform an audit or an evaluation and the project is approved by our management, we follow this process:
- issue an announcement memo to the operating unit,
- hold an entrance meeting with the operating unit and stakeholders,
- conduct fieldwork and analyze results,
- hold an exit conference with the operating unit and stakeholders,
- prepare and issue a draft report, and
- prepare and issue a final report.
Upon receipt of the final report, an agency must submit an action plan outlining plans to address our recommendations.
Q: If OIG finds something, how does it decide whether the finding is a problem?
A: The elements needed for an issue to be considered a finding depend on the objectives of the audit. An effect (or potential effect) of a risk, a lack of internal control, a quality-control issue, or another problem may demonstrate the need for corrective action.
Q: Will the agency have a chance to respond to or rebut OIG findings?
A: Yes, although the form may vary. We usually discuss preliminary findings with agency staff as we identify them during our fieldwork. Agency staff can, and should, work with us during fieldwork to ensure that our information is factually correct and to promptly resolve any issues or miscommunications.
After fieldwork, we generally hold an exit conference with agency officials to discuss what we found and solicit feedback. Following the exit conference, we issue a draft report. Under our professional standards (and the particular circumstances), an agency is given a timeframe to provide us with written comments that include, for each recommendation, a statement of agreement or disagreement. An agency can use its response to provide a proposed action or updates on steps already taken to address OIG’s recommendations or to point out areas of disagreement with our findings or recommendations. However, an agency must support any disagreements included in the response.
We will consider the agency’s response to the draft as we create our final report and will revise the report as appropriate. In most cases, we will include agency comments as an appendix to the final report.
Q: How long will it take to see the final product?
A: While it depends on the individual project, we generally issue a final report within a year after the audit announcement date. However, we may shorten or extend this timeline.
- based on the significance of the issues we uncover,
- when Congress requests a report by a particular date, or
- if the operational timeline for the area under audit changes (if, for example, we are auditing certain milestones of a program and the milestone dates are extended).
Q: What happens when the final report is issued?
A: The head of the operating unit or office being audited or evaluated and any other stakeholders receive a PDF of the report via e-mail. We also send PDFs of reports to staff on the pertinent Congressional committee or subcommittee. Finally, we post a PDF of the report on the OIG website for public viewing. If the report contains proprietary information or other information that is not appropriate for public release under applicable law, it may be redacted before we post it, or we may clear only the abstract of the report (what we call a Report in Brief) for public release.
Q: What is an audit action plan and why does an agency need to give OIG one?
A: When we issue the final report, we request in the transmittal memorandum that the auditee prepare an action plan to address the report's recommendations. The plan should describe the specific actions the agency has taken, or plans to take, in response to our recommendations, as well as a schedule for their completion. Department Administrative Order 213-5 allows the agency 60 days to provide the plan (unless we state otherwise in the memorandum).
Q: To whom may questions or issues about OIG's audit and evaluation process be addressed?
Any questions or issues may be addressed with OIG’s Principal Assistant Inspector General for Audits and Evaluations, Mark Zabarsky, at mzabarsky@oig.doc.gov