In 2001 the Attorney General requested that the Office of the Inspector General (OIG) conduct audits of the controls over weapons and laptop computers throughout the Department of Justice (DOJ) because of concerns about the DOJ’s accountability for such property. In response to this request, the OIG conducted separate audits of the controls over weapons and laptop computers at the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA), the Federal Bureau of Prisons, and the United States Marshals Service. The OIG issued separate reports on each component and an overall report summarizing the results from each audit.
In August 2002 we issued our audit report on the DEA’s control over weapons and laptop computers.15 That report covered the 2-year period from October 1999 through November 2001. Our report disclosed losses of weapons and laptop computers and weaknesses in the DEA’s management of this property, including purchases, receipts and assignments, transfers, returns of property from employees who leave the DEA, physical inventories, and disposals. We reported that the DEA:
identified 16 weapons as lost, missing, or stolen during the 2‑year period;
identified that 229 laptop computers were unaccounted for;
did not always report lost, missing, or stolen weapons to DEA management and DOJ officials in a complete and timely manner and did not ensure that all weapons reported as lost, missing, or stolen were entered in the National Crime Information Center (NCIC) database;16
did not adequately segregate duties associated with maintaining its weapons inventory at its Firearms Training Unit in Quantico, Virginia;
did not always conduct annual physical inventories of weapons or obtain written confirmation of receipt of weapons that were excessed to other law enforcement agencies; and
did not maintain Employee Clearance Records with sufficient detail on remitted weapons and laptops for separated employees.
We made 22 recommendations to help the DEA address these deficiencies, including:
reiterate to all DEA employees the guidelines for the security, safety, and storage of weapons and the requirements for reporting losses of DEA weapons as outlined in the DEA firearms policy;
ensure the accurate and timely submittal of semiannual DOJ theft reports and the prompt entry of all lost, missing, or stolen weapons into the NCIC database;
ensure that all purchases of laptops are entered into the Fixed Asset Subsystem inventory in a timely manner and that field division Property Custodial Assistants are advised in a timely manner by DEA headquarters of purchases and transfers of property items that pertain to their division; and
ensure that details, such as property descriptions, DEA property numbers, and weapon serial numbers, are included on employee clearance records, and that confirmations from law enforcement entities affirming receipt of DEA excessed weapons are received and forwarded to the Firearms Training Unit.
Overall, the DEA stated that it agreed with our recommendations and would take corrective action to address the deficiencies. As of April 20, 2005, all 22 recommendations had been closed.
According to the DEA, its mission is to enforce the controlled substance laws and regulations of the United States and bring to the criminal and civil justice systems those organizations and principal members of organizations involved in the growth, manufacture, or distribution of controlled substances that are destined for illicit traffic in the United States. The DEA’s Headquarters are in Arlington, Virginia. It has 227 domestic offices in 21 divisions throughout the United States and 86 foreign offices in 62 countries. As of June 23, 2007, the DEA had a total of 9,294 personnel (4,929 law enforcement) assigned to these offices.
In April 2007 the DEA had a total inventory of 14,449 weapons and 7,381 laptop computers. The inventory included semi‑automatic handguns, shotguns, rifles, and training weapons that do not use live ammunition. Ninety-percent of DEA‑owned weapons are issued to Special Agents, while 10-percent are unassigned and remain in the stock inventory at the Firearms Training Unit and at field locations.
Since 1973 DEA Special Agents also have been authorized to carry personally owned weapons for official use. The standards for personally owned weapons are the same as those for the DEA‑owned weapons. DEA Special Agents are prohibited from carrying any personally owned weapon for official use other then those listed in the DEA Agent’s Manual. In addition, DEA Special Agents must have an approved DEA Form 609 (Request for Authority to Carry a Personally Owned Firearm, see Appendix XIII) in their Primary Firearms Instructor file. Personally owned weapons were not included in our prior audit. In this follow-up audit, we included personally owned weapons because we noted that a significant number of Special Agents were authorized to carry personally owned weapons for official duty purposes.
Laptop computers are assigned to most Special Agents and other employees of the DEA. In April 2007 the DEA had an inventory of 7,381 laptop computers. An October 18, 2002, memorandum from the DEA Administrator stated that the storage of classified and other case sensitive information on laptop computers is strictly prohibited unless authorized by the DEA Office of Security Programs. Such an authorization must be laptop specific to ensure that the laptop is certified and accredited to process sensitive or classified information.17
The Office of Management and Budget Circular A-123 requires agencies to develop and maintain effective internal controls to ensure that federal programs operate and federal resources are used efficiently and effectively to achieve desired objectives with minimal potential for waste, fraud, and mismanagement.18 It also requires agencies to establish a management control system that ensures transactions are promptly recorded, properly classified, and accounted for in order to prepare accounts in a timely manner and reliable financial and other reports. The DOJ’s Justice Property Management Regulations require DOJ components to issue detailed operating procedures for protecting federal property against fraud, waste, and abuse.
The DEA’s Property Management Unit provides agency policy and guidance for laptop computers for DEA headquarters, domestic offices, and foreign offices. The DEA guidelines for the general management of property are contained in its Property Management Handbook, which was being revised and in draft status during our audit. The Accountable Personal Property and Equipment section of this handbook stated that weapons and laptop computers fall into the category of Accountable Personal Property and must receive an asset number and be entered into one of the DEA’s independently operated property subsystems. The handbook also stated that both weapons and laptop computers must be inventoried annually.
The draft version of the Property Management Handbook, which was still being reviewed and had not yet been issued as of January 29, 2008, defines property management as those functions of the government that deal with the acquisition, inventory control, protection, and disposition of government property. The Firearms Training Unit is responsible for the overall management of the DEA’s inventory of stock weapons and the DEA’s weapon property system – the Weapons Database. Each of the DEA’s 21 field divisions has a designated Primary Firearms Instructor assigned to control the weapons inventory for that division. For each headquarters unit, division office, district office, resident office, and foreign country office, a Property Custodial Assistant is designated for property management, including laptop computers.
When a weapon is lost or stolen, the responsible employee must immediately notify, through the chain of command, the employee’s office head, who must ensure that the incident is immediately reported to the DEA headquarters Command Center. The Command Center is staffed 24 hours a day, 7 days a week and is responsible for immediately notifying the DEA’s Board of Professional Conduct and Office of Professional Responsibility about the missing weapon. Within 48 hours of a loss, the responsible office head must notify the DEA’s Board of Professional Conduct and the Office of Professional Responsibility and the discovering employee must provide details of the incident by completing Part 1 of the DEA Form 29, which is the DEA’s standardized document for reporting lost and stolen property (see Appendix XI). In March 2007 the DEA issued interim policy designating the DEA Office of Professional Responsibility to manage the DEA’s Lost or Stolen Firearm Program. The Office of Professional Responsibility determines whether it will conduct the investigation or require the responsible office to conduct the investigation.
Similar to a weapon loss, immediately upon discovery that a laptop computer has been lost or stolen, the responsible employee must immediately notify through the chain of command the office head, who must ensure the incident is reported to the DEA Help Desk. The Help Desk is then responsible for notifying the DEA Information Security Section. If the incident is reported outside normal business hours, the Help Desk should report the incident to the DEA Command Center instead of the Information Security Section. If the laptop computer contains PII or sensitive information, the Information Security Section or the DEA Command Center is required to report the incident within 1 hour to the DOJ Computer Emergency Readiness Team (DOJCERT).19 If the laptop computer contains classified information, the incident must also be reported to the Department of Justice Security and Emergency Planning Staff (SEPS). Within 48 hours, the responsible office head must notify the DEA’s Board of Professional Conduct and the Office of Professional Responsibility, and the responsible employee must provide details of the incident in completing Part 1 of the DEA Form 29. The reporting office is responsible for conducting an investigation of the incident.
The DEA Board of Professional Conduct is responsible for reviewing the circumstances of the loss of firearms and laptops and making recommendations, such as assessing financial liability or recommending disciplinary action, to the DEA Office of Deciding Officials. The deciding officials are two senior DEA Special Agents who are responsible for assessing the discipline or punishment to be imposed.
During our 2002 audit we noted that DEA utilized separate systems for recording, tracking, and managing weapons and laptop computers. The DEA Weapons Database includes information on each weapon, including the make, model, serial number, name of the responsible custodian, location, acquisition date, and cost. Information on laptop computers is maintained in the DEA’s Fixed Asset Subsystem, which contains laptop computer information such as asset number, serial number, manufacturer, model number, acquisition cost and date, name of the responsible Property Custodial Assistant, physical location, and condition.
In our 2002 audit report we reported that the DEA replaced its automated property management system for weapons (M‑204 system) with a database system referred to by the DEA as the Weapons Database. As noted in our prior report, this change was necessary because the previous system contained unreliable information and had internal control weaknesses that allowed system users to manipulate data so that items in inventory could be transferred or deleted without approval. During the switchover to the new system, the DEA completed an inventory and reconciliation of all DEA‑owned weapons. In addition, one of the controls in the new firearms system is that only designated personnel in the Firearms Training Unit can access the Weapons Database.
In our 2002 audit report we noted that the DEA had two automated systems comprising its official property management system for accounting for laptop computers: the Fixed Asset Subsystem and the Technical Equipment Inventory System. The Technical Equipment Inventory System recorded laptops used for technical purposes, such as surveillance and tracking. All other laptops were tracked in the Fixed Asset Subsystem.
During this follow-up review we found that the DEA is still utilizing dual systems to account for laptop computers. The Fixed Asset Subsystem allows field locations to change the status of laptops assigned to it to be “disposed of,” “excessed,” or “transferred,” but does not allow a field office to access or change inventory data for other locations. The Technical Equipment Inventory System allows technical group supervisors in the field to issue laptops to users and update the status of laptop assignments. However, they are unable to delete information from the system. Dedicated inventory management specialists in the field are authorized to dispose of laptops with prior approval from the Office of Investigative Technology.
We conducted this follow-up audit to assess the DEA’s progress in addressing the weaknesses we identified during our previous audit regarding its control over weapons and laptop computers. Our review period for this follow-up audit covered the 66 months between January 2002 and June 2007.
We performed a complete inventory of all DEA weapons and laptop computers at DEA headquarters in Arlington, Virginia; the DEA warehouse in Alexandria, Virginia; the Special Operations Division and the Depot in Chantilly, Virginia; the Organized Crime Drug Enforcement Task Force Fusion Center in Merrifield, Virginia; and the DEA Training Academy in Quantico, Virginia. We also tested a statistical sample of weapons and laptop computers at the DEA field division offices in Chicago, Illinois; Denver, Colorado; Houston, Texas; Los Angeles, California; Miami, Florida; and New York, New York. Further, our audit included testing at these headquarters and field locations of the DEA’s records and controls for its Special Agents authorized to carry personally owned weapons.
Our audit also examined the actions, including disciplinary and assessment of financial liability, taken in response to lost, stolen, and missing weapons and laptop computers as reported by the DEA Board of Professional Conduct. Additionally, we queried the NCIC to determine if lost, stolen, or missing weapons were entered into the system in a timely manner.
We also reviewed the DEA’s internal controls over weapons and laptops, which included examining the accuracy and completeness of DEA records, evaluating the DEA’s compliance with DOJ reporting requirements for lost or stolen items, and assessing the DEA’s accountable property exit procedures for departing employees. We also tested a statistical sample of records for weapons and laptop computers that were disposed of at DEA headquarters and the Firearms Training Unit between January 1, 2002, and June 30, 2007. Additionally, our assessment of controls over weapons included physically verifying all weapons issued to Special Agents in the DEA headquarters geographic area and all stock weapons maintained at the Firearms Training Unit at Quantico, Virginia. We selected for testing 5,094 total weapons (4,331 DEA-owned and 763 personally owned) and 3,007 laptop computers.
ITEMS TESTED DURING OUR FOLLOW-UP AUDIT
|DEA Owned||Personally Owned||DEA Owned|
|Firearms Training Unit||3,322||0||554|
In addition, where appropriate we compared results from this follow‑up review of the DEA to results in our February 2007 follow-up audit report of the FBI’s controls over weapons and laptop computers.20 Our follow‑up review of the FBI covered a 44-month period from February 2002 through September 2005. For this review, we computed and compared losses of weapons and laptops for these two agencies, and we comparatively evaluated the circumstances regarding losses.
NCIC is a computerized index of criminal justice information, including criminal history information, fugitives, stolen property, and missing persons, that is available to federal, state, and local law enforcement and other criminal justice agencies.
As of July 2007, the DEA stated that it had only five laptop computers that were specifically designated to process classified information. After 2007, sensitive data may be processed on encrypted laptop computers. Prior to this, approval had to be granted to process sensitive data on a DEA laptop. The DEA’s Security Programs Information Security Section Chief told us that he was unaware of any approvals to process sensitive data.
Personally Identifiable Information is any information about an individual, including, (but not limited to), education, financial transactions, medical history, criminal or employment history, or any information that can be used to distinguish or be traced to an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records.