The objectives of this audit were to determine if:
EOUSA has effectively managed the VNS, including overseeing the contractors, ensuring the accuracy of data in the system, and planning for the future;
The VNS is an effective tool for victims of crime; and
The VNS was properly secured to prevent unauthorized use, access, and data modification.
Scope and Methodology
To accomplish our audit objectives, we conducted more than 50 interviews with agencies that are directly involved with the VNS, including headquarters officials from EOUSA, the DOJ Criminal Division, the FBI, the BOP, the USPIS, and the OVC. We also spoke with headquarters officials from those agencies that do not directly participate in the VNS, such as the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF); the Drug Enforcement Administration (DEA); the U.S. Marshals Service (USMS); the Administrative Office of the U.S. Courts (AOUSC); the Bureau of Immigration and Customs Enforcement (ICE); and the U.S. Secret Service (USSS) to determine their knowledge of the VNS and whether they had been contacted about participating in the VNS. Additionally, we interviewed the contractor (AT&T Government Solutions) who manages the system, as well as the sub-contractor (Appriss) who manages the Call Center/Help Desk and back-up servers. We also reviewed internal documents, such as planning materials, contracts, manuals, internal directives and policies, and financial reports from EOUSA, the DOJ Criminal Division, the FBI, the BOP, the USPIS, and the OVC. Moreover, we obtained and analyzed empirical data from the VNS and used this information to develop descriptive statistics on the number and types of victims in the system.
We conducted fieldwork in Chicago and Lisle, Illinois; Lexington and Louisville, Kentucky; Kansas City and Leavenworth, Kansas; and Kansas City, Missouri, where we interviewed field personnel. Specifically, at these locations we spoke with senior management and staff who utilized the VNS at the local USAO, BOP, and FBI offices, and reviewed reports and files applicable to our review. In general, the scope of our audit covered the period of FYs 1998 through 2007.
Related to our first objective, we performed a limited review of the services provided by the contractor and sub-contractor, including Call Center operations; discussed the entry of information into the VNS with federal VNS users; reviewed data in the VNS and spoke with federal VNS users to determine if information in the system was accurate; and interviewed non‑participating agencies to determine if outreach was performed and if the agencies were interested in participating in the VNS. To determine if the VNS is an effective tool for victims, we designed and deployed two surveys: (1) one to victims who were active in the system, and (2) another to victims who were no longer active in the system.51 We selected stratified, statistical samples of victims, to which we sent the surveys.52 We also reviewed other surveys conducted by EOUSA and the BOP, and conducted our own testing of the VNS website through use of a test victim account.
To accomplish our third objective, we utilized a private auditing firm, with experience in conducting IT audits, to perform an information security review of the VNS. Specifically, the OIG engaged Urbach, Kahn, & Werlin, LLP (UKW) to conduct an independent assessment to determine whether VNS information security and privacy policies comply with government standards and established best practices. To identify whether the VNS complied with DOJ and federal privacy and information security policies, UKW performed interviews, on-site observations, and reviews of information security-related documents.
The OIG has not performed any prior reviews of DOJ’s Victim Notification System. In July 2003, the Government Accountability Office (GAO) reviewed whether EOUSA had institutionalized key information technology (IT) management capabilities that are critical to achieving DOJ’s strategic goal of improving the integrity, security, and efficiency of its IT systems. The report identified the VNS as one of EOUSA’s systems. The GAO report recommended EOUSA: (1) designate institutionalization of each of the IT management disciplines as priorities, and (2) develop and implement action plans in each of the four IT disciplines to address the weaknesses that were identified in its report. EOUSA agreed with the majority of the GAO’s findings and recommendations and stated that it would address most of the recommendations. EOUSA also stated that it has made notable progress in institutionalizing the IT management disciplines, particularly information security, and that each was an office priority.