DOJ OIG Draft Audit Report
Federal Bureau of Investigation's
Implementation of Information Technology Recommendations
Recommendation Number 1, Page 74: We recommend that the Director of the FBI: Develop, document, and implement Bureau-wide procedures to follow up and close audit and investigative recommendations, in accordance with OMB Circular A-50 and DOJ Order 2900.6A. This process should include the tracking and resolution of system audit recommendations.
Response: The FBI agrees with this recommendation. On 07/11/2003, OIG and GAO guidance was promulgated Bureau-wide. See attached Electronic Communications entitled "DOJ OIG Financial and Non-Financial Audits" and "General Accounting Office," Tabs A and B. These documents have also been posted on the Inspection Division website. Additionally, the MPMOU has spoken with the FBIHQ Manuals Desk on the feasibility of including these guidance documents in a planned centralized database of FBI policies, procedures, and processes. These documents will be reviewed on a semiannual basis and updated accordingly to accommodate any changes. The next review is scheduled for December 2003.
Recommendation Number 2, Page 74: We recommend that the Director of the FBI: Ensure that the ARCS database is complete and includes recommendations from all sources of OIG audits and reviews.
Response: The FBI agrees with this recommendation. The transition strategy for migrating audit information into ARCS addresses both new and prior year audits. All new (FY 2003 and subsequent) audits will be entered into ARCS. The strategy for entering open prior year audits is twofold. Known prior year open audits will be entered into ARCS immediately, while unknown open prior year audits, those that may have slipped through the cracks due to inefficiencies in prior methods used to track audit compliance, will be entered when a formal response request is received from the OIG. Prior year closed audits will not be entered into ARCS. Since implementation of this strategy, 113 audits have been entered into and are being or have been tracked/monitored using ARCS.
The FBI has taken and will continue to take proactive steps to ensure the ARCS database is accurate and complete. First, all INSD Audit Liaison POCs were requested to search their records to identify open prior year audits. Audits that were identified but not in ARCS were immediately entered into ARCS. Also, the FBI recently performed a reconciliation of the ARCS database with the audit/inspection activities identified in the "Audit Highlights for the U.S. Department of Justice" Newsletter, dated May-June 2003 (Tab C). The newsletter is published by the DOJ, Justice Management Division (JMD), Audit Liaison Office (ALO). The reconciliation was conducted to assess whether or not the ARCS database was current, accurate, and complete. The DOJ "Status of Current General Accounting Office Activities" and "Status of Current Office of Inspector General Internal Activities" listed in the newsletter were matched to the ARCS database. The reconciliation identified only two findings. First, all of the OIG audits/reviews and, with the exception of two, all of the GAO audits/reviews listed in the newsletter were in ARCS. In regards to the two GAO audits that were not in ARCS, further investigation determined that DOJ initially identified the FBI as a component to which the audits were applicable, then DOJ verbally informed the FBI that they were not. Regardless, they have since been entered into ARCS, documenting the initial identification of the FBI as a component and the subsequent rescissions. The reconciliation also noted that the audit status reporting in the newsletter did not account for audits that are resolved but have open recommendations. However, with the recent dissemination of DOJ, JMD, ALO guidance entitled "Process to Monitor and Oversee the Implementation of Audit Recommendations," we believe this finding will ultimately be resolved.
With the exception of one report (Campaign Finance), all of the OIG audits/investigations identified in Appendix 2 of the draft audit report are being monitored and tracked using ARCS. In regards to the report that is not in ARCS, the FBI has contacted the report issuing entity to request a copy of the audit report and associated correspondence. Upon receipt of the report, it will be entered into ARCS and tracked accordingly. The GAO reports cited in Appendix 3 of the draft audit report are not in ARCS due to their closure prior to the implementation of ARCS.
In regards to the statement that ARCS "does not include vulnerabilities generated by system audits required by GISRA," ARCS was not designed to track these types of internal audits. Systems audits, referred to as certification and accreditation (C&A), fall under the purview of the FBI's Information Assurance Section (IAS) (Tab D). IAS is mandated by policy to maintain all C&A information. IAS is in the process of establishing a database to maintain all information associated with the outcome of the C&A process, of which system deficiencies/vulnerabilities would be a subset of the information collected. An award of a contract to develop the IAS database is imminent. Initial operational capability is anticipated within 3-4 months after the contract is awarded. It should be noted that IAS's action to establish and implement a C&A database is being tracked in ARCS in response to a recommendation contained in OIG Audit Report 03-06 (ARCS 03-03). ARCS will document and track all OIG GISRA audit findings and recommendations until closure. The three reports issued for FYs 2001 and 2002 specific to the FBI's compliance with GISRA mentioned in the draft audit report have been entered into and are being tracked/monitored using ARCS.
Recommendation Number 3, Page 74: We recommend that the Director of the FBI: Ensure that managers are held accountable for the tracking, resolution, and timely implementation of OIG recommendations.
Response: The FBI agrees with this recommendation. In accordance with FBI guidance (see response to recommendation number 1), various individuals (i.e., managers and non-managers) are held accountable for the tracking, resolution, and timely implementation of OIG recommendations. An executive owner, a recommendation contact lead, and compliance action/task points of contact are identified for each audit recommendation. Each has a varying degree of accountability for the tracking, resolution, and timely implementation of OIG recommendations. Executive owners have overall accountability for the timely implementation of audit recommendations. They must review, approve, and oversee the corrective action plan associated with each audit recommendation as well as allocate the necessary resources to execute the corrective action plans. The recommendation contact lead must develop, manage, and execute the corrective action plan associated with a specific recommendation. The action/task point of contact is responsible for the execution of a specific action or task associated with a recommendation's corrective action plan. ARCS is designed to record, track, and monitor audit information, including management accountability for the tracking, resolution, and timely implementation of OIG recommendations. As noted in the draft audit report, weekly email notifications are issued when tasks are past due or approaching their due date. This control mechanism ensures that the appropriate individual is held accountable for the timely execution of recommendation corrective action plans.