Federal Bureau of Investigation's Implementation of Information Technology Recommendations
Report No. 03-36
Office of the Inspector General
The Federal Bureau of Investigation (FBI) is the principal investigative arm of the Department of Justice (DOJ). To execute its responsibilities, the FBI's Headquarters in Washington, D.C. provides program direction and support services to 56 field offices, approximately 400 satellite offices known as resident agencies, and more than 40 foreign liaison posts.
As of April 2003, the FBI had over 11,000 special agents and over 16,000 other employees who performed professional, administrative, technical, clerical, craft, trade, or maintenance operations. The FBI's budget authority was nearly $4.3 billion for FY 2003. Of this budget authority, $606 million was allocated to information technology (IT) projects.
The terrorist attacks of September 11, 2001, prompted the Attorney General to make counterterrorism the DOJ's highest priority. The DOJ reflected these new priorities in its Strategic Plan for FYs 2001 - 2006, which was issued in November 2001. In the Strategic Plan, the Attorney General recognized that the fight against terrorism requires the DOJ "to improve the integrity and security of its computer systems and make more effective use of information technology."
Additionally, in July 2002, the DOJ released an IT Strategic Plan that included the following goals:
In response to the DOJ's new priorities following September 11, 2001, the FBI proposed fundamental changes in its strategic priorities and business practices. In May 2002, the Director of the FBI announced a major reorganization that dedicates more resources to the prevention of terrorism. Although the core missions of the FBI remain intact, the changes are intended to transform the Bureau's role from reactive to preventive. To accomplish this transition, FBI officials repeatedly have told Congress that new and improved IT is required to support a redesigned and refocused FBI. In testimony before the Senate Judiciary Committee on June 6, 2002, the Director released the FBI's top ten priorities in the post-September 11 era, with the number one priority being protecting the United States from terrorist attacks. Number ten on the list of priorities is upgrading technology to successfully perform the FBI's mission. Clearly, the FBI's future ability to prevent terrorism and other crimes depends on modern information technology and effective management of technology.
Because of the significance of IT to the FBI's mission-critical activities, the Office of Inspector General (OIG) has issued numerous audits and special reviews over the past 12 years relating to the Bureau's IT management processes. These reports resulted from reviews of the FBI's internal controls of financial IT systems, compliance with the Government Information Security Reform Act (GISRA), and management of IT investments.
Additionally, the OIG has conducted special reviews that considered the FBI's use of computer applications in its investigative activities. Both the OIG audit and special review reports have highlighted many IT deficiencies at the FBI and have provided recommendations directed toward correcting those deficiencies.
Other entities (such as the General Accounting Office (GAO), private contractors, Congressional committees, and specially formed commissions) have conducted reviews that discuss the FBI's IT management practices, but do not necessarily contain IT-related recommendations. While the focus of our audit was to assess the FBI's progress in implementing IT recommendations, in Appendix 3 of this report we discuss the findings of reports issued by the GAO and the Commission for the Review of FBI Security Programs (Webster Commission) due to their relevance to the FBI's IT program.
The Office of Management and Budget (OMB) and DOJ have issued policies and procedures for following up on recommendations of audit reports. According to OMB Circular A-50, audit follow-up is an integral part of good management, and is a shared responsibility of agency management officials and auditors. Corrective action taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of government operations. OMB Circular A-50 requires agencies to establish systems to assure the prompt and proper resolution and implementation of audit recommendations. These systems are to provide for a complete record of action taken on both monetary and non-monetary findings and recommendations.
The DOJ issued Order 2900.6A, Audit Follow-Up and Resolution, to establish the Departmental policies and criteria for the follow-up and resolution of audit findings and recommendations, to ensure that all OIG audit reports are adequately and timely resolved, and that all resolution actions are consistent with the governing laws and regulations. The order states that DOJ components should assign a high priority to the immediate implementation of the order so that the DOJ will be in full compliance with the legislative and regulatory requirements pertaining to the timely resolution of audits.
The order also states that the heads of DOJ components are responsible for overall audit resolution and follow-up activities within their organizations and are accountable to the Deputy Attorney General. Further, DOJ components should establish an audit follow-up and resolution system that ensures written comments on audit findings and recommendations are made within a 4-month period.
OIG audit reports generally contain recommendations that have a status of either open or closed. Open recommendations should be resolved within six months of the final report issuance date. Recommendations are closed by the OIG when the OIG is satisfied that the component has taken the agreed-upon corrective actions, or when the corrective action is waived. To determine if the agreed-upon corrective actions were taken, the OIG may request that FBI officials provide documentation demonstrating that the stated corrective actions were completed. In other cases, the OIG may perform additional review to verify that the stated corrective actions were taken. Although subjective, the timeliness of corrective actions is assessed on a recommendation-by-recommendation basis due to the inherent difficulties associated with implementing certain recommendations.
Upon issuing other OIG reports that also contain recommendations, such as special investigations or reviews, the OIG elicits responses from components regarding planned corrective actions. When received by the OIG, the responses are reviewed to determine whether the planned corrective actions meet the intent of the recommendations. Periodically, the OIG makes inquiries with components to monitor the implementation of these actions. However, as with audit reports, component management is ultimately responsible for ensuring that recommendations are implemented in a timely manner.