Return to the USDOJ/OIG Home Page
Return to the Table of Contents

Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure

Report No. 04-05
November 2003
Office of the Inspector General


Appendix 4
Statement on Management Controls

In planning and performing our audit of the Department's management of its planning and assessment activities for protecting its critical infrastructure, we considered the Department's management controls for the purpose of determining our auditing procedures. This evaluation was not made for the purpose of providing assurance on the management control structure as a whole; however, we noted certain matters that we consider reportable conditions under Government Auditing Standards.

Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the management control structure that, in our judgment, could adversely affect the Department's ability to effectively manage projects in support of its CIP planning. During our audit, we found the following management control deficiencies.

  • The IMSS did not adequately oversee risk mitigation actions from components to ensure that vulnerabilities would be mitigated by May 2003.
  • The Department has not ensured testing of its contingency plans for the Department's critical systems or other aspects of its emergency management plan.
  • The Department has not documented its interagency and liaison relationships.
  • The IMSS could not document that the Department's critical systems complied with the Department's requirements (Department Order 2640.2D).

Because we are not expressing an opinion on the Department's overall management control structure, this statement is intended for the information and use of the Department in managing its CIP program. This restriction is not intended to limit the distribution of this report, which is a matter of public record.