While many of the OIG’s audits, reviews, and investigations are specific to a particular component of the Department, other work spans more than one component and, in some instances, extends to Department contractors and grant recipients. The following describes OIG audits, reviews, and investigations that involve more than one Department component.
At the request of the Senate Appropriations Committee, the OIG’s Evaluation and Inspections Division reviewed the coordination efforts among four of the Department’s violent crime task forces: ATF’s Violent Crime Impact Teams, DEA’s Mobile Enforcement Teams, FBI’s Safe Streets Task Forces, and USMS’s Regional Fugitive Task Forces. The need to coordinate task force operations has grown because of the increasing number of cities with multiple Department task forces.
Overall, we found that the Department has not adequately coordinated the operations of its violent crime task forces to prevent duplication of effort, particularly when the Department created new task forces in jurisdictions in which other task forces already were operating. Although the missions of these task forces overlap, the Department had not required components to coordinate operations or investigations, cooperate in joint investigations, or deconflict law enforcement events. The one exception was the violent crime task forces that were focused on gang crime. In August 2005, the Department issued a policy requiring components to obtain the Deputy Attorney General’s approval to conduct anti-gang programs and activities in new locations. However, that policy has not been applied to other types of violent crime task forces.
During field visits in eight cities with multiple task forces, the OIG determined that task forces in four cities were better coordinated because the U.S. attorneys and local task force managers there implemented local policies on coordination, and the task forces used information-sharing systems to coordinate their operations. In the other four cities, the task forces operated as independent entities rather than as part of a coordinated Department approach for combating violent crime. In these cities we found less coordination and more instances of duplicate investigations. We also found that failure to coordinate task force investigations resulted in three “blue-on-blue” incidents in which task force members and informants were targeted as criminals by other task forces. We concluded that guidance was needed to address the problem of competition for state and local law enforcement resources among the Department’s four violent crime task forces. Several special agents in charge, U.S. marshals, and task force managers stated that the participation of local officers was critical to the success of their task forces.
The OIG made four recommendations to improve the coordination of the Department’s violent crime task forces, including that the Department implement guidance for coordinating task force operations and require each of the task forces to use national and local information-sharing and deconfliction systems to coordinate investigations and protect officer safety. The Department concurred with the four recommendations and has since required each component to certify that it has adopted a policy requiring the use of information-sharing and deconfliction measures to coordinate investigations in areas where more than one violent crime task force operates. The Department also directed U.S. attorneys to report to the Department on violent crime task force coordination efforts, the nature of any coordination problems identified, and guidance or policies adopted or revised to address problems.
In June 2007, the OIG’s Evaluation and Inspections Division released a report that examined the process Department components must follow when reporting computer security incidents, identifying losses of sensitive electronic information, and notifying individuals whose personally identifiable information may have been lost. Throughout the federal government personally identifiable information, including social security numbers, medical histories, and tax information, has been compromised after computers or storage media have been lost or stolen.
We reviewed the policies and procedures for reporting loss of sensitive information at nine Department components that accounted for the majority of computer security incidents reported in the Department. We found that the components implemented policies and procedures required by the Department’s Office of the Chief Information Officer to comply with standards set by OMB. However, the components were not always reporting computer security incidents within the timeframes required by the standards. In July 2006, OMB established a new requirement that all federal agencies report incidents involving loss of personally identifiable information within 1 hour of discovery. We found that two of the nine components have not updated their policies and procedures to include the new OMB requirement.
In addition, our analysis of 199 computer security incidents in the Department from July 2006 through November 2006 showed that components were not consistently reporting personally identifiable information incidents within 1 hour of discovery to the Department’s Computer Emergency Readiness Team (DOJCERT), as required by as required by the components’ Incident Response Plans. More over, none of the incidents were reported within 1 hour, as OMB requires, to the U.S. Computer Emergency Readiness Team (US-CERT).
We made eight recommendations to help the Department and its components improve procedures for responding to the loss of sensitive electronic information. The Department concurred with all of the recommendations and has begun implementing corrective actions, including clarifying how quickly computer security incidents must be reported, instructing components on proper reporting of incidents involving classified information, developing reporting measures to ensure that all components meet established timeframes, and developing procedures for notifying individuals affected by a loss of personally identifiable information.
Section 1001 of the USA Patriot Act directs the OIG to receive and review complaints of civil rights and civil liberties abuses by Department employees, to publicize how people can contact the OIG to file a complaint, and to submit a semiannual report to Congress discussing our implementation of these responsibilities. In August 2007, the OIG issued its 11th report summarizing its Section 1001 activities during the period from January 1, 2007, to June 30, 2007.
The report described the number of complaints we received under this section, the cases that were opened for investigation, and the status of these cases. In addition, the report summarized the results of two OIG reviews that were required by the Patriot Reauthorization Act: a review of the FBI’s use of national security letters and a review of the FBI’s use of Section 215 orders for business records. Both reports were issued in March 2007, as required by the Patriot Reauthorization Act. As discussed previously in this semiannual report, the OIG is continuing its review of the FBI’s use of national security letters and Section 215 orders for business records.
The report also highlighted the resolution of the final OIG recommendation made in our June 2003 report that reviewed the treatment of aliens held on immigration charges in connection with the investigation of the September 11, 2001, terrorism attacks. The one recommendation that remained open called for the FBI and the Department of Homeland Security (DHS) to enter into a memorandum of understanding to formalize policies, responsibilities, and procedures to manage a national emergency involving alien detainees. The DHS and the FBI signed a memorandum of understanding that became effective on June 7, 2007, which addressed the handling of administrative cases involving aliens of national security interest.
Grants represent a significant expenditure of federal funds in a wide variety of federal agencies, including the Department. In 2006, the Department organized the National Procurement Fraud Task Force, which seeks to prevent, detect, and prosecute procurement and grant fraud. As part of that effort, the OIG is chairing the Grant Fraud Committee of the task force.
The Grant Fraud Committee is focusing on three areas to help improve the ability of the federal government to prevent, detect, investigate, and prosecute grant fraud: 1) examining ways to enhance information sharing concerning cases and issues related to grant fraud; 2) coordinating efforts to provide training to auditors, agents, and prosecutors on detecting, investigating, and prosecuting grant fraud; and 3) conducting outreach to agency program managers who manage federal grant programs and grantees to coordinate prevention, detection, and investigation of grant fraud and to communicate best practices in these areas.
In conjunction with its work on behalf of the Grant Fraud Committee, the OIG has implemented a Grant Fraud Initiative to focus on grant issues within the Department. As part of this initiative, the OIG’s Audit Division has developed a survey program that examines the internal controls of entities receiving Department grant funds in order to quickly assess the risk of fraud by those entities. Internal controls are intended to provide reasonable assurance that program goals and objectives are met, resources are adequately safeguarded and efficiently used, and reliable data is maintained and fairly disclosed.
Since March 2007, the OIG has performed approximately 20 of these surveys. In instances where we found that a grantee either did not have sufficient internal controls or did not follow its existing internal controls, we reported that lack of internal controls to the grantee for improvement and to the Department to increase its grantee monitoring and carefully scrutinize any future grant requests from the organization. In addition, the survey findings resulted in several referrals to the OIG’s Investigations Division where the grantee had significant internal control deficiencies that raised the risk of fraud. Several of those referrals resulted in fraud investigations, which currently are ongoing. We also found one instance of fraud in grant funds received from another federal agency. We made the appropriate referrals, and that matter is under investigation.
The OIG’s Audit Division issued a report, undertaken at the request of the Senate Appropriations Committee, which examined the nine most expensive Department conferences held in the United States and the most expensive international conference held between October 2004 and September 2006.
We determined that Department conference sponsors adequately justified reasons to hold the conferences, but inconsistently performed and documented cost comparisons among potential sites. In addition, the Department did not maintain a single financial system capable of providing the actual costs of Department conferences. As a result, when asked to provide conference expenditures to Congress, some Department components reported budgeted, awarded, and estimated conference costs instead of actual expenses, while others did not uniformly include travel or personnel costs.
Our audit found that the cost for some meals and receptions at the conferences were extravagant. For example, a 2005 Office of Justice Programs (OJP) Weed and Seed National Conference held in Los Angeles, California, which was attended by 1,500 people, included a $53 per person lunch for 120 attendees; a 1-hour, $64,000 themed “networking” reception; and a post-conference meeting for 30 Department employees who were provided a sandwich buffet lunch at a cost of $44 per person and a themed snack for an additional $25 per person. Overall, this conference’s daily food expenses averaged $64 per registrant, which exceeded the approved federal per diem rate of $51 for meals. The 2006 Office of Community Oriented Policing Services (COPS) National Conference in Washington, D.C., which hosted 1,100 attendees, included daily breakfast buffets; two lunches; two themed breaks; and a networking reception that cost $60,000 by itself and included chef-carved roast beef and turkey, a penne pasta station, and platters of Swedish meatballs at a cost of nearly $5 per meatball. The average food and beverage cost per day for the COPS conference was $83 per attendee, $19 over the $64 federal per diem meal rate for Washington, D.C.
In addition, our review of 253 travel vouchers submitted by federal employees who attended the conferences found that 75 percent of these vouchers failed to deduct one or more meals provided at the conferences, as required by federal travel regulations. When federal attendees do not deduct meals provided at government expense, and when component managers do not systematically review vouchers to ensure that such deductions are made, the government effectively pays for the meals twice.
The OIG made 14 recommendations to the Department regarding conference expenditures, including to: 1) ensure that conference planners compare multiple sites in multiple cities, unless components document an overriding operational reason to hold the conference in a particular city; 2) develop and implement conference food and beverages policies; 3) evaluate how components solicit and hire event planners, since no single entity monitors conference costs to ensure that they are appropriate or that event planners offer the best value for the fees charged; and 4) instruct Department component Chief Financial Officers to adopt procedures confirming that employees deduct appropriate amounts from vouchers for government-provided meals. The Department agreed with all of our recommendations.
During this semiannual period, the OIG’s Audit Division, responding to a request from the House and Senate Appropriations Committees, completed the last of three reports on the Department’s major IT systems. The first report, issued in March 2006, provided an inventory of Department IT systems. The second report examined the Department’s efficiency in tracking costs associated with its most expensive Information Technology (IT) systems. For this report, the OIG collected information on 38 major Department IT systems that cost a reported $5.7 billion through FY 2005. We found that the Department’s Chief Information Officer and component Chief Information Officers were unable to readily verify the costs reported to them by Department IT system managers, and the Department’s various financial systems were not designed to identify and compile costs related to individual IT systems. As a result, IT system cost reporting was fragmented, and individual IT system managers relied on various methods to track costs. Consequently, the costs routinely reported to OMB and Congress were unverified.
As part of the audit, the OIG tested the validity of costs reported by system mangers for 3 of the Department’s 38 major IT systems: the FBI’s Law Enforcement Online system, DEA’s Concorde system, and Justice Management Division’s (JMD) Justice Consolidated Office Network. The system managers reported that the 3 systems cost $328 million, but we determined that the costs were understated by at least $68 million. To improve cost reporting for IT systems, the OIG recommended that the Department develop cost reporting methodologies, report IT system costs to OMB consistently in budget and other documents, and consider whether the Department’s new financial system can be used to accurately identify the costs of individual IT systems. The Department concurred with our recommendations.
Our third report examined the research, plans, studies, and evaluations that the Department has conducted on its 38 major IT systems and sought to identify the depth and scope of problems the Department has experienced in the formulation of its IT plans. We identified nearly 500 studies, plans, and evaluations that the Department has produced, but found significant gaps between the documents described as necessary in guidelines and those actually prepared for individual projects. We also found a lack of compliance in the areas of systems engineering management, configuration management, quality assurance, validation and verification, and training plans.
Prior OIG reports identified planning problems on individual systems and projects, such as weaknesses in business process re-engineering, requirements planning, cooperation between agencies, and IT program and contract management. These weaknesses have contributed to project re-starts, cost increases, and delays in the FBI’s implementation of a case management system; the termination of the FBI’s Laboratory Information Management System project; delays in implementing an interoperable fingerprint identification system that can be used by both the Department and federal immigration authorities; and data integrity problems in the TSC database. Finally, we found that the Department did not produce project management evaluations for either successful or failed IT projects, with the exception of two terminated projects in the FBI.
We recommended that the Department evaluate why project teams do not prepare certain plans and evaluations; reassess the utility of those documents; and consider revising the standards for producing IT studies, plans, and evaluations for individual IT projects. The Department agreed with our recommendations.
Federal Information Security Management Act Audits
The Federal Information Security Management Act (FISMA) requires the Inspector General for each agency to perform an annual independent evaluation of the agency’s information security programs and practices. The evaluation includes testing the effectiveness of information security policies, procedures, and practices of a representative subset of agency systems. To oversee the implementation of policies and practices relating to information security, OMB has issued guidance to agencies for their FISMA requirements.
For FY 2007, the OIG reviewed the security programs of four Department components: the FBI, USMS, BOP, and JMD. Within these components, we selected for review four sensitive but unclassified systems: the FBI’s Combined DNA Index System (CODIS), USMS’s Warrant Information Network, JMD’s Civil Applicant System, and BOP’s Hires/Careers. In addition, we selected one FBI classified system for review.
Based on our FISMA reviews, we responded to the OMB questionnaire by providing updated information about the overall effectiveness of the Department’s IT security program. Our review disclosed that the Department had ensured that systems within the FBI, USMS, BOP, and JMD all were certified and accredited, system security controls were tested and evaluated within the past year, and system contingency plans were tested in accordance with FISMA policy and guidance. The OIG also reviewed documented policies and procedures for reporting incidents internally to US-CERT and to law enforcement. Our review found that three (the FBI, BOP, and JMD) of the four components followed documented policies and procedures for reporting incidents internally. However, the OIG obtained incident reports from the USMS for the period September 1, 2006, through July 15, 2007, and identified incidents that were not reported within the Department’s required 1 hour timeframe.
The OIG and the Department’s Office of Professional Responsibility are conducting a joint review of the Department’s removal of several U.S. attorneys. The joint review also is investigating allegations that Department personnel used political considerations in assessing candidates for career Department positions. In addition, the joint review is examining hiring for the Department’s entry-level Honors Program and Summer Law Intern Program and whether Department employees improperly considered applicants’ political affiliations when deciding who to hire for the programs from 2002 through 2006.
The OIG is reviewing the Department’s involvement with the National Security Agency program known as the “terrorist surveillance program” or “warrantless surveillance program.” This review is examining the Department’s controls over and use of information related to the program and the Department’s compliance with legal requirements governing the program.
The OIG is auditing the processes used throughout the Department for nominating individuals to the consolidated terrorism watchlist, which is maintained by the Terrorist Screening Center.
In October 2001, the federal government deployed the automated Victim Notification System, which allows victims or potential victims of federal crimes to be notified upon a change in the status of the case in which they are involved – from the investigative, prosecution, incarceration, or release phases. The OIG is reviewing the Victim Notification System to determine if services are being provided as required by the terms of the contract; if the Victim Notification System is an effective tool for government users and victims of crime; if outreach is being performed to encourage participation and information sharing; and if information in the system is accurate.
The Department’s Key Performance Indicators
Key Indicators are reported each year within the Department’s Performance and Accountability Report and link to the Department’s Strategic Plan. The OIG is auditing Key Indicators in Department components to examine whether the data underlying the Key Indicators are complete and accurate.
The Department’s Financial Statement Audits
The Chief Financial Officers Act of 1990 and the government Management Reform Act of 1994 require annual financial statement audits of the Department. The OIG oversees and issues financial statement audit reports based on the work performed by independent public accountants. The FY 2007 financial statement audit currently is in process. The results will be included in the Department’s FY 2007 Performance and Accountability Report, which is expected to be issued by November 15, 2007.