This is the accessible text file for GAO report number GAO/OIG-11-4 entitled 'Semiannual Report: October 1, 2010 - March 31, 2011' which was released on June 23, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Office of the Inspector General: United States Government Accountability Office: GAO/OIG: May 2011: Semiannual Report: October 1, 2010 - March 31, 2011: GAO/OIG-11-4: Office of the Inspector General: United States Government Accountability Office: Memorandum: Date: May 24, 2011: To: Comptroller General Gene L. Dodaro: From: [Signed by] Inspector General Frances Garcia: Subject: Semiannual Report-—October 1, 2010, through March 31, 2011: In accordance with Section 5 of the Government Accountability Office Act of 2008[Footnote 1] (GAO Act), I am pleased to present my semiannual report for the 6-month period ending March 31, 2011, for your comments and its transmission to the Congress. During the reporting period, the Office of the Inspector General (OIG) continued its efforts to finalize and implement the revised OIG order to reflect our statutory role and responsibilities while continuing to conduct audits and investigations. We are in the process of considering and responding to comments we received on the revised draft OIG order and making changes in the order, as appropriate. In addition, we completed an internal review of our quality assurance framework and are in the process of taking steps to further strengthen our processes and controls in response to this review. We recognize that other changes to our quality assurance framework may be needed as we finalize our OIG order and complete our transition to the role of a statutory OIG. As a result, we do not anticipate participating in a peer review until we have completed this transition and have conducted and fully addressed any recommendations resulting from at least two additional internal inspections. We also prepared an annual work plan for fiscal year 2011 based on our updated audit risk assessment of GAO operations, and we conducted a planning survey to further identify potential risks in GAO's procurement activities and areas for future work. While our engagements are generally focused on areas identified in our work plan, adjustments to our work plan are made, as needed, in an effort to ensure we are in tune with changing conditions or emerging issues and are able to respond appropriately. In addition, we completed our annual review of GAO's assessment of its management challenges. We agreed with the assessment that physical security, information security, and human capital continue to be management challenges that may affect GAO's performance. We also agreed with management's view that progress is being made in addressing these challenges. However, we believe that further review is warranted to determine if these areas can be removed as management challenges and if other risks emerge that should be designated as management challenges. Finally, we continued to participate in the activities of the broader inspector general community, including the Council of the Inspectors General on Integrity and Efficiency and the quarterly meetings of Legislative Branch Inspectors General. Audits and Inspections: During the reporting period, we issued two public reports—an assessment of the adequacy of GAO's controls to prevent and detect employee misuse and delinquency of government travel cards[Footnote 2] and an evaluation of GAO's information security program and practices for fiscal year 2010.[Footnote 3] A summary of these reports and GAO actions to address our recommendations are presented in attachment I. Investigations and Hotline Activities: Regarding our efforts to identify potential fraud, waste, and abuse, the OIG's hotline is our primary source of complaints.[Footnote 4] The OIG receives hotline complaints through a variety of sources, such as through its toll-free hotline number and e-mail. As shown in table 1, we had a total of 129 complaints, 7 of which were open at the start of this 6-month reporting period and 122 new complaints received during the period. Table 1: Summary of OIG Hotline and Investigative Activity, October 1, 2010, through March 31, 2011: Complaints: Open at start of period: 7; Received: 122; Referred to FraudNet: 58; Closed, insufficient information/no basis: 46; Referred to other GAO units or agencies: 5; Closed investigations: 9; Open at end of period: 11. Source: GAO OIG. Note: "Complaints" include inquiries and allegations received by OIG. [End of table] The 7 open cases from the prior semiannual reporting period covered a wide range of matters, such as issues related to telework, travel voucher claims, and the day care facility located at GAO headquarters. Of these 7 cases, we closed 4-2 because of no basis for further action and 2 after conducting investigations. Three remained open at the end of the period. We referred the results of one investigation to GAO's Office of Workforce Relations to determine whether any administrative action is appropriate. In addition, our investigation into the daycare facility resulted in our suggesting that management consider expanding GAO's role in overseeing the facility. During the current reporting period, we received 122 new complaints through our hotline and other sources. Fifty-eight of the 122 complaints concerned matters related to other federal agencies and were referred to GAO's FraudNet—a governmentwide hotline operated by GAO staff that receives complaints of fraud, waste, and abuse of federal funds. Of the remaining 64 complaints received during the reporting period, we: * closed 4 complaints after we conducted investigations and combined 3 other complaints into ongoing investigations. The closed investigations included issues relating to unemployment insurance payments for employees of a GAO contractor, purchase card fraud, employee misconduct, and a whistleblower complaint regarding a GAO audit. One of these investigations resulted in an employee being counseled, and, following another investigation, an employee resigned from GAO before the agency could take administrative action. * closed an additional 44 complaints when we determined there was no basis for additional action, sometimes after completing preliminary investigative work. In one of these 44, we provided assistance to the District of Columbia OIG on an investigation. * referred 5 complaints-4 to other GAO units and 1 to another agency— for action that involved such issues as e-mail scams, employee misconduct, and an information request. * continued efforts on the remaining 8 open complaints. Agency Actions on Recommendations Made in Prior OIG Reports: During this reporting period, GAO undertook or continued actions to respond to recommendations intended to provide oversight of and controls over GAO's contractor parking policies and practices. For example, GAO has developed procedures to ensure provisions in the GAO Vehicle Parking Program order are strictly adhered to regarding contractor parking. This includes developing procedures to ensure that contractor parking is provided according to contract provisions and that contract language regarding parking is standardized and includes appropriate caveats. GAO also took actions to respond to a recommendation that the Office of General Counsel consider the adoption of suspension and debarment procedures, including reporting any suspended or debarred GAO contractors to the Excluded Parties List System (EPLS). To address this recommendation, the General Counsel established a study team to consider the merits of a suspension and debarment procedure at GAO. This team recommended, and the Executive Committee concurred, in April 2011, that GAO should develop suspension and debarment procedures, including EPLS reporting. GAO is now in the process of developing such procedures. I provided GAO with a draft of this report for review and comment. The agency provided technical comments that we incorporated, as appropriate. Finally, I want to thank GAO's Executive Committee, managers, and staff for their cooperation during our reviews. Attachment: cc: Patricia A. Dalton, Chief Operating Officer, GAO: David M. Fisher, Chief Administrative Officer/Chief Financial Officer, GAO: Lynn H. Gibson, General Counsel, GAO: GAO's Audit Advisory Committee: [End of section] Attachment I: Summary of GAO/OIG Reports and GAO Actions: Reports Issued October 1, 2010, through March 31, 2011[Footnote 5] GAO Travel Cards: Opportunities Exist to Further Strengthen Controls (GAO/OIG-11-1, Dec. 7, 2010): Findings: GAO's policy and procedures were generally effective in preventing and detecting travel charge card misuse. However, OIG identified areas where GAO's travel card program could be strengthened by adopting selected best practices identified in related Office of Management and Budget (OMB) guidance. As a legislative branch agency, GAO is not required to follow any OMB circulars, including OMB Circular No. A-123 or its appendixes. In testing the effectiveness of GAO's monitoring of travel card delinquency, OIG found that the agency could improve its procedures to reduce delinquency. While GAO has had a process to take action when employees were delinquent in paying their travel cards, OIG found that GAO was missing a key component— procedures that set out the requirements and time frames for referring delinquent cardholders for potential disciplinary action. OIG also found that GAO has implemented some of the controls identified by OMB in its guidance but is not using other controls, such as statistical and narrative information on travel card use to enhance program oversight and management of its travel card program. Further, GAO had not developed a management plan to help provide a road map for ensuring the ongoing effectiveness of its risk management controls. In addition, OIG found that internal controls and best practices identified in OMB Circular No. A-123, Appendix B, were not used by GAO to manage or assess the effectiveness of GAO's travel card program controls. Recommendations and GAO actions: This report recommends that GAO (1) develop procedures to minimize the number of travel cards and review the appropriateness of travel card spending and related ATM cash advance limits; (2) develop policies and procedures, including time frames, for referring delinquent cardholders for disciplinary action and notifying the OIG of actions taken; (3) develop and report statistical and narrative travel card compliance information to oversight managers; (4) establish a goal to gauge agency progress in reducing delinquency; (5) consider establishing a policy to use OMB Circular No. A-123, Appendix B, in GAO's annual assessment of the effectiveness of the travel card program's internal controls; and (6) consider identifying and adopting, as appropriate, additional controls and best practices identified in OMB Circular No. A-123, Appendix B, to help reduce travel card program risk and improve management's assessment of travel card program controls. GAO concurred with these recommendations and has taken actions to reduce the number of travel card accounts and develop standard operating procedures to refer delinquent cardholders to GAO's Office of Workforce Relations. GAO is continuing to address the remaining recommendations in this report. Information Security: Evaluation of GAO's Program and Practices for Fiscal Year 2010 (GAO/OIG-11-3, Mar. 4, 2011)[Footnote 6]: Findings: The OIG's evaluation showed that, in voluntary compliance with the Federal Information Security Management Act of 2002 (FISMA), GAO has established an information security program that is generally consistent with requirements of this act, Office of Management and Budget (OMB) implementing guidance, and standards and guidance issued by the National Institute of Standards and Technology. However, based on evaluation metrics provided by OMB for inspectors general, the OIG identified improvement opportunities for specific elements of GAO's program that concerned (1) identifying the agency's systems inventory and assuring that all systems operated by GAO or by contractors meet security requirements, (2) implementing additional computer-scanning capabilities to test security configuration settings, (3) remediating configuration-related vulnerabilities in a timely manner, (4) ensuring that contractors have access to required role-based security awareness training, and (5) planning for further implementation of the personal identity verification requirements of Homeland Security Presidential Directive 12 (HSPD-12). Recommendations and GAO actions: This report recommends that GAO (1) incorporate procedures within its annual systems inventory process that require inventory changes to be documented and formally approved by the Chief Information Officer and that system interfaces be identified, (2) identify and pursue additional options for obtaining assurances that certain contractor systems meet federal information security requirements, (3) continue efforts to complete and document required information security processes and procedures for all GAO- operated systems, (4) proceed with plans to establish a security configuration scanning capability for GAO notebook computers and workstations, (5) incorporate changes to the configuration management process that remediate specific open configuration-related vulnerabilities, (6) ensure that access to annual role-based information security training or its equivalent is provided for all contractor staff required to take this training, and (7) develop and brief senior management on a plan for practical implementation of HSPD- 12 requirements. GAO concurred with these recommendations and has identified actions to address them with target completion dates through the end of fiscal year 2011. [End of section] Footnotes: [1] Pub. L. No. 110-323, 122 Stat. 3539 (Sept. 22, 2008). [2] GAO, Office of the Inspector General, GAO Travel Cards: Opportunities Exist to Further Strengthen Controls, [hyperlink, http://www.gao.gov/products/GAO/OIG-11-1] (Washington, D.C.: Dec. 7, 2010). [3] GAO, Office of the Inspector General, Information Security: Evaluation of GAO's Program and Practices for Fiscal Year 2010, [hyperlink, http://www.gao.gov/products/GAO/OIG-11-3] (Washington, D.C.: Mar. 4, 2011). [4] Complaints include inquiries and allegations received by OIG. [5] In addition to the reports cited, we issued our semiannual report for the 6-month period ending September 2010: GAO, Office of the Inspector General, Semiannual Report—April 1, 2010, through September 30, 2010, [hyperlink, http://www.gao.gov/products/GAO/OIG-11-2] (Washington, D.C.: Dec. 7, 2010). [6] Because the full report contains sensitive information, only our Highlights page is publicly available on [hyperlink, http://www.gao.gov]. However, congressional members can request the full report. [End of section] Reporting Fraud, Waste, and Abuse in GAO's Internal Operations: To report fraud, waste, and abuse in GAO's internal operations, do one of the following. (You may do so anonymously.) * Call toll-free (866) 680-7963 to speak with a hotline specialist, available 24 hours a day, 7 days a week. * Send an e-mail to OIGHotline@gao.gov. * Send a fax to the OIG Fraud, Waste, and Abuse Hotline at (202) 512- 8361. * Write to: GAO Office of Inspector General: 441 G Street NW, Room 1808: Washington, DC 20548: Obtaining Copies of GAO/OIG Reports and Testimony: To obtain copies of OIG reports and testimony, go to GAO's Web site: [hyperlink, http://www.gao.gov/about/workforce/ig.html]. Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548: Public Affairs: Chuck Young, Managing Director, youngcl@gao.gov, (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548: This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.