This is the accessible text file for GAO report number GAO-08-1000T entitled 'U.S. Capitol Police: Progress Made in Addressing Prior GAO Recommendations on Administrative and Management Options' which was released on July 16, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Committee on Rules and Administration, U.S. Senate: United States Government Accountability Office: GAO: For Release on Delivery Expected at 10:00 a.m. EDT: July 16, 2008: U.S. Capitol Police: Progress Made in Addressing Prior GAO Recommendations on Administrative and Management Operations: Statement of: Richard M. Stana, Director Homeland Security and Justice: Kay Daly, Director Financial Management and Assurance: Bernice Steinhardt, Director Strategic Issues: Valerie C. Melvin, Director Information Technology: GAO-08-1000T: GAO Highlights: Highlights of GAO-08-1000T, a report to Committee on Rules and Administration, U.S. Senate. Why GAO Did This Study: The United States Capitol Police (USCP) is responsible for securing the 276-acre Capitol Complex, including protecting Members of Congress, congressional facilities, national treasures, and visitors. In response to heightened security concerns, various requests, and legislative mandates over the years, GAO has reported on management control problems in five key areas: (1) establishing an accountability framework for monitoring recommendations, (2) establishing a risk management framework, (3) ensuring financial management, (4) ensuring strategic and human capital planning, and (5) managing information technology (IT). From January 2004 through March 2007, GAO made 46 recommendations aimed at improving USCP administrative and management operations and achieving strategic goals in these areas. This testimony reports on the status of USCP’s efforts to address GAO’s recommendations. To conduct its work, GAO analyzed USCP documentation, such as risk matrices, budget documents, and strategic plans. GAO also conducted interviews with USCP officials and contractors on their efforts related to its recommendations. GAO performed this work from October 2007 through April 2008, and updated its work on certain financial management activities in July 2008. USCP generally agreed with GAO’s 46 prior recommendations and its findings on the status of those recommendations. What GAO Found: USCP has made significant progress in addressing the 46 recommendations GAO made since 2004. As shown in the table below, USCP has completed actions on 15 recommendations, is making progress toward addressing 30 recommendations, and has not made progress on 1 recommendation. With respect to the five areas, the status of USCP’s efforts to address GAO’s recommendations is as follows: * Accountability Framework for Monitoring Recommendations. USCP has completed actions on creating a framework to monitor progress on addressing GAO’s recommendations and on reporting this progress to appropriate congressional committees and the USCP Police Board. * Linking Resources to Risks, Threats, and Vulnerabilities. USCP has taken steps to complete risk assessments for 18 of the 19 congressional facilities. However, additional actions will be required to adequately test and review its overall risk management approach. * Financial Management. USCP has completed actions on 8 GAO recommendations, including preparing its first full set of financial statements. USCP is making progress in addressing another 15 recommendations related to staffing, training, policies, procedures, and internal controls. * Human Capital Management. USCP has implemented one recommendation by adopting a hiring policy and is making progress on seven other recommendations related to workforce planning and training. USCP has not yet addressed a ninth recommendation to monitor and evaluate the results of its strategic workforce plan because this plan is still being developed. * Information Technology. USCP has implemented four recommendations related to IT management capabilities and is making progress toward implementing the remaining five recommendations related to enterprise architecture, IT investment management, information security, and continuity of operations planning. Table: Status of USCP Progress in Addressing GAO's Recommendations: Issue area: Accountability framework for monitoring recommendations; GAO recommendations since 2004: 2; Status of recommendations: Competed: 2; Status of recommendations: In progress: 0; Status of recommendations: No progress: 0. Issue area: Linking resources to risks, threats, and vulnerabilities; GAO recommendations since 2004: 3; Status of recommendations: Competed: 0; Status of recommendations: In progress: 3; Status of recommendations: No progress: 0. Issue area: Financial management; GAO recommendations since 2004: 23; Status of recommendations: Competed: 8; Status of recommendations: In progress: 15; Status of recommendations: No progress: 0. Issue area: Human capital management; GAO recommendations since 2004: 9; Status of recommendations: Competed: 1; Status of recommendations: In progress: 7; Status of recommendations: No progress: 1. Issue area: Information technology; GAO recommendations since 2004: 9; Status of recommendations: Competed: 4; Status of recommendations: In progress: 5; Status of recommendations: No progress: 0. Source: GAO analysis of USCP data. [End of table] What GAO Recommends: To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-08-1000T]. For more information, contact Richard M. Stana at (202) 512-8777 or stanar@gao.gov. [End of section] Chairman Feinstein, Mr. Bennett, and Members of the Committee: We appreciate the opportunity to be here today to discuss the United States Capitol Police's (USCP) progress in implementing our prior recommendations on administrative and management operations. The USCP is responsible for securing the 276-acre Capitol Complex; protecting members of Congress, their staff, visitors, 19 buildings, national treasures; and regulating traffic within the Capitol grounds. Having efficient and effective administrative and management operations is important in the USCP's overall mission to protect the United States Capitol Complex and the on-site public. Over the years, in response to various requests and legislative mandates, we have reported on USCP's efforts to address a range of (1) operational, (2) financial management, (3) human capital management, and (4) information technology (IT) management issues. Our reviews have disclosed management control problems in these areas. As a result of these reviews, we have made a number of recommendations that we believe the USCP should implement to achieve its strategic goals and operate in an efficient and effective manner. In our March 2007 report, we noted that USCP's progress in implementing many of our past recommendations in the four aforementioned areas had been slow for reasons that included an absence of goals, time frames, and accountability; a lack of continuity in leadership and staff; and a tendency to focus on near-term operational demands to the exclusion of longer-term challenges. To ensure greater accountability and transparency, we recommended that the Chief of Police set goals and timetables to track prior recommendations and to report semiannually to the Capitol Police Board and congressional stakeholders on progress towards addressing open recommendations (that is, recommendations not yet fully implemented). My remarks today are based on our recent review of USCP progress toward addressing recommendations we have made from January 2004 through March 2007 in the following areas: (1) creating an accountability framework for monitoring recommendations; (2) effectively linking USCP's resource requirements and allocations to risks, threats, and vulnerabilities; (3) ensuring adequate accountability for its assets and resources and meeting its long-term goal of becoming a sound, fully functional financial management operation; (4) ensuring strategic management of its workforce; and (5) effectively leveraging information technology to meet its strategic mission, goals, and outcomes. To evaluate USCP's efforts in these areas, we reviewed documentation, such as risk matrices, budget documents, financial reports, and strategic plans in support of the current status of USCP actions to improve management controls and close outstanding recommendations; analyzed USCP operational, strategic and human capital planning, and IT management information; reviewed USCP management and administrative processes and written policies, procedures, plans, and directives; and interviewed members of the USCP leadership team, contractors, and other key USCP staff. In determining the status of financial management recommendations we also supplemented our assessment with the agency auditor's report findings. Prior experience with the auditors and our review of their reports provided the basis for determining the sufficiency and relevance of evidence provided in these documents. We conducted our review from October 2007 through April 2008, and updated our work in certain financial management activities in July 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Summary: Since our March 2007 report, USCP has made significant progress toward addressing 46 recommendations we made since 2004. As shown in table 1, of the 46 recommendations we made, USCP has completed actions on 15 recommendations, is making progress toward addressing 30 recommendations, and has not made progress on 1 recommendation. Table 1: USCP's Progress toward Addressing GAO's Recommendations: Issue area: Accountability framework for monitoring recommendations; GAO recommendations since 2004: 2; Status of recommendations: Competed: 2; Status of recommendations: In progress: 0; Status of recommendations: No progress: 0. Issue area: Linking resources to risks, threats, and vulnerabilities; GAO recommendations since 2004: 3; Status of recommendations: Competed: 0; Status of recommendations: In progress: 3; Status of recommendations: No progress: 0. Issue area: Financial management; GAO recommendations since 2004: 23; Status of recommendations: Competed: 8; Status of recommendations: In progress: 15; Status of recommendations: No progress: 0. Issue area: Human capital management; GAO recommendations since 2004: 9; Status of recommendations: Competed: 1; Status of recommendations: In progress: 7; Status of recommendations: No progress: 1. Issue area: Information technology; GAO recommendations since 2004: 9; Status of recommendations: Competed: 4; Status of recommendations: In progress: 5; Status of recommendations: No progress: 0. Source: GAO analysis of USCP data. [End of table] The following describes the actions taken and the work remaining to address the recommendations in the five areas shown in table 1: Accountability Framework for Monitoring Recommendations. USCP has completed actions on both of our recommendations relating to creating a framework for monitoring recommendations and holding management accountable. USCP set goals and timetables for implementing each of GAO's 46 recommendations, assigned responsibility to an appropriate USCP official for ensuring that actions are taken to implement the recommendations, and created a tracking system to monitor progress. In addition, USCP now reports semiannually to the USCP Board, Senate and House Appropriations Committees, the Senate Committee on Rules and Administration, and the Committee on House Administration on progress made in implementing our prior recommendations. Linking Resources to Risks, Threats, and Vulnerabilities. USCP is making progress toward implementing our three recommendations relating to more effectively linking USCP's staffing and other resource needs to the risks, threats, and vulnerabilities that the Capitol Complex faces. USCP has taken steps to complete and apply a risk matrix that assesses the security environment at 18 of the 19 Capitol Complex facilities, and plans to apply it to six Library of Congress buildings when USCP assumes responsibility for their security at the end of the fiscal year. Moreover, initial steps have been taken to conduct both external peer reviews and periodic testing of USCP's overall risk management approach. While USCP has plans to periodically test and evaluate the risk matrix, the process has yet to be formalized as a Standard Operating Procedure (SOP). Financial Management. Of the 23 GAO recommendations relating to financial management, USCP has completed actions on 8 recommendations, in areas such as assessing its staffing needs and procurement process and issuing its first full set of financial statements in accordance with generally accepted accounting principles in December 2007. USCP is also making progress towards addressing 15 recommendations related to staffing, training, policies, procedures, and internal controls. Importantly, since April 2008, USCP has filled five financial management vacancies, including the Chief Financial Officer position, and the remaining positions are in the process of being filled. Human Capital Management. Of the nine GAO recommendations relating to human capital management, USCP has implemented one recommendation by adopting a hiring policy and is making progress on seven other recommendations related to workforce planning and training. USCP has not yet addressed a ninth recommendation to monitor and evaluate the results of its strategic workforce plan because this plan is still being developed and it is still too soon for USCP Office of Human Resources (OHR) officials to monitor and evaluate any progress on achieving the human capital goals of the plan. Information Technology (IT). Of our nine recommendations relating to IT, USCP has implemented four recommendations and is making progress toward implementing the remaining five. Specifically, USCP has made progress towards establishing important IT management capabilities, such as the use of disciplined system acquisition management practices. However, more work remains to be done in the areas of enterprise architecture, IT investment management, information security, and continuity of operations planning. I will briefly discuss each of the major areas where we have made recommendations and USCP's progress to date in implementing those recommendations. More detailed information on our recommendations and USCP's efforts to implement them is included as an appendix to this statement. Creating an Accountability Framework for Monitoring Recommendations: USCP Has Established a Framework: USCP's progress in implementing many of our past recommendations had been slow for reasons that included an absence of goals, time frames, and accountability; a lack of continuity in leadership and staff; and a tendency to focus on near-term operational demands to the exclusion of longer-term challenges. To help ensure that actions were taken to implement our recommendations, in March 2007, we recommended that the USCP Chief of Police (1) set goals and timetables, and establish accountability for implementing the recommendations, and (2) report semiannually to the USCP Board, Senate and House Appropriations Committees, the Senate Committee on Rules and Administration, and the House Committee on House Administration on progress made in implementing our recommendations. To address our first recommendation, USCP appointed an Audit Liaison to coordinate the tracking, reporting, and resolution of recommendations made by GAO and the USCP Office of the Inspector General (OIG). In this regard, USCP created a formal recommendation resolution process with several components. Each recommendation is assigned to a designated official who is responsible for establishing an action plan to outline the actions needed to implement the recommendation, identify staff responsible for taking the needed actions, establish a target completion date, and track the status of related actions until completion. In a larger sense, during the last year, USCP has taken additional steps to strengthen management accountability and address both our and OIG recommendations. For example, USCP has created a formal process known as the Force Development Planning Process aimed at ensuring that all organizationwide decision-making, planning, and resource allocation processes incorporate elements of threat-based planning. According to USCP, the process links seven previously separate activities related to planning, investments, budget formulation, execution, and performance evaluation into a single process that integrates risk and operational and administrative assessments. By linking these activities, USCP endeavors to establish timetables and better accountability for planning and resource requirements while ensuring that the overall department employs a more strategic and results-oriented approach. With respect to the second recommendation, USCP submitted two semiannual reports during 2007 to stakeholders to provide an update on progress made to implement both our and the OIG prior recommendations. In these reports, the Chief of Police also linked USCP's progress toward implementing the recommendations and improving overall USCP management and operations to the steps necessary to realize the goals in the USCP strategic plan and Concept of Operations (ConOps). Linking Resources to Risks, Threats, and Vulnerabilities: Progress Made in Implementing a Risk Management Approach: Over the years, we have supported the use of a risk management approach to help implement and assess responses to various national security and terrorism concerns. We have concluded that without an approach that provides insights about the present threat and vulnerabilities as well as the organizational and technical requirements necessary to achieve a program's goals, there is little assurance that programs are properly prioritized and focused. In the past, we have reported that to improve operations and better support resource requirements, USCP would have to more effectively link threats and vulnerabilities to its staffing and other resource needs. In our 2005 report, we noted that according to USCP, continued increases in its operational requirements were not being met with necessary increases in its number of uniformed officers. We also noted that USCP's ability to assess risk levels--relative to the vulnerabilities of and threats to USCP security posts--would provide USCP with information needed to more effectively allocate limited resources to the areas of greatest need. In that regard, we worked with USCP to develop a risk analytical management matrix that could be used to assess risk relative to the threats and vulnerabilities of the Capitol Complex. Moreover, we issued three recommendations to help USCP develop a risk management framework that links threats and vulnerabilities to allocation of resources. In our March 2007 report, we noted that while USCP had taken several steps to develop a risk management framework to address our recommendations, its progress was slow. Since we issued that report, USCP has made significant progress in addressing our recommendations regarding the implementation of a risk management approach, although further actions are needed. Progress Has Been Made in Applying the Risk Matrix, but It Is Not Fully Implemented: USCP has made significant progress in applying the risk management framework. Using the risk matrix and other tools, USCP has completed risk assessments for 18 of 19 congressional facilities and is scheduled to complete all assessments this fiscal year. According to USCP officials, they will be required to complete a total of 25 assessments after the department assumes responsibility for six additional facilities from the Library of Congress at the end of the fiscal year. USCP will need to complete the risk assessments of all the facilities under its responsibility to fully address our recommendations. Moreover, to ensure that USCP's resource requirements are better linked to threats and vulnerabilities, USCP contracted with Enlightened Leadership Solutions (ELS) to assess the department's manpower configuration, law enforcement operations, and overall staffing resources. According to USCP officials, the findings from the ELS Manpower Study are currently being evaluated and integrated into its Force Development Planning Process. Agency officials told us that upon integration, the USCP will be able to more effectively link resource requirements to threats and vulnerabilities. Initial Steps Taken to Review and Test the Effectiveness of the Matrix; However, Additional Actions Are Necessary: While USCP has taken initial steps to review and test the effectiveness of its risk management framework, further action is necessary to fully implement our recommendation. For example, ELS examined the risk management frameworks employed by comparable federal law enforcement agencies to identify best practices and potential benchmarks. To do this work, ELS conducted best practices research and interviewed high- level officials in the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), the U.S. Department of State's Bureau of Diplomatic Security, and the Department of Defense. Moreover, USCP sought the assistance of three additional agencies--the General Services Administration (GSA), the Transportation Security Administration (TSA), and the U.S. Secret Service (USSS)--to conduct peer reviews by reviewing USCP's risk management framework. According to USCP, the agencies listed above share protective missions similar to the USCP as well as conduct large physical security surveys. According to USCP, regarding the risk management framework, these agencies all concur with USCP's methodologies, processes, and reporting structures. Although we did not validate the initial findings of the external peer reviews, we believe that USCP is taking steps in the right direction to review the effectiveness of its risk management framework. To test the effectiveness of the risk matrix, according to USCP officials, the department's Safety and Security Bureau (SSB) plans to conduct an annual internal review and assessment of the risk matrix after all risk assessments have been completed for all congressional facilities. As a part of the review, SSB proposed to evaluate the thoroughness and accuracy of each risk assessment; review whether or not all existing vulnerabilities and mitigation options were correctly identified; and suggest changes or updates to the risk matrix as a result of the review. Agency officials told us that this plan has yet to be formalized into their SOPs until all physical assessments of the congressional facilities have been completed. When fully integrated, the combination of these efforts should fulfill our remaining recommendations regarding the linkage between risk management and the necessary resource requirements to address those risks in the most efficient and effective manner. Financial Management: Progress Noted in Certain Areas, but Major Financial Management Challenges Remain: In our March 2007 report, we found that USCP continued to face major challenges and had not made significant progress toward improving its financial management operations. Major challenges reported included a high level of staff turnover and open vacancies, which have continued into fiscal year 2008 and prevented USCP's Office of Financial Management (OFM) from stabilizing its financial management operations. As you know, a stable and skilled workforce is needed to build a strong foundation for financial management, internal control, and accountability. Our March 2007 report also highlighted continuing challenges related to financial reporting and the performance of related physical inventories of assets, the implementation of a new financial management system, and the need to follow through with plans to develop and implement an internal control program. Further, we reported that 23 previously issued financial management recommendations covering general financial management and reporting, internal control policies and training development, procurement, and staffing identified during our reviews since 2004 had not been addressed. During the past year, OFM has made important progress toward addressing long-standing financial management issues in each of these areas, including the issuance of its first full set of financial statements in accordance with generally accepted accounting principles in December 2007. In addition to achieving this important milestone, USCP completed actions in areas such as assessing its staffing needs and procurement process that effectively addressed 8 of our 23 recommendations. In addition, although USCP has made important progress toward addressing the remaining 15 recommendations related to staffing, training, policies and procedures, internal controls, and other financial management activities, continued efforts are needed to ensure that USCP's financial management operations meet their objectives and stakeholder needs. Addressing Staffing Shortages Is Critical for Sustained Improvements: USCP effectively addressed two of our prior recommendations related to evaluating its financial management staffing needs by conducting internal assessments of current and future needs that included assessing the need for additional staff or contractors to meet ongoing needs and high-priority demands. USCP has made recent progress in addressing two recommendations related to staffing shortages. As of April 4, 2008, eight OFM positions, including the Chief Financial Officer (CFO), Deputy CFO, Budget Officer, and Procurement Officer were vacant, due to recurring turnovers and other factors. As a result of these shortages, USCP financial statement auditors reported significant weaknesses related to OFM's ability to effectively monitor its financial management operations. Since that time, several of the positions--including the CFO position--have been filled and others are in the process of being filled. Additional Efforts Needed to Build on Progress Made in Procurement Activities and Credit Card Programs: Collectively, USCP efforts effectively addressed three of our prior recommendations related to procurement activities and credit card programs; however, additional efforts are needed to address nine other recommendations in these areas. For example, efforts to realign procurement staff and implement workload efficiencies have enabled OFM to eliminate previously reported backlogs and provided an effective framework for meeting future activity. In addition, USCP monitored purchase card activity to identify potential fraudulent activity, improper usage, or abuses of these cards and initiated efforts to monitor fleet and travel card activities. USCP has also made progress toward providing training and guidance for staff involved in procurement activities and credit card programs. However, continued efforts are needed to further assess credit card program risks and enhance existing guidance, training, and monitoring activities to ensure consistent application of policies and procedures. Financial Reporting and Internal Control Have Improved, but Challenges Remain: USCP effectively addressed three of our seven recommendations related to financial reporting and general internal control by issuing its first full set of financial statements, formalizing procedures related to reprogramming transactions, and establishing electronic approval paths in its new financial management system. By the end of fiscal year 2007 USCP had also issued or revised about 30 policies and procedures covering a wide range of financial activities including payroll, capitalized assets, and access to its financial management reporting system. Although USCP has made substantial progress in formalizing its policies and procedures, additional efforts are needed to address issues identified in the four remaining recommendations. For example, the USCP financial statement auditor noted in its 2007 audit report instances where the lack of staff and improper implementation of USCP's policies and procedures created deficiencies that ultimately contributed to two material weaknesses[Footnote 1] and the auditor's inability to issue an opinion on the financial statements. Recognizing that annual financial statements audits provide a valuable assessment of USCP's financial management operations and that auditors reported significant deficiencies in December 2007, we encourage USCP to continue to work with its auditors to address (1) the deficiencies that prevented its auditors from expressing an unqualified opinion on its financial statements, (2) significant internal control deficiencies reported by the auditors including those considered to represent material weaknesses related to payroll processing and financial management, and (3) any instances of noncompliance with laws and regulations reported by the auditors. Correcting these deficiencies will not only permit USCP to obtain an unqualified opinion in the future, but will also help in achieving its long-term goal of becoming a fully functional financial management operation with a solid foundation of internal control and accountability. Human Capital Management: USCP Has Adopted Hiring Policy and Initiated Efforts to Address Long-standing Workforce Planning and Training Issues: Since our prior review in March 2007, USCP has successfully implemented our August 2004 recommendation to adopt a civilian hiring policy. USCP has addressed this recommendation by issuing a policy that describes the department's process for hiring both sworn and civilian staff and outlines the responsibilities of managers and selecting officials in this process. Additionally, USCP has made some initial steps to develop a strategic workforce plan and a master training plan. Our past work has identified the need for USCP to develop these plans to address several long-standing human capital challenges, such as updating human resource management policies and procedures, improving workforce planning, and addressing employees' training needs. In January 2004, we issued six recommendations proposing that USCP develop and implement a strategic workforce planning process containing specific human capital strategies addressing such areas as recruitment and training. We made two additional recommendations regarding the implementation of this process in our reports issued in 2005. Of these eight recommendations, USCP has made progress on all but one recommendation--to monitor and evaluate the results of its strategic workforce plan. Because USCP has not yet fully developed its strategic workforce plan, it is still too soon for officials from USCP's Office of Human Resources (OHR) to monitor and evaluate the results of this plan. USCP Has Adopted a Civilian Hiring Policy: In our August 2004 report, we determined that USCP needed to adopt clear, up-to-date policies and procedures for hiring individuals into civilian positions. Specifically, both USCP's SOP that discusses the roles and responsibilities managers have in the civilian hiring process and the supplemental memorandum on the process for making job offers were out-of-date and not consistently implemented by USCP officials. In October 2007, USCP successfully implemented this recommendation by issuing its Employment and Promotion Policy Plan that provides a standardized hiring process for both sworn and civilian positions within USCP. In addition to including a description of the department's hiring process, this plan also outlines the responsibilities that managers and selecting officials have in the hiring process, such as determining whether vacant positions still need to be filled and consulting with OHR officials on any changes in the position's duties, responsibilities, or organizational placement. This plan was approved by USCP's Chief of Police and applies to all personnel actions related to filling USCP positions. USCP Has Taken Initial Steps to Develop a Strategic Workforce Plan: Our prior work examining the practices of leading organizations has highlighted the importance of developing human capital strategies--the programs, policies, and processes that organizations use to hire and train staff; develop succession plans; administer a performance management system; and use human capital flexibilities.[Footnote 2] These strategies can assist an agency in addressing skill gaps within its current workforce as well as acquiring skills needed in the future to achieve an agency's mission and goals. To address our eight recommendations relating to the development and implementation of a strategic workforce planning process, USCP's Office of Human Resources has completed an initial draft of a strategic workforce plan, which discusses the importance of workforce planning, demographic information on USCP's workforce, as well as a listing of action items needed to develop a set of human capital strategies. Although creating this initial draft plan is an important first step, OHR officials acknowledge that the plan will need further refinement. Specifically, as the draft plan is further developed, the action items should be more fully developed and include such details as specific tasks to complete, defined roles and responsibilities, milestones, and resource requirements. Finally, because USCP has not yet fully developed its strategic workforce plan, it is too soon for OHR officials to monitor and evaluate their progress on achieving the human capital goals of their planone of the eight recommendations we made related to strategic planning. Further Collaboration Needed to Complete Master Training Plan: In our March 2007 report, we discussed USCP's efforts to establish a well-designed training program that addresses the needs of both sworn and civilian staff. Effective training and development programs are an integral part of an agency's ability to ensure that its employees have the information, skills, and competencies to work effectively. These training programs can also enhance an agency's ability to attract and retain employees with needed skills and competencies. To address three of the recommendations related to developing USCP's strategic workforce plan, USCP's Training Services Bureau (TSB) officials have been working on a four-phase process to develop a master training plan, which is to define and prioritize staff training needs and requirements. TSB has completed the process' first phase by issuing a training catalog containing all training courses available to USCP staff through TSB as well as external training providers and facilities. Currently, TSB is in the second phase of this process-- validating the competencies of USCP's position descriptions--which will require further collaboration with OHR. According to OHR officials, they have finished identifying the competencies for USCP's civilian positions and are currently reviewing and revising competencies for the sworn positions. Upon completion of this phase, TSB officials, working with OHR and other stakeholders, plans to then identify appropriate professional development and training curriculum for all USCP staff based on the set of validated competencies. To complete the development of the master training plan, TSB officials plan to develop specific training strategies and procedures, such as formulating future training needs. Information Technology: USCP Has Made Progress toward Establishing IT Management Capabilities, but Further Actions Are Needed to Address Remaining Weaknesses: USCP relies on information technology (IT) to support achievement of its mission. For example, USCP depends on IT systems to schedule and dispatch police officers, manage the maintenance of vehicles and equipment, and perform numerous administrative functions, such as preparing financial reports and paying employees. To effectively leverage IT in achieving strategic mission goals and outcomes, an organization such as USCP needs to institutionalize certain management disciplines and capabilities. Accordingly, we have advised the agency on the importance of (1) following disciplined system acquisition management practices, (2) developing and implementing an enterprise architecture, (3) establishing and implementing IT investment management structures and processes, and (4) developing and implementing an effective information security program and continuity of operations plan. Our research of leading private and public sector organizations shows that success in managing and leveraging IT can be linked to these strategic IT management disciplines and capabilities. USCP has made progress in addressing our recommendations related to each of these IT management disciplines and capabilities, including the use of disciplined system acquisition management practices. Nevertheless, weaknesses remain in the areas of enterprise architecture, investment management, information security, and continuity of operations planning. Of nine recommendations we made in January and August 2004 to improve USCP's IT management capabilities, the department has completed actions on four of the recommendations and has made progress toward completing the remaining five recommendations. System Acquisition Policies and Procedures Have Been Developed and Implemented: USCP has completed the development and implementation of system acquisition policies and procedures that are essential to reducing the risk of acquiring systems that do not perform as intended, are delivered late, and cost more than planned. Specifically, the agency's policies and procedures provide for, among other things, developing acquisition plans and maintaining them throughout the acquisition life- cycle. Additionally, USCP has taken steps to ensure that system acquisitions are conducted in accordance with the policies and procedures. For example, as part of its acquisition of a new case management system, USCP developed a project management plan, defined requirements, and monitored project development costs. According to USCP officials, the agency's policies and procedures are followed for ongoing and planned system acquisitions. As a result of improving its system acquisition management, USCP has reduced the risk of systems not performing as intended, not being delivered on time, and not meeting cost and schedule expectations. Further Actions Needed to Develop and Implement Enterprise Architecture: USCP has a long-standing enterprise architecture program and, according to agency officials, all but one of the agency's existing applications are in compliance with the current architecture version. However, progress within the last year toward effectively managing the program in accordance with relevant guidance, such as our enterprise architecture management maturity framework, has been limited. Further, the agency's architecture products do not include the full breadth of necessary content, particularly regarding descriptions of how security will be achieved. Additionally, USCP officials have identified the need to update their transition plan and for the revised plan to include a current schedule for legacy systems replacement and the resource needs for accomplishing this replacement. According to the officials, the agency has not had sufficient staff resources to support its architecture program, and thus, has requested funding for two full-time architecture staff in its fiscal year 2009 budget request. Until USCP addresses these weaknesses in its enterprise architecture program, the agency will be challenged in its ability to implement systems that optimally support mission operations. IT Investment Management Process Has Been Developed, but Implementation Has Limitations: USCP has developed, but not yet fully implemented, a comprehensive IT investment management process. The agency's IT Capital Planning and Investment Control Guide defines a comprehensive process that includes selection, control, and evaluation of proposed and ongoing investments. While the agency has made progress toward implementing a process consistent with its guide, the existing process is largely limited to the selection of proposed investments, with little emphasis on controlling and evaluating ongoing investments. For example, the process does not yet require documentation of key decisions or include assignment of responsibility for executing decisions during the control and evaluation stages of the investment life cycle. In speaking to these activities, USCP officials said they chose to focus their initial investment management efforts on increasing discipline in the selection of all (i.e., IT and non-IT) investments across the agency; however they recognized the need to extend such discipline to the control and evaluation of the agency's investments. Until USCP implements an investment management process that includes control and evaluation of investments, in addition to the already established selection process, the agency will not be effectively positioned to provide the management oversight and informed decision making that is necessary to ensure that investments are performing as planned and delivering promised value. Further Actions Needed to Fully Implement Information Security Program and Continuity of Operations Plan: USCP has implemented an information security program and performed continuity of operations planning. The agency reported that it has implemented 70 of 108 information security program activities that it had identified as necessary. For example, it has completed the execution of vulnerability assessments and network scans. Additionally, according to agency officials, certification and accreditation of major applications has been completed and information security plans have been developed for major applications. Regarding continuity of operations planning, USCP has revised its continuity of operations plan and begun activities to implement the plan throughout the agency. Specifically, in January 2008, the Chief of Police adopted the revised plan and directed follow-on activities to be completed that include a timeline for ensuring the integration of the plan with agency operations. Nevertheless, USCP officials assert that the agency needs additional staff resources to fully implement its remaining security program activities and maintain an effective security program. To this end, the agency has requested funding for two full-time IT security staff in its fiscal year 2009 budget request. Until USCP completes its security program activities, it will not be positioned to protect its systems and critical information. Concluding Remarks: Over the years, we have recommended that USCP take actions to correct deficiencies we identified in the areas of operations, financial management, strategic and human capital planning, and IT management. Since the issuance of our last report and as noted in this statement, USCP has made significant progress in addressing our prior recommendations. Notwithstanding the progress that has been made, there is still substantial work that remains to be done. For example, in the areas of linking resources to threats and vulnerabilities, USCP has yet to fully integrate its risk management framework. Until this process is completed, USCP will not be in the best position to effectively link resources needs to threats and vulnerabilities. In the areas of financial management, USCP has yet to fully address the challenges of ongoing staff shortages and work imbalances. Until these recommendations are implemented, USCP's ability to sustain improvement efforts and meet long-term financial management goals will be limited. In the area of human capital management, work still remains to complete its strategic workforce plan and master training plan, which should include long-term strategies for acquiring, developing, and retaining a workforce with the critical skills and competencies needed to accomplish the department's mission. In the area of information technology, despite the progress made in addressing management concerns, weaknesses remain in enterprise architecture, investment management, and information security. Until these management and operational issues are fully addressed and implemented, USCP will not be in the best position to achieve its strategic goals and mission in the most efficient and effective manner. This underscores Congress's need to stay closely attuned to USCP's progress toward addressing the administrative and management challenges we identified. Madam Chair, this concludes our prepared statement. We would be happy to respond to questions you or other members of the subcommittee may have at this time. For questions regarding this testimony, please contact Richard M. Stana at (202) 512-8777 or stanar@gao.gov. Contact points for our offices of Congressional Relations and Public Affairs may be found on the last page of this statement. [End of section] Appendix I: Status of United States Capitol Police (USCP) Recommendations: This appendix provides a status summary of the progress made and remaining actions by USCP in addressing prior GAO recommendations. [See PDF for image] Source: GAO. [A] OMB Circular No. A-123, Management's Responsibilities for Internal Control (revised Dec. 2004). [End of table] [End of section] Appendix II: GAO Contact and Staff Acknowledgments: GAO Contact: Richard M. Stana, (202) 512-8777 or stanar@gao.gov: Acknowledgments: Individuals making key contributions to this statement were Bernice Steinhardt, Director; Valerie Melvin, Director; Kay Daly, Acting Director; Bill Crocker, Assistant Director; Elizabeth Martinez, Assistant Director; Mark Bird, Assistant Director; Steven Lozano, Assistant Director; John Mortin, Assistant Director; Josh A. Diosomito; Heather Dunahoo; James Kernen; Teresa M. Neven; Kenrick Isaac; Lerone Reid; Katherine Davis; Geoffrey Hamilton; Jacquelyn Hamilton; Franklin Jackson; and Mike Volpe. [End of section] Footnotes: [1] A material weakness is a significant deficiency, or a combination of significant deficiencies, that result in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. [2] GAO, Human Capital: Agencies Need Leadership and the Supporting Infrastructure to Take Advantage of New Flexibilities, GAO-05-616T (Washington, D.C.: Apr. 21, 2005; and GAO, Human Capital: Effective Use of Flexibilities Can Assist Agencies in Managing Their Workforces, GAO- 03-2 (Washington, D.C.: Dec. 6, 2002). GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: