Fiscal Year 2002 (Second Half)

The Honorable Timothy J. Muris
Chairman
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580

Dear Chairman Muris:

The attached report covers the Office of Inspector General's (OIG) activities for the second half of fiscal year 2002, and is submitted according to Section 5 of the Inspector General Act of 1978, as amended.

OIG audit efforts for the six-month reporting period ending September 30, 2002, focused primarily on reviewing IT security programs. In tandem with the agency, my office issued its second report under the Government Information Security Reform Act (GISRA). The OIG review found that security improvements have been achieved from a year ago, yet the risk of potential harm from a successful insider attack remained high. Consequently, more needed to be done to protect agency assets and information. Many of the internal security vulnerabilities that were identified during our fiscal year 2002 review were expeditiously dealt with by management. Thus, while additional security enhancements are still needed, the OIG has noted two years of continuous improvements in the agency's information security program.

As in the past, management has been responsive to all OIG recommendations. I appreciate management's support, and I look forward to working with you in our ongoing efforts to promote economy and efficiency in agency programs.

Sincerely,

Frederick J. Zirkel
Inspector General

TABLE OF CONTENTS

TRANSMITTAL

INTRODUCTION

AUDIT ACTIVITIES

Completed Audits/Reviews 
Planned Audits

INVESTIGATIVE ACTIVITIES

Investigative Summary 
Investigations Referred for Action or Closed During the Period 
Matters Referred for Prosecution

OTHER ACTIVITIES

Significant Management Decisions
Access to Information 
Internet Access 
Audit Resolution 
Review of Legislation 
Contacting the Office of Inspector General

TABLES

Table I: Summary of Inspector General Reporting Requirements

Table II: Inspector General Issued Reports With Questioned Costs

Table III: Inspector General Issued Reports With Recommendations That Funds Be Put To Better Use

INTRODUCTION

The Federal Trade Commission (FTC) seeks to assure that the nation's markets are competitive, efficient, and free from undue restrictions. The FTC also seeks to improve the operation of the marketplace by ending unfair and deceptive practices, with emphasis on those practices that might unreasonably restrict or inhibit the free exercise of informed choice by consumers. The FTC relies on economic analysis to support its law enforcement efforts and to contribute to the economic policy deliberations of Congress, the Executive Branch and the public.

To aid the FTC in accomplishing its consumer protection and antitrust missions, the Office of Inspector General (OIG) was provided five workyears and a budget of $710,000 for fiscal year 2002.

AUDIT ACTIVITIES

During this semiannual period, the OIG issued its second Government Information Security Reform Act (GISRA) evaluation, and a review of contract administration for two large software development contracts. The OIG also initiated fieldwork for its review of the unauthorized use of Federal agency names in unsolicited commercial emails or "spam." In addition, the OIG began its audit of the FY 2002 FTC financial statements. Details of these audits and reviews are provided below.

Completed Audits/Reviews

Audit Report Number Subject of Audit
AR 02-053 GISRA Technical Evaluation Report
AR 02-053A GISRA Technical Evaluation Report - Executive Summary
BR 02-054
(Briefing Report)
Review of Contract Administration in the Software Development Branch

Summary of Findings for Reviews Issued During the Current Period

In AR 02-053 and AR 02-053A, GISRA Technical Evaluation Report and Executive Summary, the OIG performed an evaluation of information security at the FTC pursuant to requirements contained in GISRA. This is the second annual GISRA evaluation completed by the OIG. Our first report, issued in September 2001, focused on the management and operational aspects of the security controls at the FTC. This year, the OIG performed a technical assessment of the FTC's Information Technology (IT) environment, to include network infrastructure (routers, hubs and switches), desk top and server systems (PC's, e-mail and database servers) and select application systems.

The review team performed its scans from inside the agency by hooking up to the network through a port located in the OIG. The team did not perform an external penetration test, i.e., it did not attempt to "break in" to the FTC's computer system from outside the agency. Rather, the review team focused on mapping the internal network and equipment on the network to search for vulnerabilities that would enable either internal or external unauthorized users to access sensitive systems.

The internal scan identified both strengths and weaknesses in the agency's information security program. On the positive side, the review team was unsuccessful in accessing information stored on the hard drives of FTC employees. Further, the remote management account on each desktop is protected by a strong password. We also found network servers to be configured securely.

On the negative side, the OIG found vulnerabilities that permitted the review team to obtain unauthorized access to sensitive resources and information. Although access was possible, no files or data were downloaded. If any disgruntled employee, student or contract employee with malicious intent achieved the same level of access, s/he could have read, altered or deleted any data file stored on any one of the agency's data servers, to include such information as premerger filings, consumer complaints, employee e-mails or Commission minutes from nonpublic meetings.

The OIG used readily-available software tools, many of them freely downloaded from the Internet, to scan the network and identify linked computers. The scans found that many of the computers were configured to share files with anyone who knew where to look. The scans also revealed that many of the computers required no passwords for access or were "protected" by easily crackable passwords. Such rudimentary security oversights were not found on desktop computers where one might expect security lapses to occur. Rather, these were identified on Network servers and routers that are managed by IT specialists and provided access to all of the agency's sensitive information.

Such vulnerabilities were generally of the common "house keeping" variety (as opposed to architectural or systemic vulnerabilities) and, thus, can be quickly corrected with little or no additional resources. Many occur because security components of operating software are often left set on the lowest default level to ease installation and administration. This initial password is then not changed or deleted.

The OIG understands that the majority of FTC users are unlikely to possess the technical computer knowledge to achieve the level of access obtained by the OIG. But, the OIG believes that there exists a fairly significant population of individuals working at the agency with the requisite knowledge to achieve the same access as OIG evaluators. Furthermore, many of these individuals are students or contractors who do not undergo any background check.

The OIG developed a matrix containing 31 technical recommendations and met with IT team leaders and staff to discuss each recommendation and respond to their questions and/or comments. This process created a useful dialog about methods to enhance security and, in select instances, how best to make configuration changes to implement the OIG recommendations. As a result, most recommendations were implemented within days of the conclusion of our fieldwork. Management has developed an action plan to implement all remaining recommendations.

In BR 02-054, Review of Contract Administration in the Software Development Branch, the audit objective was to determine compliance with selected aspects of the Federal Acquisition Regulation (FAR) and FTC contract administration requirements for information technology support contracts. The review focused on whether or not the contracts provide for personal services, whether the work performed was within the scope of the contracts, and the adequacy of the technical monitoring and oversight. Two large contracts with software development firms were selected for review. From October 1999 to July 2002, FTC expended about $5.7 million on these two contracts.

The OIG obtained necessary background information on the two contracts, along with details of how they were being monitored by FTC contract officials. The information was then tested and supplemented by examining documents and administering a questionnaire to Software Development Branch staff, including both government and contractor employees. Additional interviews were conducted with contracting officials and other FTC staff.

Review of the documents provided and tests of those documents indicated that contract monitoring mechanisms are in place to provide adequate technical monitoring and oversight over the progress of the work and the contractors' performance. Documents examined and interview responses indicated that work performed by contractor employees was within the scope of work of their respective contracts.

When 13 of 18 contractor employees responded to the OIG survey saying that they were being supervised by a government employee, concerns arose about the possible issuance of a personal services contract. Personal services, which is prohibited by the FAR, would result if continuous supervision and control over the contractor employees were being exercised by a government officer or employee.

Based on a close review of relevant contract provisions and after discussions with both the agency's contracting officer and General Counsel staff it was determined that neither contract contained provisions indicative of personal services, i.e., the government did not reserve the right to (i) assign tasks to contractor staff or prepare work schedules, (ii) control the method by which the contractor performs the service, the number of people employed, and the specific duties of individual employees, (iii) provide for a performance review of individual employees, or (iv) have contractor employees removed from the job for security concerns or misconduct.

Audits in Which Fieldwork is in Progress

Audit Report Number Subject of Audit
AR 03-055 Audit of FTC Financial Statements for Fiscal Year 2002. The objective of this financial audit is to determine whether the agency's financial statements present fairly the financial position of the agency. The statements to be audited are the Balance Sheet as of September 30, 2002, and the related Statement of Net Cost, Statement of Changes in Net Position, Statement of Budgetary Resources, Statement of Financing, and Statement of Custodial Activity for the year then ended. Audit fieldwork performed during this period include preliminary tests of internal and management controls over the accumulation and reporting of financial information, and compliance with laws and regulations that have a material affect on the financial statements.

In addition to following up on reportable conditions identified in the prior year audit, including the payment of interest penalties, aging of redress cash and referral of past due receivables to Treasury, the OIG will also continue to work with program staff to improve the accuracy, timeliness and usefulness of financial information submitted to the FTC by court-appointed receivers.

BR 03-056 Review of "Spam" Database for the Unauthorized Use of Federal Agency Names. In the prior period, the OIG period, the OIG reported on its efforts to search the agency's unsolicited commercial email (UCE) or "spam" database for, among other things, matches with names of individuals on the FBI's "Watch List" of suspected terrorists, as terrorist organizations occasionally use fraudulent advertisements and promotions in email solicitations to fund their activities. As a follow-up analysis of the UCE, the OIG again searched the spam database for scams that attempt to legitimize their product or service by relating it to departments or agencies of the Federal government, either claiming to be such an agency,

or affiliated with such agency or claiming agency approval for their activities. The OIG will alert sister Offices of Inspector General for potential follow-up when such e-mails are identified.

Planned Audits

Audit Report Number Subject of Audit
AR 03-XXX Review of Systems Used to Capture Annual Performance Measures Under the Government Performance and Results Act. The OIG is planning a follow-up review of the systems and processes used by the FTC to capture and report on its performance measures. Since our initial review, the agency has modified many of its measures while refining its collection methods. In our prior review of the agency's performance measures, the OIG found that systems were generally in place to collect and process data and to report it timely. However, the methodology used for accumulation of selected performance data was not completely defined to allow for the reporting of measures accurately and consistently. To address this weakness, the OIG recommended that the agency's GPRA task force define the rationale behind each of the 13 performance measures; i.e., clearly articulate how consumers and/or businesses are better off when the FTC meets or exceeds its performance targets.

The OIG will follow-up on management actions to more clearly define what is being measured and to accurately report these outcomes. Specifically, the OIG will (i) verify the existence of measurement systems; (ii) determine whether the measures themselves are quantifiable; and (iii) assess whether the systems are maintaining accurate and timely data. The OIG will review the 21 performance measures detailed in the FY 2004 OMB Budget Request.

INVESTIGATIVE ACTIVITIES

The Inspector General is authorized by the IG Act to receive and investigate allegations of fraud, waste and abuse occurring within FTC programs and operations. Matters of possible wrongdoing are referred to the OIG in the form of allegations or complaints from a variety of sources, including FTC employees, other government agencies and the general public.

Reported incidents of possible fraud, waste and abuse can give rise to administrative, civil or criminal investigations. OIG investigations might also be initiated based on the possibility of wrongdoing by firms or individuals when there is an indication that they are or were involved in activities intended to improperly affect the outcome of particular agency enforcement actions. Because this kind of wrongdoing strikes at the integrity of the FTC's consumer protection and antitrust law enforcement missions, the OIG places a high priority on investigating it.

In conducting criminal investigations during the past several years, the OIG has sought assistance from, and worked jointly with, other law enforcement agencies, including other OIG's, the Federal Bureau of Investigation (FBI), the U.S. Postal Inspection Service, the U.S. Secret Service, the U.S. Marshal's Service, the Internal Revenue Service, Capitol Hill Police, as well as and state agencies and local police departments. In past years, the OIG has also provided assistance to, and worked with foreign government law enforcement agencies, including the Royal Canadian Mounted Police and the Canada Customs and Revenue Agency.

Investigative Summary

During this reporting period, the OIG received 45 complaints/allegations of possible wrongdoing. Of the 45 complaints, 22 involved issues that fall under the jurisdiction of FTC program components (identity theft, credit repair, etc.). Consequently, the OIG referred these matters to the appropriate FTC component for disposition. Another five complaints were referred to other government and/or law enforcement agencies for ultimate disposition.

Of the remaining 18 complaints, 13 were closed without any action. The OIG conducted preliminary investigative work on the remaining 5 matters.

The first of these five matters dealt with a possible web hijacking. After determining that an FTC employee was not implicated in the web hijacking, the OIG referred the matter to an FTC program component.

The second complaint, directed not at an individual, but rather at a serious IT security weakness, was determined to have merit and, as such, resulted in the OIG IT security review/audit team conducting some additional testing. These tests confirmed the security weakness identified in the complaint. OIG results were immediately reported to management and the needed security upgrades implemented.

The third matter involved an attempted impersonation by an unknown person(s) using as a ruse the FTC's newly proposed "do not call" list. The OIG, after being unable to confirm the identity of the caller, referred the matter to the FTC's identity theft unit for inclusion into the agency's government-wide data base.

The fourth matter involved a complaint by an attorney who, on behalf of his client, expressed concern that the FTC had improperly delayed the granting of an early termination request under the Hart Scott Rodino (HSR) Antitrust Improvements Act. As the OIG found no evidence to suggest any improper action on the part of HSR staff, the matter was closed.

The final matter involved the OIG opening a preliminary investigation into an allegation made by FTC staff concerning enforcement of parking restrictions at the main entrance to the FTC building. These restrictions were established, in part, to enable daycare center patrons to park when dropping off and picking up children at the daycare center. The individual making the complaint observed that, on many days, the restrictions were being violated with no apparent penalty, often by the same individuals. He asked the OIG to consider looking into the matter and, if appropriate, making a referral to the District of Columbia Inspector General for follow-up into possible abuse by D.C. parking enforcement personnel.

The OIG monitored the parking spaces over a number of days during the restricted times, noting cars and recording all violations issued in an effort to validate the complaint. The OIG also discussed parking at this location with a Washington D.C. parking enforcement officer responsible for patrolling the area. The OIG found that cars routinely exceeded the parking time limitation (15 minutes), although the OIG identified only a few repeat offenders. More importantly, the OIG observed evidence of parking enforcement. On three of the five days, the OIG noted that violators had received parking tickets. Further, the parking officer indicated that the city had recently increased enforcement of the restrictions throughout the day. As the OIG did not note a pattern of abuse by the same individuals, and given the evidence of parking enforcement, the OIG determined that a referral to the District of Columbia OIG was not warranted. The OIG then closed the investigation.

Following is a summary of the OIG's investigative activities for the six-month period ending September 30, 2002.

Cases pending as of 3/31/02 3
Plus: New cases +5
Less: Cases closed -5
Cases pending as of 9/30/02 3

Matters Referred for Prosecution

During the current reporting period the OIG did not refer any cases to a federal prosecutor.

OTHER ACTIVITIES

Significant Management Decisions

Section 5(a)(12) of the Inspector General Act requires that if the IG disagrees with any significant management decision, such disagreement must be reported in the semiannual report.

Further, Section 5(a)(11) of the Act requires that any decision by management to change a significant resolved audit finding must also be disclosed in the semiannual report. For this reporting period there were no significant final management decisions made on which the IG disagreed, and management did not revise any earlier decision on an OIG audit recommendation.

on, records, or assistance has been unreasonably refused, or otherwise has not been provided. A summary of each report submitted to the agency head in compliance with Section 6(b)(2) must be provided in the semiannual report in accordance with Section 5(a)(5) of the Act.

During this reporting period, the OIG did not encounter any problems in obtaining assistance or access to agency records. Consequently, no report was issued by the IG to the agency head in accordance with Section 6(b)(2) of the IG Act.

Internet Access

The OIG can be accessed via the world wide web at: http://www.ftc.gov/oig A visitor to the OIG home page can download recent 1996 - 2002 OIG semiannual reports to Congress, the FY 1998 - 2001 financial statement audits, and other program and performance audits issued beginning in FY 1999. A list of audit reports issued prior to FY 1999 can also be ordered via an e-mail link to the OIG. In addition to this information resource about the OIG, visitors are also provided a link to other federal organizations and offices of inspectors general.

Audit Resolution

As of the end of this reporting period, all OIG audit recommendations for reports issued in prior periods have been resolved. That is, management and the OIG have reached agreement on what actions need to be taken.

Review of Legislation

Section 4(a)(2) of the IG Act authorizes the IG to review and comment on proposed legislation or regulations relating to the agency or affecting the operations of the OIG. During this reporting period, the OIG reviewed several legislative items pertinent to the federal law enforcement community.

On May 14, 2002, the IG testified before the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations about the costs and benefits of non-CFO agencies conducting financial statement audits. The subcommittee was considering a bill that would expand the CFO Act to require all federal agencies with budgets in excess of $25 million to produce financial statements and to have the statements audited annually. The CFO Act requires all cabinet-level agencies to undergo such a review.

The OIG also reviewed legislation designed to established a Homeland Security Agency and another directive from OMB regarding privacy concerns pertaining to the reporting of investigative statistics.

Contacting the Office of Inspector General

Employees and the public are encouraged to contact the OIG regarding any incidents of possible fraud, waste, or abuse occurring within FTC programs and operations. The OIG telephone number is (202) 326-2800. To report suspected wrongdoing, employees and the public should call the OIG's chief investigator directly on (202) 326-2581. A confidential or anonymous message can be left 24 hours a day.

The OIG is located in Suite 1110, 601 New Jersey Avenue, Washington, D.C. Office hours are from 8:30 a.m. to 6:00 p.m., Monday through Friday, except federal holidays. Mail should be addressed to:

Federal Trade Commission Office of Inspector General 600 Pennsylvania Avenue, NW Washington, DC 20580

TABLE I

SUMMARY OF INSPECTOR GENERAL
REPORTING REQUIREMENTS

IG Act Reference Reporting Requirement Page(s)
Section 4(a)(2) Review of legislation and regulations 9
Section 5(a)(l) Significant problems, abuses and deficiencies 2, 3, 4
Section 5(a)(2) Recommendations with respect to significant problems, abuses and deficiencies 3
Section 5(a)(3) Prior significant recommendations on which corrective actions have not been made 9
Section 5(a)(4) Matters referred to prosecutive authorities 8
Section 5(a)(5) Summary of instances where information was refused 8
Section 5(a)(6) List of audit reports by subject matter, showing dollar value of questioned costs and funds put to better use 1
Section 5(a)(7) Summary of each particularly significant report 1
Section 5(a)(8) Statistical tables showing number of reports and dollar value of questioned costs 11
Section 5(a)(9) Statistical tables showing number of reports and dollar value of recommendations that funds be put to better use 12
Section 5(a)(10) Summary of each audit issued before this reporting period for which no management decision was made by the end of the reporting period 9
Section 5(a)(11) Significant revised management decisions 8
Section 5(a)(12) Significant management decisions with which the Inspector General disagrees 8

TABLE II

INSPECTOR GENERAL ISSUED REPORTS
WITH QUESTIONED COSTS

 

Number

Number Dollar Value

Questioned Costs Unsupported Costs
A. For which no management decision has been made by the commencement of the reporting period 0 0 0
B. Which were issued during the reporting period 0 0 0
Subtotals (A + B) 0 0 0
C. For which a management decision was made during the reporting period 0 0 0
(i) dollar value of disallowed costs 0 0 0
(ii) dollar value of cost not disallowed 0 0 0
D. For which no management decision was made by the end of the reporting period 0 0 0
Reports for which no management decision was made within six months of issuance 0 0 0

TABLE III

INSPECTOR GENERAL ISSUED REPORTS
WITH RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE

  Number Dollar Value
A. For which no management decision has been made by the commencement of the reporting period 0 0
B. Which were issued during this reporting period 0 0
C. For which a management decision was made during the reporting period 0 0
(i) dollar value of recommendations that were agreed to by management 0 0
- based on proposed management action 0 0
- based on proposed legislative action 0 0
(ii) dollar value of recommendations that were not agreed to by management 0 0
D. For which no management decision has been made by the end of the reporting period 0 0
Reports for which no management decision was made within six months of issuance 0 0