April 30, 1997
The Honorable Robert Pitofsky
Chairman
Federal Trade Commission
Sixth Street & Pennsylvania Avenue, N.W.
Washington, D.C. 20580
Dear Chairman Pitofsky:
The attached report covers the Office of Inspector General's (OIG) activities for the first half of fiscal year 1997, and is submitted according to Section 5 of the Inspector General Act of 1978, as amended. The Act requires that you submit this report, with your Report of Final Action, to the appropriate Congressional committees on, or before, May 31, 1997.
During this reporting period the OIG issued three audit reports dealing with computer security. Field work was also completed on an A-50 audit follow-up review along with a review of contractor performance relating to records processing at the agency. The OIG also began field work on a financial statement audit for fiscal year ending 1997. Finally, the OIG closed four investigations this period, making one referral to a prosecutor.
As in the past, I appreciate management's support during this reporting period, and I look forward to working with you in our ongoing efforts to promote economy and efficiency in agency programs.
Sincerely,
Frederick J. Zirkel
Inspector General
TABLE OF CONTENTS
TRANSMITTAL
INTRODUCTION
AUDIT ACTIVITIES
Completed Audits
Summary of Findings for Audit Reports Issued During the Current Period
Audits in Which Field Work is Complete
Audits in Which Field Work is in Progress
Other Audit Activities
INVESTIGATIVE ACTIVITIES
Investigative Summary
Investigations Closed During the Current Period
Obstructions and Unauthorized Disclosures
Employee Misconduct and Ethical Violations
Crimes Against the Government
Other Matters Referred for Prosecution
OTHER ACTIVITIES
Significant Management Decisions
Access to Information
Internet Access
Audit Resolution
Review of Legislation
Contacting the Office of Inspector General
TABLES
Table I: Summary of Inspector General Reporting Requirements
Table II: Inspector General Issued Reports With Questioned Costs
Table III: Inspector General Issued Reports With Recommendations That Funds Be Put To Better Use
INTRODUCTION
The Federal Trade Commission (FTC) seeks to assure that the nation's markets are competitive, efficient, and free from undue restrictions. The FTC also seeks to improve the operation of the marketplace by ending unfair and deceptive practices, with emphasis on those practices that might unreasonably restrict or inhibit the free exercise of informed choice by consumers. The FTC relies on economic analysis to support its law enforcement efforts and to contribute to the economic policy deliberations of Congress, the Executive Branch and the public.
To aid the FTC in accomplishing its consumer protection and antitrust missions, the Office of Inspector General (OIG) was provided five workyears and a budget of $477,200 for fiscal year 1997.
AUDIT ACTIVITIES
For this semiannual period, the OIG issued two audit reports and a technical appendix, completed field work on an OMB Circular A-50, Audit Follow-Up review, continued to work with management on the preparation and audit of agency financial statements, initiated a survey of the performance of an agency contractor in the Records Processing Branch, and assisted a President's Council on Integrity and Efficiency (PCIE) OIG with a review of government-wide credit card programs. Detailed information about each of these topics is provided below.
|
Completed Audits |
|
|
Audit Report Number |
Subject of Audit |
|
AR 97-034 |
Review of the Federal Trade Commission's Computer Systems Security |
|
AR 97-034TS |
Review of the Federal Trade Commission's Computer Systems Security: Technical Supplement |
|
AR 97-035 |
Review of the Federal Trade Commission's Computer Service Continuity Policies and Procedures |
Summary of Findings for Audit Reports Issued During the Current Period
The objective of the OIG's audit report, Review of the FTC's Computer Systems Security (AR 97-034 & AR 97-034TS),was to assess whether access controls put in place by the agency's information resource managers are adequate to prevent unauthorized access to FTC information systems. The review was performed in the FTC's Office of Information and Technology Management (OITM).
To assess the effectiveness of access controls, the OIG performed penetration tests of the agency's computer system. This was a three-part evaluation that involved (a) external probes via the Internet to the agency's firewall, (b) external probes though dial-in modems, and (c) internal probes of the network from within the FTC. The OIG performed the penetration tests from the perspective of someone with a good understanding of computer systems and an awareness of attack tools that are freely available on the Internet. We were able to penetrate the agency's computer as an unauthorized user and gain access to sensitive databases.
Our findings and recommendations resulting from the penetration test were provided to management during the review to minimize the agency's vulnerability to unauthorized users. The recommendations provided specific instructions to management on how to address various weaknesses in the agency's computer system. The detailed results of our penetration tests were presented in a confidential technical supplement (AR 97-034TS) to the audit report.
The OIG also reviewed password cancellation procedures for employees leaving the agency, and compared departure dates with password cancellation dates for those employees with access to the FTC network and the Prime computer. Although we found numerous examples of former employees maintaining valid passwords to FTC systems for months after leaving the agency, we could not conclusively determine, based on available records, whether any of these former employees had logged-on to the FTC's network or databases during this period of time. As a result of our efforts in this area, systems administrators cancelled passwords for 40 former employees.
To address the security vulnerabilities, the OIG recommended that the agency hire a computer security officer. This person would be independent of operations and be responsible for developing security policy and identifying, on a continuing basis, events that would leave the agency vulnerable to unauthorized users.
In the OIG's Review of the FTC's Computer Service Continuity Policies and Procedures (AR 97-035), our objective was to assess whether the FTC has complied with certain provisions of the Computer Security Act of 1987 and OMB Circular A-130, "Management of Information Resources." Specifically, we wanted to determine whether the agency has taken adequate preventive measures to minimize potential service interruptions due to fires, floods, malicious or terrorist acts, virus attacks, system malfunctions, and other disasters, and to safeguard infor-mation resources should such interruptions occur. The review was also performed in OITM.
The OIG review found that OITM has generally taken a proactive role in implementing crucial practices and procedures that will help to ensure that FTC records are safe from unexpected destruction, however unlikely. OITM has also implemented backup policies and procedures to restore lost or damaged data and attached an uninterruptible power supply (UPS) to each network server in the FTC's central computer facility. The UPS allows for an orderly shutdown of network servers in the event of a power outage. It also filters out electrical spikes and conditions the power line for steady, uninterruptible power. In addition, the agency has a comprehensive virus protection policy. All workstations in the agency run a virus scanning software program which constantly monitors both hard and floppy disks for known viruses.
Although many steps have been taken by OITM to ensure service continuity, it has not updated key elements of the Computer Security Program to keep pace with its many system upgrades and enhancements. The FTC's Disaster Recovery Plan was three years old at the time of our review. If the FTC experienced a disaster, the Disaster Recovery Plan would have helped little in the reconstruction of FTC systems because it no longer reflected the current makeup of the FTC network. All of the major systems purchased in the past three years were not in the plan, including the Windows NT Servers which account for a substantial portion of the network. According to the Disaster Recovery Plan itself, it must be revised annually. The existing Computer Security Program also relied on criticality assessments that were outdated. Criticality assessments identify agency systems that are regarded by all agency managers as the most essential to maintain should service interruption necessitate rebuilding the systems. Many of the FTC's current systems were not in place when the last criticality assessment was performed in 1993.
To address these weaknesses, the OIG recommended that the chief information officer (CIO) update the agency's Disaster Recovery Plan to reflect changes in the agency's network configuration. The absence of a security officer, we believe, is the principal reason for the Computer Security Program becoming outdated. The OIG concluded that the CIO should take the lead role in the establishment of an independent security program since it cuts across many agency programs. The CIO should also ensure that a security officer is assigned responsibility for keeping the program current.
For the three audit reports identified above, the OIG made 12 recommendations for corrective action, most of which required technical adjustments to the agency's computer systems. Management agreed with all recommendations and, according to management's representations, has scheduled to implement 11 of the 12 recommendations by March 31, 1997.
Audits in Which Field Work is Complete
AR 97-036 Review of the Federal Trade Commission's Imple-mentation of OMB Circular No. A-50, Audit Follow-Up. Audit follow up is an integral part of good management and is a shared responsibility among agency management officials and the OIG. Corrective action taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of Government operations. According to OMB Circular A-50, each agency is to establish systems to ensure the prompt and proper resolution and implementation of audit recommendations. These systems are to provide for a complete record of action taken on both monetary and non-monetary findings and recommendations.
The objective of the audit was to evaluate whether the FTC's audit follow-up system results in efficient, prompt and proper resolution and corrective action on audit recommendations. To meet this objective, the OIG reviewed the implementation status of 30 recommendations issued between July 1, 1993 and June 30, 1996.
Audits in Which Field Work is in Progress
AR 98-XX Survey of the Performance of a Records Processing Branch's Contractor for the Period March 1, 1996 to September 30, 1996. The survey objectives are to document and describe the process used to collect, organize, control, store and access both public and nonpublic records. An integral part of the survey is an evaluation of the efficacy of staff complaints regarding the performance of the contractor in carrying out its responsibilities under a multi-year contract. The contract is estimated to total approximately $2 million.
AR 98-XX Audit of the Federal Trade Commission's Financial Statements for the Fiscal Year Ending September 30, 1997. The objective of this audit is to determine whether the agency's financial statements fairly present the financial position of the agency, results of operations, and cash flows or changes in financial position in conformity with generally accepted accounting principles. The principal financial statements to be audited for fiscal year 1997 include: (a) Statement of Financial Position, (b) Statement of Operations and Changes in Net Position, (c) Statement of Cash Flows, (d) Statement of Budgetary Resources and Actual Expense, and (e) Notes to Financial Statements. The OIG, working closely with management, is developing a pro forma financial statement along with all supporting footnotes.
Other Audit Activities
In addition to the audit activities described above, the OIG performed a review of government credit card programs currently in use at the FTC to assist the Department of Agriculture's (USDA) OIG in its government-wide analysis of credit card programs. The objective of this IG community-wide review was to assist the General Services Administration as it develops contract proposals and awards for multiple vendor card services, and to identify best practices along with what control features need to be considered in the contracting process.
The OIG documented card usage at the FTC, including the number of card holders and total dollars charged, the administrative savings resulting from card use by staff, controls and limits on card use, and the incidents of card abuse by agency employees using the centralized card. The OIG limited its credit card review to only the FTC's administration of the Rocky Mountain Visa card program.
The OIG found that the Rocky Mountain Visa card is used by 61 agency employees (6 percent of agency staff), consisting primarily of administrative officers and lead secretaries for "micro purchases" at retail stores. Since the program began at the agency in 1989, program participation has increased by 144 percent, with a 1,000 percent increase in the dollars charged. Officials estimate that the easing of restrictions on the use of the card in 1994 explains this dramatic increase which contributed to a 50 percent reduction in purchase orders processed by the agency. Even with this substantial growth of activity, the OIG identified only two employees who had had their card privileges suspended by the agency. In both cases, the individuals exceeded card limitations on a regular basis. The agency closely monitors card usage by reviewing all purchases made, requiring supporting documentation, and contacting violators.
Results of this limited OIG review were shared with management and provided to the USDA/OIG for inclusion in the government-wide report.
INVESTIGATIVE ACTIVITIES
The Inspector General is authorized by the IG Act to receive and investigate matters of fraud, waste and abuse occurring within FTC programs and operations. Matters of possible wrongdoing usually come to the OIG in the form of allegations or complaints from a variety of sources, including FTC employees, other government agencies and the general public.
Reported incidents of possible fraud, waste and abuse by agency employees might give rise to administrative, civil or criminal investigations. OIG investigations might also be initiated based on wrongdoing by firms or individuals outside the agency when there is an indication that they are or were involved in activities intended to adversely affect the outcome of an agency enforcement action. Because this kind of wrongdoing strikes at the integrity of the FTC's consumer protection and antitrust law enforcement missions, the OIG places a high priority on investigating it.
In conducting investigations over the past several years, the OIG has sought assistance from, and worked jointly with, other law enforcement agencies, including the Federal Bureau of Investigation, the Postal Inspection Service, the U.S. Secret Service, the Internal Revenue Service, other OIGs, and state and local police departments.
Investigative Summary
During this reporting period the OIG received 214 complaints of possible wrongdoing. An overwhelming number of these complaints (181) focused on a single agency matter. The alleged wrongdoing in this matter was that agency enforcement staff had initiated an action for alleged deceptive practices against a company (with which all the complainants were associated) that lacked merit. The OIG advised all complainants that decisions on the merits of enforcement actions are not a matter for review by the OIG but rather are left to a vote of five independent Commissioners and ultimately to the courts. Accordingly, the OIG determined that there was no basis for opening an OIG inquiry into this allegation.
Although the OIG will not usually share with agency management information provided directly by complainants, the IG in the above instance provided a sampling of complainant letters to enforcement officials. This step was taken to ensure that complainant voices would be heard by those in a position to appropriately consider their views.
Of the remaining 33 complaints (214 less 181), 18 related to matters that were determined to be the responsibility of agency program components and, as such, were referred to various units within the agency for disposition. The OIG opened four investigations based on the remaining 15 complaints. Consequently, 11 complaints were closed without OIG action.
Following is a summary of the OIG's investigative activities for the six-month period ending March 31, 1997. As presented above, the OIG opened four new investigations during this reporting period and also closed four cases:
| Cases pending as of September 30, 1996 | 3 |
| Plus: New cases | +4 |
| Less: Cases closed | -4 |
| Cases pending as of March 31, 1997 | 3 |
Field work was performed on each of the three (3) investigations remaining open at the end of the reporting period.
Investigations Closed During the Current Period
1. Obstructions and Unauthorized Disclosures (1)
The first investigation closed during this period was opened based on an allegation that an FTC employee(s) had "leaked" nonpublic information concerning an ongoing enforcement action to a news publication in an effort to force the matter forward to the Commission for a vote. The allegation was made by an attorney representing the subject of the enforcement action based on a phone call he had received from a reporter.
The OIG decided to close its investigation after: 1) being unable to tie the timing of the disclosure to some meaningful motive; 2) determining that numerous individuals both within and outside the bureau possessed the identical information known to the press; and 3) learning that the movement of the case to the Commission did not appear to be stimulated by a press disclosure. Finally, the one employee who the OIG identified as exhibiting a strong inclination to move the case forward left the agency to seek employment elsewhere.
2. Employee Misconduct and Ethical Violations (1)
The second investigation closed during this reporting period involved an allegation of misconduct against a senior FTC employee. The OIG was provided information by a confidential source which alleged the employee, who is an attorney, might have: (1) engaged in unethical conduct relating to legal work he performed while in private practice before he became an FTC employee; (2) made false and/or misleading statements about his litigation experience, and; (3) used government resources for personal purposes since becoming an FTC employee.
The OIG found that: (1) the employee had been sanctioned by a state court for engaging in abusive litigation before he became an FTC employee; (2) his resume was an accurate portrayal of both his education and work experience; and (3) there was insufficient evidence to warrant further investigation of the employee's alleged wrongful use of government resources for personal purposes. Accordingly, the OIG closed the investigation and prepared a report for management to ensure that the employee was fully informed of rules governing the conduct of federal employees.
3. Crimes Against the Government (1)
During this reporting period an agency employee told the IG that she had wrongfully taken public monies from the agency. She also stated that she intended to pay back the money, but in the meantime her supervisors learned of the theft. After management apprised the OIG of the circumstances surrounding the incident, the OIG reviewed original agency payment records covering various cash transactions to confirm that the incident, as reported to the OIG by the employee, was, in fact, an isolated instance of wrongdoing instead of a more extensive pattern of theft of public monies.
There was no evidence to indicate that this employee had engaged in any previous wrongdoing. Consequently, the OIG concluded that the incident was isolated. The employee subsequently resigned from government employment, and the agency was able to obtain reimbursement for approximately $2300 of funds wrongfully taken.
The OIG decided to close the case after referring the matter to a federal prosecutor for consideration of criminal prosecution. The prosecutor's decision is pending as of the close of this reporting period.
4. Other (1)
Another case closed this period involved fraudulent charges being placed on an agency-issued AMEX charge card. The wrongdoing was brought to the OIG's attention by the cardholder who believed that no one other than an agency employee could have obtained access to his account number given his infrequent usage of the card and where he routinely secured it. While the dollar amount of fraudulent charges was small, the possibility that the fraud was perpetrated by someone within the agency was real. After learning from AMEX what type of identification was requested by AMEX employees to authorize a replacement card (which was how the fraud was perpetrated), and after learning from AMEX the reasons why all other agency employees had requested replacement cards over the past few years, the OIG was able to satisfy itself that no larger internal scam was being perpetrated and that sources from outside the agency would have been able to perpetrate the crime. As the government suffered no loss and as no employee wrongdoing was identified, the OIG closed the investigation.
Matters Referred for Prosecution
The OIG referred one case to the Public Corruption Section of the United States Attorney's Office for the District of Columbia during this period. The Assistant United States Attorney's (AUSA) decision on prosecution is pending.
The OIG continued to consult with another AUSA on a public corruption case referred for criminal prosecution during an earlier reporting period. During this period the former FTC employee involved in this earlier referral entered a guilty plea in Federal District Court for the District of Columbia to one felony count of theft of public monies for her involvement in a theft and money laundering scheme while employed by the FTC. Sentencing is pending at the close of this reporting period. The OIG expects that restitution of approximately $7,000 will be an integral part of any sentence imposed.
.OTHER ACTIVITIES
During this reporting period the OIG also allocated resources to activities other than conducting audits and investigations. These activities involved participating on Executive Council on Integrity and Efficiency (ECIE) committees and responding to Congressional and OMB requests for information.
Significant Management Decisions
Section 5(a)(12) of the IG Act requires that if the IG disagrees with any significant management decision, such disagreement must be reported in the semiannual report. Further, Section 5(a)(11) of the Act requires that any decision by management to change a significant resolved audit finding must also be disclosed in the semiannual report. For this reporting period there were no significant final management decisions made on which the IG has disagreed, and management has not revised any earlier decisions on any OIG audit recommendation.
Access to Information
The IG is to be provided with ready access to all agency records, information or assistance when conducting an investigation or audit. Section 6(b)(2) of the IG Act requires the IG to report to the agency head, without delay, if the IG believes that access to required information, records or assistance has been unreasonably refused, or otherwise has not been provided. A summary of each report submitted to the agency head in compliance with Section 6(b)(2) must be provided in the semiannual report in accordance with Section 5(a)(5) of the Act.
During this reporting period, the OIG did not encounter any problems in obtaining assistance or access to agency records. Consequently, no report was issued by the IG to the agency head in accordance with Section 6(b)(2) of the IG Act.
Internet Access
The OIG has established a home page at the FTC Web Site. The OIG internet address is www.ftc.gov/oig/oighome.htm. A visitor to the OIG home page can download the OIG's more recent semiannual reports to Congress, and can also browse through a list of audit reports, identifying those of interest and ordering them via an E-mail link to the OIG. In addition to this resource of information about the OIG, visitors are also provided a link to other federal organizations and offices of inspector general.
Audit Resolution
As of the end of this reporting period, all OIG audit recommendations for reports issued in prior periods have been resolved. That is, management and the OIG have reached agreement on what actions need to be taken. Furthermore, the OIG completed field work on an audit during this reporting period to determine if all resolved recommendations were implemented in accordance with management representations made to the agency's audit resolution official.
Review of Legislation
Section 4(a)(2) of the IG Act authorizes the IG to review and comment on any proposed legislation or regulations relating to the agency or affecting the operations of the OIG. During this reporting period, the OIG responded to requests from the agency's Office of General Counsel, and from OMB, PCIE and ECIE.
Contacting the Office of Inspector General
Employees and the public are encouraged to contact the OIG regarding any incidents of possible fraud, waste or abuse occurring within FTC programs and operations. The main OIG telephone number is (202) 326-2800. To report suspected wrongdoing, employees and the public should call the OIG's chief investigator directly on (202) 326-2581. A confidential or anonymous message can be left 24 hours a day.
The OIG is located in room 494 of the FTC Headquarters Building at Sixth Street and Pennsylvania Avenue, N.W., Washington, D.C. 20580. Office hours are from 8:30 a.m. to 5:30 p.m., Monday through Friday, except federal holidays.
|
TABLE I SUMMARY OF INSPECTOR GENERAL IG Act |
||
| Reference | Reporting Requirement |
Page(s) |
| Section 4(a)(2) | Review of legislation and regulations | 10 |
| Section 5(a)(l) | Significant problems, abuses and deficiencies | 2 |
| Section 5(a)(2) | Recommendations with respect to significant problems, abuses and deficiencies | 2 |
| Section 5(a)(3) | Prior significant recommendations on which corrective actions have not been made | 10 |
| Section 5(a)(4) | Matters referred to prosecutive authorities | 9 |
| Section 5(a)(5) | Summary of instances where information was refused | 10 |
| Section 5(a)(6) | List of audit reports by subject matter, showing dollar value of questioned costs and funds put to better use | 1 |
| Section 5(a)(7) | Summary of each particularly significant report | 2 |
| Section 5(a)(8) | Statistical tables showing number of reports and dollar value of questioned costs | 13 |
| Section 5(a)(9) | Statistical tables showing number of reports and dollar value of recommendations that funds be put to better use | 14 |
| Section 5(a)(10) | Summary of each audit issued before this reporting period for which no management decision was made by the end of the reporting period | 10 |
| Section 5(a)(11) | Significant revised management decisions | 9 |
| Section 5(a)(12) | Significant management decisions with which the Inspector General disagrees | 9 |
|
TABLE II INSPECTOR GENERAL ISSUED REPORTS |
|||
|
Number |
Dollar Value (in thousands) |
||
|
Questioned |
Unsupported |
||
| A. For which no management decision has been made by the commencement of the reporting period | 0 | 0 | 0 |
| B. Which were issued during the reporting period | 0 | 0 | 0 |
| Subtotals (A + B) | 0 | 0 | 0 |
| C. For which a management decision was made during the reporting period | 0 | 0 | 0 |
| (i) dollar value of disallowed costs | 0 | 0 | 0 |
| (ii) dollar value of cost not disallowed | 0 | 0 | 0 |
| D. For which no management decision was made by the end of the reporting period | 0 | 0 | 0 |
| Reports for which no management decision was made within six months of issuance | 0 | 0 | 0 |
|
TABLE III INSPECTOR GENERAL ISSUED REPORTS |
||
| Number |
Dollar Value (in thousands) |
|
| A. For which no management decision has been made by the commencement of the reporting period | 0 | 0 |
| B. Which were issued during this reporting period | 0 | 0 |
| C. For which a management decision was made during the reporting period | 0 | 0 |
| (i) dollar value of recommendations that were agreed to by management | 0 | 0 |
| - based on proposed management action | 0 | 0 |
| - based on proposed legislative action | 0 | 0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | 0 |
| D. For which no management decision has been made by the end of the reporting period | 0 | 0 |
| Reports for which no management decision was made within six months of issuance | 0 | 0 |