April 30, 1998
The Honorable Robert Pitofsky
Federal Trade Commission
Sixth Street & Pennsylvania Avenue, N.W.
Washington, D.C. 20580
Dear Chairman Pitofsky:
The attached report covers the Office of Inspector General's (OIG) activities for the first half of fiscal year 1998, and is submitted according to Section 5 of the Inspector General Act of 1978, as amended. The Act requires that you submit this report, with your Report of Final Action, to the appropriate Congressional committees on, or before, May 31, 1998.
During the reporting period, the OIG issued audit reports dealing with computer systems security, audit follow-up and regional office phone practices focusing on consumer access. The OIG also closed two investigations while providing investigative assistance to management and another law enforcement agency on three other matters.
As in the past, I appreciate management's support, and I look forward to working with you in our ongoing efforts to promote economy and efficiency in agency programs.
Frederick J. Zirkel
TABLE OF CONTENTS
The Federal Trade Commission (FTC) seeks to assure that the nation's markets are competitive, efficient, and free from undue restrictions. The FTC also seeks to improve the operation of the marketplace by ending unfair and deceptive practices, with emphasis on those practices that might unreasonably restrict or inhibit the free exercise of informed choice by consumers. The FTC relies on economic analysis to support its law enforcement efforts and to contribute to the economic policy deliberations of Congress, the Executive Branch and the public.
To aid the FTC in accomplishing its consumer protection and antitrust missions, the Office of Inspector General (OIG) was provided five workyears and a budget of $498,300 for fiscal year 1998.
For this semiannual period the OIG issued three audit reports. The first is an evaluation of the effectiveness of FTC's audit follow up system to ensure a prompt and proper resolution of OIG audit recommendations. The second is a follow up on an earlier audit report concerning computer systems security, and the third is a survey of telephone practices used by FTC regional offices when responding to consumer inquiries. The OIG also completed field work on an audit of the agency's financial statements. More detailed information about each audit is provided below.
Audit Report Number
Subject of Audit
|AR 98-037||Audit of the Federal Trade Commission's Implementation of OMB Circular No. A-50, Audit Follow Up|
|AR 98-038||Follow Up Review of the Federal Trade Commission's Computer Systems Security|
|AR 98-039||Survey of the Telephone Practices Used by FTC Regional Offices in Response to Consumer and Business Inquiries|
Summary of Findings for Audit Reports Issued During the Current Period
In AR 98-037, the objective of the review was to evaluate whether the FTC's audit follow up system results in prompt and proper resolution and corrective action on OIG audit recommendations.
Our review found that FTC managers are taking their audit follow up responsibilities seriously. Of 30 OIG audit recommendations made during the period July 1, 1993 through June 30, 1996, all have been resolved by management. The OIG identified five recommendations that, although resolved, require some additional action by management to fully address OIG concerns. The OIG also identified two recommendations that are no longer relevant due to changed approaches by the agency in attacking consumer fraud.
The review also provided us an opportunity to discuss with line managers and staff attorneys whether our recommendations enhanced the overall work product of the FTC. In some very important ways, staff communicated to the OIG that the recommendations have improved programs, and that in two particular examples, consumers have indirectly benefited from the recommendations.
In AR 98-038, the OIG followed up on a prior year's computer security audit. The objective of this computer review was to determine whether the FTC was more secure, from an information management perspective, as a result of implementing recommendations contained in the prior year audit. The earlier audit found certain access weaknesses that could be exploited by a determined hacker to compromise sensitive agency data bases.
Our follow up review found that the FTC's network was substantially more secure than it was during our prior audit. The agency made significant strides in protecting its network from unauthorized external access. In short, we could not penetrate the network from an external location and, therefore, could not alter, destroy, or download data.
Our internal scan of FTC's network also revealed significant improvements over our previous assessment. Perhaps most notable of these improvements was the fact that none of the password files captured during the current assessment revealed any guessable passwords and default passwords (i.e., passwords installed by systems manufacturers and known to most hackers) as they had all been changed in keeping with our recommendations.
Although significant improvements were noted, eight (8) systems were found to still have vulnerabilities that had been identified during the previous assessment. In addition, some systems were also found to have new vulnerabilities. This was primarily due to new services and systems being activated and the ability to test for new vulnerabilities that were unknown during the previous testing period. The vulnerabilities that we identified in the follow up review did not enable us to penetrate the network. Rather, they would make it easier for an unauthorized user to move around the network if access was gained.
Because we were unable to penetrate the network from an external connection, we made no recommendations for technical adjustments to the agency's modems or firewall. But we believe that a policy is needed to guide staff on the proper use of modems. Without such a policy, it is difficult for the security officer to control the proliferation of "renegade" modems attached to the network. Regarding internal access controls, the OIG made six technical recommendations in the follow up review to address the vulnerabilities found. The OIG's recommendations required no budgetary resources, beyond the systems manager's time, to implement.
In AR 98-039 the OIG surveyed how the FTC regional offices respond to public telephone inquiries and identified practices that best facilitate consumer and/or business communications with agency personnel. The survey was linked to management's goals as presented in the FTC Strategic Plan for the period 1997-2002. According to the plan, the agency is to "prevent consumer injury through education." As a strategy to meet this objective, the agency is seeking to "improve the timeliness of responses to consumer and business inquiries."
Overall, the regional offices were found to be responsive to consumers. For the most part, consumers could reach contact representatives when dialing the consumer information lines listed in FTC brochures. When these lines were busy, most regional offices had a voice mail capability which permitted consumers to leave messages rather than having to make repeated telephone calls. We found contact representatives to be polite and friendly and, in most cases, they returned our calls the same day. Regional offices also responded promptly to requests for literature on the topics discussed, and the information provided was helpful. We also found that most regional offices have recorded messages on "hot" consumer topics, such as debt collection and credit issues, which were both informative and easy to understand.
As a result of approximately 250 telephone calls placed by the OIG to the regional offices, we identified eight "best practices" used by one or more regional offices that made them more accessible to, and facilitated communication with, consumers. We believe these "best practices" can be used by management as a baseline to improve customer service to the consumer.
Audits in Which Field Work is Complete
|Audit Report Number||
Subject of Audit
Audit of the Federal Trade Commission's Financial Statements for the Fiscal Year Ending September 30, 1997.
The audited financial statements include the: (i) Balance Sheet, (ii) Statement of Net Costs, (iii) Statement of Changes in Net Position, (iv) Statement of Budgetary Resources, (v) Statement of Financing, (vi) Statement of Custodial Activities, and (vii) Notes to the Financial Statements.
Final adjustments are being reviewed by management before the audited statements are released.
The Inspector General is authorized by the IG Act to receive and investigate allegations of fraud, waste and abuse occurring within FTC programs and operations. Matters of possible wrongdoing usually come to the OIG in the form of allegations or complaints from a variety of sources, including FTC employees, other government agencies and the general public.
Reported incidents of possible fraud, waste and abuse might give rise to administrative, civil or criminal investigations. OIG investigations might also be initiated based on the possibility of wrongdoing by firms or individuals outside the agency when there is some information that indicates they are or were involved in activities intended to affect the outcome of a particular agency enforcement action. Because this kind of wrongdoing strikes at the integrity of the FTC's consumer protection and antitrust law enforcement missions, the OIG places a high priority on investigating it.
In conducting investigations during the past several years, the OIG has sought assistance from, and worked jointly with, other law enforcement agencies, including the Federal Bureau of Investigation, the Postal Inspection Service, the U.S. Secret Service, the Internal Revenue Service, other OIGs, and state and local police departments.
During this reporting period the OIG received 27 complaints of possible wrongdoing. Of these 27 complaints, 15 related to matters that the OIG determined were either the responsibility of FTC program components or another federal law enforcement agency. As such, the OIG referred them to FTC bureaus and the FBI, as appropriate, for disposition. The OIG opened two (2) investigations and provided investigative assistance to FTC management and to the Secret Service in three (3) other matters out of the remaining 12 complaints. The seven (7) remaining complaints were closed without OIG action.
Following is a summary of the OIG's investigative activities for the six-month period ending March 31, 1998. While the OIG opened two (2) new investigations during this reporting period, it also closed two (2) cases:
|Cases pending as of September 30, 1997||4|
|Plus: New cases.||+2|
Less: Cases closed
|Cases pending as of March 31, 1998||4|
Of the four (4) investigations remaining open at the end of this reporting period, the OIG has performed field work on all of them.
Investigations Closed During the Current Period
Employee Misconduct and Ethical Violations. During this reporting period the OIG closed an investigation that was initiated when management suspected employee wrongdoing and informed the OIG. The OIG determined that an FTC employee who had access to electrical and mechanical systems in the agency's headquarters building set off a false fire alarm causing the evacuation of the building for approximately 30 minutes. This act, the OIG conservatively estimated, cost the agency $5,000 in lost productivity.
Based on an OIG report to management, disciplinary action was taken against the employee and the OIG closed its investigation. In addition to providing management the investigation report, the OIG also prepared a separate Investigative Alert. The report to management contained several recommendations to address OIG system concerns regarding how best to administer the FTC's fire alarm system. Management has indicated they will move forward on these OIG suggestions.
Also during this reporting period, the OIG closed an investigation which involved the alleged misuse of an employee's FTC position to gain advantage in a private dispute. After conducting an initial investigation, the OIG was unable to find evidence of wrongdoing or the commission of a serious ethical breach by the employee. However, because of the circumstances of the case, the OIG provided the FTC's Designated Agency Ethics Official with pertinent information about the investigation for appropriate follow up and/or inclusion in future employee ethics training. Thereafter, the OIG closed the investigation.
Matters Referred for Prosecution
During this reporting period the OIG referred a case to an Assistant United States Attorney for prosecutorial consideration concerning the commission of an act of malicious mischief. Criminal prosecution was declined in lieu of agency disciplinary action.
Also during the current reporting period the OIG continued to work with a federal prosecutor on a case referred for criminal prosecution during a prior reporting period. The investigation is continuing.
During this reporting period the OIG also allocated resources to activities other than conducting audits and investigations. These activities involved participating on Executive Council on Integrity and Efficiency (ECIE) committees and responding to Congressional, GAO and OMB requests for information.
Significant Management Decisions
Section 5(a)(12) of the Inspector General Act requires that if the IG disagrees with any significant management decision, such disagreement must be reported in the semiannual report. Further, Section 5(a)(11) of the Act requires that any decision by management to change a significant resolved audit finding must also be disclosed in the semiannual report. For this reporting period there were no significant final management decisions made on which the IG disagreed, and management has not revised any earlier decisions on any OIG audit recommendation.
Access to Information
The IG is to be provided with ready access to all agency records, information or assistance when conducting an investigation or audit. Section 6(b)(2) of the IG Act requires the IG to report to the agency head, without delay, if the IG believes that access to required information, records or assistance has been unreasonably refused, or otherwise has not been provided. A summary of each report submitted to the agency head in compliance with Section 6(b)(2) must be provided in the semiannual report in accordance with Section 5(a)(5) of the Act.
During this reporting period, the OIG did not encounter any problems in obtaining assistance or access to agency records. Consequently, no report was issued by the IG to the agency head in accordance with Section 6(b)(2) of the IG Act.
The OIG can also be accessed via the World Wide Web. The OIG internet address is www.ftc.gov/oig/oighome.htm. A visitor to the OIG home page can download any of the OIG's semiannual reports to Congress that are listed, and can also browse through a list of audit reports, identifying those of interest and ordering them via an e-mail link to the OIG. In addition to this resource of information about the OIG, visitors are also provided a link to other federal organizations and offices of inspector general.
As of the end of this reporting period, all OIG audit recommendations for reports issued in prior periods have been resolved. That is, management and the OIG have reached agreement on what actions need to be taken. Furthermore, the OIG issued an audit of the FTC's implementation of OMB Circular A-50, audit follow up. In the report, the OIG concluded that all resolved recommendations were implemented in accordance with management representations made to the agency's audit resolution official.
Review of Legislation
Section 4(a)(2) of the IG Act authorizes the IG to review and comment on any proposed legislation or regulations relating to the agency or affecting the operations of the OIG. During this reporting period, the OIG responded to requests from the agency's Office of General Counsel, and from OMB, PCIE and ECIE on matters related to possible changes to the IG Act.
Contacting the Office of Inspector General
Employees and the public are encouraged to contact the OIG regarding any incidents of possible fraud, waste or abuse occurring within FTC programs and operations. The OIG telephone number is (202) 326-2800. To report suspected wrongdoing, employees and the public should call the OIG's chief investigator directly on (202) 326-2581. A confidential or anonymous message can be left 24 hours a day.
The OIG is located in room 494 of the FTC Headquarters Building at Sixth Street and Pennsylvania Avenue, N.W., Washington, D.C. 20580. Office hours are from 8:30 a.m. to 6:00 p.m., Monday through Friday, except federal holidays.
SUMMARY OF INSPECTOR GENERAL REPORTING REQUIREMENTS
|IG Act Reference||Reporting Requirement||
|Section 4(a)(2)||Review of legislation and regulations||7|
|Section 5(a)(l)||Significant problems, abuses and deficiencies||1|
|Section 5(a)(2)||Recommendations with respect to significant problems, abuses and deficiencies||1|
|Section 5(a)(3)||Prior significant recommendations on which corrective actions have not been made||7|
|Section 5(a)(4)||Matters referred to prosecutive authorities||6|
|Section 5(a)(5)||Summary of instances where information was refused||7|
|Section 5(a)(6)||List of audit reports by subject matter, showing dollar value of questioned costs and funds put to better use||1|
|Section 5(a)(7)||Summary of each particularly significant report||1|
|Section 5(a)(8)||Statistical tables showing number of reports and dollar value of questioned costs||10|
|Section 5(a)(9)||Statistical tables showing number of reports and dollar value of recommendations that funds be put to better use||11|
|Section 5(a)(10)||Summary of each audit issued before this reporting period for which no management decision was made by the end of the reporting period||6|
|Section 5(a)(11)||Significant revised management decisions||6|
|Section 5(a)(12)||Significant management decisions with which the Inspector General disagrees||6|
INSPECTOR GENERAL ISSUED REPORTS WITH QUESTIONED COSTS
|A. For which no management decision has been made by the commencement of the reporting period||0||0||0|
|B. Which were issued during the reporting period||0||0||0|
|Subtotals (A + B)||0||0||0|
|C. For which a management decision was made during the reporting period||0||0||0|
|(i) dollar value of disallowed costs||0||0||0|
|(ii) dollar value of cost not disallowed||0||0||0|
|D. For which no management decision was made by the end of the reporting period||0||0||0|
|Reports for which no management decision was made within six months of issuance||0||0||0|
INSPECTOR GENERAL ISSUED REPORTS
|A. For which no management decision has been made by the commencement of the reporting period||0||0|
|B. Which were issued during this reporting period||0||0|
|C. For which a management decision was made during the reporting period||0||0|
|(i) dollar value of recommendations that were agreed to by management||0||0|
|- based on proposed management action||0||0|
|- based on proposed legislative action||0||0|
|(ii) dollar value of recommendations that were not agreed to by management||0||0|
|D. For which no management decision has been made by the end of the reporting period||0||0|
|Reports for which no management decision was made within six months of issuance||0||0|