January 15, 2002

The Honorable Timothy J. Muris
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580

Dear Chairman Muris:

The attached report covers the Office of Inspector General's (OIG) activities for the second half of fiscal year 2001, and is submitted according to Section 5 of the Inspector General Act of 1978, as amended.

During this six-month reporting period, the OIG conducted an information security evaluation as required by the Government Information Security Reform Act (GISRA). The OIG found that while the agency has systems in place to guard against intrusion by external sources, it lacks documented policies and procedures that would establish adequate controls to guard against abuses by internal sources. The OIG also found that security measures are not yet fully integrated into the IT systems' life cycle as required by OMB Circular A-130. In keeping with requirements of GISRA, a second OIG review is scheduled to be performed later in fiscal year 2002.

The OIG has also completed field work in response to a Congressional inquiry into the agency's implementation of the "SmartPay" program. The OIG found that the agency's use of charge cards to make selected small purchases was generally operating effectively.

The OIG also initiated fieldwork on the FY 2001 Financial Statement Audit along with performing some preliminary work relating to a survey of the agency's collection and use of unsolicited commercial email. Details of these efforts are found in the body of this report.

As in the past, management has been responsive in attempting to address OIG recommendations. I appreciate management's support, and I look forward to working with you in our ongoing efforts to promote economy and efficiency in agency programs.


Frederick J. Zirkel
Inspector General

Special Message of Condolence and Support

The Federal Trade Commission's Office of Inspector General wishes to express deep sorrow and heartfelt condolences to all those who experienced the loss of family, friends and coworkers, as well as traumatic injuries in the great tragedy that took place in our nation on September 11, 2001 - a day forever etched in our memory.

We would also like to pay tribute to the firefighters, police and rescue workers for their incredible bravery in the effort to save lives. They are true heroes. Although a disaster of this magnitude leaves all of us grieving and looking for answers, it can also provide all Americans with a unique opportunity to unite and act for a common purpose. This is one of the greatest challenges we will ever face, and by standing together as a nation we can draw strength from each other.





Completed Audits
Summary of Findings for Audit Reports Issued During the Current Period
Audits in Which Field Work is Complete
Audits in Which Planning Efforts are Underway

Planned Audits


Investigative Summary
Investigations Closed During the Current Period
Matters Referred for Prosecution
Investigative Alert


Significant Management Decisions
Access to Information
Internet Access
Audit Resolution
Review of Legislation
Contacting the Office of Inspector General


Table I: Summary of Inspector General Reporting Requirements
Table II: Inspector General Issued Reports With Questioned Costs
Table III: Inspector General Issued Reports With Recommendations That Funds Be Put To Better Use


The Federal Trade Commission (FTC) seeks to assure that the nation's markets are competitive, efficient, and free from undue restrictions. The FTC also seeks to improve the operation of the marketplace by ending unfair and deceptive practices, with emphasis on those practices that might unreasonably restrict or inhibit the free exercise of informed choice by consumers. The FTC relies on economic analysis to support its law enforcement efforts and to contribute to the economic policy deliberations of Congress, the Executive Branch and the public.

To aid the FTC in accomplishing its consumer protection and antitrust missions, the Office of Inspector General (OIG) was provided with five work years and a budget of $656,400 for fiscal year 2001.


For this semiannual period, the OIG issued a Government Information Security Reform Act (GISRA) evaluation. The OIG also completed fieldwork on evaluating how the agency has managed its "SmartPay" credit card program, initiated fieldwork on the FY 2001 financial statement audit, and began an audit survey of the agency's collection and use of unsolicited commercial email. Detailed information regarding these audits and reviews is provided below.

Completed Audits

Audit Report Number Subject of Audit
AR 01-051 GISRA Security Evaluations Report
AR 01-051A GISRA Security Evaluations Report - Executive Summary

Summary of Findings for Audit Reports Issued During the Current Period

In AR 01-051 and AR 01-051A, GISRA Security Evaluations Report and Executive Summary, the OIG performed an evaluation of the agency's information security program and practices which included testing the effectiveness of security controls for selected agency systems.(1) The OIG applied the National Institute of Science and Technology's (NIST) Security Assessment Framework to the FTC's information security program to identify the level of security attained by the FTC. The OIG found that while the agency has systems in place to guard against external intrusion, it lacks documented policies and procedures to ensure continuity in the face of service interruptions and controls to effectively guard against internal abuse.

The Government Information Security Reform Act (P.L. 106-398) amended the Paperwork Reduction Act of 1995 by enacting a new subchapter on information security. In effect, GISRA codifies existing requirements of OMB Circular A-130, Security of Federal Automated Information Resources, which requires agencies to incorporate security into the life cycle of agency information systems. GISRA requires agencies to (i) implement an agency-wide security program practiced throughout the systems' life-cycles, (ii) provide incident response capability, (iii) conduct an annual program review, and (iv) detail security plan implementation steps in the annual performance plan.

The "NIST Framework" used by the OIG identifies five levels of IT security program effectiveness. The five levels measure specific management, operational and technical control objectives. Level 1 requires that the FTC have a formally documented and disseminated security policy covering its three major programs. Policy documentation should address, at a minimum, the purpose and scope of the policy, the person(s) responsible for implementing the policy, and the consequences and penalties for not implementing the policy. Subsequent levels build on this basic foundation, culminating with the highest level of security preparedness, Level 5, in which the organization has "fully integrated procedures and controls."

The OIG found that management had no documented security policy for any of its three program areas (Consumer Protection, Maintaining Competition and General Support) as required by OMB Circular A-130 and other government guidelines. As a result, the OIG concluded that the agency did not achieve a level 1 security rating in accordance with NIST guidelines which, in the opinion of the OIG, constitutes a material weakness.

Regarding a second material weakness, the OIG found that established security procedures were not routinely documented or followed in the general support program area. Documentation of technology configuration would provide a needed blueprint into current IT operations and would, once created, mitigate possible disruptions in operations whenever critical IT staff leave the agency.

Further, the OIG learned that the agency's contingency plan was outdated. Level 2 of the NIST Framework requires formal, complete and well-documented procedures (to include contingency plans) for implementing policies established at level 1. OMB guidelines require that the plan be reviewed annually and revised as appropriate. The agency's contingency plan was last updated in 1997. It identifies many systems that no longer exist at the agency, while other newer systems are not mentioned.(2)

Moving to Level 3 of the framework requires that IT security procedures and controls be implemented in a consistent manner and reinforced through training. In select areas where documentation does exist, the OIG found security procedures were not always being followed. Most serious were those procedures requiring IT staff to periodically check network and applications "user lists."(3) The OIG identified a number of employees who left the agency and who still had active network accounts.

The OIG also noted that the agency's IT Security Incident Response Policy (No. 2000-01) is not always followed. This vulnerability can lead to wrongdoing by agency staff not being detected in a timely manner, and/or external attacks not being reported to senior management consistently. The Incident Response Policy is not well known outside the small group of people involved in information security or system administration. As a result, many incidents go unreported. Incidents that were fully resolved did not contain evidence of follow-up with management.

The OIG found no indication that senior management was routinely made aware of security violations affecting agency information resources. Based on interviews with both program officials and technical operations staff, the OIG learned that dozens of incidents were "resolved" by operations with no incident reports being prepared. Short-cutting the Incident Response Policy means there is little, if any, effective management oversight as few records are maintained as to incident trends, types, or their ultimate resolution.

In addition to the aforementioned weaknesses, the OIG identified five other reportable conditions. Specifically, the OIG found:

(i) No internal reporting on IT resource usage. Such activity reports could be designed and produced to identify egregious exceptions to what is considered normal usage of IT resources by agency employees;
(ii) Inadequate separation of duties among IT staff. The OIG noted that a senior staff person in technology operations is the sole producer and custodian of security-related reports that, among other things, would enable the security officer and/or the CIO to review the performance of operations;
(iii) Periodic risk assessments are not performed. Once a system or an application has been moved to production there are no periodic risk assessments performed by either IT staff or bureau program managers, per requirements in OMB Circular A-130. In short, the OIG found that security considerations are being addressed only at the front end of the system application life cycle;
(iv) Verification of external organization's security controls is not performed. The FTC relies too heavily on security procedures at other Federal, state, local and foreign law enforcement organizations to ensure security of sensitive FTC information. Specifically, the FTC does not routinely ascertain that previously authorized non-FTC users continue to maintain a valid need to access applications. Further, for IT contractors who process sensitive information for the agency, the OIG found no formal MOUs with these organizations detailing security processes and procedures; and
(v) Security Officer responsibilities are not well integrated into ITM operations. The newly created position of Computer Security Officer (April 2000) does not possess the authority to effectively monitor and report on IT resource usage by agency employees or on external threats. The computer security officer must often rely on ITM operations staff to obtain needed security-related information.

To address the findings, the OIG recommended that IT management develop an agency-wide and individual systems security plan and policy; disseminate the Incident Response Policy to all program and IT employees and define what constitutes an "incident" for reporting purposes; produce exception reports to identify areas of potential internal abuse; immediately disable accounts of former employees and/or contractors and establish controls to prevent future occurrences; review current practices and redefine roles and responsibilities to ensure no single individual possesses all knowledge and access to security information; limit accounts of external users and periodically review internal user accounts to eliminate in a timely manner outdated access privileges; and provide the computer security officer with the necessary authorities to adequately fulfill the position's mandate.

The CIO is preparing a GISRA action plan to address these recommendations. The action plan is due to the Office of Management and Budget in the beginning of fiscal year 2002.

Audits in Which Field Work is Complete

Audit Report Number Subject of Audit
BR 01-048 (Briefing Report) Audit of FTC Telecommunications Billing Procedures, Practices, Controls and Expenditures. The overall objective of this review was to identify vulnerabilities pertaining to the oversight and payment of the agency's telecommunication services. To address this overall objective, the OIG (i) assessed whether the agency is paying only for the services it uses and/or the hardware/equipment it employs; (ii) reviewed system controls that are in place to monitor employee use of telephones, cell phones, and pagers, and determined whether these controls work effectively; (iii) analyzed whether the agency is using, given its service history, optimal service plans (for local, long distance, pagers and cell phones) to efficiently and effectively meet its needs; and (iv) documented the role GSA and other third parties perform in assisting the FTC in implementing its telecommunications program and reviewed the cost and the effectiveness of this assistance.

In lieu of a written report, the OIG provided a detailed briefing to the manager of the telecommunications program on the results of our review. The OIG found that in general the Telecommunications group within the Information and Technology Management Office (ITM) takes its responsibility seriously for maintaining voice-related services in an efficient and economic manner, and that basic provisions for making services available to staff appear well-designed. The OIG confirmed that the billing records for the two year period under review accurately reflected the universe of voice telecommunications services recognized and paid for by FTC, and relied upon for planning and decision support.

The OIG did note that the ability to capture and reflect the costs for services acquired and paid for, while accurate, did not necessarily mean that all services were appropriate and well-controlled. In particular, we found that there were a number of instances where diligent, after-the-fact work on the part of Telecommunications staff was required to capture information about inappropriate telecommunications costs and recover payments that otherwise would have resulted in FTC losses. The reliance on after-the-fact review for identification of such items suggests that controls during the requesting process, or over routine infrastructure planning and maintenance processes, could be improved.

During the audit, management hired a full time staff person dedicated to enhancing controls over planning, maintenance and expenditures pertaining to voice communication services.

AR 02-XXX Review of the FTC's "SmartPay" Program. The OIG responded to a PCIE/ECIE-wide congressional request to review controls in the agency's charge card program. The OIG completed fieldwork and has prepared a draft report.

Audits in Which Field Work is in Progress

Audit Report Number Subject of Audit

Audit of FTC Financial Statements for Fiscal Year 2001. The objective of this financial audit is to determine whether the agency's financial statements present fairly the financial position of the agency. The statements to be audited are the Balance Sheet as of September 30, 2001, and the related Statement of Net Cost, Statement of Changes in Net Position, Statement of Budgetary Resources, Statement of Financing, and Statement of Custodial Activity for the year then ended. Audit fieldwork performed during this period included preliminary tests of internal and management controls over the accumulation and reporting of financial information, and compliance with laws and regulations that have a material effect on the financial statements.

The OIG will continue to work with management to better tie the Statement of Net Cost to the agency's performance measures. These reported measures of program and financial performance are to be consistent with information on major goals and objectives from the agency's strategic plan and should be linked to the programs featured in the Statement of Net Cost.

This will be the fifth annual financial statement audit performed by the OIG; the first four audits resulted in unqualified opinions.


Audit Survey of the Receipt, Storage and Use of Unsolicited Commercial E-Mail. In 1998, the FTC's Bureau of Consumer Protection asked consumers to forward their unsolicited commercial e-mails (UCE) to the agency. This request was made because of the bureau's desire to learn of e-mails that might contain false and/or deceptive solicitations. Commission staff has testified before Congress on the FTC's program to combat deceptive and fraudulent UCEs.

Since 1998, internet service providers and consumers have responded by forwarding large numbers of UCEs on a daily basis to the agency. Due to the sheer volume of e-mails, the agency has stored the bulk of these messages. The OIG learned that the agency has received and stored "millions" of UCEs over the years. Recently, the agency has implemented a more powerful search engine for use by enforcement staff that will allow it to review more UCEs and, if necessary, act upon them.

The OIG has learned that aside from volume details, no summary reports exist detailing what is contained in the information forwarded to the FTC. Currently, there is no efficient way to separate useful UCEs from those that are not useful.

The objective of this OIG survey is to gain a better understanding of the information being accumulated. A secondary objective is to determine if technology is available to efficiently and cost effectively provide summary information on a routine basis to agency management. Such summary information, if it can be efficiently obtained, should help management determine 1) whether spending agency resources to collect, store and access information of questionable and/or limited usefulness is in the public interest, and 2) whether, if the information being stored is determined to be highly valuable as well as time sensitive, committing additional resources to allow the agency to make more effective use of the information would be prudent.

Planned Audits

Audit Report Number Subject of Audit

Audit of Hart Scott Rodino Fee Processes. Beginning in February 2001, significant changes were made to the filing requirements of the HSR Antitrust Improvements Act. Chief among these changes is an increase from $15 million to $50 million in the transaction value threshold over which companies must file premerger notification forms, as well as the implementation of a new tiered fee structure, with companies paying $45,000 for transactions valued between $50 and $100 million, $125,000 for transactions valued at $100 million to less than $500 million, and $280,000 for transactions valued at $500 million or more. Transactions valued at less than $50 million are not required to file. The tiered fee structure replaces the existing uniform filing fee. The fee that the acquiring company must pay is based on the value of the voting securities or assets held as a result of the transaction.

The objective of this review will be to determine whether the amended fee payment requirements are applied accurately and consistently.

AR 02-XXX Government Information Security Reform Act (GISRA) Evaluation (Phase II). In FY 2001, the OIG completed a high-level review of the agency's information security program. (See Completed Audits, GISRA Security Evaluations, AR 01-051 and AR 01-051A). In the review, the OIG identified selected aspects of the agency's information security program that warrant additional review. These areas, to include check out procedures, background checks of contractor employees, incident response procedures, and internal reporting of abuse of agency systems by staff, will be among those topics covered in depth in this Phase II review.


The Inspector General is authorized by the IG Act to receive and investigate allegations of fraud, waste and abuse occurring within FTC programs and operations. Matters of possible wrongdoing are referred to the OIG in the form of allegations or complaints from a variety of sources, including FTC employees, other government agencies and the general public.

Reported incidents of possible fraud, waste and abuse can give rise to administrative, civil or criminal investigations. OIG investigations might also be initiated based on the possibility of wrongdoing by firms or individuals when there is an indication that they are or were involved in activities intended to improperly affect the outcome of a particular agency enforcement action. Because this kind of wrongdoing strikes at the integrity of the FTC's consumer protection and antitrust law enforcement missions, the OIG places a high priority on investigating it.

In conducting criminal investigations during the past several years, the OIG has sought assistance from, and worked jointly with, other law enforcement agencies, including other OIGs, the Federal Bureau of Investigation (FBI), the U.S. Postal Inspection Service, the U.S. Secret Service, the U.S. Marshal's Service, the Internal Revenue Service, Capitol Hill Police, as well as state agencies and local police departments. In past years the OIG has also provided assistance to, and worked with, foreign government law enforcement agencies, including the Royal Canadian Mounted Police and the Canada Customs and Revenue Agency.

During this reporting period, the OIG obtained assistance from, and worked on a criminal investigation with the FBI's Washington Field Office Computer Analysis Resource Team (CART).

Investigative Summary

During this reporting period the OIG received 35 complaints or allegations of possible wrongdoing. Of these 35 matters, a total of 20 involved issues which the OIG determined were the responsibility of FTC program components. Consequently, the OIG referred these 20 matters to appropriate FTC components for disposition, while one (1) other complaint/allegation was referred to another law enforcement agency for review and/or action.

Of the fourteen (14) remaining complaints/allegations, the OIG closed ten (10) of them after a careful review of the issues involved and/or after conducting preliminary investigative reviews. Based on all complaints/allegations of possible wrongdoing received during this reporting period, the OIG decided to open one (1) criminal investigation. Finally, the OIG continued to monitor three (3) other complaints/allegations that it received during this reporting period with the possibility of opening investigations in the future.

Also during this reporting period, the OIG closed three (3) investigations. The OIG also continued to monitor two (2) other investigations opened in prior reporting periods involving leaks of nonpublic information to the media and the embezzlement of several million dollars by a court-appointed receiver from several receivership estates growing out of FTC enforcement cases.

Following is a summary of the OIG's investigative activities for the six-month period ending September 30, 2001.

Cases pending as of March 31, 2001 4
Plus: New cases +1
Less: Cases closed -3
Cases pending as of September 30, 2001 2

Investigations Closed During the Current Period

Obstructions & Unauthorized Disclosures (2)
In prior reporting periods, the OIG received a number of referrals from senior officials of possible wrongdoing relating to the unauthorized release of nonpublic information. In several of these cases it appeared that the information leaked was being directed to a particular news organization.
While the OIG conducted dozens of interviews and considered various motives for each of the apparent leaks, it was unable to directly implicate any agency employee in the leaking of nonpublic information. Reporters, when contacted by the OIG, more often than not, refused to provide details of their contacts with agency staff. Consequently, as only circumstantial evidence of possible wrongdoing was developed, the OIG decided to close two investigations into the unauthorized release of nonpublic information without making a referral to either a prosecutor or an agency official.
Employee Misconduct & Ethical Violations (1)
Early in this reporting period, the OIG received information that pornography had been downloaded to a specific FTC employee's computer and that the downloaded pornography was possibly being shared with other employees on an FTC server. The information received by the OIG also suggested that child pornography might be included among the downloaded material. While downloading pornography to an FTC computer is a violation of the government-wide standards of conduct as well as FTC policy, the possession of child pornography is a federal crime. As the OIG believed that the source of the information was credible, it initiated a criminal investigation.
During the investigation, the OIG requested that an FBI CART team assist us by imaging the hard drive of the identified FTC computer. The results of this imaging process showed that pornography was being routinely downloaded onto a government computer.
When confronted with this evidence, the subject cooperated with the OIG and provided a statement admitting wrongdoing. A report of the OIG's findings was then referred to management to consider administrative action after the OIG obtained a declination of criminal prosecution from a federal prosecutor.

Matters Referred for Prosecution

During this reporting period, the OIG provided some additional supporting material in a criminal case previously referred to a federal prosecutor in California involving the embezzlement of redress funds by a court-appointed receiver.

Also during this reporting period, the OIG referred a case for consideration of criminal prosecution to a federal prosecutor involving the downloading of pornography using government equipment. As none of the hundreds of images and/or film shorts downloaded on the employee's computer contained child pornography, criminal prosecution was declined and the matter was referred to management for administrative action.

Investigative Alert

During this period, the OIG issued one investigative alert to FTC management. An investigative alert is an OIG report which stems from an investigation. An OIG investigative alert, unlike an investigation report, does not focus on individual wrongdoing but instead identifies for management specific vulnerabilities or weaknesses in agency programs or operations which the OIG believes contributed to a climate in which the wrongdoing found during an OIG investigation was allowed to continue, or in which checks and balances which would have deterred the wrongdoing were not in place. Like an audit report, an investigative alert can include OIG recommendations.

The investigative alert issued to management this period identified certain internal control weaknesses within FTC's Information and Technology Management Office (ITM). The OIG learned of these internal control weaknesses while conducting interviews in an OIG investigation of alleged wrongdoing by an ITM employee.

Specifically, while conducting the investigation the OIG found: 1) a failure by contract employees assigned to ITM operations to report an FTC policy violation; 2) a failure by an ITM management official to address employee wrongdoing; and, 3) the computer security officer lacked authority to independently access information needed to quickly identify potential security abuses.

In this case, the OIG found that a number of ITM and contractor employees knew of the ITM employee's wrongdoing yet did nothing. More importantly, a lack of effective internal controls meant that the Chief Information Officer and the ITM computer security officer could not ascertain if a problem existed when attempting to learn what was going on.

As noted previously in this semiannual report, the Executive Director is in the process of finalizing an action plan based on the OIG's recent completion of an ITM security review mandated by GISRA. If the GISRA recommendations are implemented, the OIG believes that they should address the ITM internal control weaknesses identified in the investigative alert. Therefore, the OIG did not make any specific recommendations in the investigative alert.


Congressional Inquiries - The OIG responded to a PCIE/ECIE-wide request from the Chairman, Committee on Government Reform, to summarize OIG efforts in the area of recovery auditing. Recovery auditing is an established business practice whose objective is to identify missed discounts, duplicate payments and other overpayments. The FTC OIG provided the Committee with information about the overpayment of rent totaling $189,200. This finding is detailed in a management letter accompanying the FY 2000 Financial Statement Audit.

Peer Review Activities - Federal offices of inspector general are required by the IG Act to have a peer review performed of their organization once every three years. These reviews are to be performed only by federal auditors. A committee of the Executive Council on Integrity and Efficiency (ECIE) schedules the reviews to ensure that resources are available to perform them and that OIGs do not conduct reviews of one another.

Against this background, the FTC OIG completed a peer review of the OIG at the Peace Corps. The objectives of a peer review are to determine whether an effective internal quality control system has been established in the office and established policies, procedures and applicable government auditing standards are being followed. A final report was prepared and provided to the Peace Corps inspector general.

Significant Management Decisions

Section 5(a)(12) of the Inspector General Act requires that if the IG disagrees with any significant management decision, such disagreement must be reported in the semiannual report. Further, Section 5(a)(11) of the Act requires that any decision by management to change a significant resolved audit finding must also be disclosed in the semiannual report. For this reporting period there were no significant final management decisions made on which the IG disagreed, and management did not revise any earlier decision on an OIG audit recommendation.

Access to Information

The IG is to be provided with ready access to all agency records, information or assistance when conducting an investigation or audit. Section 6(b)(2) of the IG Act requires the IG to report to the agency head, without delay, if the IG believes that access to required information, records or assistance has been unreasonably refused, or otherwise has not been provided. A summary of each report submitted to the agency head in compliance with Section 6(b)(2) must be provided in the semiannual report in accordance with Section 5(a)(5) of the Act.

During this reporting period, the OIG did not encounter any problems in obtaining assistance or access to agency records. Consequently, no report was issued by the IG to the agency head in accordance with Section 6(b)(2) of the IG Act.

Internet Access

The OIG can be accessed via the world wide web at visitor to the OIG home page can download recent (1996 - 2000) OIG semiannual reports to Congress, the FY 1998, FY 1999 and FY 2000 CFO Act audits and other program and performance audits issued beginning in FY 1999, and can browse through a list of audit reports issued prior to FY 1999 and order them via an e-mail link to the OIG. In addition to this information resource about the OIG, visitors are also provided a link to other federal organizations and offices of inspector general.

Audit Resolution

As of the end of this reporting period, all OIG audit recommendations for reports issued in prior periods have been resolved. That is, management and the OIG have reached agreement on what actions need to be taken.

Review of Legislation

Section 4(a)(2) of the IG Act authorizes the IG to review and comment on proposed legislation or regulations relating to the agency or affecting the operations of the OIG. During this reporting period, the OIG reviewed several bills which were intended to fund Executive Branch agencies and law enforcement activities.

Contacting the Office of Inspector General

Employees and the public are encouraged to contact the OIG regarding any incidents of possible fraud, waste or abuse occurring within FTC programs and operations. The OIG telephone number is (202) 326-2800. To report suspected wrongdoing, employees and the public should call the OIG's chief investigator directly on (202) 326-2581. A confidential or anonymous message can be left 24 hours a day.

The OIG is located in room 494 of the FTC Headquarters Building at 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. Office hours are from 8:30 a.m. to 6:00 p.m., Monday through Friday, except federal holidays.


| IG Act Reference | Reporting Requirement | Page(s) |
|---|---|---|
| Section 4(a)(2) | Review of legislation and regulations | 14 |
| Section 5(a)(1) | Significant problems, abuses and deficiencies | 1-4 |
| Section 5(a)(2) | Recommendations with respect to significant problems, abuses and deficiencies | 4 |
| Section 5(a)(3) | Prior significant recommendations on which corrective actions have not been made | |
| Section 5(a)(4) | Matters referred to prosecutive authorities | 11 |
| Section 5(a)(5) | Summary of instances where information was refused | 13 |
| Section 5(a)(6) | List of audit reports by subject matter, showing dollar value of questioned costs and funds put to better use | 1-4 |
| Section 5(a)(7) | Summary of each particularly significant report | 1 |
| Section 5(a)(8) | Statistical tables showing number of reports and dollar value of questioned costs | 16 |
| Section 5(a)(9) | Statistical tables showing number of reports and dollar value of recommendations that funds be put to better use | 17 |
| Section 5(a)(10) | Summary of each audit issued before this reporting period for which no management decision was made by the end of the reporting period | 13 |
| Section 5(a)(11) | Significant revised management decisions | 13 |
| Section 5(a)(12) | Significant management decisions with which the Inspector General disagrees | 13 |




| | Number | Dollar Value: Questioned Costs | Dollar Value: Unsupported Costs |
|---|---|---|---|
| A. For which no management decision has been made by the commencement of the reporting period | 0 | 0 | 0 |
| B. Which were issued during the reporting period | 0 | 0 | 0 |
| Subtotals (A + B) | 0 | 0 | 0 |
| C. For which a management decision was made during the reporting period | 0 | 0 | 0 |
| (i) dollar value of disallowed costs | 0 | 0 | 0 |
| (ii) dollar value of cost not disallowed | 0 | 0 | 0 |
| D. For which no management decision was made by the end of the reporting period | 0 | 0 | 0 |
| Reports for which no management decision was made within six months of issuance | 0 | 0 | 0 |


| | Number | Dollar Value |
|---|---|---|
| A. For which no management decision has been made by the commencement of the reporting period | 1 | 29,359* |
| B. Which were issued during this reporting period | 0 | 0 |
| C. For which a management decision was made during the reporting period | 1 | 29,359 |
| (i) dollar value of recommendations that were agreed to by management | 1 | 29,359 |
| - based on proposed management action | 1 | 29,359 |
| - based on proposed legislative action | 0 | 0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | 0 |
| D. For which no management decision has been made by the end of the reporting period | 1 | 29,359 |
| Reports for which no management decision was made within six months of issuance | 0 | 0 |

*See AR 01-050A (pages 2, 20).


1. The Executive Summary was prepared in conjunction with management and was issued under a separate cover.

2. ITM management told the OIG that agency size and IT staff experience lessen the need for formal documentation as required by OMB A-130. To a large extent the OIG agrees that ITM can efficiently and effectively meet the agency's recurring IT operational needs without the need to document every system and procedure. However, a baseline level of documentation is needed to ensure that the agency maintains its focus on providing adequate security and that the agency is protected from unforeseen events.

3. Personnel separation lists are distributed twice monthly to system administrators to verify that all accounts have been disabled. A cross check against active accounts would identify accounts to terminate.