Office of Inspector General Recommendations Not Yet Implemented by the Department of Education, January 2001 through December 2007.

Published by the Department of Education, Office of Inspector General on 2001-01-01.


            Office of Inspector General Recommendations
                         Not Yet Implemented
                   by the Department of Education

                           January 2001 through December 2007




                                    January 31, 2008




Our mission is to promote the efficiency, effectiveness, and integrity of the Department's
programs and operations.

U.S. Department of Education
Office of Inspector General
Washington, DC
                                   UNITED STATES DEPARTMENT OF EDUCATION
                                                            OFFICE OF INSPECTOR GENERAL

                                                                                                       THE INSPECTOR GENERAL




                                                             January 31, 2008




The Honorable Henry Waxman
Chairman, Committee on Oversight and Government Reform
U.S. House of Representatives
2157 Rayburn House Office Building
Washington, D.C. 20515-6143


Dear Chairman Waxman:

In response to your December 7, 2007, request for a list of recommendations made by the Office of Inspector
General to the U.S. Department of Education to reduce government waste and make federal education programs
more efficient and effective, attached please find our report that presents the results of our review.

If you have any questions, or require any additional information, please do not hesitate to contact myself or
Catherine Grant, our Public Affairs Liaison at (202) 245-7023.

                                                      Sincerely,

                                                      /s/

                                                      Thomas L. Sipes
                                                      Acting Inspector General


Enclosure
cc: The Honorable Tom Davis, Ranking Member, Committee on Oversight and
    Government Reform
    The Honorable Margaret Spellings, Secretary U.S. Department of Education




 The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational
                                                   excellence and ensuring equal access.
                 Office of Inspector General Recommendations
            Not Yet Implemented by the U.S. Department of Education
                             January 2001 through December 2007

                                          Overview

On December 7, 2007, Chairman Henry Waxman, U.S. House of Representatives Committee on
Oversight and Government Reform, requested that the U.S. Department of Education
(Department), Office of Inspector General (OIG), compile a list of recommendations made that
had not yet been implemented by the Department or by Congress. The information was
requested to include recommendations made from January 1, 2001, to present. This report is that
response.

OMB Circular A-50 (Circular), Audit Followup, requires agencies to establish systems to assure the
prompt and proper resolution and implementation of audit recommendations. The Circular provides
definitions as follows:

    ·   Audit Resolution – The point at which the audit organization and agency management or
        contracting officials agree on actions to be taken on reported findings and recommendations.
    ·   Corrective Action – Measures taken to implement resolved audit findings and
        recommendations.

The Department tracks audit resolution and the implementation of corrective actions related to OIG
products in its Audit Accountability and Resolution Tracking System (AARTS). The Office of the
Chief Financial Officer (OCFO) maintains this system, which includes input from OIG and responsible
program officials. AARTS includes recommendation-level detail for all reports where the Department
is directly responsible for implementing corrective action. The system includes less detailed information
on the status of individual recommendations made to non-federal entities, such as state educational
agencies, local educational agencies, participants in the student financial assistance programs,
contractors, or grantees. As such, OIG’s response to the December 7, 2007, request includes only those
recommendations for which the Department is directly responsible for implementing corrective action.

For the time period requested, we identified 241 OIG products that included 1,519 recommendations.
Of that universe, the Department reported in AARTS that corrective actions had been completed for 207
products (86 percent) and 1,363 recommendations (90 percent). The remaining 34 products included
156 recommendations that the Department had not yet implemented. We did not identify any
recommendations issued prior to January 1, 2001, that the Department had not yet implemented.

The 156 recommendations that the Department had not yet implemented are presented in chronological
order, with the most recently issued recommendations presented first. We have categorized the
recommendations, and included the recommendation-level detail in separate sections, as follows:

   ·    Section A – Recommendations Issued within the Last Six Months presents recommendations
        made from July 1, 2007, through December 31, 2007. These recommendations are not
        considered overdue for resolution. A total of 9 products and 77 recommendations are included in
        this section.

    ·   Section B – Recommendations Issued January 1, 2007, through June 30, 2007, presents
        recommendations made between six and twelve months ago. A total of 8 products and 19
        recommendations are included in this section.

    ·   Section C – Recommendations Issued Prior to January 2007 presents recommendations made
        more than one year ago. A total of 17 products and 60 recommendations are included in this
        section.

A complete list of acronyms that are used throughout this report is provided in Appendix A, and a copy
of the request from Chairman Waxman is provided in Appendix B.

In accordance with the request, this report presents only recommendations for which the Department has
not completed corrective actions. All corrective actions reported as completed prior to January 1, 2008,
are excluded from this report. OIG has not confirmed the Department’s representations that corrective
actions have been completed.

A summary schedule follows that lists the OIG products and the number of recommendations not yet
implemented. The appendices provide detail on each OIG product, including report title, report number,
date the report was issued, and link to the report on the OIG website. This information is followed by a
brief summary of the objectives of the review, the findings, and the recommendation(s) for which
corrective action has not been completed. Each recommendation is numbered to correspond with the
specific finding. For example, a recommendation numbered 1.1 signifies it relates to Finding 1.
Likewise, a recommendation numbered 2.1 relates to Finding 2. If no recommendations are included for
a particular finding, all corrective actions related to that finding have been completed.

Under each recommendation is the current status (unresolved or resolved),1 the planned completion date
as reported by the Department in AARTS, any estimated cost savings, and a brief description of the non-
monetary benefits of the recommendation. Except where noted, the Department did not provide
information on any delays in implementing the recommendations included in this response. OIG has not
confirmed the Department’s explanations.

Periodically, OIG evaluates the effectiveness of the Department’s audit followup system and corrective
actions taken to address audit recommendations. The last such audit was issued February 27, 2006, and
can be found on OIG’s website at the following link: http://oigmis3.ed.gov/auditreports/a19e0017.pdf.
The Department stated it has implemented all corrective actions related to this audit.




1 A “resolved status” indicates that the Department has proposed corrective actions and OIG has agreed that the proposed
actions should adequately address the recommendation. The Department’s planned date for completing corrective actions is
also provided. An “unresolved” status indicates that either the Department has not yet proposed corrective actions, or the
Department and OIG have not agreed upon proposed corrective actions to address the recommendation. No planned
completion dates are included for unresolved recommendations.




                                    Summary Schedule

Report Title                                                  Date Issued   Unimplemented     Report Page
                                                                            Recommendations   Number

Reports Issued July 1, 2007, through December 31, 2007 (see Section A)

Financial Statement Audits – U.S. Department of Education     11/15/2007    5                 5
  for Fiscal Years (FY) 2007 and 2006
Financial Statement Audits – Federal Student Aid for FY       11/15/2007    5                 8
  2007 and 2006
System Security Review of the Common Origination and          09/26/2007    54                11
  Disbursement System for FY 2007
Virgin Islands Department of Education’s Third Party          09/26/2007    1                 22
  Fiduciary Has Been Ineffective in Providing Fiscal
  Oversight and Management of Department Funds
Inspection of Active Congressional Earmarks for FY 2005       09/25/2007    1                 23
Review of Federal Student Aid’s Monitoring of Guaranty        09/07/2007    5                 24
  Agency Compliance with the Establishment of the Federal
  Fund and Operating Fund
Controls Over Contract Monitoring for Federal Student Aid     08/24/2007    2                 26
  Contracts
Department of Education’s Oversight of the Free               08/23/2007    2                 27
  Application for Federal Student Aid Verification Process
Information Security Risk – Keylogger Vulnerability           07/02/2007    2                 28

Subtotal Unimplemented Recommendations                                      77

Reports Issued January 1, 2007, through June 30, 2007 (see Section B)

Effectiveness of the Department’s Financial Management        06/26/2007    6                 29
  Support System Oracle 11i Re-Implementation
Hurricane Education Recovery Act, Temporary Emergency         06/18/2007    3                 32
  Impact Aid
Termination of Department of Education Network Access         05/23/2007    3                 34
  for Separated Employees
Information Security Risk – Capturing of Internet             05/03/2007    1                 36
  Protocol Addresses
Audit of the Discretionary Grant Award Process in the         04/16/2007    1                 37
  Office of Postsecondary Education
Review of the Department’s Competitive Sourcing/A-76          02/28/2007    1                 38
  Competition
The Department’s Administration of Selected Aspects of        02/22/2007    3                 39
  the Reading First Program
Conflicting Responsibilities Included in the EDNet            02/16/2007    1                 41
  Contract Performance Work Statement

Subtotal Unimplemented Recommendations                                      19

Reports Issued Prior to January 1, 2007 (see Section C)

Controls Over Excess Cash Drawdowns by Grantees               12/18/2006    2                 42
Audit of the Department of Education FY 2005 IT Equipment     11/29/2006    1                 44
  Inventory
Financial Statement Audits – U.S. Department of Education     11/15/2006    1                 45
  for FY 2006 and FY 2005
Review of Financial Partner’s Monitoring and Oversight of     09/29/2006    14                46
  Guaranty Agencies, Lenders, and Servicers
Review of the Department’s Online Privacy Policy and          09/29/2006    1                 50
  Protection of Sensitive Information
Review of the Department’s Incident Handling Program and      09/28/2006    5                 51
  Intrusion Detection System
System Security Review of the Education Data Center for       09/28/2006    5                 53
  FY 2006
The Reading First Program’s Grant Application Process         09/22/2006    5                 55
Telecommunications Billing Accuracy                           02/01/2006    4                 57
Audit of the Department’s IT Contingency Planning             01/31/2006    4                 59
  Program – Asset Classification
Department Activities Relating to Consolidating Funds in      12/29/2005    4                 61
  Schoolwide Programs Provisions
Death and Total and Permanent Disability Discharges of        11/14/2005    1                 63
  FFEL and Direct Loan Program Loans
Review of the Department’s Incident Handling Program and      10/06/2005    4                 64
  EDNet Security Controls
Review of the Department Identified Contracts and Grants      09/01/2005    6                 66
  for Public Relations Services
Departmental Actions to Ensure Charter Schools’ Access to     10/26/2004    1                 68
  Title I and Individuals with Disabilities Act, Part B
  Funds
FSA Audits on Administrative Stay                             05/04/2004    1                 69
Contract Unliquidated Balances Converted from                 08/29/2002    1                 70
  Department’s Payment Management System

Subtotal Unimplemented Recommendations                                      60

Grand Total Unimplemented Recommendations                                   156

                                Section A - Recommendations Issued
                                     Within the Last Six Months
                                 (July 1, 2007, through December 31, 2007)

                                     Report/Recommendation Summary
This section presents those OIG work products released from July 1, 2007, through December 31, 2007.
During this timeframe, OIG released 9 reports that included 98 recommendations for the Department to
implement. Of that universe, 9 reports include 77 recommendations that have not yet been
implemented. As these audits are less than six months old, OIG does not consider the recommendations
overdue for resolution.

Report Title:                        Financial Statement Audits – U.S. Department of Education
                                      for Fiscal Year (FY) 2007 and FY 2006
Report Numbers:                      A17H0003
Report Issued:                       11/15/2007
Link to Report:                      http://www.ed.gov/about/reports/annual/2007report/auditors.pdf

Objective(s):

The objectives of the audit were to:

1. Provide an opinion on whether the financial statements are fairly presented in all material
   respects.
2. Report on internal controls that are intended to ensure that transactions are properly recorded
   to permit the preparation of reliable financial statements, maintain accountability for
   safeguarding of assets, and ensure that data supporting performance measures are properly
   recorded.
3. Report on compliance with laws and regulations that could have a direct and material effect
   on the financial statements.

Finding(s):

1.         Continued focus on credit reform estimation and financial reporting processes. This is a
           modified repeat condition (MRC).2
2.         Additional focus on program monitoring activities is needed.
3.         Controls surrounding information systems need enhancement. (MRC)




2 Modified Repeat Condition or MRC denotes that the recommendation was cited in a prior audit(s).


Recommendation(s) Not Yet Implemented by Department:

1.1   Continue to improve the analytical tools used for the loan estimation process and in
      periodic meetings of the Credit Reform Workgroup. Ensure that all analytical tools
      reconcile with one another to allow for their use as detect controls for loan program cost
      estimates.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – More accurate measures of and budgeting
                       for the cost of federal loan programs, enhanced credit reform estimation
                       process, strengthened internal control and tools, greater program
                       performance insight, more accurate cohort-level data.

1.2   Continue efforts to more fully implement cohort reporting with specific research on
      whether balances in the Department's financial records are supported by estimates, by
      cohort, from the Student Loan Model (SLM) and the newly developed cohort analysis tool,
      and that remaining credit reform estimates for each cohort are appropriate in relation to the
      remaining outstanding loans for such cohorts.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – More accurate measures of and budgeting
                       for the cost of federal loan programs, enhanced credit reform estimation
                       process, strengthened internal control and tools, greater program
                       performance insight, more accurate cohort-level data.

1.3   Document the consideration and ultimate resolution, in detail, of scenarios under which
      deviation from patterns of prior cash flows may be appropriate in developing credit reform
      estimates.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – More accurate measures of and budgeting
                      for the cost of federal loan programs, enhanced credit reform estimation
                      process, strengthened internal control and tools, greater program
                      performance insight, more accurate cohort-level data.




2.1   Continue to re-assess oversight and monitoring practices to include a specific focus on the
      risks of each program in connection with its evaluation and assessment of internal control.
      This process should also address risks identified in other assessment, audit, and inspection
      activities. The identified risks and the controls identified to mitigate such risks, both of
      which should be thoroughly documented, serve as a starting point for identifying
      appropriate improvement initiatives. The Department and Federal Student Aid (FSA)
      should continue and refine efforts we were informed are underway to identify and
      implement, as appropriate, additional changes needed in the approach to program
      management, including procedures for performing program and monitoring reviews, and
      reviews of payments to Federal Family Education Loan (FFEL) program lenders and
      guaranty agencies prior to disbursement as appropriate.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Reduction in potential noncompliance
                        with program requirements, reduction in deficiencies noted in the program
                        oversight processes, improved program administration and performance,
                        improved policies development and dissemination, better oversight over
                        funds and disbursements.

3.1   Continue efforts to address security and control weaknesses disclosed in audit reports or
      identified in internal self-assessments with an emphasis on addressing the root cause of the
      security or control weakness uniformly across the organization, which should decrease the
      likelihood of similar weaknesses being identified in future audit assessments and internal
      self-assessments.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Protection of mission critical systems,
                        improved and consistent security configuration across the organization,
                        greater and enhanced oversight over contractor supported systems,
                        stronger security procedures and detection systems, strengthened internal
                        control, improved protection and safeguarding of personally identifiable
                        information (PII).




Report Title:         Financial Statement Audits – Federal Student Aid
                      For FY 2007 and FY 2006
Issue Date:           11/15/2007
Report Number:        A17H0004
Link to Report:       http://www.ed.gov/about/offices/list/oig/auditreports/fy2008/a17h0004.pdf

Objective(s):

The objectives of the audit were to:

1. Provide an opinion on whether the financial statements are fairly presented in all material
   respects.
2. Report on internal controls that are intended to ensure that transactions are properly recorded
   to permit the preparation of reliable financial statements, maintain accountability for
   safeguarding of assets; and ensure that data supporting performance measures are properly
   recorded.
3. Report on compliance with laws and regulations that could have a direct and material effect
   on the financial statements.

Finding(s):

1.    Continued focus on credit reform estimation and financial reporting processes is warranted.
      (MRC)
2.    Additional focus on program monitoring activities is needed.
3.    Controls surrounding information systems need enhancement. (MRC)

Recommendation(s) Not Yet Implemented by the Department:

1.1   Continue to improve the analytical tools used for the loan estimation process and in
      periodic meetings of the Credit Reform Workgroup. Ensure that all analytical tools
      reconcile with one another to allow for their use as detect controls for loan program cost
      estimates.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – More accurate measures of and budgeting
                       for the cost of federal loan programs, enhanced credit reform estimation
                       process, strengthened internal control and tools, greater program
                       performance insight, more accurate cohort-level data.




1.2   Continue efforts to more fully implement cohort reporting, with specific research on
      whether balances in the Department's and FSA's financial records are supported by
      estimates, by cohort, from the SLM and the newly developed cohort analysis tool, and that
      remaining credit reform estimates for each cohort are appropriate in relation to the
      remaining outstanding loans for such cohorts.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – More accurate measures of and budgeting
                       for the cost of federal loan programs, enhanced credit reform estimation
                       process, strengthened internal control and tools, greater program
                       performance insight, more accurate cohort-level data.

1.3   Document the consideration and ultimate resolution, in detail, of scenarios under which
      deviation from patterns of prior cash flows may be appropriate in developing credit reform
      estimates.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – More accurate measures of and budgeting
                      for the cost of federal loan programs, enhanced credit reform estimation
                      process, strengthened internal control and tools, greater program
                      performance insight, more accurate cohort-level data.

2.1   Continue to re-assess oversight and monitoring practices to include a specific focus on the
      risks of each program in connection with its evaluation and assessment of internal control.
      This process should also address risks identified in other assessment, audit and inspection
      activities. The identified risks and the controls identified to mitigate such risks, both of
      which should be thoroughly documented, serve as a starting point for identifying
      appropriate improvement initiatives. The Department and FSA should continue and refine
      efforts we were informed are underway to identify and implement, as appropriate,
      additional changes needed in the approach to program management, including procedures
      for performing program and monitoring reviews, and reviews of payments to FFEL lenders
      and guaranty agencies prior to disbursement as appropriate.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Reduction in potential noncompliance
                        with program requirements, reduction in deficiencies noted in the program
                        oversight processes, improved program administration and performance,
                        improved policies development and dissemination, better oversight over
                        funds and disbursements.




3.1   Continue efforts to address security and control weaknesses disclosed in audit reports or
      identified in internal self-assessments with an emphasis on addressing the root cause of the
      security or control weakness uniformly across the organization, which should decrease the
      likelihood of similar weaknesses being identified in future audit assessments and internal
      self-assessments.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Protection of mission critical systems,
                        improved and consistent security configuration across the organization,
                        greater and enhanced oversight over contractor supported systems,
                        stronger security procedures and detection systems, strengthened internal
                        control, improved protection and safeguarding of PII.




Report Title:                         System Security Review of the Common Origination
                                      and Disbursement System for FY 2007
Issue Date:                           9/26/2007
Report Number:                        A11H0001
Link to Report:                       Not posted, sensitive data3

Objective(s):

The objective of the audit was to evaluate management, operational, and technical controls of the
FSA system security program in accordance with the Federal Information Systems Management
Act (FISMA). This included auditing the FSA-managed Common Origination and Disbursement
(COD) system and the outsourced service provider that hosts the system.

Finding(s):

1.       FSA needs to improve controls over COD certification and accreditation (C&A) program.
2.       FSA needs to improve controls over risk assessment.
3.       FSA did not ensure the contractor documented roles, provided specialized training, and
         developed formal documented procedures for implementing the security awareness and
         training program.
4.       FSA did not ensure configuration management controls were effective.
5.       Improvements are needed for the COD contingency planning program.
6.       FSA did not ensure effective reporting for the incident response and handling program.
7.       FSA did not ensure adequate media protection controls.
8.       FSA did not ensure adequate physical and environmental protection of the COD system.
9.       FSA did not effectively monitor personnel security controls.
10.      FSA did not ensure the contractor provided proper access controls.
11.      FSA did not ensure the contractor provided proper audit and accountability controls.
12.      FSA did not effectively monitor the contractor to ensure proper identification and
         authentication controls.
13.      FSA needs to improve controls for safeguarding PII.
14.      FSA did not adequately monitor the COD system contractor.

Recommendation(s) Not Yet Implemented by the Department:

1.1        Monitor and document the development, management, operation, and security of all
           connections between the COD and interfacing systems.
                · Status – Resolved.
                · Planned Completion Date – 03/15/2008.
                · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                · Other Non-monetary Benefits – Identification of risk to the Department,
                  strengthened internal control.




3 Reports containing sensitive data are not posted on the OIG website.


1.3   Ensure that all risk categorization frequency and intensity are commensurate with the
      potential harm to the Department’s operations, and all vulnerabilities previously
      identified during the 2004 C&A process are mitigated.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

1.4   After an adequate review of all interconnected systems and assessment of the appropriate
      risk categorization to all vulnerabilities, document and reflect the results in an updated
      C&A package.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced monitoring of the development,
                 management, operations, and security of connections between interfacing
                 systems, strengthened internal control.

2.1   Conduct a risk assessment that adheres to current federal requirements and identifies
      current system vulnerabilities.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Supports organization business objectives or
                 mission, identifies system potential threats and vulnerabilities, strengthened
                 internal control, compliance with laws and/or regulations.

2.2   Establish controls to ensure that risk assessments are conducted at least every three years
      or when there is a major change in the COD environment, whichever occurs first.
              · Status – Resolved.
              · Planned Completion Date – 01/07/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Reduces risk to an acceptable level, ensures
                 compliance with laws/regulations.

2.3   Develop and implement a plan of action to mitigate/correct identified risks and
      vulnerabilities.
             · Status – Resolved.
             · Planned Completion Date – 01/22/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Increased system security, reduced risk,
                  strengthened internal control.




3.1   Develop and document all roles and responsibilities for all personnel with access to COD,
      in accordance with National Institute of Standards and Technology (NIST), Office of
      Management and Budget (OMB) guidance, and contract requirements.
             · Status – Resolved.
             · Planned Completion Date – 03/15/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                 provides separation of duties and assists in establishing security awareness
                 and training requirements.

3.2   Maintain, update and disseminate the list of roles and responsibilities for all personnel.
             · Status – Resolved.
             · Planned Completion Date – 03/15/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Ensures that each person involved
                 understands their roles and responsibilities and is adequately trained,
                 strengthened internal control.

3.3   Provide specialized training programs for firewall, Windows operating system, and
      Intrusion Prevention System (IPS) administrators and any refresher training required to
      perform their responsibilities.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                 increased system security.

4.1   Develop an up-to-date configuration management plan to address all required elements.
      The new plan should refer to the proper release of the COD system, and a current audit
      plan.
            · Status – Resolved.
            · Planned Completion Date – 04/16/2008.
            · Estimated Cost Savings – Not applicable, non-monetary recommendation.
            · Other Non-monetary Benefits – Established control for baseline
                configurations, strengthened internal control.

4.3   Ensure that the contractor establishes procedures for testing the IPS and firewall
      configurations before implementing changes.
             · Status – Resolved.
             · Planned Completion Date – 02/15/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Increased system security, strengthened
                 internal control.




4.4   Direct the contractor to securely configure servers, databases, and routers.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

4.5   Establish and implement an effective contract monitoring plan to ensure that the
      contractor is fulfilling responsibilities under the contract, and the COD system has the
      proper configuration management controls in place to protect Department information.
              · Status – Resolved.
              · Planned Completion Date – 11/01/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                  appropriate, and increased system security, reduced risk.

5.1   Develop an up-to-date disaster recovery plan that includes providing details of changes
      that may have occurred throughout the different system releases, ensuring the listing of
      system names reflects the current inventory device name/host name/web address, and
      documenting testing scenario details and testing criteria to provide a consistent baseline
      of scenarios and criteria to judge the impact of the disaster recovery test and results.
             · Status – Resolved.
             · Planned Completion Date – 04/15/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                 increased system security, reduced risk.

5.3   Develop and implement a plan of action to mitigate/correct identified risks and
      vulnerabilities.
             · Status – Resolved.
             · Planned Completion Date – 02/29/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Increased system availability and data
                  security.

6.1   Establish and implement an effective contract monitoring plan to ensure the contractor is
      fulfilling the responsibilities under the contract, and that the COD system is properly
      monitored for all suspicious activities and security incidents are properly reported in
      accordance with Department and FSA incident response and handling programs.
               · Status – Resolved.
               · Planned Completion Date – 04/30/2008.
               · Estimated Cost Savings – Not applicable, non-monetary recommendation.
               · Other Non-monetary Benefits – Increased assurance that actions are
                   appropriate and that proper resolutions are attained for incidents and/or
                   suspicious activities, strengthened internal control.



6.2   Direct the contractor to incorporate incident handling and response processes and
      reporting as a part of the COD system security plan, in accordance with Department and
      FSA guidance.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

7.2   Require that a review for media storage be included on the next physical security
      assessment and each assessment performed thereafter.
             · Status – Resolved.
             · Planned Completion Date – 03/31/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Ensure adequate media protection controls,
                 increased system security, reduced risk.

7.3   Affix external labels to removable information system media and information system
      output indicating the distribution limitations, handling caveats, and applicable security
      markings (if any) of the information for all tapes at the contractor’s site containing COD
      information.
              · Status – Resolved.
              · Planned Completion Date – 02/01/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control, reduced risk.

8.1   Perform an adequate periodic agency review of the physical access controls for COD,
      including both the north and east data centers.
             · Status – Resolved.
             · Planned Completion Date – 02/29/2008.
             · Estimated Cost Savings – Not quantified.
             · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                 increased system security, reduced risk.

8.2   Ensure that the contractor adequately manages all environmental controls and inspections
      for the fire extinguishers, diesel storage tanks, and fire suppression cylinders.
              · Status – Resolved.
              · Planned Completion Date – 02/29/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure adequate environmental controls,
                   increased system security, enhanced data reliability and availability.




8.3    Correct all environmental control problems, including proper inspections, maintenance,
       and signage requirements.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure adequate environmental controls and
                   system data availability.

9.4    Conduct a thorough annual review of the access control listing to verify whether
       contractors accessing COD have the proper background investigation that is
       commensurate with the level of harm that can be inflicted to the COD system.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                  appropriate, increased system and data security, reduced risk.

9.5    Suspend or obtain interim clearances for system access for those personnel that do not
       have complete, required background investigations, interim clearances, or security risk
       assessments, until security investigations are completed.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                 appropriate, strengthened internal control, increased system security.

10.1   Configure servers, IPS, routers, and firewalls to prevent disclosure of sensitive network
       information, potential malicious attacks, and performance degradation.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Provide adequate controls over access, audit
                  and accountability, identification and authentication, and PII, strengthened
                  internal control.

10.2   Ensure proper authorization for user accounts on servers, IPS, routers and switches.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.




10.3   Ensure proper management of user rights, permissions, and system services.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enhanced internal control over
                 resources/actions, increased system security.

10.4   Implement use of NIST checklists, so that the contractor can improve security on the
       COD’s servers, IPS, routers, and firewalls.
             · Status – Resolved.
             · Planned Completion Date – 5/31/2008.
             · Estimated Cost Savings – Not applicable, non-monetary recommendation.
             · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                 increased system security, reduced risk.

10.5   Establish and implement an effective contract monitoring plan to ensure that the
       contractor is fulfilling its responsibilities under the contract, and that the COD system is
       properly configured to mitigate internal threats to the COD environment.
               · Status – Resolved.
               · Planned Completion Date – 11/30/2008.
               · Estimated Cost Savings – Not applicable, non-monetary recommendation.
               · Other Non-monetary Benefits – Increased effectiveness, strengthened internal
                   control.

11.1   Develop, maintain, and effectively enforce well-defined policy and procedures containing
       roles and responsibilities and rules of behavior for firewall administrators.
               · Status – Resolved.
               · Planned Completion Date – 04/30/2008.
               · Estimated Cost Savings – Not applicable, non-monetary recommendation.
               · Other Non-monetary Benefits – Increased system security, reduced risk.

11.2   Correct the identified discrepancies on all firewalls.
              · Status – Resolved.
              · Planned Completion Date – 04/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

11.3   Properly configure network devices and servers to enforce separation of duties by
       limiting system access in accordance with assigned roles and responsibilities.
               · Status – Resolved.
               · Planned Completion Date – 04/15/2008.
               · Estimated Cost Savings – Not applicable, non-monetary recommendation.
               · Other Non-monetary Benefits – Avoid potential conflicts of interest, allow
                  appropriate monitoring of administrator activities, increased system security,
                  reduced risk.


11.4   Adhere to the Department’s incident response program policy to configure IPS, routers,
       and switches to detect and alert on suspicious network activities.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure that access and modification of
                  sensitive or critical files are closely logged and monitored to prevent
                  inappropriate activities, increased system security, reduced risk.

11.5   Communicate and effectively enforce audit policy and procedures to all employees.
            · Status – Resolved.
            · Planned Completion Date – 03/31/2008.
            · Estimated Cost Savings – Not applicable, non-monetary recommendation.
            · Other Non-monetary Benefits – Strengthened internal control over
               resources/actions, increased system security.

11.6   Properly configure IPS, routers, and switches to collect, maintain, and protect audit logs.
              · Status – Resolved.
              · Planned Completion Date – 07/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

11.7   Properly maintain security logs and periodically review the logs for IPS, routers, and
       switches, according to the Department’s Information Assurance Security Policy.
              · Status – Resolved.
              · Planned Completion Date – 07/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations, and
                  increased system security, reduced risk.

11.8   Implement proper system audit configurations to detect suspicious activities and to
       prevent unauthorized access.
              · Status – Resolved.
              · Planned Completion Date – 07/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

11.9   Correct audit configurations for routers, servers, and databases.
              · Status – Resolved.
              · Planned Completion Date – 07/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Facilitate the implementation of the audit and
                  accountability policy and associated audit and accountability controls,
                  strengthened internal control.


12.1   Configure all servers and devices to ensure logging capability is properly configured to
       record or identify unauthorized transactions or functions.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Enable system administrators to isolate
                   system anomalies and possible security breaches, increased system security,
                   reduced risk.

12.2   Effectively perform user account and password maintenance.
               · Status – Resolved.
               · Planned Completion Date – 08/15/2008.
               · Estimated Cost Savings – Not applicable, non-monetary recommendation.
               · Other Non-monetary Benefits – Prevent unauthorized access to system
                  resources, increased system security, reduced risk.

12.3   Remove unnecessary functions or accounts from the COD system.
            · Status – Resolved.
            · Planned Completion Date – 08/15/2008.
            · Estimated Cost Savings – Not applicable, non-monetary recommendation.
            · Other Non-monetary Benefits – Prevent loss or unauthorized disclosure of
                sensitive Department information, strengthened internal control over
                resources.

12.4   Ensure that the contractor follows through to implement actions for logging and access
       discrepancies.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased assurance that actions are
                  appropriate, reduced risk.

12.5   Require the contractor to revise the COD system security plan to comply with
       Department directives.
              · Status – Resolved.
              · Planned Completion Date – 03/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Compliance with laws and/or regulations,
                  increased system security, reduced risk.




12.6   Schedule periodic reviews of the configuration to ensure that the controls are operating as
       intended.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control.

13.1   Ensure that the contractor removes any unneeded data from the system.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

13.2   Ensure that the contractor safely stores all internal transaction logs.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Maintain control and prevent unauthorized
                  access, increased system security.

13.3   Ensure that the contractor preserves event logs.
              · Status – Resolved.
              · Planned Completion Date – 09/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure an audit trail can be reviewed to
                  identify repeat attacks, increased system security.

13.4   Ensure that the contractor establishes policies to safeguard backed-up data.
              · Status – Resolved.
              · Planned Completion Date – 02/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Strengthened internal control over
                  resources/actions.

13.5   Ensure that the contractor handles disposal of privacy related data in a secure manner.
              · Status – Resolved.
              · Planned Completion Date – 08/15/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, strengthened
                  internal control.




13.6   Ensure that system policy describes actionable items related to privacy data.
              · Status – Resolved.
              · Planned Completion Date – 06/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Ensure the Department identifies and
                  provides information security protection commensurate with the risk and
                  magnitude of the harm resulting from the unauthorized access, use, disclosure,
                  disruption, modification, or destruction of information or information systems.

13.7   Ensure that the recommendations in previous sections are evaluated as to how they
       ultimately impact safeguarding PII, and take action commensurate with the risk and
       magnitude of harm resulting from data compromise.
              · Status – Resolved.
              · Planned Completion Date – 09/30/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased system security, reduced risk.

14.2   Develop an effective contract monitoring plan to ensure that all aspects of the contract are
       appropriately monitored and Department policies are followed, including the deficiencies
       specifically noted in this report.
               · Status – Resolved.
               · Planned Completion Date – 09/26/2008.
               · Estimated Cost Savings – Not applicable, non-monetary recommendation.
               · Other Non-monetary Benefits – Increased assurance that actions are
                   appropriate, reduced risk.

14.3   Ensure the Contracting Officer (CO), Contracting Officer’s Representative (COR), other
       FSA staff, and contractors involved in contract management, meet to review the contract
       monitoring plan and agree upon the methodology for monitoring the remainder of this
       contract. Ensure all parties understand their responsibilities for contract monitoring.
              · Status – Resolved.
              · Planned Completion Date – 10/31/2008.
              · Estimated Cost Savings – Not applicable, non-monetary recommendation.
              · Other Non-monetary Benefits – Increased effectiveness and system security.

14.5   Ensure that all future system contracts include requirements for documentation
       supporting scans, tests, and analyses conducted, and decisions made on the risks and
       mitigating factors considered, in support of the contractor's recommendations.
               · Status – Resolved.
               · Planned Completion Date – 12/31/2009.
               · Estimated Cost Savings – Not applicable, non-monetary recommendation.
               · Other Non-monetary Benefits – Ensure full support of work performed to
                  ensure the Department’s credibility with regard to any statements provided,
                  increased system security.



Report Title:                       Virgin Islands Department of Education’s Third Party Fiduciary Has
                                    Been Ineffective in Providing Fiscal Oversight and Management of
                                    Federal Education Funds
Issue Date:                         9/26/2007
Report Number:                      L02H0011 (Alert Memorandum⁴)

Objective(s):

The purpose of this alert memorandum was to inform the Department that the Virgin Islands
Department of Education’s (VIDE) third party fiduciary has been ineffective in providing fiscal
oversight and management of federal education funds.

Finding(s):

1.    VIDE third party fiduciary has been ineffective in providing fiscal oversight and
      management of federal education funds.

Recommendation(s) Not Yet Implemented by the Department:

1.1 Evaluate the lapsing of VIDE funds, numerous technical issues preventing full
    implementation of the third party fiduciary arrangement, the fiduciary’s serious internal
    control and financial weaknesses, the fiduciary’s security of confidential information and
    records in accordance with all applicable laws, and the fiduciary’s performance of its duties
    in accordance with its contract requirements. These matters should be addressed prior to
    the approval of the 2006 Consolidated Grant application.
                  · Status – Resolved.
                  · Planned Completion Date – 02/29/2008.
                  · Estimated Cost Savings – Not quantified.
                  · Other Non-monetary Benefits – Enhanced program effectiveness,
                      minimize future lapsed funds.




⁴ Alert Memoranda are prepared when a serious condition is identified that requires immediate Department
management action that is either outside the agreed-upon objectives of an on-going audit or inspection assignment
or is identified while engaged in work not related to an on-going assignment when an audit or inspection report will
not be issued. Alert Memoranda are not on the OIG website and are not publicly distributed.


Report Title:                      Inspection of Active Congressional Earmarks in
                                   FY 2005
Issue Date:                        9/25/2007
Report Number:                     I13H0004 (Inspection Report⁵)
Link to Report:                    http://www.ed.gov/about/offices/list/oig/aireports/i13h0004.pdf

Objective(s):

The objectives of our inspection were to:

1. Determine the total number and cost of congressional earmarks within the Department in FY
   2005, including the cost of the earmark and related costs such as staff time and
   administration.
2. Determine the adequacy of the oversight conducted on congressional earmarks under the
   Fund for the Improvement of Postsecondary Education (FIPSE) and the Fund for the
   Improvement of Education (FIE).
3. Determine the overall impact of FIPSE and FIE congressional earmarks on advancing the
   primary mission and goals of the Department.

Finding(s):

1.    Monitoring of earmarks within the Department is not consistent and the amount of time
      devoted to monitoring earmarks may not be sufficient to hold earmark recipients
      accountable.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Develop a methodology to ensure that earmark recipients are held accountable for the
      Federal funds they receive.
                  · Status – Unresolved.
                  · Planned Completion Date – Not applicable, unresolved.
                  · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                  · Other Non-monetary Benefits – Improved monitoring and oversight.




⁵ Inspections are analyses, evaluations, reviews or studies of the Department’s programs. The purpose of an
inspection is to provide Department decision makers with factual and analytical information, which may include an
assessment of the efficiency and effectiveness of their operations, and vulnerabilities created by their existing
policies or procedures. They are performed in accordance with the 2005 President’s Council on Integrity and
Efficiency Quality Standards for Inspections appropriate to the scope of the inspection.


Report Title:                Review of Federal Student Aid’s Monitoring of Guaranty
                             Agency Compliance with the Establishment of the Federal
                             Fund and the Operating Fund
Issue Date:                  9/07/2007
Report Number:               I13H0001 (Inspection Report)
Link to Report:              http://www.ed.gov/about/offices/list/oig/aireports/i13h0001.pdf

Objective(s):

The objective of our inspection was to determine the adequacy of FSA’s support for its
conclusions concerning the establishment of the Federal Fund and the Operating Fund at the 27
guaranty agencies not audited by OIG in 2003. The OIG audited nine guaranty agencies and
reported the results in the 2003 OIG Audit, Oversight Issues Related to Guaranty Agencies
Administration of the Federal Family Education Loan Program Federal and Operating Funds.

Finding(s):

1.    The work performed by FSA on the 27 guaranty agencies not audited by OIG provides no
      assurance that the Federal and Operating Funds were established in compliance with the
      Higher Education Act of 1965, as amended (HEA).

Recommendation(s) Not Yet Implemented by the Department:

1.1   Perform onsite program reviews to examine supporting records for the establishment of the
      Federal and Operating Funds at the 27 guaranty agencies not previously reviewed by OIG
      to ensure that the funds were established in accordance with the HEA, including the
      requirement for the use of the cash basis of accounting.
                   · Status – Resolved.
                   · Planned Completion Date – 12/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                        compliance, improved monitoring and oversight.

1.2   Ensure that the program reviewers have the requisite accounting knowledge to sufficiently
      evaluate the establishment of the Federal and Operating Funds.
                   · Status – Resolved.
                   · Planned Completion Date – 12/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance, improved monitoring and oversight.




1.3   Ensure that adequate resources are devoted to perform the program reviews, e.g., adequate
      staff days and travel funds.
                   · Status – Resolved.
                   · Planned Completion Date – 12/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                        compliance, improved monitoring and oversight.

1.4   In performing the program reviews, identify, quantify, and report as erroneous payments
      any lost revenue to the Federal Fund that resulted from the incorrect assessment of usage
      fees.
                   · Status – Resolved.
                   · Planned Completion Date – 12/31/2008.
                   · Estimated Cost Savings – Not quantified. Implementation of the
                       recommendation will result in quantification of erroneous payments.
                   · Other Non-monetary Benefits – Increased accuracy in reporting improper
                       payments, enhanced program effectiveness and compliance, improved
                       monitoring and oversight.

1.5   In performing the program reviews, identify any improper purchases made by guaranty
      agencies prior to the establishment of the Federal and Operating Funds, and require full
      repayment to the Federal Fund.
                   · Status – Resolved.
                   · Planned Completion Date – 12/31/2008.
                   · Estimated Cost Savings – Not quantified. Implementation of the
                       recommendation will result in quantification of funds to be repaid.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance, improved monitoring and oversight.




Report Title:                 Controls over Contract Monitoring for Federal Student Aid
                              Contracts
Issue Date:                   8/24/2007
Report Number:                A19G0006
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a19g0006.pdf

Objective(s):

The objectives of our audit were to determine whether FSA’s contract monitoring process
ensures that contractors adhere to the requirements of the contract, and that FSA receives the
products and services intended.

Finding(s):

1.    Improvements were needed in the monitoring of FSA contracts.

Recommendation(s) Not Yet Implemented by the Department:

1.3   Develop and implement a process to ensure acceptance/rejection of deliverables is
      appropriately communicated by the COR to the CO. Ensure the CORs provide written
      recommendations of deliverable acceptance/rejection to the COs.
                   · Status – Resolved.
                   · Planned Completion Date – 3/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Improved monitoring and oversight,
                      enhanced contractor compliance with terms and conditions, increased
                      strength of the Department’s position in the case of any dispute.

1.6   Ensure COR appointment letters are issued timely by the CO, and signed and returned
      timely by the COR. Review all FSA contracts to ensure that all current CORs have
      received an appointment letter and that a signed copy is included in the contract file.
                   · Status – Resolved.
                   · Planned Completion Date – 12/31/2007.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Improved monitoring and oversight,
                      enhanced understanding of COR responsibilities under the contract.




Report Title:                 Department of Education’s Oversight of the Free Application
                              for Federal Student Aid Verification Process
Issue Date:                   8/23/2007
Report Number:                A09G0012
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a09g0012.pdf

Objective(s):

Our audit objective was to determine if the Department had adequate procedures for evaluating
the effectiveness of the Free Application for Federal Student Aid (FAFSA) verification process
and ensuring that schools completed verification requirements for award year 2005-2006.

Finding(s):

1.    The Department could further enhance its procedures for ensuring schools complete
      FAFSA verification requirements.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Conduct program reviews, provide technical assistance, or take other actions to ensure that
      the schools we identified in our May 2, 2007, memorandum have completed verification
      and have accurately reported the results to the Department.
                   · Status – Resolved.
                   · Planned Completion Date – 01/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance, improved monitoring and oversight.

1.3   Require schools to report an S status to the COD system for a student whose application
      was selected by Central Processing System for verification, but the verification was not
      completed because the student was exempt under 34 C.F.R. § 668.54(b).
                   · Status – Resolved.
                   · Planned Completion Date – 09/30/2009.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, improved
                      data reliability/accuracy.




Report Title:                       Information Security Risk – Keylogger Vulnerability
Issue Date:                         7/02/2007
Report Number:                      L11H0002 (Alert Memorandum)

Objective(s):

The purpose of this alert memorandum was to bring attention to an increase of information
security risk associated with keylogger[6] activities.

Finding(s):

1.    The Department did not always effectively identify potential compromised accounts.
2.    The Department lacks a coordinated strategy to mitigate keylogger risks.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Develop and implement a plan to mitigate the risks presented by keyloggers. This plan
      should include policies and procedures to ensure that all potentially compromised accounts
      reported by the United States Computer Emergency Readiness Team are thoroughly
      reviewed and appropriate actions taken.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Proactively implement appropriate
                       information security controls to support the mission while managing
                       evolving information security risks, strengthen internal control.

1.3   Ensure that the Department’s customer base is educated as to keylogger and other threats,
      without increasing these threats, including modifying existing web pages to require the
      user to read and "click-through" an informational warning.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Increased awareness to identify threats,
                       increased system security.




6 Keyloggers are diagnostic tools that capture a user’s keystrokes, take screenshots at specified time
intervals, and save and record all activity (including passwords).


                    Section B – Recommendations Issued between
                       January 1, 2007, through June 30, 2007

                              Report/Recommendation Summary

This section presents those OIG work products released from January 1, 2007, through June 30, 2007.
During this timeframe, OIG released 13 reports that included 52 recommendations for the Department to
implement. Of that universe, 8 reports include 19 recommendations that have not yet been
implemented.

Report Title:                 Effectiveness of the Department’s Financial Management
                              Support System Oracle 11i Re-Implementation
Issue Date:                   6/26/2007
Report Number:                A11F0005
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a11f0005.pdf

Objective(s):

The objective of our audit was to assess the effectiveness of the overall project management of
the Department’s Financial Management Support System (FMSS) re-implementation. In
particular, we assessed: (1) the project’s system development methodology to manage system
requirements; (2) the project’s Earned Value Management System (EVMS) implementation to
control project scope, costs, and schedules; (3) aspects of contract monitoring, change control
and risk management; (4) the Department’s use of Independent Verification and Validation
(IV&V) services; and (5) the Department’s Information Technology (IT) capital asset
management and oversight practices.

Finding(s):

1.    The Department needs to improve project management planning, execution, and control.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Strengthen the March 2006 EVMS policy by developing EVMS monitoring procedures for
      CORs, COs, and project managers, and for Investment Acquisition Management Services
      (IAMS)/Contracts and Acquisitions Management (CAM) oversight.
                   · Status – Resolved.
                   · Planned Completion Date – 01/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control.

1.2   Modify Administrative Communication System (ACS) Directive, Office of the Chief
      Financial Officer (OCFO): 2-108, to require a documented monitoring plan for all major
      IT investments, commensurate with project risks (e.g., complexity, cost, length, lifecycle
      stage); and make necessary adjustments to associated procedures.


                   · Status – Resolved.
                   · Planned Completion Date – 01/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control.

1.3   Develop an IV&V services ACS Directive that establishes: (1) IV&V independence from
      the project served; (2) documented disposition of significant or repeated IV&V findings;
      and (3) periodic communication of IV&V findings to oversight bodies and project
      stakeholders at all levels.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Increased system security, strengthened
                       internal control.

3.1   Direct the Chief Financial Officer (CFO) and Chief Information Officer (CIO) to work
      jointly to coordinate CAM and IAMS oversight and monitoring functions, and to develop a
      mandatory project and contract monitoring curriculum that focuses on: (a) establishing and
      carrying out a comprehensive contract monitoring plan for major IT investments; (b)
      EVMS compliance monitoring and reviewing a contractor’s periodic status reports; and (c)
      using EVMS variances and forecasts to mitigate project risks.
                    · Status – Resolved.
                    · Planned Completion Date – 07/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control.

5.1   Direct the Investment Review Board Chair, the CFO, and the CIO to jointly improve IT
      acquisition and the IT Investment Management program to make oversight practices more
      effective by making the Capital Planning and Investment Control (CPIC) “Evaluate” phase
      applicable at the conclusion of any major system enhancements, and ensuring that CPIC
      oversight functions are able to ascertain whether/verify that: (a) tangible investment
      outcomes are established prior to capital investment approval; (b) the EVMS effectively
      complies with all essential industry standard guidelines; (c) the project has provided
      reliable performance results information to all decision-makers and stakeholders sufficient
      for informed decision making; (d) the disposition of IV&V findings is adequate and risks
      resulting from disposition are acceptable; and (e) project managers generally follow project
      plans, departures are documented, and resulting risks are understood and acceptable.
                    · Status – Resolved.
                    · Planned Completion Date – 3/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control and project
                        management.




6.1   Direct the CIO to determine the feasibility and advisability of consolidating system
      development infrastructures agency-wide and offering centralized expert support to
      development projects.
                   · Status – Resolved.
                   · Planned Completion Date – 01/30/2009.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Increased efficiency and effectiveness,
                      strengthened internal control.




Report Title:                 Hurricane Education Recovery Act, Temporary Emergency Impact Aid
Issue Date:                   6/18/2007
Report Number:                L06H0008 (Alert Memorandum)

Objective(s):

During our audits of the Hurricane Education Recovery Act, Temporary Emergency Impact
Aid (EIA) at the Texas Education Agency (TEA) and the Louisiana Department of Education
(LDE), we became aware of displaced students being counted in both states in the same
quarter. The purpose of this alert memorandum was to bring our concerns to the Department’s
attention so as to expedite corrective measures regarding this issue. We are concerned that
similar problems may be occurring in other states that received EIA funds.

Finding(s):

1.    Comparison of TEA and LDE databases identified duplicate student counts.
2.    Comparison of displaced students in at least 10 states needed to determine duplicates.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Coordinate with TEA and LDE to determine the circumstances of the duplicate counts and,
      where appropriate, determine the amount each state should refund due to the duplicate
      student counts we identified.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – $799,500 in duplicate payments made.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                      compliance.

2.1   At a minimum, take a sample of at least the 10 states that received the majority (91 percent)
      of the EIA funding and compare between those states to determine whether additional
      duplicate counting and duplicate EIA funding exists.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – Not quantified. Implementation of the
                       recommendation will result in determination of any additional duplicate
                       payments made.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance.

2.2   Ensure collection of any amounts disbursed based on duplicate displaced student counts.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.




                   · Estimated Cost Savings – Not quantified. Implementation of
                       Recommendation 2.1 above will result in determination of any additional
                       duplicate payments made.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance.




Report Title:                 Audit of the Termination of Department of Education Network
                              Access for Separated Employees
Issue Date:                   5/23/2007
Report Number:                A19G0012
Link to the Report:           http://www.ed.gov/about/offices/list/oig/auditreports/a19g0012.pdf

Objective(s):

The objectives of our audit were to determine whether access to the Department’s computer
network, Education Network (EDNet), was terminated timely for employees who separated from
the Department and, in cases where access was not terminated timely, to determine whether
separated employees accessed EDNet after their departure, and if so, assess the impact of that
access.

Finding(s):

1.    Improvements are needed in the Department's process for terminating access of separated
      employees.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Review the Handbook for Information Assurance Security Policy, Information Technology
      Security Controls Reference Guide, the Department's Directive on the Clearance of
      Personnel for Separation or Transfer, and the EDNet System Security Plan and make
      revisions, as necessary, to ensure consistency of guidance with regard to timeliness of
      notification of separation, method of notification, and account termination. Consider
      consolidating some of these documents, if feasible, to reduce duplication and confusion.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced use of resources, strengthened
                        internal control, improved monitoring and oversight, enhanced protection
                        of systems and data.

1.2   Revise the clearance form to require Principal Office (PO) IT coordinators to certify that an
      Account Termination Form has been completed and will be submitted to the Department’s
      Help Desk immediately upon the employee's separation from the Department.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, improved
                       monitoring and oversight, enhanced protection of systems and data.




1.3   Amend the Department's policies and procedures, EDNet Access Control and Help Desk
      Standard Operating Procedures, and the EDNet contract to establish consistent guidance on
      the retention period for requests and other supporting documentation related to account
      terminations, as well as archiving and purging procedures and timeframes.
                    · Status – Resolved.
                    · Planned Completion Date – 6/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control.




Report Title:                 Information Security Risk – Capturing of Internet Protocol
                              Addresses
Issue Date:                   5/03/2007
Report Number:                L21H0012 (Alert Memorandum)

Objective(s):

The purpose of this alert memorandum is to bring attention to a significant IT security risk with
FSA’s failure to capture the originating Internet Protocol (IP) addresses of users logging in to
major FSA systems.

Finding(s):

1.    FSA did not capture the originating IP addresses of users logging in to major FSA systems.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Make the necessary changes to FSA systems that would require capturing the IP address
      of every user who logs in to the systems.
                   · Status – Resolved.
                   · Planned Completion Date – 03/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Increased system security, reduced risk.




Report Title:                 Audit of the Discretionary Grant Award Process in the Office
                              of Postsecondary Education
Issue Date:                   4/16/2007
Report Number:                A19G0001
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a19g0001.pdf

Objective(s):

The objectives of our audit were to evaluate the effectiveness of the Office of Postsecondary
Education’s (OPE) grant award process, and determine if FY 2005 awards were made to
appropriately qualified entities.

Finding(s):

1.    OPE staff did not ensure grantees complied with OMB Circular A-133 audit requirements.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Ensure staff are aware of and screen for compliance with audit requirements prior to
      making noncompeting continuation awards, as required.
                   · Status – Resolved.
                   · Planned Completion Date – 5/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness,
                       improved monitoring and compliance.




Report Title:                 Review of the Department’s Competitive Sourcing/A-76 Competition
Issue Date:                   2/28/2007
Report Number:                I13G0004 (Inspection Report)
Link to Report:               http://www.ed.gov/about/offices/list/oig/aireports/i13g0004.pdf

Objective(s):

The objectives of our inspection were to:

1.   Determine whether Human Resources Services is meeting the performance requirements in
     the Letter of Obligation and the Agency Tender.
2.   Determine whether Human Resources Services is meeting the cost savings identified in the
     Letter of Obligation and Agency Tender.

Finding(s):

1.   The Department did not provide the Most Efficient Organization (MEO) with the resources
     specified in the agreement.
2.   The MEO does not generate adequate performance data to assess compliance with the
     performance standards in the agreement.
3.   OCFO has not monitored MEO compliance with the performance standards in the
     agreement.
4.   Neither OCFO nor the MEO has sought a modification to the agreement.
5.   The Department is not meeting the cost savings identified in the agreement and is
     overstating its cost savings to OMB and Congress.

Recommendation(s) Not Yet Implemented by the Department:

1.1 Reconsider how to best provide the Department with the competed human resources
    and training functions and determine whether the MEO should continue.
                  · Status – Unresolved.
                  · Planned Completion Date – Not applicable, unresolved.
                  · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                  · Other Non-monetary Benefits – Enhanced use of resources and
                     management effectiveness.




Report Title:                The Department’s Administration of Selected Aspects of the
                             Reading First Program
Issue Date:                  2/22/2007
Report Number:               A03G0006
Link to Report:              http://www.ed.gov/about/offices/list/oig/auditreports/a03g0006.pdf

Objective(s):

The objective of our audit was to determine whether the Department carried out its role in
accordance with applicable laws and regulations in administering the Reading Leadership
Academies (RLA) and related meetings and conferences, the National Center for Reading First
Technical Assistance contract award process, and its website and guidance for the Reading First
program.

Finding(s):

1.    Sessions at the Secretary's RLAs focused on a select number of reading programs.
2.    The Secretary's RLA handbook and guidebook appeared to promote the Dynamic
      Indicators of Basic Early Literacy Skills assessment test.
3.    The Department did not adequately assess issues of bias and lack of objectivity.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Establish controls to ensure compliance with, and avoid the appearance of violating the
      Department of Education Organization Act (DEOA) and No Child Left Behind Act of 2001
      (NCLB) curriculum provisions, especially when organizing conferences where specific
      programs of instruction are likely to be formally discussed or presented at Department
      sponsored events.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, enhanced
                       program effectiveness and compliance.

2.1   Establish controls to ensure the Department does not promote curriculum or create the
      appearance that it is endorsing or approving curriculum in its conference materials and
      related publications.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control, enhanced
                        program effectiveness and compliance.




3.1   Establish controls to ensure adequate assessments of bias and lack of objectivity for
      individuals proposed to perform Department contract work are performed by the
      Department and its contractors.
                   · Status – Resolved.
                   · Planned Completion Date – 01/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, enhanced
                       program effectiveness and compliance.




Audit Title:                 Conflicting Responsibilities Included in the EDNet Contract
                             Performance Work Statement
Issue Date:                  2/16/2007
Report Number:               L19H0006 (Alert Memorandum)

Objective(s):

The purpose of this alert memorandum was to inform the Department of concerns regarding
conflicting responsibilities in the EDNet contract Performance Work Statement.

Finding(s):

1.    The EDNet contract's Performance Work Statement included conflicting responsibilities
      related to IT network security.

Recommendation(s) Not Yet Implemented by the Department:

1.2   Establish additional monitoring and oversight, through use of the EDNet IV&V contractor
      or other means, to ensure that the contractor is appropriately monitoring, detecting, and
      reporting on network security.
                   · Status – Resolved.
                   · Planned Completion Date – 2/1/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Improved monitoring and oversight, enhanced
                       network security.




                         Section C – Recommendations Issued
                                 Prior to January 2007
                            (January 1, 2001, to December 31, 2006)

                              Report/Recommendation Summary
This section presents those OIG work products released from January 1, 2001, through December 31,
2006. During this timeframe, OIG released 219 reports that included 1,369 recommendations for the
Department to implement. Of that universe, 17 reports include 60 recommendations that have not yet
been implemented.

Report Title:                 Controls over Excessive Cash Drawdowns by Grantees
Issue Date:                   12/18/2006
Report Number:                A19F0025
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a19f0025.pdf

Objective(s):

The objective of our audit was to determine whether the Department’s controls identify and
prevent excessive cash drawdowns by grantees.

Finding(s):

1.    Excessive drawdown reports did not effectively identify all potentially excessive cash
      drawdowns.
2.    Grants Policy and Oversight staff (GPOS) did not ensure POs monitored excessive
      drawdowns.
3.    Improvements are needed in use of payment flags to prevent inappropriate drawdowns.
4.    The Department did not monitor formula grants through the excessive drawdown reports.

Recommendation(s) Not Yet Implemented by the Department:

1.3   Design additional fields in Grant Administration and Payment System to allow GPOS to
      enter resolution information for potentially excessive drawdowns so that, if resolved, the
      grants do not appear on future reports until the next threshold is reached.
                    · Status – Resolved.
                    · Planned Completion Date – 12/31/2009.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced monitoring and compliance,
                        improved use of resources.




3.1   Develop and implement a method to communicate payment flag information, including the
      reasons the flag was imposed or cleared, to all program offices responsible for monitoring
      additional grants awarded to the same recipient.
                    · Status – Resolved.
                    · Planned Completion Date – 12/31/2009.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced monitoring and compliance,
                       improved use of resources.




Report Title:                Audit of the Department of Education FY 2005 IT Equipment
                             Inventory
Issue Date:                  11/29/2006
Report Number:               A19G0007
Link to the Report:          http://www.ed.gov/about/offices/list/oig/auditreports/a19g0007.pdf

Objective(s):

The objective of our audit was to evaluate the process and results for the FY 2005 IT equipment
inventory.

Finding(s):

1.    The Department could not support the results reported for the FY 2005 IT Equipment
      Inventory.
2.    Contract management was not effective.

Recommendation(s) Not Yet Implemented by the Department:

1.3   Update and implement policy and procedures for the inventory reconciliation process,
      including requirements that adequate records are maintained to support inventory
      reconciliations, and that results are referred to PO managers for validation.
                   · Status – Resolved.
                   · Planned Completion Date – 12/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, improved
                        accuracy in reporting inventory results.




Report Title:                 Financial Statement Audits – U.S. Department of Education
                              for FY 2006 and FY 2005
Issue Date:                   11/15/2006
Report Number:                A17G0003
Link to Report:               http://www.ed.gov/about/reports/annual/2006report/rssi-oai.pdf#page=7

Objective(s):

The objectives of the audit were to:

1. Provide an opinion on whether the financial statements are fairly presented in all material
   respects.
2. Report on internal controls that are intended to ensure that transactions are properly recorded
   to permit the preparation of reliable financial statements, maintain accountability for
   safeguarding of assets, and ensure that data supporting performance measures are properly
   recorded.
3. Report on compliance with laws and regulations that could have a direct and material effect
   on the financial statements.

Finding(s):

1.    Continued focus on credit reform estimation and financial reporting processes is warranted.
      (MRC)
2.    Controls surrounding information systems need enhancement. (MRC)

Recommendation(s) Not Yet Implemented by the Department:

2.1   Continue efforts to address security and control weaknesses disclosed in audit reports or
      identified in internal self-assessments with an emphasis on addressing the root cause of the
      security or control weakness, which should decrease the likelihood of similar weaknesses
      being identified in future audit assessments and internal self-assessments.
                    · Status – Resolved.
                    · Planned Completion Date – 6/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Protection of mission critical systems,
                        improved and consistent security configuration across the organization,
                        enhanced back-up capabilities, stronger security procedures and detection
                        systems, strengthened internal control, improved protection, safeguarding
                        PII, greater accountability for and safeguarding of computer inventory.




Report Title:                      Review of Financial Partners’ Monitoring and Oversight of
                                   Guaranty Agencies, Lenders, and Servicers
Issue Date:                        9/29/2006
Report Number:                     A04E0009
Link to the Report:                http://www.ed.gov/about/offices/list/oig/auditreports/a04e0009.pdf

Objective(s):

Our audit objective was to evaluate the adequacy of Financial Partners' [7] processes for monitoring
guaranty agencies, lenders, and servicers.

Finding(s):

1.    Weak control environment for monitoring and oversight.
2.    Insufficient control activities over monitoring of program reviews and technical assistance.
3.    Lack of effective information and communication process related to policy issues.
4.    Risk assessment tool not fully implemented.

Recommendation(s) Not Yet Implemented by the Department:

1.2   Amend the Financial Partners' mission statement to better emphasize compliance and
      clarify the role of Financial Partners. Amend the functional statements for Financial
      Partners and Program Compliance to establish clear lines of responsibility and authority for
      oversight, monitoring, and compliance enforcement.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control, improved
                        monitoring and oversight.

1.4   Require Financial Partners to stop recording as lender program reviews, program reviews
      that are actually only servicer reviews.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Improved reporting accuracy.




[7] Financial Partners is the division within FSA that was responsible for the oversight of the FFEL program and its
participants.


1.5   Develop a consistent policy for identifying, quantifying, and reporting all liabilities
      identified in program reviews regardless of whether they are resolved.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control, improved
                        reporting accuracy, enhanced reporting and recovery of improper
                        payments or misused funds.

1.6 Request an amendment to the FSA Chief Operating Officer delegation of authority for
    waiving liabilities to include additional controls for monetary limitations and consultation
    with other Department officials. Eliminate the re-delegation to the Financial Partners'
    General Manager, and include appropriate controls in a replacement re-delegation to the
    appropriate Program Compliance Officer. Ensure that managers and staff know and
    understand the delegation of authority for waiving liabilities.
                 · Status – Resolved.
                 · Planned Completion Date – 06/30/2008.
                 · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                 · Other Non-monetary Benefits – Strengthened internal control, enhanced
                      management effectiveness.

1.7   Require the tracking and documentation of the reasons for waiving a liability when
      exercising the waiver authority.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control.

2.1   Ensure that Financial Partners follows its procedures and guidance for its program review
      process.
                   · Status – Resolved.
                   · Planned Completion Date – 03/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Improved monitoring and oversight,
                      enhanced program effectiveness and compliance.

2.2   Require Financial Partners to enhance and implement its guidance to include procedures
      that address the program review weaknesses we identified.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Improved monitoring and oversight,
                       enhanced program effectiveness and compliance.




2.3   Require Financial Partners to enhance and implement its guidance to include procedures
      that address the technical assistance weaknesses and provide oversight to the regions to
      ensure that technical assistance is consistently provided and properly documented.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Improved monitoring and oversight,
                        enhanced program effectiveness and compliance.

2.4   Ensure that Financial Partners strengthens its program review process to ensure consistency
      in the program review process and that program reviews are issued and closed within
      established timeframes.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Improved monitoring and oversight,
                       enhanced program effectiveness and compliance.

2.5 Require Financial Partners to establish a quality assurance process that would ensure that
    program reviews are conducted properly, that work papers support the conclusions reached
    and findings are adequately documented.
                 · Status – Resolved.
                 · Planned Completion Date – 06/30/2008.
                 · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                 · Other Non-monetary Benefits – Improved monitoring and oversight,
                     enhanced internal control.

2.6   Require Financial Partners to establish a quality assurance process that would ensure the
      quality and the adequacy of technical assistance.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Improved monitoring and oversight,
                       enhanced internal control.

3.1 Develop written policies and procedures for obtaining timely guidance for resolution of
    program issues and for communicating the results and decisions.
                · Status – Resolved.
                · Planned Completion Date – 04/01/2008.
                · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                · Other Non-monetary Benefits – Strengthened internal control, improved
                    monitoring and oversight.




3.2 Develop written policies and procedures for regular review of program reviews and other
    significant program determinations by the Office of General Counsel (OGC).
                  · Status – Resolved.
                  · Planned Completion Date – 06/30/2008.
                  · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                  · Other Non-monetary Benefits – Strengthened internal control, improved
                     monitoring and oversight.

4.1 Require Financial Partners to develop written policies and procedures on the use of the
    guaranty agency, lender, and servicer scorecards as a risk assessment tool and train users
    on their use.
                  · Status – Resolved.
                  · Planned Completion Date – 06/30/2008.
                  · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                  · Other Non-monetary Benefits – Strengthened internal control, improved
                    monitoring and oversight.




Report Title:                Review of Department of Education's Online Privacy Policy
                             and Protection of Sensitive Information
Issue Date:                  9/29/2006
Report Number:               A11G0004
Link to Report:              Not posted, sensitive data

Objective(s):

The objective of our audit was to assess the Department’s compliance with OMB Memorandum
M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act,
and OMB Memorandum M-06-16, Protection of Sensitive Agency Information.

Finding(s):

1.    The Department did not ensure compliance with privacy laws and guidance as specified in
      the OMB and Department directives as they relate to establishing protection controls for
      privacy information.

Recommendation(s) Not Yet Implemented by the Department:

1.2   Update the Department's plans to ensure compliance with OMB Memorandum M-06-16.
                  · Status – Resolved.
                  · Planned Completion Date – 6/30/2008.
                  · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                  · Other Non-monetary Benefits – Increased compliance with laws and/or
                     regulations; strengthen internal control.




Report Title:                  Review of the Department’s Incident Handling Program
                               and Intrusion Detection System
Issue Date:                    9/28/2006
Audit Report Number:           A11G0001
Link to Report:                Not posted, sensitive data

Objective(s):

Our objective was to evaluate the effectiveness of the Department’s Incident Handling (IH) and
Intrusion Detection System (IDS) in identifying and responding to aggressive Internet-based
attacks in accordance with FISMA.

Finding(s):

1.    The Department’s incident handling program and intrusion detection system deployment
      needs improvement.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Review security evaluations and correct the identified Domain Name System security
      configuration weaknesses.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Increased system security, reduced risks.

1.2   Develop and implement consistent enterprise IH event monitoring policies and procedures
      that will define types of incidents, events, and appropriate actions to take; and, reinforce an
      enterprise-wide communication channel between the Department- and FSA-managed IH
      and IDS.
                    · Status – Resolved.
                    · Planned Completion Date – 6/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Compliance with laws, enhanced policies
                        and procedures for safeguarding resources, improved communication.

1.3   Ensure effective monitoring of the IDS console.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Increased system security.




1.4   Develop enterprise policies and procedures for IDS deployment, maintenance, evaluation,
      and risk assessment.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced assessments of risk, ensure that
                      personnel will effectively identify and respond to malicious activity.

1.6   Ensure that clear and measurable service level agreements exist for outsourced IDS
      management.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Establish measurable components of
                       performance management.




Report Title:                System Security Review of the Education Data Center
                             for FY 2006
Issue Date:                  9/28/2006
Report Number:               A11G0002
Link to Report:              Not posted, sensitive data

Objective(s):

The audit objectives were to evaluate management, operational, and technical controls of the
Department’s system security program in accordance with FISMA.

Finding(s):

1.    Management controls need improvement.
2.    Operational security controls need improvement.
3.    Technical security controls need improvement.

Recommendation(s) Not Yet Implemented by the Department:

1.2   Revise the Plan of Action and milestones for OMB Memorandum M-06-16 to meet all of
      the security control requirements set forth in OMB's memo and weaknesses identified in
      this report.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Compliance with laws and/or regulations.

2.1 Correct the Education Data Center physical data center weaknesses.
                 · Status – Resolved.
                 · Planned Completion Date – 6/30/2008.
                 · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                 · Other Non-monetary Benefits – Physical data center protection,
                    strengthened internal control.

2.3   Establish policies and procedures to address identified tape handling control weaknesses.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Improved protective controls over mission
                       critical and sensitive data.




2.4   Establish and implement enterprise-wide technical security configuration standards for its
      operating systems, database applications, web services applications, and network devices
      based on industry security standards.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control.

2.7   Consider two-factor authentication as a means to strengthen user access controls.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control.




Report Title:                 The Reading First Program’s Grant Application Process
Issue Date:                   9/22/2006
Report Number:                I13F0017 (Inspection Report)
Link to Report:               http://www.ed.gov/about/offices/list/oig/aireports/i13f0017.pdf

Objective(s):

The objectives of our inspection were to:

1.    Determine if the Department selected the expert review panel in accordance with the
      NCLB, Section 1203(c), and if the Department adequately screened the panel members for
      possible conflict of interest issues;
2.    Determine if the expert review panel adequately documented its reasons for stating that an
      application was not ready for funding; and
3.    Determine if the expert review panel reviewed the applications in accordance with
      established criteria and applied the criteria consistently.

Finding(s):

1.    The Department did not select the expert review panel in compliance with the requirements
      of NCLB.
2.    While not required to screen for conflicts of interest, the screening process the Department
      created was not effective.
3.    The Department did not follow its own guidance for the peer review process.
4.    The Department awarded grants to states without documentation that the subpanels
      approved all criteria.
5.    The Department included requirements in the criteria used by the expert review panels that
      were not specifically addressed in NCLB.
6.    In implementing the Reading First program, Department officials obscured the statutory
      requirements of the Elementary and Secondary Education Act of 1965, as amended
      (ESEA); acted in contravention of the Government Accountability Office Standards for
      Internal Control in the Federal Government; and took actions that call into question
      whether they violated the prohibitions included in the DEOA.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Develop internal management policies and procedures for the Office of Elementary and
      Secondary Education (OESE) program offices that address when legal advice will be
      solicited from the OGC and how discussions between OGC and the program staff will be
      resolved to ensure that programs are managed in compliance with applicable laws and
      regulations.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control, enhanced
                       program effectiveness and compliance.


1.2   Review the management and staff structure of the Reading First program office and make
      changes, as appropriate, to ensure that the program is managed and implemented consistent
      with the statutory requirements of NCLB.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance.

6.2   Request that OGC develop guidance for OESE on the prohibitions imposed by §3403(b) of
      the DEOA.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal controls, enhanced
                     program effectiveness and compliance.

6.4   Rely upon the internal advisory committee to: (a) determine whether the implementation of
      Reading First harmed the Federal interest and what course of action is required to resolve
      any issues identified; and (b) ensure that future programs, including other programs for
      which the Department is considering using Reading First as a model, have internal controls
      in place to prevent similar problems from occurring.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance.

6.5   Convene a discussion with a broad range of state and local education representatives to
      discuss issues with Reading First as part of the reauthorization process.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance.




Report Title:                 Telecommunications Billing Accuracy
Issue Date:                   2/01/2006
Report Number:                A19F0009
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a19f0009.pdf

Objective(s):

The objective of our audit was to determine the effectiveness of the Department’s validation of
the billing accuracy for its telecommunications services.

Finding(s):

1.    The Office of the Chief Information Officer needs to improve internal control over
      telecommunications billings.

Recommendation(s) Not Yet Implemented by the Department:

1.2   Based on the risk assessment conducted for Recommendation 1.1, allocate adequate
      staffing to the Telecom Services Group to establish appropriate internal control and allow
      effective management of telecommunications services and expenditures.
                    · Status – Resolved.
                    · Planned Completion Date – 9/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control, enhanced
                        management effectiveness.

1.4   Ensure Telecommunications Automated Tracking System (TATS) or other appropriate
      information technology resources are fully developed and operational to assist in the
      management of telecommunications services.
                   · Status – Resolved.
                   · Planned Completion Date – 8/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, and
                      enhanced monitoring and oversight.

1.6   Ensure telephone lines are disconnected timely when staff move. Take immediate action to
      correct issues noted during our audit – disconnect/discontinue services identified as not
      necessary, and update records to correctly identify holders of wireless services.
                    · Status – Resolved.
                    · Planned Completion Date – 2/28/2008.
                    · Estimated Cost Savings – Not quantified.
                    · Other Non-monetary Benefits – Strengthened internal control, better use
                       of resources, enhanced management effectiveness.




1.7   Ensure Department policies and the TATS user manual accurately reflect information
      regarding what is accessible to POs within the TATS application to effectively monitor
      telecommunications costs.
                  · Status – Resolved.
                  · Planned Completion Date – 3/30/2008.
                  · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                  · Other Non-monetary Benefits – Strengthened internal control, and
                      enhanced monitoring and oversight.




Report Title:                  Audit of the Department’s IT Contingency Planning Program
                               – Asset Classification
Issue Date:                    1/31/2006
Report Number:                 A11F0006
Link to Report:                Not posted, sensitive data

Objective(s):

The objective of our audit was to evaluate the Department’s process for categorization of
information and information systems to determine whether the categories are properly assigned
to ensure continuity of operations.

Finding(s):
1.    Identification and classification activities inconsistently categorize IT assets and do not
      effectively ensure continuity of operations.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Establish a fully integrated process to identify and classify information resources, ensuring
      that Department asset identification and valuation activities are conducted as an integral
      part of Enterprise Architecture activities, and classifications support broad decision making
      throughout the asset's full life cycle (i.e. ratings meet the needs of all management
      components that make use of such data).
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control over
                        resources, increased oversight coordination regarding inventory
                        development and classification of assets.

1.2   Establish effective oversight controls (e.g., accountability for monitoring, coordination and
      validation) to ensure that established procedures and guidance are followed; a reliable
      system of record for the Department's portfolio/inventory of IT assets is established, and
      listing and classifications to date are validated; and assets are reliably identified and
      classified over time and across the agency as a whole.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced resource management;
                        complete and consistent accounting and rating of Department IT assets.




1.3   Modify official guidance (i.e., ACS directives) to ensure that Department guidance is
      consistent with federal guidelines and fully documents an integrated and repeatable process
      to identify, define and classify/categorize assets and subcomponents; and Department
      guidance includes categories and ratings that offer sufficient differentiation to support their
      intended use, and logical mapping across rating definitions, where pertinent.
                    · Status – Resolved.
                    · Planned Completion Date – 06/30/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Improved guidance for providing
                        enterprise-wide validation and verification of various classification results.

1.4   Provide training to ensure consistency in the application of the Department's guidance.
                   · Status – Resolved.
                   · Planned Completion Date – 06/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Increased protection of Department assets.




Report Title:                 Department’s Activities Relating
                              to Consolidating Funds in Schoolwide Programs Provisions
Issue Date:                   12/29/2005
Report Number:                A07F0014
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a07f0014.pdf

Objective(s):

The objectives of our audit were to determine what the Department has done to assist state
educational agencies (SEA) in modifying or eliminating state fiscal and accounting barriers to
consolidating funds and encouraging schools to consolidate funds in their schoolwide programs,
and what the Department could do to further assist SEAs in these two areas.

Finding(s):

1.    The Department could do more to support SEAs in fulfilling their responsibilities under the
      schoolwide consolidating funds provisions by publishing the guidance on schoolwide
      programs it promised in the July 2, 2004, notice in the Federal Register.
2.    Even though Department site-visitors have found that SEAs generally have not encouraged
      Local Educational Agencies (LEAs) and schools to consolidate funds in their schoolwide
      programs, they have not included these findings in site-visit reports.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff develop and issue guidance on consolidating federal, state, and local
      funds in schoolwide programs that would include: (1) options on consolidating funds that
      would best accommodate federal programmatic and reporting requirements; and (2)
      information about the potential advantages of consolidating funds.
                   · Status – Resolved.
                   · Planned Completion Date – 03/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, enhanced
                        program effectiveness and compliance.

1.2   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff, as part of developing new guidance on consolidating funds, meet with
      officials from the three SEAs that we found to have developed the most extensive guidance
      on consolidating funds in order to ensure that the Department's guidance in this area takes
      advantage of the most promising practices, and learn what SEAs perceive to be federal
      barriers to consolidating funds.
                    · Status – Resolved.
                    · Planned Completion Date – 03/31/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control, enhanced
                        program effectiveness and compliance.


2.1   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff follow the Department's current SEA monitoring procedures with
      respect to the consolidating funds responsibilities of SEAs.
                    · Status – Resolved.
                    · Planned Completion Date – 03/31/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced program effectiveness and
                        compliance, improved monitoring and oversight.

2.2   Require the Director of Student Achievement and School Accountability Programs to
      ensure that her staff include in reports for SEA program reviews findings, and
      recommendations for corrective action, regarding any failures on the part of SEAs to fulfill
      their responsibilities under the provisions in the ESEA, Title I, Part A, §§ 1111(c) (9) and
      (10).
                   · Status – Resolved.
                   · Planned Completion Date – 03/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                        compliance, improved reporting, monitoring, and oversight.




Report Title:                 Death and Total and Permanent Disability Discharges of FFEL
                              and Direct Loan Program Loans
Issue Date:                   11/14/2005
Report Number:                A04E0006
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a04e0006.pdf

Objective(s):

The objective of our audit was to determine whether FSA has implemented effective policies,
procedures, and internal controls over the process for discharging William D. Ford Federal
Direct Loan and FFEL program loans, based on the death or total and permanent disability of the
borrower.

Finding(s):

1.    The regulatory three-year conditional discharge period is inadequate for determining
      eligibility of all borrowers.
2.    Regulations that excuse a borrower from paying interest should be reconsidered.
3.    FSA did not update the National Student Loan Data System, as required.

Recommendation(s) Not Yet Implemented by the Department:

2.1   Revise the Department's regulations to ensure that, if a borrower's loans are reinstated from
      a conditional discharge status, the borrower is required to pay any interest that accrued on
      his or her loans through the end of the conditional discharge.
                    · Status – Resolved.
                    · Planned Completion Date – 03/31/2008.
                    · Estimated Cost Savings – Not quantified.
                    · Other Non-monetary Benefits – Enhanced program effectiveness,
                        increased recovery of interest accrued.




Report Title:                 Review of the Department's Incident Handling Program and
                              EDNet Security Controls
Issue Date:                   10/06/2005
Report Number:                A11F0002
Link to Report:               Not posted, sensitive data

Objective(s):

Our audit objectives were to evaluate the effectiveness of the Department’s IH Program to
identify and respond to aggressive Internet-based attacks against mission critical systems residing
at Education data centers, and evaluate platform level security controls of select systems residing
on the EDNet in accordance with FISMA.

Finding(s):

1.    The IH program needs improvement.
2.    EDNet configuration management controls need improvement.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Review existing remote data center contracts and require contracts to be modified to ensure
      that contractors and sub-contractors comply with and follow Department policies and
      procedures for reporting all computer security incidents per Department policy.
                    · Status – Resolved.
                    · Planned Completion Date – 02/29/2008.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Improved compliance with laws and/or
                        regulations.

1.3   Implement comprehensive IDS and IH policies and procedures to promptly and effectively
      detect, respond to, and report malicious scans and covert attacks from internal and external
      sources.
                   · Status – Resolved.
                   · Planned Completion Date – 3/31/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Increased systems security, reduced risk.

1.7   Communicate the Department's ACS Handbook for Information Security Incident
      Response and Reporting Procedures, to the remote data centers to clearly define who will
      perform forensic analysis in the event of a system compromise.
                  · Status – Resolved.
                  · Planned Completion Date – 3/31/2008.
                  · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                  · Other Non-monetary Benefits – Strengthened internal control over
                      resources/actions.


1.8   Develop clear policies and procedures within the ACS Handbook for Information Security
      Incident Response and Reporting Procedures, to ensure that sensitive information
      regarding computer security incidents is encrypted before being transmitted within the
      Department and to outside organizations.
                   · Status – Resolved.
                   · Planned Completion Date – 6/30/2008.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Strengthened internal control, increased
                      system security.




Report Title:                 Review of Department Identified Contracts and Grants for
                              Public Relations Services
Issue Date:                   9/01/2005
Report Number:                I13F0012 (Inspection Report)
Link to Report:               http://www.ed.gov/about/offices/list/oig/aireports/i13f0012.pdf

Objective(s):

The objective of our inspection was to determine whether any of 35 Department-identified
contracts and grants resulted in publicity or propaganda paid with appropriated funds.

Finding(s):

1.    Department contract and grant personnel did not understand their responsibilities with
      regard to the prohibition on the use of appropriated funds for publicity or propaganda.
2.    Contract and grant files were incomplete and lacked documentation of deliverables.
3.    Grants that resulted in materials that may have been publications did not include the
      Education Department General Administrative Regulations (EDGAR) disclaimer.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Ensure that Department grant and contract personnel understand the prohibition on the use
      of appropriated funds for publicity or propaganda and ensure that this information is
      communicated to grantees.
                   · Status – Unresolved.
                   · Planned Completion Date – Not applicable, unresolved.
                   · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                   · Other Non-monetary Benefits – Enhanced program effectiveness and
                       compliance, improved monitoring and oversight.

1.2   Ensure that contract and grant personnel understand when disclosure of the Department's
      role is required and ensure that the language is included in contracts as appropriate, and
      that the EDGAR requirements are clearly communicated to grantees.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced program effectiveness and
                        compliance, improved monitoring and oversight.




2.1   Monitor contracts and grants and ensure that files are complete and appropriately
      documented. For contracts, files should also include proof of production of the
      deliverables.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced program effectiveness and
                      compliance, improved monitoring and oversight.

2.2   Obtain copies of the contract deliverables not available for our review, determine if there
      were any violations of the covert propaganda prohibition, and report any resulting
      violations of the Antideficiency Act to the President, Congress, and the Comptroller General
      in accordance with the instructions of OMB Circular A-11. In the review of these
      deliverables the Department should also assess compliance with 48 C.F.R. § 3452.227-70,
      as appropriate.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Enhanced program effectiveness and
                        compliance, improved reporting, monitoring, and oversight.

3.1   Determine the amount of improper expenditures associated with the publication of opinion-
      editorial pieces under the grants identified in our review and initiate a recovery action for
      the unallowable use of funds.
                    · Status – Unresolved.
                    · Planned Completion Date – Not applicable, unresolved.
                    · Estimated Cost Savings – Not quantified. Implementation includes
                        determining the amount of any improper expenditures.
                    · Other Non-monetary Benefits – Enhanced program effectiveness and
                        compliance, improved monitoring and oversight.

3.2   Review the materials produced under the grants identified in our review to determine if the
      items without EDGAR disclaimers were publications. If so, determine the amount of
      improper expenditures and, if appropriate, initiate a recovery action for the unallowable use
      of funds.
                  · Status – Unresolved.
                  · Planned Completion Date – Not applicable, unresolved.
                  · Estimated Cost Savings – Not quantified. Implementation includes
                      determining the amount of any improper expenditures.
                  · Other Non-monetary Benefits – Enhanced program effectiveness and
                      compliance.




Report Title:                 Departmental Actions to Ensure Charter Schools’ Access to
                              Title I and Individuals with Disabilities Education Act, Part B
                              Funds
Issue Date:                   10/26/2004
Report Number:                A09E0014
Link to Report:               http://www.ed.gov/about/offices/list/oig/auditreports/a09e0014.pdf

Objective(s):

The objective of the audit was to determine whether the Department has taken sufficient action to
ensure that states and LEAs within those states provide new or expanding charter schools with
timely and meaningful information about the ESEA Title I and Individuals with Disabilities
Education Act (IDEA), Part B funds for which these schools may be eligible, and have
management controls that ensure charter schools, including new or expanding charter schools, are
allocated the proportionate amount of Title I and IDEA Part B funds for which these schools are
eligible.

Finding(s):

1.    The Department should identify the cognizant program office(s) responsible for oversight
      of SEA compliance with the ESEA § 5206 provisions.
2.    The Department should issue guidance on the need for SEA and LEA notification
      procedures for expanding charter schools.
3.    The Department should enhance Title I and IDEA Part B monitoring procedures to ensure
      new or expanding charter school LEAs and charter schools receive proportionate and
      timely access to Federal funds.
4.    The Office of Special Education and Rehabilitative Services should consider issuing
      guidance on the application of the IDEA Part B funding formula for charter school LEAs
      that did not have a student with disabilities enrolled in the first year of operation.

Recommendation(s) Not Yet Implemented by the Department:

2.1   Direct the appropriate program office(s) to provide guidance to SEAs on the need to
      establish written procedures on SEA or LEA notification requirements and the definition of
      "significant expansion of enrollment." The guidance should instruct SEAs to annually
      distribute this information to all charter schools, charter authorizers, and LEAs, to ensure
      that they are aware of the requirements and their respective responsibilities.
                    · Status – Resolved.
                    · Planned Completion Date – 12/31/2007.
                    · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                    · Other Non-monetary Benefits – Strengthened internal control, enhanced
                         program effectiveness and compliance.




Report Title:                      FSA Audits on Administrative Stay
Issue Date:                        5/04/2004
Report Number:                     L19E0008 (Alert Memorandum)

Objective(s):

The purpose of this alert memorandum is to inform the Department of concerns relating to FSA
audits on administrative stay.

Finding(s):

      1.      FSA placed 13 audits on administrative stay for excessive periods of time.
      2.      FSA did not follow Department guidelines for its use of administrative stays.
      3.      FSA did not maintain appropriate documentation of the audit resolution process.

Recommendation(s) Not Yet Implemented by the Department:

1.2        Ensure the two professional judgment audits, and the prior professional judgment audit, are
           promptly resolved as soon as a decision is received from the Secretary.
                        · Status – Unresolved.
                        · Planned Completion Date – Not applicable, unresolved.
                        · Estimated Cost Savings – Not applicable, non-monetary recommendation.
                        · Other Non-monetary Benefits – Enhanced monitoring and compliance.

Department Explanation of Any Delays in Implementing Recommendations:

The prior professional judgment audit has been remanded to the Office of Hearings and Appeals
for further review. FSA will resolve the audits as soon as a final decision is made on the case.




Report Title:                Contract Unliquidated Balances Converted From Department
                             of Education’s Payment Management System
Issue Date:                  8/29/2002
Report Number:               L07C0020 (Alert Memorandum)

Objective(s):

The purpose of this memorandum is to alert OCFO to an issue we identified concerning the
conversion of unliquidated contract obligations from Education Payment Management System
(EDPMS) to the Education Central Automated Processing System (EDCAPS). The net
unliquidated balances converted to EDCAPS may have been significantly overstated upon
conversion and determination of the actual amount paid under those contracts may require
extensive research and reconciliation.

Finding(s):

1.    Conversion of unliquidated contract balances from EDPMS to EDCAPS.

Recommendation(s) Not Yet Implemented by the Department:

1.1   Reconcile the actual payments made to total contract expenditures for the 11 contracts
      listed in the alert memo prior to contract closeout. Ensure that the reconciliation process
      for these contracts includes reviewing potentially overstated unliquidated obligations
      converted from EDPMS to EDCAPS.
                     · Status – Resolved.
                     · Planned Completion Date – 01/30/2008.
                     · Estimated Cost Savings – Not quantified. Implementation includes
                         determining the amount of any overstated obligations.
                     · Other Non-monetary Benefits – Increased data reliability/accuracy, strengthened
                         internal control.




             Appendix A - Acronym Listing

AARTS        Audit Accountability and Resolution Tracking System
ACS          Administrative Communications System
C&A          Certification and Accreditation
CAM          Contracts and Acquisitions Management
CFO          Chief Financial Officer
CIO          Chief Information Officer
CO           Contracting Officer
COD          Common Origination and Disbursement
COO          Chief Operating Officer
COR          Contracting Officer’s Representative
CPIC         Capital Planning and Investment Control
Department   U.S. Department of Education
DEOA         Department of Education Organization Act
EDCAPS       Education Central Automated Processing System
EDGAR        Education Department General Administrative Regulations
EDNet        Department’s computer network system
EDPMS        Education Payment Management System
EIA          Temporary Emergency Impact Aid
ESEA         Elementary and Secondary Education Act
EVMS         Earned Value Management System
FAFSA        Free Application for Federal Student Aid
FFEL         Federal Family Education Loan
FIE          Fund for the Improvement of Education
FIPSE        Fund for the Improvement of Postsecondary Education
FISMA        Federal Information Security Management Act
FMSS         Financial Management Support System
FSA          Federal Student Aid
GPOS         Grants Policy and Oversight Staff
HEA          Higher Education Act of 1965, as amended
IAMS         Investment Acquisition Management Services
IDEA         Individuals with Disabilities Education Act
IDS          Intrusion Detection System
IH           Incident Handling
IP           Internet Protocol
IPS          Intrusion Prevention System
IT           Information Technology
IV&V         Independent Verification & Validation
LEA          Local Educational Agency
LDE          Louisiana Department of Education
MRC          Modified Repeat Condition
MEO          Most Effective Organization
NCLB         No Child Left Behind Act of 2001
NIST         National Institute of Standards and Technology
OCFO         Office of the Chief Financial Officer
OESE         Office of Elementary and Secondary Education
OGC          Office of General Counsel
OIG          Office of Inspector General
OMB          Office of Management and Budget
OPE          Office of Postsecondary Education
PII          Personally Identifiable Information
PO           Principal Office
RLA          Reading Leadership Academies
SEA          State Educational Agency
SLM          Student Loan Model
TATS         Telecommunications Automated Tracking System
TEA          Texas Education Agency
VIDE         Virgin Islands Department of Education
         Appendix B

Request from Chairman Waxman