Statement of Lorraine Lewis Inspector General U.S. Department of Education Before the Subcommittee on Oversight and Investigations Committee on Education and the Workforce U.S. House of Representatives September 19, 2000 Mr. Chairman and Members of the Subcommittee: I am here today at your invitation to discuss matters related to financial management and computer security at the Department of Education. Specifically, I will address: (1) the Department’s progress on fiscal year (FY) 1999 financial statement audit recommendations; (2) the status of the FY 2000 financial statement audit; (3) a summary of duplicate payments made in FY 2000; (4) recent OIG computer security reviews; and (5) recent investigations. Progress on FY 1999 Financial Statement Audit Recommendations On March 1, 2000, we testified before the Subcommittee on Oversight and Investigations and reported that a total of 139 recommendations had been made for the FY 1995 through the FY 1999 financial statement audits. At that time, 111 recommendations remained open, 28 were closed, and 74 were non-repetitive. Since that hearing, the Department provided us with a response to the FY 1999 financial statement audit and corrective action plans for all of the financial statement audits. 2 Through the cooperative efforts of the Department and my office, 95 recommendations have closed and 44 remain open. Thirty of the 44 recommendations open for corrective action are non-repetitive. Of the 24 recommendations contained in the FY 1999 financial statement audit, 18 are open and six are closed. The Department provided my office with updated corrective action plans for the FY 1995 through FY 1999 financial statement audits on September 15, 2000. Currently, we are assessing these corrective action plans. Fiscal Year 2000 Financial Statement Audits As a result of meeting the March 1, 2000, deadline for the FY 1999 audit, we are much further along in the audit of FY 2000 than we were this time last year for FY 1999. Timely reporting for FY 1999 has allowed us to plan earlier for this year's audit, with the greatest strides made in the coordination of our own systems audit efforts with those of Ernst & Young's information systems auditors. This coordination has helped increase the audit coverage in this important area of work. The Department has focused earlier on the financial statement preparation process. For example, the Department prepared two sets of interim statements, as of March 31 and June 30. The final financial statements are due to us on December 1. As Ernst & Young will testify, we are unable to forecast or speculate as to the ultimate opinion which will be rendered in March 2001. 3 Duplicate Payments At your request, I am providing this summary of duplicate payments issued by the Department in FY 2000. Four instances of duplicate payments occurred in FY 2000 and involved either grants or student financial assistance. Three of these instances were discovered soon after they occurred by the grantees or schools and the Department was subsequently informed. The other instance was identified by system controls in the electronic payment system. Two of the instances occurred in October 1999 and two occurred in December 1999. In October, a payment for $19 million was transmitted twice, then subsequently recovered by an electronic reversal. A second instance resulted in $125 million in duplicate payments being issued to approximately 48 grantees. In December 1999, duplicate payments totaling $663,472 were issued to 51 schools, and $6 million was issued to one school. All of these duplicate payments have been recovered. Computer Security Several recent OIG reports indicate that the Department needs to improve its computer security controls. Report on Security Posture, Policies, and Plans In February 2000, we issued an audit that reviewed the security posture, policies and plans for the Department’s 14 mission-critical information technology systems. Our objective was to determine the existence of required security documentation and its compliance with applicable requirements of the Computer Security Act [40 U.S.C. 1441 note], Paperwork 4 Reduction Act [44 U.S.C. 3506(g)(1)], and Appendix III of the Office of Management and Budget’s (OMB) Circular A-130. Specifically, we determined whether these systems had security plans in place, met requirements for a current security review, and had corrective action plans in place to correct identified deficiencies. We also determined whether the Department took steps to screen appropriate personnel and whether system security officers received security training. Our scope did not include a security review of the remaining 161 systems that the Department identifies as non-critical. During this review, we found the following weaknesses: (1) the Department has not completed revisions of its security policies; (2) systems security officers of student financial assistance systems do not report to managers that have functional authority over the process being automated; (3) security plans are not in place for six mission-critical systems; (4) the Department did not complete required security reviews for six mission-critical systems; (5) there is no process to ensure resolution of identified security deficiencies; (6) many employees responsible for overseeing computer security lack required technical security training; (7) the Department has not taken steps to ensure that appropriate personnel are screened. Two of these findings -- the lack of security plans and the lack of technical security training -- represent noncompliance with the Computer Security Act. All seven findings represent noncompliance with the OMB Circular A-130. Because the Department is not adhering to requirements in Circular A-130, it may not be in compliance with the Paperwork Reduction Act. The Department agreed with the overall content of our report and concurred with the seven findings. The Chief Information Officer (CIO) recently informed us that the security reviews have now been completed for the remaining six systems and that security plans should be in place for all critical systems by October 2000. The CIO has also updated its IT security 5 policy and submitted it for clearance as a Department directive. In July, the Deputy Secretary issued a memorandum requiring all Department staff to complete computer security awareness training. According to the Department, as of September 13, 2000, 85 percent of Department staff have completed this training. The CIO is also working to identify individuals who need more specialized training and to acquire the appropriate courses for these staff. As we recommended, the Department also reported security management as a material weakness in its 1999 Federal Managers’ Financial Integrity Act report. We will continue to monitor the Department’s corrective actions to address our findings and recommendations, as well as conduct an annual review of the Department’s security program. Reviews of GAPS and EDNet We have also performed detailed security audits of two critical systems in the Department -- the Grant Administration and Payment System (GAPS) and the Department-wide network (EDNet). The review of GAPS security was completed in September 1998. The report Review of EDNet Security was completed in July 2000 and evaluated the security posture of the Department’s information technology infrastructure. The EDNet is the Department’s primary network facility and is comprised of a telecommunications system and many connected resources, including large computers, printers, and local area networks (servers). Use of EDNet allows connectivity among all Departmental information technology resources. We identified several areas in these audits where the Department can strengthen controls to enhance overall accountability and control of these systems. We cannot disclose the specific findings and recommendations to the public since these audits contain sensitive security-related 6 information. The Department concurred with our findings and recommendations and we will continue to monitor the progress of their corrective actions. Review of PDD 63 Our office also recently completed work on an audit entitled Review of Planning and Assessment Activities for Presidential Decision Directive 63 – Critical Infrastructure Protection. Presidential Decision Directive 63 (PDD 63) is a national effort to assure the security of the nation’s critical infrastructures. We are participating in a government-wide review by the President’s Council on Integrity and Efficiency on implementation of PDD 63. Our current audit represents the first phase of this project. The objective for the first phase was to assess the adequacy of agency planning and assessment activities for protecting their critical, cyber-based infrastructures. We reviewed: (1) the adequacy of the Department’s plans; (2) its asset identification efforts; and (3) initial vulnerability assessments. We found that the Department needs to revise and implement its critical infrastructure protection plan, identify its critical infrastructure assets, and conduct vulnerability assessments of those assets. Overall, we made ten recommendations to the Department that address our findings. The Department has concurred with our findings and recommendations and we will monitor the progress of their corrective actions. Recent Actions Among those actions already implemented, the Department’s CIO designated a Deputy CIO for Information Assurance and assigned three additional staff members to the IT security area. The Department has also established the Information and Critical Infrastructure Assurance 7 Steering Committee (Steering Committee). Its mission is to advise the Deputy Secretary, CIO, and Chief Infrastructure Assurance Officer on Department-wide IT security and critical asset assurance policies and to coordinate and help implement the Department’s information security and critical information structure assurance program. The Committee is co-chaired by Deputy Secretary Frank Holleman and CIO Craig Luigart. Senior officers have designated principal office representatives. The Steering Committee has established several work groups to assist with: (1) security awareness and training, (2) incident handling, (3) background investigations, (4) continuity of operations in case of disaster, (5) authentication and public key infrastructure, (6) privacy protection, and (7) development and implementation of a Department-wide Critical Infrastructure Protection Plan. The CIO has informed us that the Department has established an interagency agreement to use the General Services Administration’s Safeguard Program to seek contractual support for identifying critical infrastructure assets by December 2000 and perform vulnerability assessments by April 2001. The CIO has informed us that he expects to submit a revised critical infrastructure protection plan to the Steering Committee in October 2000. These audits reflect the need for improved computer security at the Department. We have identified improvement of computer security posture, policies, and plans as a top management challenge and we will continue to closely monitor the Department’s corrective actions on our existing audits. Additionally, we plan to conduct an annual review of the Department’s computer security program. 8 Investigations As your staff requested verbally, I am providing information on pending investigations. Since the investigations are ongoing, I am providing only the information that is publicly available through court filings or other public disclosures. Investigation 1 We are conducting a vigorous investigation of individuals who, between 1997 and 1999, purchased equipment with federal funds for non-business related purposes, billed the Department for hours not worked, and received goods purchased with federal funds for personal use. These items include computers, printers, computer software, scanners, cordless telephones, a 61-inch television, walkie-talkies, compact disc players, and other equipment. The total cost of these items to the Department was over $300,000. In addition, it is estimated that between January 1, 1997, and November 30, 1999, approximately $634,000 in unworked hours were fraudulently charged to the Department by individuals involved in the case. Thus far, three individuals, Robert J. Sweeney, Joseph Dennis Morgan, and Raymond L. Morgan, Jr. have pled guilty based on their involvement in the case. Additionally, the U.S. Attorney’s Office for the District of Columbia has filed criminal charges against three other individuals associated with this criminal activity. These three individuals are current employees of the Department who have been placed on indefinite suspension without pay. 9 Investigation 2 On this matter, I can discuss only what has been made a matter of public record by the filing of a civil complaint to recover fraudulently misdirected Impact Aid funds. My office and the FBI are conducting a vigorous investigation, in conjunction with the U.S. Attorney’s Office for the District of Columbia. On July 13, 2000, the Department of Justice filed a verified civil complaint for forfeiture in rem to recover $1,657,980 from several bank accounts, two vehicles, and a building in Riverdale, Maryland. After serving the appropriate interested parties, publishing required notices and waiting the required periods during which time no answers or claims were filed, the Department of Justice filed a motion for default judgment of forfeiture, which is pending before the U.S. District Court for the District of Columbia. Background information set forth in the complaint states that $1.9 million in Impact Aid grant funds were fraudulently wired into two bank accounts. These Impact Aid funds should have been disbursed to two school districts in South Dakota. Nearly all the funds and property purchased with these funds have been seized by the United States. A lis pendens has been placed against the real property. The cars were located and seized in April and May 2000 by OIG, FBI, and local police in Maryland. Conclusion Our support for strong financial management and computer security is evidenced by the audits and investigations discussed above. In addition, we will continue to identify areas for improvement at the Department of Education. 10 Ultimately, the design and implementation of any internal control must be based on an analysis of costs and benefits. Even well designed and implemented internal controls cannot provide absolute assurance against fraud, waste, and abuse. There will always be factors such as human mistakes and acts of collusion that will be outside the control or influence of management. That is why we need to remain vigilant and maintain a credible deterrence through, among other things, a regular program of management reviews, an active hotline function, and vigorous audit, investigative, and inspection operations. Mr. Chairman, that concludes my prepared testimony. I am happy to answer any questions you or other members of the Subcommittee may have on these issues.
before the Subcommittee on Oversight and Investigations, Committee on Education and the Workforce Regarding Financial Management and Computer Security at the Department of Education.on September 19, 2000 PDF
Published by the Department of Education, Office of Inspector General on 2000-09-19.
Below is a raw (and likely hideous) rendition of the original report. (PDF)