OFFICE OF INSPECTOR GENERAL

Audit Report

The Farm Credit Administration’s Controls Over the Electronic Official Personnel Folder

A-16-03

Auditor-in-Charge Sonya Cerne

Issued April 21, 2016

FARM CREDIT ADMINISTRATION

Farm Credit Administration
Office of Inspector General
1501 Farm Credit Drive
McLean, Virginia 22102-5090

April 21, 2016

The Honorable Kenneth A. Spearman, Board Chairman
The Honorable Dallas P. Tonsager, Board Member
The Honorable Jeffery S. Hall, Board Member
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Board Chairman Spearman and FCA Board Members Tonsager and Hall:

The Office of Inspector General (OIG) completed an audit of the Farm Credit Administration’s (FCA or Agency) Controls over the Electronic Official Personnel Folder (eOPF). The objective of this audit was to review the effectiveness of controls related to the eOPF.

The Agency initiated actions to improve the eOPF process. FCA awarded two contracts; the first to ensure service computation dates were accurate and correctly documented. The second contract aimed to eliminate a backlog of documents to be scanned in the eOPFs. The Human Resources Team also conducted a benefits review in 2015 and is revising the eOPF Internal Procedures.

We identified opportunities for further improvement to the controls over the eOPFs. In response to our report, the Office of Management Services agreed to:

1. Document decisions on those forms FCA is requiring in the eOPF and finalize the eOPF Internal Procedures.
2. Develop and implement policies, procedures, and/or controls for new, transfer, and promoted employees to ensure completeness.
3. Initiate a process to review and transfer eOPFs for separating personnel. Monitor status of transferred files on a quarterly basis to ensure folders are closed and can no longer be accessed.
4. Complete a plan to update missing information that includes finalizing the results from the contractor review.

We appreciate the courtesies and professionalism extended by FCA personnel to the OIG staff. If you have any questions about this audit, I would be pleased to meet with you at your convenience.

Respectfully,

Elizabeth M. Dean
Inspector General

Enclosure

The objective of the audit was to review the effectiveness of controls related to the Electronic Official Personnel Folder (eOPF).

In order to improve the controls over the eOPF, the Office of Management Services (OMS) agreed to:

1. Document decisions on those forms FCA is requiring in the eOPF and finalize the eOPF Internal Procedures.
2. Develop and implement policies, procedures, and/or controls for new, transfer, and promoted employees to ensure completeness.
3. Initiate a process to review and transfer eOPFs for separating personnel. Monitor status of transferred files on a quarterly basis to ensure folders are closed and can no longer be accessed.
4. Complete a plan to update missing information that includes finalizing the results from the contractor review.

OMS agreed with the report and provided specific tasks to be completed to strengthen the controls over the eOPF. These tasks included documenting decisions on required forms, updating internal operating procedures, and implementing new controls. The Agency stated it would also complete a plan that includes a full review of current FCA employee eOPFs and all outstanding items from the 2014 contractor review.

RESULTS:

The Farm Credit Administration (FCA or the Agency) initiated actions to improve the eOPF process. FCA awarded two contracts; the first to ensure service computation dates were accurate and correctly documented. The second contract aimed to eliminate a backlog of documents to be scanned in the eOPFs. The Human Resources Team also conducted a benefits review in 2015 and has been working to revise the internal procedures for maintaining the eOPF.

We identified opportunities for further improvement to the controls over the eOPFs. We found several themes of missing and/or incomplete forms in sampled eOPFs.

- 42 of the 92 eOPFs reviewed were missing or had outdated position descriptions.
- 48 of the 85 eOPFs reviewed were missing or had incomplete SF 144 Statement of Prior Federal Service.
- 42 of the 85 eOPFs reviewed were missing the Emergency Contact Form.

During our review of reports used to verify eOPF access levels and activity, we found that additional controls may need to be implemented. Former employees’ files remained on FCA’s listing and were not transferred in a timely manner contrary to Office of Personnel Management guidance. We also found outstanding items from a prior contractor review remained open.

TABLE OF CONTENTS

BACKGROUND
  Prior Reviews
AUDIT RESULTS
  Incomplete or Missing Important Forms
  eOPF Access Controls
  Contractor Progress
  Agreed-Upon Actions 1-4
OBJECTIVE, SCOPE, AND METHODOLOGY
ACRONYMS

BACKGROUND

The Farm Credit Administration (FCA or Agency) is an independent Federal agency responsible for regulating, examining, and supervising the Farm Credit System and the Federal Agricultural Mortgage Corporation. The mission as a financial regulator is to ensure a safe, sound, and dependable source of credit and related services for agriculture and rural America. FCA currently has 289 employees to help accomplish this mission.

For its employees, FCA has a responsibility to maintain official personnel records in accordance with Title 5, Code of Federal Regulations, Part 293 and related Office of Personnel Management’s (OPM) guidance. FCA joined with other small agencies to form the Small Agency Consortium. The Consortium worked together to contract for the creation of a system and to convert employee records into digital format. FCA signed an agreement for the OPM Enterprise Human Resources Integration, which is responsible for maintaining the integrity of the Electronic Official Personnel Folder (eOPF). FCA implemented the eOPF for the Agency in July 2009.

The eOPF is a re-creation of the paper personnel folder that contains all official records required to document an employee’s Federal career. Federal employees access individual personnel folders through an internet-based, self-service tool. Employees are allowed to view their own eOPF, but they cannot modify the documents. OPM and FCA’s Human Resources Team (HR Team) use the documents in the eOPF to make decisions about employees’ rights and benefits throughout their career.

OPM’s Guide to Personnel Recordkeeping: “Civilian personnel records are any records concerning an individual which are maintained and used in the personnel management or personnel policy setting process. These include records that relate to the supervision over, and management of, Federal civilian employees; records on the general administration and operation of human resource management programs and functions; as well as records that concern individual employees.”

The personnel folders are under OPM’s control, although they are in the custody of the employing agencies and virtual custody of those agencies that recognize the eOPF as the official record.

When a new FCA employee is also new to the Federal government, FCA is responsible for creating the employee’s eOPF. If the employee transfers from another agency, FCA must coordinate with the former agency to gain control of the eOPF. If an employee separates from the Agency, the eOPF is to be transferred to the gaining agency. If the employee is leaving Federal service, the eOPF must be transferred to the National Personnel Records Center within 90 days unless there are exceptional circumstances that involve death benefits, grievances, or similarly unique issues.

OPM issues Government-wide guidance on documenting individuals’ Federal employment through two main documents:

- The Guide to Processing Personnel Actions - contains OPM’s instructions on how to prepare personnel actions.
- The Guide to Personnel Recordkeeping - contains the general personnel recordkeeping policies on establishing personnel records, filing documents, and reconstructing a personnel folder.

No two employees will have the same documents in their eOPF. Some items may apply to certain people based on their type of service and records. The OPM guidance establishes the procedures on where a document should be placed within the eOPF if it applies to an individual and what documents may be included in different sections. In order to assist with compliance, FCA created a checklist in the eOPF Internal Procedures that lists all documents considered by FCA to be “mandatory” for FCA employees’ eOPFs.

The eOPFs must meet the National Archives and Records Administration’s standards for electronic records and the security requirements established under Office of Management and Budget (OMB) Circular No. A-130. FCA contracted with OPM through the Small Agency Consortium for eOPF services and maintenance. OPM’s Enterprise Human Resources Integration eOPF project office is responsible for ensuring an adequate level of protection and security is afforded to the system.
FCA documents the security of the contracted system through a security plan that is reviewed annually and follows internal procedures for the eOPF, which are currently being revised.

Within FCA, Human Resource (HR) Specialists on the HR Team of the Office of Management Services (OMS) oversee the eOPF system. During the onboarding process, FCA has a packet of documents for new employees to complete. HR Specialists also gather additional documents from employees and former agencies, if applicable. Some forms are generated internally. OMS has an automation clerk who scans documents received by HR Specialists into the eOPF system.

Prior Reviews

We have previously reviewed elements of the eOPF system, including a required annual review of FCA’s compliance with the Federal Information Security Modernization Act (FISMA). During our FISMA review in 2013, we found OMS needed to improve controls over the eOPF system. OMS agreed to strengthen oversight of the eOPF system by:

- Clearly defining controls in the security plan including frequency of review and responsible party,
- Periodically reviewing access control lists to ensure access is appropriate and limited to authorized users, and
- Obtaining and reviewing the independent security assessment report regarding security of the system.

The recommendation was addressed and closed in February 2014.

AUDIT RESULTS

The objective of this audit was to review the effectiveness of controls related to the eOPF. We found FCA implemented various controls since the eOPF implementation in 2009. The Agency created a security plan for the eOPF. FCA also uses a process to review a listing of records accessed and a roles report identifying personnel with access to employee eOPFs.

We also found the personnel actions performed in the eOPFs were timely. In fact, we identified no issues with pay adjustment for 2016 or promotion actions.
For all employees tested, FCA consistently created eOPFs and received transferred records for employees previously at other agencies.

FCA also initiated various actions to improve the eOPF process. FCA awarded two contracts; the first to ensure service computation dates were accurate and correctly documented. The second contract aimed to eliminate a backlog of documents to be scanned in the eOPFs. The HR Team conducted a benefits review in 2015 that focused on ensuring employee eOPFs contained the correct benefit election forms. The HR Team is also working to revise the eOPF Internal Procedures.

Although FCA implemented these actions, we identified opportunities for further improvement to the controls over the eOPFs to ensure the records are accurate and updated.

Incomplete or Missing Important Forms

We tested controls over the eOPF by determining whether the Agency had implemented an adequate process to:

- ensure accuracy of information in files,
- create eOPFs for new employees, and
- properly document files in the eOPFs.

OMS has an internal procedure. Within the procedures is a list of documents required by FCA. We used the list generated by OMS to determine if the following forms were in the eOPFs:

| Document [1] | Description |
|---|---|
| DD-214 - Certificate of Release or Discharge from Active Duty | Documents military service creditable for leave accrual, reduction-in-force, retirement or veterans’ preference. |
| OF-306 - Declaration for Federal Employment | Used to determine acceptability for Federal and Federal contract employment. |
| SF-50 - Notification of Personnel Action | Documents personnel actions such as promotions, pay changes, and position changes. |
| SF-61 - Appointment Affidavit | Document supporting the Federal appointment signed by employee. |
| SF-144 - Statement of Prior Federal Service | Documents the employee’s creditable service from prior Federal (civilian and military) service. |
| SF-2809 - Health Benefits Election | Used to enroll or change elections to the Federal Employee Health Benefits Program. Documents enrollment and elections made by the employee. |
| SF-2817 - Life Insurance Election | Used to make elections under the Federal Employees’ Group Life Insurance Program. Documents the election or waiver of the program by the employee. |
| TSP-1 and TSP-1C - Thrift Savings Plan Election | Documents the elections made for the Thrift Savings Plan and catch-up contributions. |
| Emergency Contact Form | Form used to document emergency contact information for FCA employees. |
| Offer Letter | Documents the offer FCA made to the employee during the hiring process and the employee’s acceptance of the offer. |
| Resume | Filed in the eOPF when submitted by applicant and used as basis for Federal appointments. |
| Position Description | Documents a position’s responsibilities, primary functions, pay plan, occupational code, pay grade. |
| Transcripts | Filed in the eOPF when the position has an education requirement. |

[1] Although the eOPFs were reviewed for these items, in some cases, the documents would not be required. For example, if a person did not serve in the military, they would not have a DD-214 in their eOPF.

Our review indicated several themes of missing and/or incomplete forms [2].

- Position Descriptions - The form was missing or contained outdated information in 42 of the 92 [3] eOPFs reviewed. OPM states a position description is a statement of the major duties, responsibilities, and supervisory relationships of a position. It indicates the work to be performed in the position. The purpose is to document the major duties and responsibilities of a position, but not to spell out in detail every possible activity during the workday. Because of its importance and relation to other areas such as promotions, performance, and pay, it is essential for this form to be placed in the eOPF with current, updated information. There are no other “mandatory” documents placed in the eOPF that would capture this type of information.
- SF 144 Statement of Prior Federal Service - The form was missing or contained incomplete information in 48 of the 85 eOPFs reviewed. This form is used by the Agency to credit prior Federal service for benefits. The form allows an employee to list prior civilian and uniformed service. Although this form is voluntary, HR personnel stated the form is useful because it reminds employees to document their prior service that could affect their leave accruals and retirement calculations.
- Emergency Contact Form - The form was missing in 42 of the 85 eOPFs reviewed. This form is collected when a person begins work at FCA so that the Agency has contact information in case of emergencies. This information is important to collect and maintain for emergency preparedness. HR personnel stated that while they believe the information is beneficial and should be collected, they did not believe that this information should be in the eOPFs, despite being listed as a mandatory item in the eOPF Internal Procedures.

[2] We sampled eOPFs for employees promoted from January 1, 2015 to December 31, 2015. We reviewed personnel actions and position descriptions for the sampled files. We also reviewed items in the eOPFs for new and transferred employees arriving at FCA from January 1, 2013 to December 31, 2015. Our third sample was derived from other employees whose entry date to FCA was prior to 2013 and were not promoted in 2015 to ensure no overlap with other samples. We reviewed employees’ leave and earning statements for Pay Period 3 and compared deductions for Federal Health Benefits, Federal Group Life Insurance, and Thrift Savings Plan elections to documents found in the eOPF. We also compared 2016 pay adjustment information to the SF-50 personnel actions in the eOPF for the sampled individuals. Because the samples were judgmental, the results cannot be projected over the entire population.

[3] The number of reviewed eOPFs for position descriptions is higher than other areas reviewed. This occurred because position descriptions were reviewed for the promoted individuals sampled. We reviewed personnel action forms and position descriptions. Other forms, such as those listed on this page were not reviewed in this sample.

We also identified other missing items in the eOPFs. Of the eOPFs reviewed, 19 individuals were missing an OF-306 Declaration for Federal Employment form, which is used, in part, to determine suitability for Federal employment. Agency personnel stated that for individuals that have been with the Agency for an extended amount of time, the forms may not exist. However, there may be an opportunity to place updated forms in the eOPF when the individual has their security review completed. FCA’s Personnel Security Officer gathers the document during background investigations; therefore, it would be available for placement in the eOPFs.

Although not consistently found, in some instances there were documents, such as resumes or transcripts, missing from different eOPFs. The HR Team has addressed some of these items and stated they will continue to do so. OMS is also looking at implementing new checklists to be used for new, transferred, and promoted individuals.

We found the incomplete and missing documents occurred because eOPF controls need to be further strengthened. Internal procedures are currently being revised.

FCA needs to document decisions made on forms to be placed in the eOPF and finalize the eOPF Internal Procedures. Based on OPM guidance there are multiple ways to meet requirements. The Agency can make decisions on which documents will be collected and best practices to be utilized. Finalized procedures that include Agency decisions will provide a consistent method to be followed by the HR Team.

There are gaps in the current process for new, transferred, and promoted employees. Numerous people are involved in the eOPF process (HR Specialists, former agency personnel, automation clerk, etc.).
There is, however, a lack of accountability in the process with respect to which position is responsible for obtaining documentation and then loading it into the folder. Additional controls, such as checklists, would increase accountability and provide for easier follow up when there is missing documentation.

The current approach to collecting emergency contact information is ineffective and inefficient in meeting the goal of being able to reach contacts in an emergency. Although internal procedures show the emergency contact form as a mandatory item, the information is neither easily updated because employees cannot add or change documents in the eOPF nor accessible in emergencies.

eOPF Access Controls

All access in the eOPF system is logged. The eOPF system provides an audit trail capability that logs documents viewed, date viewed, who accessed the document, and why the authorized user reviewed the files. Each quarter, an HR Specialist issues two reports to the Human Resources and Training Team Associate Director and Director of OMS showing the audit trail records. One report shows all accesses for the quarter (access report). The other report shows individuals with group access responsibilities, who are mostly the HR Specialists (roles report).

During our review of the first quarter access and roles reports, we found that additional controls may be necessary. We compared the employee names on the access report to a list of current employees and another list of employees separated over the last two years. OPM guidance states eOPF access should be transferred within 90 days. We identified seven former employees’ eOPFs listed on the quarterly report that were past the 90-day threshold. Three of the seven employees separated from the Agency in 2012. We also identified three users that appeared on the access report, but were not identified as authorized users on the roles report.
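
The comparison described above (access report against the roles report and the separation list) can be scripted so that each quarterly review surfaces both kinds of finding. This is an added example, not FCA or OPM tooling; the CSV layouts, user IDs and dates are constructed for illustration, since the report does not describe the real export format.

```python
import csv
import io
from datetime import date, timedelta

TRANSFER_WINDOW = timedelta(days=90)  # transfer deadline cited in the report

# Constructed sample exports. Column names, user IDs and dates are assumptions
# made for this example; the report does not describe the real export layout.
ACCESS_REPORT = """\
accessed_by,folder_owner,access_date
hr.alvarez,emp.baker,2016-01-12
emp.baker,emp.baker,2016-01-15
hr.alvarez,emp.chen,2016-02-03
mgr.doyle,emp.evans,2016-02-10
hr.ford,emp.gray,2016-03-01
emp.hale,emp.chen,2016-03-09
"""
ROLES_REPORT = """\
user_id,role
hr.alvarez,HR Specialist
hr.ford,HR Specialist
"""
SEPARATIONS = """\
employee,separation_date
emp.chen,2012-06-30
emp.gray,2016-01-29
"""


def read_rows(text):
    """Parse one CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unauthorized_accessors(access_rows, roles_rows):
    """Users who opened another person's folder but are not on the roles report.

    Employees may view their own eOPF, so self-access is not a finding.
    Returns {user: [folders opened]}.
    """
    authorized = {r["user_id"] for r in roles_rows}
    findings = {}
    for row in access_rows:
        user, owner = row["accessed_by"], row["folder_owner"]
        if user != owner and user not in authorized:
            findings.setdefault(user, set()).add(owner)
    return {user: sorted(owners) for user, owners in sorted(findings.items())}


def overdue_transfers(access_rows, separation_rows):
    """Folders of separated employees still accessed after the 90-day window.

    Returns {folder_owner: days between separation and the latest access}.
    """
    separated = {r["employee"]: date.fromisoformat(r["separation_date"])
                 for r in separation_rows}
    latest = {}
    for row in access_rows:
        owner = row["folder_owner"]
        if owner in separated:
            when = date.fromisoformat(row["access_date"])
            latest[owner] = max(latest.get(owner, when), when)
    return {owner: (when - separated[owner]).days
            for owner, when in sorted(latest.items())
            if when - separated[owner] > TRANSFER_WINDOW}


def reconcile():
    """Run both checks over the constructed sample data."""
    access = read_rows(ACCESS_REPORT)
    return {
        "unauthorized": unauthorized_accessors(access, read_rows(ROLES_REPORT)),
        "overdue": overdue_transfers(access, read_rows(SEPARATIONS)),
    }


if __name__ == "__main__":
    for finding, detail in reconcile().items():
        print(finding, detail)
```

A folder accessed within 90 days of separation (emp.gray in the sample) is not flagged; only access after the window counts as evidence that the folder was not transferred on time.
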
OMS is currently working on determining the reasons why the individuals accessed the files.

FCA’s security plan states that quarterly reports will be issued showing roles and accesses to files. The reports were issued; however, the review did not reveal the access concerns listed above. Although the control was designed adequately, the implementation of the control needs improvement. In addition, the Agency does not have a process in place to review, track, and monitor files needing transfer within 90 days.

Contractor Progress

In 2014, FCA hired a contractor to determine an accurate service computation date for leave and retirement purposes for each employee. The contractor reviewed the eOPFs for complete Federal service history, salary, military service, and other creditable service. The contractors reported findings to OMS. OMS then issued the findings to individual employees when there were issues and concerns. HR Specialists worked to resolve some of the open issues and another contractor serving as a part-time retirement services counselor is currently assigned responsibility over addressing items in this findings list.

There are many open items remaining on the list. These items potentially affect the completeness of employee eOPFs. The contractor stated the findings list is not currently being addressed due to other needs of the Agency. While we understand priorities must be established, the goal of the original review was to ensure completeness and accuracy. Currently, there is not a plan with specific timeframes and goals to have the open items resolved. Therefore, a plan may be beneficial to establish timeframes and goals for resolution of the remaining items.

Agreed-Upon Actions 1-4

In order to improve the controls over the eOPF, OMS agreed to:

1. Document decisions on those forms FCA is requiring in the eOPF and finalize the eOPF Internal Procedures.
2. Develop and implement policies, procedures, and/or controls for new, transfer, and promoted employees to ensure completeness.
3. Initiate a process to review and transfer eOPFs for separating personnel. Monitor status of transferred files on a quarterly basis to ensure folders are closed and can no longer be accessed.
4. Complete a plan to update missing information that includes finalizing the results from the contractor review.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to review the effectiveness of controls related to the eOPF. We conducted fieldwork at FCA’s Headquarters in McLean, VA from February through April 2016. We limited our scope to FCA’s implementation efforts of the eOPF since 2009.

We took the following steps to accomplish the objective:

- Identified and reviewed applicable Federal laws, regulations, OMB policy, and other guidance related to the objective.
- Reviewed prior audits, inspections, evaluations, and reviews related to the audit objective.
- Conducted interviews with the Chief Human Capital Officer, Assistant Director for the Human Resources and Training Team, Records Officer, and selected Human Resources personnel.
- Identified and reviewed applicable internal FCA policies and procedures.
- Reviewed current employee statistics: date of entry, promotion dates, and onboarding codes.
- Sampled eOPFs for employees promoted from January 1, 2015 to December 31, 2015. We reviewed personnel actions and position descriptions for the sampled files. The sample was judgmental and cannot be projected over the entire population.
- Reviewed selected items in the eOPFs for new and transferred employees arriving at FCA from January 1, 2013 to December 31, 2015. Because the sample was judgmental, it cannot be projected over the entire population.
- Reviewed selected items in the eOPFs for other employees. We considered employee’s entry date to FCA and promotion dates to ensure no overlap with other samples. We also reviewed each sampled employee’s leave and earnings statement for Pay Period 3 (February 7-20, 2016) and compared deductions for Federal Health Benefits, Federal Group Life Insurance, and Thrift Savings Plan elections to documents found in the eOPF. We also compared 2016 pay adjustment information to the SF-50 personnel actions in the eOPF for the sampled individuals. Because the sample was judgmental, it cannot be projected over the entire population.

This audit was performed in accordance with the Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We assessed internal controls and compliance with laws and regulations to the extent necessary to satisfy the objective. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We assessed the computer-processed data relevant to our audit objective through comparing multiple types of data to various sources and assessing risk. We determined that the data was sufficiently reliable. We assessed the risk of fraud related to our audit objectives in the course of evaluating audit evidence. Overall, we believe the evidence obtained provides a reasonable basis for our conclusions based on our audit objective.

ACRONYMS

DD: Department of Defense
eOPF: Electronic Official Personnel Folder
FCA: Farm Credit Administration
FCS: Farm Credit System
FISMA: Federal Information Security Modernization Act
FY: Fiscal Year
HR: Human Resources
OF: Optional Form
OIG: Office of Inspector General
OMB: Office of Management and Budget
OMS: Office of Management Services
OPM: Office of Personnel Management
SF: Standard Form
TSP: Thrift Savings Plan

REPORT Fraud | Waste | Abuse | Mismanagement

FARM CREDIT ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

Phone: Toll Free (800) 437-7322; (703) 883-4316
Fax: (703) 883-4059
E-mail: fca-ig-email@example.com
Mail: Farm Credit Administration, Office of Inspector General, 1501 Farm Credit Drive, McLean, VA 22102-5090

FCA's Controls Over the Electronic Official Personnel Folder
Published by the Farm Credit Administration, Office of Inspector General on 2016-04-21.