OFFICE OF INSPECTOR GENERAL

Audit Report

Farm Credit Administration’s Personnel Security and Suitability Program

A-15-04

Auditor-in-Charge Tori Kaufman

Issued September 29, 2015

FARM CREDIT ADMINISTRATION

Farm Credit Administration
Office of Inspector General
1501 Farm Credit Drive
McLean, Virginia 22102-5090

September 29, 2015

The Honorable Kenneth A. Spearman, Board Chairman
The Honorable Dallas P. Tonsager, Board Member
The Honorable Jeffery S. Hall, Board Member
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Board Chairman Spearman and FCA Board Members Tonsager and Hall:

The Office of Inspector General (OIG) completed an audit of FCA’s Personnel Security and Suitability Program. The objective of this audit was to determine whether FCA is effectively managing the Personnel Security and Suitability Program.

During our audit, we found that the Office of Management Services (OMS) made important updates to the program. The Personnel Security Officer (PSO) reviewed security files and updated the investigation tracking spreadsheet with current information. In addition, substantial resources were dedicated to upgrading investigations. New investigations were initiated and completed for many employees, and an Alternate PSO had been selected. The PSO also used OPM systems to process investigations and evaluate reciprocity. Additional changes planned by the PSO and management and included in our recommendations will improve the efficiency and effectiveness of the Personnel Security and Suitability Program.

In response to our audit, OMS agreed to the following actions:

1. Review and implement internal control procedures to ensure the PSO’s tracking spreadsheet, security files, and risk designations are accurate and complete.
2. Finalize the designation of an Alternate PSO so that appropriate resources are available to fulfill the requirements of the Personnel Security and Suitability Program.
3. Update procedures for:
   • deciding and documenting position risk level and sensitivity to ensure all positions have a PDT designation that is appropriate for the duties and responsibilities of the position.
   • maintaining and organizing PDT records.
4. Revise processes to ensure employees are cleared or pre-appointment investigative requirements are waived before entering high risk positions.

We appreciate the courtesies and professionalism extended by FCA personnel to the OIG staff. If you have any questions about this audit, I would be pleased to meet with you at your convenience.

Respectfully,

Elizabeth M. Dean
Inspector General

Enclosure

OBJECTIVE: To determine whether FCA is effectively managing its Personnel Security and Suitability Program.

BACKGROUND: FCA’s Personnel Security and Suitability Program is responsible for ensuring that employment and retention within the federal service is consistent with the public trust and the interests of national security. Primary responsibility for the program is assigned to FCA’s Office of Management Services, with overall operations managed by the Personnel Security Officer. All positions are designated as high, moderate, or low risk based on the potential to adversely impact the efficiency or integrity of the service. Although FCA does not have a national security function, some positions have a national security sensitivity designation. Risk designations are determined using OPM’s required Position Designation Tool.

The Farm Credit Administration (FCA or Agency) made substantial updates to its Personnel Security and Suitability Program. The current Personnel Security Officer (PSO) started the position in May 2014. Prior to this personnel change, the program needed several improvements to ensure investigations were completed and documented appropriately. The PSO, with the support of management, took action to repair these deficiencies. The PSO reviewed each employee’s security file and updated the tracking spreadsheet with current information. In addition, substantial resources were devoted to upgrading investigations for many Agency employees. For fiscal year 2014 and 2015, FCA allocated about $300,000 to complete background investigations. During the scope of our audit, from October 2013 to March 2015, the Agency completed about 100 background investigations. These efforts greatly advanced the program in progressing to its current status.

Our review revealed additional opportunities to continue and complete improvement of monitoring and the dynamic process for appropriately designating positions. Certain areas for improvement had been recommended as part of previous: 1) OIG, 2) FCA internal control, and 3) Office of Personnel Management (OPM) reviews. Specifically, we found:

• Internal control procedures were not fully implemented.
• Designation of an Alternate PSO needed to be finalized in order to ensure appropriate resources are available to fulfill program requirements.
• FCA’s internal Personnel Security Procedure reflected requirements to use OPM’s Position Designation Tool (PDT); however, the Agency did not always maintain PDT results or ensure that the tool was used to designate all Agency positions.
• On occasion, employees were not cleared, or waived of pre-appointment investigative requirements, before entering high risk positions.

There are 4 agreed-upon actions to improve the Personnel Security and Suitability Program.
Table of Contents

BACKGROUND
   Prior Reviews
AUDIT RESULTS
   Monitoring Investigations
   Agreed-Upon Actions 1-2
   Position Designations
   Agreed-Upon Actions 3-4
OBJECTIVE, SCOPE, AND METHODOLOGY
ACRONYMS

BACKGROUND

The Farm Credit Administration (FCA or Agency) is an independent federal agency responsible for regulating, examining, and supervising the Farm Credit System and the Federal Agricultural Mortgage Corporation. The core mission of the Agency is to ensure a safe, sound, and dependable source of credit and related services for agriculture and rural America. To fulfill federal requirements and its mission, there is a continuing need for systematic and timely security determinations for employees.

FCA’s Personnel Security and Suitability Program is responsible for ensuring that employment and retention within the federal service is consistent with the public trust and the interests of national security. Primary responsibility for the program is assigned to FCA’s Office of Management Services (OMS), with overall operations managed by the Personnel Security Officer (PSO).

Public trust in Agency operations is important. Executive Order 10450, Security Requirements for Government Employment, April 1953, requires all federal employees be subject to investigation.
The scope of the investigation varies based on the nature of the position and the degree of harm an individual in that position could cause, which is the basis for the position’s risk level. Title 5 of the Code of Federal Regulations (CFR) Part 731, Suitability, requires agencies to designate all covered positions as high, moderate, or low risk based on the potential to adversely impact the efficiency or integrity of the service. High or moderate risk positions may involve policy making, major program responsibility, fiduciary responsibilities, protection of personal information, or control of financial records with significant risk for causing damage or realizing personal gain.

Positions that could bring about a material adverse effect on national security must also receive a sensitivity designation of special-sensitive, critical-sensitive, or non-critical sensitive per 5 CFR Part 732, National Security Positions. Although FCA does not have a national security function, a few positions have a national security designation. However, the majority of FCA employees are designated high, moderate, or low risk, with no national security sensitivity. The types of investigations performed for these designations are:

• Low Risk: National Agency Check and Inquiries (NACI)
• Moderate Risk: Moderate Risk Background Investigation (MBI)
• High Risk: Background Investigation (BI)

Investigations of FCA employees are completed by the Office of Personnel Management (OPM). Each year costs are established for all OPM investigative products. For fiscal year (FY) 2014, the cost of a NACI was about $120, an MBI is about $900, and a BI is about $3,000. A higher level background investigation, at a cost of about $4,000, is conducted for employees with a national security designation. Investigative costs increased in FY 2015. For FY 2014 and 2015, FCA allocated about $300,000 to complete background investigations.
To designate the risk level and sensitivity of positions, FCA uses OPM’s required Position Designation Tool (PDT). The PDT is an automated questionnaire that guides agencies in determining the proper level of investigation based on an assessment of risk and national security sensitivity. Requirements to use the PDT were established in the August 2010 Federal Investigations Notice 10-06, Position Designation Requirements. Currently, the Human Resources and Training Team (HRTT) uses the position description to complete the PDT. Position descriptions are the Agency’s formal documentation of each position’s duties and responsibilities. When a new employee is hired or changes positions, a copy of the position description and PDT are provided to the PSO. The PSO reviews each document and determines the need for a background investigation. The PSO uses OPM’s Central Verification System (CVS) to determine if the employee already has a reciprocally acceptable investigation. If a reciprocally valid investigation exists, no new investigation is necessary until the employee is due for a periodic reinvestigation. Employees in high, moderate, and sensitive positions must be reinvestigated every five years. Reinvestigations are not required for low risk employees, but the PSO uses the tracking spreadsheet to prioritize and review low risk employees with the oldest dates of investigation. Periodic reinvestigations for public trust positions are roughly one-quarter or less the cost of a new investigation. When a new investigation is necessary, an account is established in OPM’s Electronic Questionnaires for Investigations Processing (e-QIP) system. In e-QIP, employees electronically enter, update, and transmit the data required for their investigation. The scope and type of information required is based on the position being filled and its required level of investigation. 
Examples of data required for a background investigation include: employment history, residence information, and references. Once an applicant or employee certifies the information in e-QIP is complete and correct, the Agency must submit a request for investigation to OPM within 14 days. FCA started using e-QIP during 2012.

All background investigations are initiated and adjudicated by the PSO. Adjudication is the evaluation of pertinent data in a background investigation, as well as any other relevant and reliable information, to determine whether an employee is suitable for government employment. FCA makes suitability determinations based on: regulations covering adjudication requirements, OPM standards, the designated risk level and sensitivity of a position, and findings in background investigations.

Background investigations and adjudication forms are contained in employees’ security files, which are maintained by the PSO. Certifications of investigation, signed and dated by the PSO, document the type of background investigation completed and position occupied and confirm that a suitability determination has been made. These forms are uploaded in the employee’s electronic official personnel folder (eOPF). To facilitate tracking reciprocity, suitability adjudications must be reported to OPM no later than 90 days after receipt of the final report of investigation.

Personnel security and suitability is a challenging and ever moving target for a PSO, in part because requirements have changed, and continue to change and evolve, with some regularity based on regulatory changes and the continuing development of technology. OPM issues Federal Investigations Notices to inform agencies of changes in the investigation process, policy clarification, or upcoming events. For FY 2015, OPM changed NACI and MBI investigations to “Tier 1” and “Tier 2” investigations, respectively.
This change was part of the phased implementation of 2012 Federal Investigative Standards, mandating a five-tiered investigative model by 2017. In addition, 5 CFR Part 1400, Designation of National Security Positions, became effective in July 2015 and sets forth additional requirements for evaluating and designating sensitive positions. OPM is updating the PDT to reflect these requirements.

Prior Reviews

In May 1999, the Office of Inspector General (OIG) issued a management letter based on work performed as part of an investigation. The letter identified weaknesses in performing timely background investigations and designating proper sensitivity levels for Agency positions. In 2001, OIG performed a follow-up inspection to determine if FCA made progress in addressing the suggested actions in the management letter. OIG’s inspection identified the following:

• Policies and procedures needed updating
• The Personnel Security Program lacked emphasis
• Position sensitivity levels needed updating
• Personnel security functions were not being performed for all workers

The inspection resulted in 6 agreed-upon actions with various tasks to be completed. The agreed-upon actions were closed in 2002.

In August 2012, OPM conducted a review of FCA’s Personnel Security and Suitability Program. This review resulted in several findings and recommendations for improvement. The review focused on OPM suitability performance goals and measurements for October 2010 through September 2011. OPM conducted a follow-up review in November 2014.

AUDIT RESULTS

FCA has made obvious strides in updating and improving its Personnel Security and Suitability Program. Specifically, the current PSO dedicated significant resources to updating the investigation tracking spreadsheet with current information and upgrading employees’ risk designations.
In addition, the PSO uses OPM systems such as Electronic Questionnaires for Investigations Processing (e-QIP), the Central Verification System (CVS), and the Position Designation Tool (PDT). These systems are used to track required timeframes for initiating investigations, validate reciprocity, and ensure consistency in risk designations. Additional changes planned by the PSO and management and included in our recommendations will improve the efficiency and effectiveness of the Personnel Security and Suitability Program.

Monitoring Investigations

FCA made substantial updates to its Personnel Security and Suitability Program. The current PSO started the position in May 2014. The current PSO took over the position and began implementing needed improvements. Specifically, the PSO reviewed each employee’s security file and updated the tracking spreadsheet. The PSO stated this undertaking was time intensive and took concerted effort, along with juggling additional program responsibilities. During this security file review, the PSO made notes in the tracking spreadsheet about employees who did not have a security file, record of investigation in their security file, or supporting documentation in CVS or e-QIP.

The PSO also worked with management to devote substantial resources to upgrading investigations for a large portion of Agency employees. The PSO determined that several low risk employees should be upgraded to moderate risk, which required a new investigation to be completed. For fiscal year 2014 and 2015, FCA allocated about $300,000 to complete background investigations. During the scope of our audit, from October 2013 to March 2015, the Agency completed about 100 background investigations.
The following steps are necessary to ensure items identified by the PSO are addressed and all Agency employees have the appropriate background investigation for their position:

• Our scope included 160 employees with a start date, last investigation date, or due date of reinvestigation from October 2013 to March 2015, according to the PSO’s tracking spreadsheet. We also included in our scope employees whose information was blank in these categories. There were 22 of 160 employees with incomplete information in the tracking spreadsheet. The PSO made notes in the tracking spreadsheet on follow-up items for most of these employees.

• The PSO also used the tracking spreadsheet to monitor and prioritize investigations and reinvestigations. 5 CFR Part 731 requires reinvestigation every five years for public trust positions designated at the high or moderate risk level. Positions designated as low risk do not require a periodic reinvestigation. However, due to the diligence of the PSO, several low risk positions needing reevaluation were identified and prioritized for review. Of the 160 employees in our scope, there were 50 for whom the tracking spreadsheet contained information that follow-up attention was necessary. The PSO noted in the tracking spreadsheet that 12 of these employees did not have a security file or record of investigation in their security file and 18 of these employees needed their background investigation upgraded to moderate. 4 additional employees were noted as needing both. The remaining 16 employees were due for reinvestigation or required additional review steps by the PSO.

• Although we did not validate all data in the tracking spreadsheet, we judgmentally sampled 48 of the 160 employees in our scope and requested supporting documentation. Information in the tracking spreadsheet matched certifications of investigation for most employees in our sample.
8 employees in our sample had no security file or record of investigation in their security file. Three were noted as such in the tracking spreadsheet, but one of these employees had a certification of investigation from 2012 in their electronic official personnel folder (eOPF). Another employee was noted as having transferred in 1987 with a low risk background investigation, with no records in their security file, and a new investigation was in process. The remaining four employees without a security file or record of investigation in their security file included two employees who had worked at the Agency since 1988 and needed their investigation upgraded to moderate and two transfer employees, one newly hired in May 2014 and another hired in 2010. One employee had transferred with the appropriate level of investigation, and the PSO created a security file during our review. The other employee was noted as being reinvestigated in 2013, but there was no supporting documentation in their security file.

FCA’s internal Personnel Security Procedure describes specific internal control processes, including:

• quarterly reviews of security files,
• an annual review and update of position designations by the PSO, and
• an annual audit by an Alternate PSO of recent investigations and corresponding documentation.

The procedures require the results of the annual audit to be reported to the Director of the Office of Management Services (OMS) along with recommendations and corrective measures, as appropriate. Although planned, sufficient resources were not committed to the program to ensure reviews were performed.

An Alternate PSO had not been designated for the program for many years; however, during our review, officials stated an employee hired in June 2015 had taken appropriate training and was in the process of obtaining a clearance in order to assist the PSO.
Agency officials stated that once this clearance was granted, the intent would be for this employee to be the designated Alternate PSO. As the sole manager of the program with significant responsibilities outside of the Personnel Security and Suitability Program, the PSO needs additional resources and a backup to process, oversee, and monitor investigations for the Agency. As noted above, new investigations were initiated for many employees with upgraded risk levels and security files were reviewed to update the tracking spreadsheet. These efforts significantly contributed to resource requirements imposed on the current PSO. Once the PSO’s tracking spreadsheet is fully updated and internal control review processes are fully implemented, predictably, the program will be much more manageable and require fewer Agency resources. Although the Agency’s size supports keeping PSO responsibilities as a collateral duty, adequate resources are necessary to ensure program requirements are fulfilled. Historically, there had been a lack of appropriate emphasis on FCA’s Personnel Security and Suitability Program. Detailed control procedures were in place; however, these requirements were not prioritized and implemented as more and more investigations and reinvestigations were due and fell into a backlog. Conscientious attention and obvious improvements initiated by the current PSO and the support for these changes from management indicate an increased emphasis on bringing the Personnel Security and Suitability Program to a complete and comprehensive state. The OIG’s 2001 inspection of FCA’s Personnel Security Program also found that internal control reviews were not being conducted. The inspection included a finding that not conducting these reviews led to inaccuracies in the tracking spreadsheets, a condition which could have prevented the arduous workload inherited by the current PSO. 
It is important to review and upgrade risk designations and avoid investigative backlogs in order to limit the amount of time between investigations and, in turn, the risk that an employee is no longer suited to perform their duties and responsibilities. Budgeting for investigations is also directly tied to monitoring and the accuracy of the PSO’s tracking spreadsheet. Effectively and completely implementing control processes will allow the Agency to more accurately plan for investigative needs and avoid backlogs, which require many investigations to be initiated within the same budget cycle. Planning is necessary given the importance and resource requirements of the Personnel Security and Suitability Program.

Agreed-Upon Actions 1-2

Although significant progress has been made, OMS agreed to:

1. Review and implement internal control procedures to ensure the PSO’s tracking spreadsheet, security files, and risk designations are accurate and complete.
2. Finalize the designation of an Alternate PSO so that appropriate resources are available to fulfill the requirements of the Personnel Security and Suitability Program.

Position Designations

There is a degree of subjectivity involved in determining risk designations. The results of the PDT are based on how each question is answered and information included in the position description. Position descriptions should describe the current requirements of each position, as the Agency’s formal record. Supervisors determine the duties and responsibilities incorporated in position descriptions. FCA’s internal Personnel Security Procedure included questions to consider for determining position sensitivity. If the answer to any of these questions is yes, duties having these elements must be reflected in the position description.
• Will the incumbent have access to highly sensitive or confidential information, the unauthorized disclosure of which would 1) compromise the overall integrity of an important agency function, 2) seriously inhibit the Agency's ability to carry out its mission or objectives, or 3) violate laws?
• Will the incumbent perform functions that could impact the health and/or safety of others?
• Does the incumbent play a significant policy-making role or have significant influence on executive or policy decision-making at the agency?
• Does the incumbent have significant independent authority to authorize or control funds or resources?
• Does the position require that the incumbent have access to classified information?

We reviewed position descriptions for 19 employees to determine whether their risk designations seemed appropriate based on their duties and responsibilities. It is important to acknowledge the process is dynamic because employees may transfer from one directorate to another and/or employee responsibilities continuously change over time, and the designation process is a point-in-time event. Ultimately, this determination is made by Human Resources Specialists on the Human Resources and Training Team (HRTT) and the PSO. Our review raised questions about a few employees’ designations:

• A position description did not include a risk designation. FCA completed a moderate risk background investigation for this employee, but the individual was due for reinvestigation in October 2014. The position description states that the employee “may act for the CFO with full responsibility and authority in his/her absence or unavailability.” Because of the importance of the position and financial responsibilities, the risk designation should be evaluated and completed, and reinvestigations should be timely.

• A senior policy analyst with a significant policy-making role was designated as low risk. The analyst’s position description was dated May 2006.
Another analyst on the same team had been designated as moderate.

• Two Associate Director positions in the same office with similar responsibilities were designated at different levels. One Associate Director position was designated as moderate risk and the other as low risk. To FCA’s credit, the individual in the low risk position had a high risk background investigation from a previous position.

We also identified employees that had an appropriate designation, but their investigation was conducted at a different level:

• A technical editor position was designated as low risk, and a moderate risk background investigation was completed for the employee.
• A Human Resources Specialist had a moderate risk background investigation completed although the position was designated as high risk.

We also noted inconsistencies in the record keeping and documentation of position descriptions and PDT results. This data quality issue made it difficult to reconcile the background investigation that should have been conducted with the background investigation that was completed for the employee. For example, we requested position descriptions and corresponding PDT results for 19 employees. Five position descriptions did not include a sensitivity designation. Of the 19 employees, HRTT was able to provide PDT results for two positions and the PSO provided an additional five. However, one of the PDT results showed the tool was not run until June 2015, more than a year after the individual was placed in the position. Two other employees’ position descriptions included notes on the date the PDT was run, one in October 2014 and another in August 2014, but PDT results were not provided.

Officials stated that they would not necessarily have a copy of the PDT for a position if it was not new or substantively changed and re-designated during the timeframe that the current PDT designation process was implemented.
For example, if an employee is hired under a position description that has not been changed since 2006, the PDT may not be run or maintained for the position. Although the PDT is specific to the position, some position descriptions cover several employees. As an example, many associate examiners are under the same position description and, in turn, have the same risk designation.

In July 2015, 5 CFR Part 1400, Designation of National Security Positions, set forth additional requirements for agencies to evaluate positions for a sensitivity designation commensurate with responsibilities by July 2017. OPM is updating the PDT to implement these requirements. Although FCA does not have a national security function, the agency may integrate this evaluation of employees to ensure that risk designations are appropriate and consistent for employees.

Maintaining copies of the PDT and ensuring they are readily accessible to HRTT and the PSO will streamline the designation process. Through this process, a database will be developed with the appropriate risk level and sensitivity and required investigation for each position. An organized system of records will allow HRTT and the PSO to quickly determine whether a position description has an appropriate PDT designation and eliminates the need to re-run the PDT each time a position is filled. Saving copies of results also allows the PSO to evaluate how PDT questions were answered and review whether the designation is appropriate. Not re-running the PDT also decreases resource requirements for duplicative reviews by the PSO. This system will ensure all FCA positions have a current, consistent PDT designation as they are filled. This will become increasingly important as the PDT is updated to comply with designation requirements in 5 CFR Part 1400.

High Risk Positions

Personnel security procedures are designed to ensure that employees have the level of investigation necessary for their position.
Specifically, PPM 825, Personnel Security and Suitability Program, stated: “The PSO ensures employees are appropriately cleared before entering Critical Sensitive or High Risk positions. The PSO will obtain the CEO’s written approval for a waiver of the pre-appointment investigative requirement for placement in such positions wherever such action is construed as necessary in the national interest and consistent with the efficiency of the service. Documentation of such finding will be maintained in the personnel security files, in accordance with requirements specified in OMS’s personnel security program procedures.” Of the 48 employees in our sample, 9 were in positions that were designated as high risk. Officials stated that in practice, investigations are not completed before an employee is hired. Only five of these employees were hired directly into their high risk position with the remaining four moved internally for new positions. These four were not cleared or waived before starting their position. The positions included: two office Directors, an Executive Assistant, and a Special Assistant to a Board Member. One office director had been in their position for over three years and another for over two years before their high risk investigation was completed. Both had worked at the Agency since 1986. The Executive Assistant and Special Assistant each had an investigation completed less than a year before entering their high risk positions. Included in the employees that were hired directly into a high risk position was another office director. Based on documentation in eOPF, this employee had a low risk background investigation completed in a previous position at another federal agency. The required high risk level background investigation was ultimately completed over 3 years after the employee started with the Agency. Officials stated that this was an oversight by the prior PSO. 
The PSO stated there are often timing issues that affect employees’ background investigations. For example, if an employee’s investigation is in process or was recently completed before they are selected for a high risk position, it is not cost-effective to re-do an investigation that was just completed. If it is acceptable and in the best interest of the Agency not to re-do an employee’s investigation, the PSO should document this determination in the employee’s security file, per current procedures.

Conducting background investigations at the appropriate level also has a financial impact to the Agency. Conducting a higher-than-necessary background investigation costs the Agency money. When a background investigation is conducted at a lower level than required for the position, the Agency has to budget for an additional, higher-level investigation to correct the error.

Similar issues were noted in prior reviews. FCA conducted an internal control review in September 2013. The review included a recommendation to create and maintain a listing of all position description numbers and their risk designations so that position descriptions do not need to go through the PSO when a designation has already been determined. OPM’s 2012 review also included a recommendation for the Agency to establish procedures to correct disparities and ensure consistency of designations on the position description, security file, and request for personnel action.

Agreed-Upon Actions 3-4

To continue the efforts made to date to improve processes and documentation, OMS agreed to:

3. Update procedures for:
   • deciding and documenting position risk level and sensitivity to ensure all positions have a PDT designation that is appropriate for the duties and responsibilities of the position.
   • maintaining and organizing PDT records.
4. Revise processes to ensure employees are cleared or pre-appointment investigative requirements are waived before entering high risk positions.
OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine whether FCA is effectively managing the Personnel Security and Suitability Program. We conducted fieldwork at FCA’s headquarters in McLean, VA from April 2015 through September 2015. We limited our scope to October 2013 through March 2015. We completed the following steps to accomplish the objective:

• Reviewed applicable laws and regulations covering personnel security and suitability.
• Interviewed the Personnel Security Officer (PSO) about internal policies and procedures, processes, and monitoring.
• Reviewed results of Office of Personnel Management (OPM) reviews of FCA’s Personnel Security and Suitability Program.
• Evaluated processes for initiating and documenting background investigations and risk designations.
• Compared risk designations in the PSO’s tracking spreadsheet, the personnel system, and certifications of investigations. We judgmentally sampled 48 employees based on dates of investigation, notes in the PSO’s tracking spreadsheet, and risk designations. Because our sample was judgmental it could not be projected to the entire population.
• Reviewed position descriptions for 19 employees in our sample. We reviewed position descriptions to determine whether a security designation was documented and appropriate based on duties and responsibilities required for the position. We also requested and reviewed results of the Position Designation Tool (PDT) for these 19 employees’ positions.
• Reviewed employees in our sample in high risk positions to determine whether background investigations were completed before starting the position.

This audit was performed in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.
We assessed internal controls and compliance with laws and regulations to the extent necessary to satisfy the objective. Our review would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We assessed the computer-processed data relevant to our audit objective and covered in the body of our report. We assessed the risk of fraud related to our audit objective in the course of evaluating audit evidence. Overall, we believe the evidence obtained provides a reasonable basis for our conclusions based on our audit objective.

ACRONYMS

CFR     Code of Federal Regulations
CVS     Central Verification System
eOPF    Electronic Official Personnel Folder
e-QIP   Electronic Questionnaires for Investigations Processing
FCA     Farm Credit Administration
OIG     Office of Inspector General
OMS     Office of Management Services
OPM     Office of Personnel Management
PDT     Position Designation Tool
PPM     Policies and Procedures Manual
PSO     Personnel Security Officer

REPORT
Fraud | Waste | Abuse | Mismanagement

FARM CREDIT ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

Phone: Toll Free (800) 437-7322; (703) 883-4316
Fax: (703) 883-4059
E-mail: firstname.lastname@example.org
Mail: Farm Credit Administration
Office of Inspector General
1501 Farm Credit Drive
McLean, VA 22102-5090
FCA's Personnel Security and Suitability Program
Published by the Farm Credit Administration, Office of Inspector General on 2015-09-29.