oversight

FCA's Personnel Security and Suitability Program

Published by the Farm Credit Administration, Office of Inspector General on 2015-09-29.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

OFFICE OF
INSPECTOR GENERAL       Audit Report  
                    Farm Credit Administra on’s
                        Personnel Security
                      and Suitability Program
                             A‐15‐04

                         Auditor‐in‐Charge
                           Tori Kaufman

                    Issued September 29, 2015




                      FARM CREDIT ADMINISTRATION
Farm Credit Administration                                       Office of Inspector General
                                                                 1501 Farm Credit Drive
                                                                 McLean, Virginia 22102-5090




September 29, 2015

The Honorable Kenneth A. Spearman, Board Chairman
The Honorable Dallas P. Tonsager, Board Member
The Honorable Jeffery S. Hall, Board Member
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Board Chairman Spearman and FCA Board Members Tonsager and Hall:

The Office of Inspector General (OIG) completed an audit of FCA’s Personnel Security and
Suitability Program. The objective of this audit was to determine whether FCA is effectively
managing the Personnel Security and Suitability Program.

During our audit, we found that the Office of Management Services (OMS) made important
updates to the program. The Personnel Security Officer (PSO) reviewed security files and
updated the investigation tracking spreadsheet with current information. In addition,
substantial resources were dedicated to upgrading investigations. New investigations were
initiated and completed for many employees, and an Alternate PSO had been selected. The
PSO also used OPM systems to process investigations and evaluate reciprocity.

Additional changes planned by the PSO and management and included in our
recommendations will improve the efficiency and effectiveness of the Personnel Security and
Suitability Program. In response to our audit, OMS agreed to the following actions:

        1. Review and implement internal control procedures to ensure the PSO’s tracking
           spreadsheet, security files, and risk designations are accurate and complete.

        2. Finalize the designation of an Alternate PSO so that appropriate resources are
           available to fulfill the requirements of the Personnel Security and Suitability
           Program.
        3. Update procedures for:
             • deciding and documenting position risk level and sensitivity to ensure all
                positions have a PDT designation that is appropriate for the duties and
                responsibilities of the position.
             • maintaining and organizing PDT records.

        4. Revise processes to ensure employees are cleared or pre-appointment
           investigative requirements are waived before entering high risk positions.

We appreciate the courtesies and professionalism extended by FCA personnel to the OIG staff.
If you have any questions about this audit, I would be pleased to meet with you at your
convenience.

Respectfully,



Elizabeth M. Dean
Inspector General

Enclosure
OBJECTIVE:
To determine whether
FCA is effectively
managing its Personnel
                             The Farm Credit Administration (FCA or Agency) made substantial updates to its
Security and Suitability     Personnel Security and Suitability Program. The current Personnel Security Officer
Program.                     (PSO) started the position in May 2014. Prior to this personnel change, the
                             program needed several improvements to ensure investigations were completed
BACKGROUND:                  and documented appropriately. The PSO, with the support of management, took
FCA’s Personnel Security     action to repair these deficiencies. The PSO reviewed each employee’s security file
and Suitability Program is   and updated the tracking spreadsheet with current information. In addition,
responsible for ensuring     substantial resources were devoted to upgrading investigations for many Agency
that employment and          employees. For fiscal year 2014 and 2015, FCA allocated about $300,000 to
retention within the         complete background investigations. During the scope of our audit, from October
federal service is           2013 to March 2015, the Agency completed about 100 background investigations.
                             These efforts greatly advanced the program in progressing to its current status.
consistent with the public
trust and the interests of   Our review revealed additional opportunities to continue and complete
national security. Primary   improvement of monitoring and the dynamic process for appropriately designating
responsibility for the       positions. Certain areas for improvement had been recommended as part of
program is assigned to       previous: 1) OIG, 2) FCA internal control, and 3) Office of Personnel Management
FCA’s Office of              (OPM) reviews. Specifically, we found:
Management Services,
with overall operations          •   Internal control procedures were not fully implemented.
managed by the
Personnel Security               •   Designation of an Alternate PSO needed to be finalized in order to ensure
Officer. All positions are           appropriate resources are available to fulfill program requirements.
designated as high,
                                 •   FCA’s internal Personnel Security Procedure reflected requirements to use
moderate, or low risk
                                     OPM’s Position Designation Tool (PDT); however, the Agency did not
based on the potential to
                                     always maintain PDT results or ensure that the tool was used to designate
adversely impact the                 all Agency positions.
efficiency or integrity of
the service. Although FCA        •   On occasion, employees were not cleared, or waived of pre-appointment
does not have a national             investigative requirements, before entering high risk positions.
security function, some
positions have a national    There are 4 agreed-upon actions to improve the Personnel Security and Suitability
security sensitivity         Program.
designation. Risk
designations are
determined using OPM’s
required Position
Designation Tool.
                                    Table of Contents



BACKGROUND _______________________________________________________ 1

 Prior Reviews______________________________________________________________________ 3

AUDIT RESULTS______________________________________________________ 3

 Monitoring Investigations ____________________________________________________________ 3

 Agreed-Upon Actions 1-2 ____________________________________________________________ 5

 Position Designations _______________________________________________________________ 6

 Agreed-Upon Actions 3-4 ____________________________________________________________ 9

OBJECTIVE, SCOPE, AND METHODOLOGY ______________________________ 10

ACRONYMS ________________________________________________________ 11
BACKGROUND

    The Farm Credit Administration (FCA or Agency) is an independent federal agency responsible for
    regulating, examining, and supervising the Farm Credit System and the Federal Agricultural Mortgage
    Corporation. The core mission of the Agency is to ensure a safe, sound, and dependable source of credit
    and related services for agriculture and rural America. To fulfill federal requirements and its mission,
    there is a continuing need for systematic and timely security determinations for employees. FCA’s
    Personnel Security and Suitability Program is responsible for ensuring that employment and retention
    within the federal service is consistent with the public trust and the interests of national security.
    Primary responsibility for the program is assigned to FCA’s Office of Management Services (OMS), with
    overall operations managed by the Personnel Security Officer (PSO).

    Public trust in Agency operations is important. Executive Order 10450, Security Requirements for
    Government Employment, April 1953, requires all federal employees be subject to investigation. The
    scope of the investigation varies based on the nature of the position and the degree of harm an
    individual in that position could cause, which is the basis for the position’s risk level. Title 5 of the Code
    of Federal Regulations (CFR) Part 731, Suitability, requires agencies to designate all covered positions as
    high, moderate, or low risk based on the potential to adversely impact the efficiency or integrity of the
    service. High or moderate risk positions may involve policy making, major program responsibility,
    fiduciary responsibilities, protection of personal information, or control of financial records with
    significant risk for causing damage or realizing personal gain. Positions that could bring about a material
    adverse effect on national security must also receive a sensitivity designation of special-sensitive,
    critical-sensitive, or non-critical sensitive per 5 CFR Part 732, National Security Positions.

    Although FCA does not have a national security function, a few positions have a national security
    designation. However, the majority of FCA employees are designated high, moderate, or low risk, with
    no national security sensitivity. The types of investigations performed for these designations are:


                                                                National Agency
                                       Low Risk                    Check and
                                                                Inquiries (NACI)


                                                                 Moderate Risk
                                                                  Background
                                   Moderate Risk                 Investigation
                                                                     (MBI)


                                                                   Background
                                       High Risk                  Investigation
                                                                       (BI)


    Investigations of FCA employees are completed by the Office of Personnel Management (OPM). Each
    year costs are established for all OPM investigative products. For fiscal year (FY) 2014, the cost of a
    NACI was about $120, an MBI is about $900, and a BI is about $3,000. A higher level background


                                                          1
investigation, at a cost of about $4,000, is conducted for employees with a national security designation.
Investigative costs increased in FY 2015. For FY 2014 and 2015, FCA allocated about $300,000 to
complete background investigations.

To designate the risk level and sensitivity of positions, FCA uses OPM’s required Position Designation
Tool (PDT). The PDT is an automated questionnaire that guides agencies in determining the proper level
of investigation based on an assessment of risk and national security sensitivity. Requirements to use
the PDT were established in the August 2010 Federal Investigations Notice 10-06, Position Designation
Requirements. Currently, the Human Resources and Training Team (HRTT) uses the position description
to complete the PDT. Position descriptions are the Agency’s formal documentation of each position’s
duties and responsibilities.

When a new employee is hired or changes positions, a copy of the position description and PDT are
provided to the PSO. The PSO reviews each document and determines the need for a background
investigation. The PSO uses OPM’s Central Verification System (CVS) to determine if the employee
already has a reciprocally acceptable investigation. If a reciprocally valid investigation exists, no new
investigation is necessary until the employee is due for a periodic reinvestigation. Employees in high,
moderate, and sensitive positions must be reinvestigated every five years. Reinvestigations are not
required for low risk employees, but the PSO uses the tracking spreadsheet to prioritize and review low
risk employees with the oldest dates of investigation. Periodic reinvestigations for public trust positions
are roughly one-quarter or less the cost of a new investigation.

When a new investigation is necessary, an account is established in OPM’s Electronic Questionnaires for
Investigations Processing (e-QIP) system. In e-QIP, employees electronically enter, update, and transmit
the data required for their investigation. The scope and type of information required is based on the
position being filled and its required level of investigation. Examples of data required for a background
investigation include: employment history, residence information, and references. Once an applicant or
employee certifies the information in e-QIP is complete and correct, the Agency must submit a request
for investigation to OPM within 14 days. FCA started using e-QIP during 2012.

All background investigations are initiated and adjudicated by the PSO. Adjudication is the evaluation of
pertinent data in a background investigation, as well as any other relevant and reliable information, to
determine whether an employee is suitable for government employment. FCA makes suitability
determinations based on: regulations covering adjudication requirements, OPM standards, the
designated risk level and sensitivity of a position, and findings in background investigations. Background
investigations and adjudication forms are contained in employees’ security files, which are maintained
by the PSO. Certifications of investigation, signed and dated by the PSO, document the type of
background investigation completed and position occupied and confirm that a suitability determination
has been made. These forms are uploaded in the employee’s electronic official personnel folder (eOPF).
To facilitate tracking reciprocity, suitability adjudications must be reported to OPM no later than 90 days
after receipt of the final report of investigation.

Personnel security and suitability is a challenging and ever moving target for a PSO, in part because,
requirements have changed, and continue to change and evolve, with some regularity based on
regulatory changes and the continuing development of technology. OPM issues Federal Investigations
Notices to inform agencies of changes in the investigation process, policy clarification, or upcoming
events. For FY 2015, OPM changed NACI and MBI investigations to “Tier 1” and “Tier 2” investigations,
respectively. This change was part of the phased implementation of 2012 Federal Investigative



                                                     2
     Standards, mandating a five-tiered investigative model by 2017. In addition, 5 CFR Part 1400,
     Designation of National Security Positions, became effective in July 2015 and sets forth additional
     requirements for evaluating and designating sensitive positions. OPM is updating the PDT to reflect
     these requirements.

     Prior Reviews

     In May 1999, the Office of Inspector General (OIG) issued a management letter based on work
     performed as part of an investigation. The letter identified weaknesses in performing timely
     background investigations and designating proper sensitivity levels for Agency positions. In 2001, OIG
     performed a follow-up inspection to determine if FCA made progress in addressing the suggested
     actions in the management letter. OIG’s inspection identified the following:

          •   Policies and procedures needed updating
          •   The Personnel Security Program lacked emphasis
          •   Position sensitivity levels needed updating
          •   Personnel security functions were not being performed for all workers

     The inspection resulted in 6 agreed-upon actions with various tasks to be completed. The agreed-upon
     actions were closed in 2002.

     In August 2012, OPM conducted a review of FCA’s Personnel Security and Suitability Program. This
     review resulted in several findings and recommendations for improvement. The review focused on
     OPM suitability performance goals and measurements for October 2010 through September 2011. OPM
     conducted a follow-up review in November 2014.


AUDIT RESULTS

     FCA has made obvious strides in updating and improving its Personnel Security and Suitability Program.
     Specifically, the current PSO dedicated significant resources to updating the investigation tracking
     spreadsheet with current information and upgrading employees’ risk designations. In addition, the PSO
     uses OPM systems such as Electronic Questionnaires for Investigations Processing (e-QIP), the Central
     Verification System (CVS), and the Position Designation Tool (PDT). These systems are used to track
     required timeframes for initiating investigations, validate reciprocity, and ensure consistency in risk
     designations. Additional changes planned by the PSO and management and included in our
     recommendations will improve the efficiency and effectiveness of the Personnel Security and Suitability
     Program.

     Monitoring Investigations

     FCA made substantial updates to its Personnel Security and Suitability Program. The current PSO started
     the position in May 2014. The current PSO took over the position and began implementing needed
     improvements. Specifically, the PSO reviewed each employee’s security file and updated the tracking
     spreadsheet. The PSO stated this undertaking was time intensive and took concerted effort, along with
     juggling additional program responsibilities. During this security file review, the PSO made notes in the
     tracking spreadsheet about employees who did not have a security file, record of investigation in their



                                                        3
security file, or supporting documentation in CVS or e-QIP. The PSO also worked with management to
devote substantial resources to upgrading investigations for a large portion of Agency employees. The
PSO determined that several low risk employees should be upgraded to moderate risk, which required a
new investigation to be completed. For fiscal year 2014 and 2015, FCA allocated about $300,000 to
complete background investigations. During the scope of our audit, from October 2013 to March 2015,
the Agency completed about 100 background investigations. The following steps are necessary to
ensure items identified by the PSO are addressed and all Agency employees have the appropriate
background investigation for their position:

    •   Our scope included 160 employees with a start date, last investigation date, or due date of
        reinvestigation from October 2013 to March 2015, according to the PSO’s tracking spreadsheet.
        We also included in our scope employees whose information was blank in these categories.
        There were 22 of 160 employees with incomplete information in the tracking spreadsheet. The
        PSO made notes in the tracking spreadsheet on follow-up items for most of these employees.

    •   The PSO also used the tracking spreadsheet to monitor and prioritize investigations and
        reinvestigations. 5 CFR Part 731 requires reinvestigation every five years for public trust
        positions designated at the high or moderate risk level. Positions designated as low risk do not
        require a periodic reinvestigation. However, due to the diligence of the PSO, several low risk
        positions needing reevaluation were identified and prioritized for review. Of the 160 employees
        in our scope, there were 50 for whom the tracking spreadsheet contained information that
        follow-up attention was necessary. The PSO noted in the tracking spreadsheet that 12 of these
        employees did not have a security file or record of investigation in their security file and 18 of
        these employees needed their background investigation upgraded to moderate. 4 additional
        employees were noted as needing both. The remaining 16 employees were due for
        reinvestigation or required additional review steps by the PSO.

    •   Although we did not validate all data in the tracking spreadsheet, we judgmentally sampled 48
        of the 160 employees in our scope and requested supporting documentation. Information in
        the tracking spreadsheet matched certifications of investigation for most employees in our
        sample. 8 employees in our sample had no security file or record of investigation in their
        security file. Three were noted as such in the tracking spreadsheet, but one of these employees
        had a certification of investigation from 2012 in their electronic official personnel folder (eOPF).
        Another employee was noted as having transferred in 1987 with a low risk background
        investigation, with no records in their security file, and a new investigation was in process. The
        remaining four employees without a security file or record of investigation in their security file
        included two employees who had worked at the Agency since 1988 and needed their
        investigation upgraded to moderate and two transfer employees, one newly hired in May 2014
        and another hired in 2010. One employee had transferred with the appropriate level of
        investigation, and the PSO created a security file during our review. The other employee was
        noted as being reinvestigated in 2013, but there was no supporting documentation in their
        security file.

FCA’s internal Personnel Security Procedure describes specific internal control processes, including:

    •   quarterly reviews of security files,
    •   an annual review and update of position designations by the PSO, and



                                                     4
    •   an annual audit by an Alternate PSO of recent investigations and corresponding documentation.

The procedures require the results of the annual audit to be reported to the Director of the Office of
Management Services (OMS) along with recommendations and corrective measures, as appropriate.
Although planned, sufficient resources were not committed to the program to ensure reviews were
performed.

An Alternate PSO had not been designated for the program for many years; however, during our review,
officials stated an employee hired in June 2015 had taken appropriate training and was in the process of
obtaining a clearance in order to assist the PSO. Agency officials stated that once this clearance was
granted, the intent would be for this employee to be the designated Alternate PSO. As the sole
manager of the program with significant responsibilities outside of the Personnel Security and Suitability
Program, the PSO needs additional resources and a backup to process, oversee, and monitor
investigations for the Agency. As noted above, new investigations were initiated for many employees
with upgraded risk levels and security files were reviewed to update the tracking spreadsheet. These
efforts significantly contributed to resource requirements imposed on the current PSO. Once the PSO’s
tracking spreadsheet is fully updated and internal control review processes are fully implemented,
predictably, the program will be much more manageable and require fewer Agency resources. Although
the Agency’s size supports keeping PSO responsibilities as a collateral duty, adequate resources are
necessary to ensure program requirements are fulfilled.

Historically, there had been a lack of appropriate emphasis on FCA’s Personnel Security and Suitability
Program. Detailed control procedures were in place; however, these requirements were not prioritized
and implemented as more and more investigations and reinvestigations were due and fell into a
backlog. Conscientious attention and obvious improvements initiated by the current PSO and the
support for these changes from management indicate an increased emphasis on bringing the Personnel
Security and Suitability Program to a complete and comprehensive state.

The OIG’s 2001 inspection of FCA’s Personnel Security Program also found that internal control reviews
were not being conducted. The inspection included a finding that not conducting these reviews led to
inaccuracies in the tracking spreadsheets, a condition which could have prevented the arduous
workload inherited by the current PSO. It is important to review and upgrade risk designations and
avoid investigative backlogs in order to limit the amount of time between investigations and, in turn, the
risk that an employee is no longer suited to perform their duties and responsibilities. Budgeting for
investigations is also directly tied to monitoring and the accuracy of the PSO’s tracking spreadsheet.
Effectively and completely implementing control processes will allow the Agency to more accurately
plan for investigative needs and avoid backlogs, which require many investigations to be initiated within
the same budget cycle. Planning is necessary given the importance and resource requirements of the
Personnel Security and Suitability Program.

Agreed-Upon Actions 1-2

Although significant progress has been made, OMS agreed to:

    1. Review and implement internal control procedures to ensure the PSO’s tracking spreadsheet,
       security files, and risk designations are accurate and complete.




                                                    5
    2. Finalize the designation of an Alternate PSO so that appropriate resources are available to fulfill
       the requirements of the Personnel Security and Suitability Program.

Position Designations

There is a degree of subjectivity involved in determining risk designations. The results of the PDT are
based on how each question is answered and information included in the position description. Position
descriptions should describe the current requirements of each position, as the Agency’s formal record.
Supervisors determine the duties and responsibilities incorporated in position descriptions.
FCA’s internal Personnel Security Procedure included questions to consider for determining position
sensitivity. If the answer to any of these questions is yes, duties having these elements must be
reflected in the position description.


 Will the incumbent have access to highly sensitive or confidential information, the unauthorized disclosure of which
 would 1) compromise the overall integrity of an important agency function, 2) seriously inhibit the Agency's ability to
 carry out its mission or objectives, or 3) violate laws


 Will the incumbent perform functions that could impact the health and/or safety of others?



 Does the incumbent play a significant policy-making role or have significant influence on executive or policy decision-
 making at the agency?


 Does the incumbent have significant independent authority to authorize or control funds or resources?



 Does the position require that the incumbent have access to classified information?




We reviewed position descriptions for 19 employees to determine whether their risk designations
seemed appropriate based on their duties and responsibilities. It is important to acknowledge the
process is dynamic because employees may transfer from one directorate to another and/or employee
responsibilities continuously change over time, and the designation process is a point-in-time event.
Ultimately, this determination is made by Human Resources Specialists on the Human Resources and
Training Team (HRTT) and the PSO. Our review raised questions about a few employees’ designations:

     •    A position description did not include a risk designation. FCA completed a moderate risk
          background investigation for this employee, but the individual was due for reinvestigation in
          October 2014. The position description states that the employee “may act for the CFO with full
          responsibility and authority in his/her absence or unavailability.” Because of the importance of
          the position and financial responsibilities, the risk designation should be evaluated and
          completed, and reinvestigations should be timely.

     •    A senior policy analyst with a significant policy-making role was designated as low risk. The
          analyst’s position description was dated May 2006. Another analyst on the same team had
          been designated as moderate.



                                                               6
     •    Two Associate Director positions in the same office with similar responsibilities were
          designated at different levels. One Associate Director position was designated as moderate
          risk and the other as low risk. To FCA’s credit, the individual in the low risk position had a high
          risk background investigation from a previous position.

We also identified employees that had an appropriate designation, but their investigation was
conducted at a different level:

    •    A technical editor position was designated as low risk, and a moderate risk background
         investigation was completed for the employee.

    •    A Human Resources Specialist had a moderate risk background investigation completed
         although the position was designated as high risk.

We also noted inconsistencies in the record keeping and documentation of position descriptions and
PDT results. This data quality issue made it difficult to reconcile the background investigation that
should have been conducted with the background investigation that was completed for the employee.
For example, we requested position descriptions and corresponding PDT results for 19 employees. Five
position descriptions did not include a sensitivity designation. Of the 19 employees, HRTT was able to
provide PDT results for two positions and the PSO provided an additional five. However, one of the PDT
results showed the tool was not run until June 2015, more than a year after the individual was placed in
the position. Two other employees’ position descriptions included notes on the date the PDT was run,
one in October 2014 and another in August 2014, but PDT results were not provided.

Officials stated that they would not necessarily have a copy of the PDT for a position if it was not new or
substantively changed and re-designated during the timeframe that the current PDT designation process
was implemented. For example, if an employee is hired under a position description that has not been
changed since 2006, the PDT may not be run or maintained for the position. Although the PDT is specific
to the position, some position descriptions cover several employees. As an example, many associate
examiners are under the same position description and, in turn, have the same risk designation.

In July 2015, 5 CFR Part 1400, Designation of National Security Positions, set forth additional
requirements for agencies to evaluate positions for a sensitivity designation commensurate with
responsibilities by July 2017. OPM is updating the PDT to implement these requirements. Although FCA
does not have a national security function, the agency may integrate this evaluation of employees to
ensure that risk designations are appropriate and consistent for employees.

Maintaining copies of the PDT and ensuring they are readily accessible to HRTT and the PSO will
streamline the designation process. Through this process, a database will be developed with the
appropriate risk level and sensitivity and required investigation for each position. An organized system
of records will allow HRTT and the PSO to quickly determine whether a position description has an
appropriate PDT designation and eliminates the need to re-run the PDT each time a position is filled.
Saving copies of results also allows the PSO to evaluate how PDT questions were answered and review
whether the designation is appropriate. Not re-running the PDT also decreases resource requirements
for duplicative reviews by the PSO. This system will ensure all FCA positions have a current, consistent
PDT designation as they are filled. This will become increasingly important as the PDT is updated to
comply with designation requirements in 5 CFR Part 1400.




                                                      7
High Risk Positions

Personnel security procedures are designed to ensure that employees have the level of investigation
necessary for their position. Specifically, PPM 825, Personnel Security and Suitability Program, stated:



            “The PSO ensures employees are appropriately cleared before entering Critical
            Sensitive or High Risk positions. The PSO will obtain the CEO’s written approval for a
            waiver of the pre-appointment investigative requirement for placement in such
            positions wherever such action is construed as necessary in the national interest and
            consistent with the efficiency of the service. Documentation of such finding will be
            maintained in the personnel security files, in accordance with requirements specified
            in OMS’s personnel security program procedures.”




Of the 48 employees in our sample, 9 were in positions that were designated as high risk. Officials
stated that in practice, investigations are not completed before an employee is hired. Only five of these
employees were hired directly into their high risk position with the remaining four moved internally for
new positions. These four were not cleared or waived before starting their position. The positions
included: two office Directors, an Executive Assistant, and a Special Assistant to a Board Member. One
office director had been in their position for over three years and another for over two years before
their high risk investigation was completed. Both had worked at the Agency since 1986. The Executive
Assistant and Special Assistant each had an investigation completed less than a year before entering
their high risk positions. Included in the employees that were hired directly into a high risk position was
another office director. Based on documentation in eOPF, this employee had a low risk background
investigation completed in a previous position at another federal agency. The required high risk level
background investigation was ultimately completed over 3 years after the employee started with the
Agency. Officials stated that this was an oversight by the prior PSO.

The PSO stated there are often timing issues that affect employees’ background investigations. For
example, if an employee’s investigation is in process or was recently completed before they are selected
for a high risk position, it is not cost-effective to re-do an investigation that was just completed. If it is
acceptable and in the best interest of the Agency not to re-do an employee’s investigation, the PSO
should document this determination in the employee’s security file, per current procedures.

Conducting background investigations at the appropriate level also has a financial impact to the Agency.
Conducting a higher-than-necessary background investigation costs the Agency money. When a
background investigation is conducted at a lower level than required for the position, the Agency has to
budget for an additional, higher-level investigation to correct the error.

Similar issues were noted in prior reviews. FCA conducted an internal control review in September
2013. The review included a recommendation to create and maintain a listing of all position description
numbers and their risk designations so that position descriptions do not need to go through the PSO
when a designation has already been determined. OPM’s 2012 review also included a recommendation
for the Agency to establish procedures to correct disparities and ensure consistency of designations on
the position description, security file, and request for personnel action.


                                                       8
Agreed-Upon Actions 3-4

To continue the efforts made to date to improve processes and documentation, OMS agreed to:

   3. Update procedures for:
         • deciding and documenting position risk level and sensitivity to ensure all positions have
             a PDT designation that is appropriate for the duties and responsibilities of the position.
         • maintaining and organizing PDT records.

   4. Revise processes to ensure employees are cleared or pre-appointment investigative
      requirements are waived before entering high risk positions.




                                                  9
OBJECTIVE, SCOPE, AND METHODOLOGY

     The objective of this audit was to determine whether FCA is effectively managing the Personnel Security
     and Suitability Program. We conducted fieldwork at FCA’s headquarters in McLean, VA from April 2015
     through September 2015. We limited our scope to October 2013 through March 2015.

     We completed the following steps to accomplish the objective:

         •   Reviewed applicable laws and regulations covering personnel security and suitability.

         •   Interviewed the Personnel Security Officer (PSO) about internal policies and procedures,
             processes, and monitoring.

         •   Reviewed results of Office of Personnel Management (OPM) reviews of FCA’s Personnel Security
             and Suitability Program.

         •   Evaluated processes for initiating and documenting background investigations and risk
             designations.

         •   Compared risk designations in the PSO’s tracking spreadsheet, the personnel system, and
             certifications of investigations. We judgmentally sampled 48 employees based on dates of
             investigation, notes in the PSO’s tracking spreadsheet, and risk designations. Because our
             sample was judgmental it could not be projected to the entire population.

         •   Reviewed position descriptions for 19 employees in our sample. We reviewed position
             descriptions to determine whether a security designation was documented and appropriate
             based on duties and responsibilities required for the position. We also requested and reviewed
             results of the Position Designation Tool (PDT) for these 19 employees’ positions.

         •   Reviewed employees in our sample in high risk positions to determine whether background
             investigations were completed before starting the position.

     This audit was performed in accordance with Generally Accepted Government Auditing Standards.
     Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence
     to provide a reasonable basis for our findings and conclusions based on our audit objective. We
     assessed internal controls and compliance with laws and regulations to the extent necessary to satisfy
     the objective. Our review would not necessarily have disclosed all internal control deficiencies that may
     have existed at the time of our audit. We assessed the computer-processed data relevant to our audit
     objective and covered in the body of our report. We assessed the risk of fraud related to our audit
     objective in the course of evaluating audit evidence. Overall, we believe the evidence obtained provides
     a reasonable basis for our conclusions based on our audit objective.




                                                        10
ACRONYMS


           CFR     Code of Federal Regulations

           CVS     Central Verification System

           eOPF    Electronic Official Personnel Folder

           e-QIP   Electronic Questionnaires for Investigations Processing

           FCA     Farm Credit Administration

           OIG     Office of Inspector General

           OMS     Office of Management Services

           OPM     Office of Personnel Management

           PDT     Position Designation Tool

           PPM     Policies and Procedures Manual

           PSO     Personnel Security Officer




                                                11
    R E P O R T

Fraud | Waste | Abuse | Mismanagement




      FARM CREDIT ADMINISTRATION
      OFFICE OF INSPECTOR GENERAL

   Phone: Toll Free (800) 437-7322; (703) 883-4316

                Fax: (703) 883-4059

           E-mail: fca-ig-hotline@rcn.com

          Mail: Farm Credit Administration
            Office of Inspector General
               1501 Farm Credit Drive
              McLean, VA 22102-5090