
FHFA's Offboarding Controls over Access Cards, Sensitive IT Assets, and Records Were Not Always Documented or Followed During 2016 and 2017

Published by the Federal Housing Finance Agency, Office of Inspector General on 2019-03-13.


Federal Housing Finance Agency
Office of Inspector General

Audit Report • AUD-2019-004 • March 13, 2019
EXECUTIVE SUMMARY

The Federal Housing Finance Agency (FHFA or Agency) was established by the Housing and Economic Recovery Act of 2008 and is responsible for the supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, and the Federal Home Loan Bank System. Since September 2008, it has also served as the conservator for Fannie Mae and Freddie Mac. FHFA is an independent agency with a workforce, as of December 31, 2017, of 603 that included examiners; economists; financial and policy analysts; attorneys; subject matter experts in banking, insurance, technology, accounting, and legal matters; and support personnel.

When employees separate from FHFA, they are required to go through an “offboarding” process, which has several elements. FHFA developed offboarding processes to collect from separating employees and departing contractor employees: (a) access cards issued by FHFA and by the Enterprises; (b) sensitive information technology (IT) assets; and (c) Agency records. It also has an offboarding process to educate separating employees about post-employment restrictions and financial disclosure requirements, separate from these offboarding processes.

Sound offboarding processes are important because the failure by an agency to adopt and implement effective offboarding controls could lead to facilities being wrongfully accessed and assets, including information, being lost, stolen, or misused.

Today, we are issuing two separate audit reports. This report reviews offboarding controls over access cards, sensitive IT assets, and records. The other report reviews FHFA’s offboarding controls over post-employment restrictions and financial disclosure requirements: FHFA’s Controls over Post-Employment Restrictions and Financial Disclosure Requirements for Offboarded Employees Were Followed During 2016 and 2017 (AUD-2019-005), online at www.fhfaoig.gov/reports/auditsandevaluations.

This report sets forth findings from our assessment of the adequacy of FHFA’s controls over its offboarding processes for facility access cards, sensitive IT assets, and Agency records for two calendar years, 2016 and 2017 (review period). Initially, we tested the universe of separating employees and departing contractor employees. We found no exceptions to FHFA’s count of separating employees during the review period (125). Our testing for departing contractor employees during the review period found that FHFA identified 161 contractor employees who departed but we found 109 who departed.

We then performed tests to examine both the adequacy of the offboarding controls FHFA put into place and the adequacy of its implementation of controls to offboard these 234 individuals – 125 separating employees and 109 departing contractor employees. From these tests, we found that some of FHFA’s offboarding controls and some of its implementation of other controls were inadequate.

For example, our testing identified inadequate implementation of the control requiring collection of Personal Identity Verification (PIV) cards and Enterprise access cards. FHFA’s inadequate record-keeping frustrated our efforts to determine whether FHFA collected PIV cards from 10 individuals who offboarded during the review period. Because we could not make that determination, we tested whether building access had been deactivated for these 10 individuals. We found that it was deactivated for nine of the individuals. However, one contractor employee who departed from FHFA in April 2017 retained building access until January 2019.

Our testing identified that Enterprise records reflected that five separated employees and two departed contractor employees had active Enterprise access cards in 2018. We determined that (1) FHFA did not maintain a list of separated employees and/or departed contractor employees who returned Enterprise access cards and (2) FHFA did not have written procedures for the collection and deactivation of access cards for FHFA facilities and collection and transfer of Enterprise access cards.

During the review period, separating FHFA employees were required to complete a Pre-Exit Clearance Form, which required them to collect sign-off signatures from each identified FHFA office that its offboarding requirements had been satisfied. FHFA’s comprehensive records schedule required it to maintain the completed form for the 125 employees who separated during the review period. (Departing contractor employees were not required to complete this form during the review period.) Out of the pool of 125 separating employees, our testing found that FHFA maintained 122 of the forms. According to FHFA, the other three forms were collected and reviewed by staff who were not familiar with the offboarding retention requirements and the forms could not be located. Our review of the 122 retained forms found that 95 (78%) of the 122 forms were completed and 27 (22%) were not.

During the review period, FHFA required the use of a checklist to track the return of sensitive IT assets from separating employees. Beginning in 2017, it also required departing contractor employees to complete the checklist. Of the 125 employees who separated during the review period and the 66 contractor employees who departed during 2017, FHFA provided a checklist for 7 (4%) of them. FHFA explained that the lack of checklists for the remaining 184 individuals was a records management failure by a former Help Desk contractor.

We also tested FHFA’s offboarding form for the return of Agency records and disposition of nonrecords, which all separating employees and departing contractor employees were required to complete. FHFA could only provide 160 (68%) of the offboarding forms. Of the 160 forms provided, we found that 28 were not completed properly.

We make five recommendations in this report to address the shortcomings we identified. In a written management response, FHFA agreed with the recommendations.

This report was prepared by Tara Lewis, Audit Director; Terese Blanchard, Auditor-in-Charge; and Brian Maloney, Auditor; with assistance from Bob Taylor, Senior Advisor. We appreciate the cooperation of FHFA staff, as well as the assistance of all those who contributed to the preparation of this report.

This report has been distributed to Congress, the Office of Management and Budget, and others and will be posted on our website, www.fhfaoig.gov.

/s/ Marla A. Freedman, Deputy Inspector General for Audit

TABLE OF CONTENTS

EXECUTIVE SUMMARY

ABBREVIATIONS

BACKGROUND
      FHFA’s Offboarding Procedures for Collection of IT Assets and Records
      FHFA’s Offboarding Processes for Employees and Contractor Employees Regarding Access Cards, Sensitive IT Assets, and Agency Records
             Office of Facilities Operations Management (OFOM)
             Office of Technology and Information Management (OTIM)
             Office of Human Resources Management (OHRM)

FACTS AND ANALYSIS
      FHFA Was Unable to Provide an Accurate Count of Contractor Employees who Departed during the Review Period
      Testing Identified Inadequate Controls in FHFA’s Offboarding Processes
      Testing Identified No Separated Employees or Departed Contractor Employees Had an Active Kastle Card as of June 2018 But Testing Identified Inadequate Controls Over FHFA’s Offboarding Process that Resulted in PIV Cards and Enterprise Access Cards either Not Being Accounted for or Not Collected
      Testing Identified that FHFA Failed to Maintain Required Offboarding Forms, as Mandated by its Records Retention Schedule
      Offboarding Policies and Procedures Are Incomplete

FINDINGS
      FHFA Was Unable to Provide an Accurate Count of Departed Contractor Employees
      PIV Cards and Enterprise Access Cards Were Either Not Accounted for or Not Collected
      FHFA Offboarding Forms Were Not Always Maintained or Properly Completed
             Checklist
             Records Form

CONCLUSION AND RECOMMENDATIONS

FHFA COMMENTS AND OIG RESPONSE

OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX 1: FHFA’S PRE-EXIT CLEARANCE FORM USED IN 2016 AND 2017

APPENDIX 2: ONE VERSION OF THE HELP DESK ASSET RECOVERY & ACCOUNT TERMINATION CHECKLIST USED IN 2016 AND 2017

APPENDIX 3: RECORDS AND INFORMATION MANAGEMENT EXIT CLEARANCE FORM USED DURING 2016 AND 2017

APPENDIX 4: FHFA MANAGEMENT RESPONSE

ADDITIONAL INFORMATION AND COPIES

ABBREVIATIONS

ACS                   Access Control System

COR                   Contracting Officer Representative

Enterprises           Fannie Mae and Freddie Mac

FHFA or Agency        Federal Housing Finance Agency

FIPS                  Federal Information Processing Standards

Green Book            Standards for Internal Control in the Federal Government

HSPD-12               Homeland Security Presidential Directive 12

IT                    Information Technology

OFOM                  Office of Facilities Operations Management

OHRM                  Office of Human Resources Management

OIG                   Federal Housing Finance Agency Office of Inspector General

OTIM                  Office of Technology and Information Management

PIV                   Personal Identity Verification

BACKGROUND

FHFA’s Offboarding Procedures for Collection of IT Assets and Records

The Federal Government, through Office of Management and Budget Circular No. A-123,
Management’s Responsibility for Enterprise Risk Management and Internal Control (Circular
A-123), establishes management’s responsibility for internal controls in Federal agencies.
Circular A-123 emphasizes the need to integrate and coordinate risk management and strong
and effective internal controls into existing business activities. It also establishes an
assessment process based on the Standards for Internal Control in the Federal Government [1]
(known as the Green Book) that management must implement to assess and improve internal
controls. The Green Book provides an overall framework for establishing and maintaining an
effective internal control system. One of the controls in an effective internal control system is
written policies and/or procedures that are implemented by management.

FHFA’s Office of Technology and Information Management (OTIM) promulgated and
implemented two written procedures to establish and implement internal controls over
sensitive IT assets and Agency records for its employees and contractor employees that were
in effect during 2016 and 2017. The procedures were:

    •   Asset Management Standard Operating Procedure – defines FHFA’s methodology
        to accept, safeguard, validate, issue, inventory, transfer, maintain records, track,
        manage, and report on sensitive IT assets, including procedures for separating
        employees and departing contractor employees. Sensitive IT assets, as defined in the
        procedure, include: laptops; desktop computers; iPhone devices; blackberry devices;
        tablets, iPads, and other mobile computing devices; external storage devices, including
        authorized USB devices; and security tokens. [2]

    •   Records Management Exit Procedures – provides records exit procedures for
        separating employees and departing contractor employees.


[1] 31 U.S.C. § 3512(c) and (d) requires the Comptroller General to issue standards for internal control in the federal government. The Green Book is published by the Government Accountability Office; see GAO-14-704G (Sept. 2014) (online at www.gao.gov/products/GAO-14-704G). The Green Book adapts for the government environment the principles related to the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) introduced by the Committee of Sponsoring Organizations of the Treadway Commission.

[2] A May 2018 revision to the Asset Management Standard Operating Procedure, after our review period, no longer identifies blackberry devices (which according to FHFA are no longer used) and security tokens as sensitive IT assets subject to the procedures.

FHFA officials reported to us that FHFA had no written procedure relating to the collection
and deactivation of access cards to FHFA and Enterprise physical space during 2016 and
2017.

FHFA’s Offboarding Processes for Employees and Contractor Employees Regarding
Access Cards, Sensitive IT Assets, and Agency Records

FHFA developed offboarding processes to collect from separating employees and departing
contractor employees: (a) access cards issued by FHFA and by the Enterprises; (b) sensitive
IT assets; and (c) Agency records. [3]

This audit focused on the adequacy of FHFA’s offboarding processes, if any, and their
implementation regarding FHFA and Enterprise access cards, sensitive IT assets, and FHFA
records from separating employees and departing contractor employees during calendar years
2016 and 2017 (review period), and whether those processes were operating effectively. Our
audit excluded OIG’s controls over its offboarding process, which is separate from FHFA’s
process.

During the review period, FHFA also had an established process to brief separating
employees on post-employment restrictions and financial disclosure requirements, separate
from these offboarding processes. We are also issuing today an audit on FHFA’s offboarding
controls over post-employment restrictions and financial disclosure requirements. [4]

For an employee who left FHFA during the review period, these offboarding processes were
triggered when the employee notified (either directly or through his or her manager) the
Office of Human Resources Management (OHRM) of his or her pending separation. For a
contractor employee who departed during the review period, that process began when the
appropriate FHFA Contracting Officer Representative (COR) settled on a departure date with
the contractor (which was most often at the end of the contract’s period of performance).

During the review period, OHRM or the COR was responsible for entering the pending separation information, including name and separation date, into FHFA’s offboarding system, called the Access Control System (ACS). FHFA employees reported to us that, beginning on October 23, 2017, FHFA transitioned from use of ACS to use of its Identity Access and Management system for entering and maintaining offboarding information for contractor employees. [5] Both systems generated email notifications to FHFA offices with offboarding responsibilities for employees and contractor employees.

[3] This report does not consider FHFA employees who die during the course of their employment to “separate” for purposes of offboarding. We recognize the need for FHFA to collect sensitive information technology assets and FHFA records relating to deceased employees, but this collection falls outside the scope of this report.

[4] OIG, FHFA’s Controls over Post-Employment Restrictions and Financial Disclosure Requirements for Offboarded Employees Were Followed During 2016 and 2017 (Mar. 13, 2019) (AUD-2019-005) (online at www.fhfaoig.gov/reports/auditsandevaluations).

During the review period, FHFA had a process requiring separating FHFA employees to
complete a Pre-Exit Clearance Form prior to their departure. This Pre-Exit Clearance Form
identified collection of access cards assigned to the individual and incorporated by reference
the completion of other offboarding forms regarding the collection of sensitive IT assets and
return of Agency records. When a separating employee returned an asset to the responsible
office, that office was required to sign-off on the form certifying that its offboarding
requirements had been satisfied. Appendix 1 is a version of the Pre-Exit Clearance Form used
by separating employees during the review period. [6]

FHFA’s retention period for the Pre-Exit Clearance Form is seven years. FHFA did not
require departing contractor employees to complete the form during the review period.

Following are three FHFA offices that were involved in this portion of the offboarding
process during the review period.

    Office of Facilities Operations Management (OFOM)

    FHFA building access cards. FHFA officials explained that FHFA issued PIV cards [7] to
    employees and contractor employees who were expected to work for FHFA for more than
    six months and issued Kastle cards to those who were expected to work for FHFA for less
    than six months. FHFA officials reported to us that FHFA did not have a written policy or
    procedure for requirements related to the collection and deactivation of PIV and Kastle
    cards during the review period for separating employees and departing contractor
    employees.


[5] During 2016 and 2017, FHFA only used ACS to track FHFA’s employee offboarding processes. FHFA began a process to transition from ACS to Identity Access and Management because FHFA sought to capture all sign-offs electronically in one database. FHFA officials reported to us that FHFA plans to transition to Identity Access and Management for all separating employees and paid interns, beginning in March 2019.

[6] Although there were several versions of this form used during 2016 and 2017, the information to be recorded was the same in all versions.

[7] Homeland Security Presidential Directive 12 (HSPD-12) establishes the requirements for a common standard for identity credentials issued by Federal departments and agencies to employees and contractor employees. HSPD-12 directed the Department of Commerce to develop a Federal Information Processing Standards (FIPS) publication to define a common identity credential. FIPS Publication 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, requires access to federal buildings or systems to be deactivated when an employee separates from federal service or when a contractor employee no longer needs access. The requirements state that if a PIV card cannot be collected upon separation, deactivation should be completed within 18 hours.

   OFOM officials explained to us the unwritten process that should have been followed
   during the review period. OFOM was responsible for collecting FHFA building access
   cards (both PIV and Kastle cards) from separating employees and departing contractor
   employees. An OFOM physical security specialist was assigned to collect the PIV or
   Kastle card from each separating employee or departing contractor employee and certify
   on the Pre-Exit Clearance Form that the PIV or Kastle card had been collected. Use of the
   Pre-Exit Clearance Form was not required for contractor employees during the review
   period.

   OFOM was tasked with notifying building management to deactivate access to FHFA’s
   offices for separated employees and departed contractor employees. In addition, OFOM
   was responsible for recording collected PIV cards as “destroyed” in USAccess. For Kastle
   cards, OFOM was tasked with removing access for the separated employee or departed
   contractor employee from the Kastle card system. OFOM informed us that it shreds
   collected PIV cards on a periodic basis and returns Kastle cards to stock for reissuance.

   Enterprise building access cards. Again, FHFA officials reported to us that FHFA
   lacked a written policy or procedure for requirements related to the collection and transfer
   of Enterprise access cards from separating employees or departing contractor employees.
   OFOM officials explained to us the unwritten process during the review period. An
   OFOM physical security specialist collected any Enterprise-issued access card from a
   separating employee or departing contractor employee. OFOM signed off on the Pre-Exit
   Clearance Form that Enterprise access cards were collected from separating employees.
   Monthly, the physical security specialist transferred the collected Enterprise access cards
   to FHFA employees at Fannie Mae and Freddie Mac for deactivation by the Enterprise.
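The OFOM process above is, in substance, a join between the separation record and the state of each card system (USAccess for PIV, the Kastle system, and the Enterprises' systems), and that join is the test OIG fell back on for the 10 individuals whose PIV collection could not be established from the forms. The script below is an added example, not FHFA or OIG code, of that reconciliation run against two constructed exports. The column names, identifiers, timestamps and the three-system card list are assumptions for illustration, not FHFA's formats. It flags any card still active past the holder's separation, any deactivation that fell outside the 18-hour window FIPS 201-2 sets when a card cannot be collected, and any separated person with no card record at all, which is the record-keeping gap the report describes.

```python
import csv
import io
from datetime import datetime, timedelta

# FIPS 201-2 window cited in the report: if a PIV card cannot be collected
# at separation, access must be deactivated within 18 hours.
DEACTIVATION_WINDOW = timedelta(hours=18)

# Constructed separation list (assumed export format, not FHFA's): one row
# per separated employee or departed contractor employee, ISO 8601 timestamps.
SEPARATIONS_CSV = """person_id,kind,separated_at
E-1001,employee,2017-03-31T17:00:00
E-1002,employee,2017-06-30T17:00:00
C-2001,contractor,2017-04-14T17:00:00
C-2002,contractor,2016-11-18T17:00:00
C-2003,contractor,2017-09-29T17:00:00
"""

# Constructed access-control export (assumed format): one row per card across
# the PIV, Kastle and Enterprise systems. deactivated_at is blank while the
# card is still active.
CARDS_CSV = """card_id,person_id,system,deactivated_at
PIV-01,E-1001,PIV,2017-03-31T18:05:00
PIV-02,E-1002,PIV,2017-07-03T09:12:00
ENT-02,E-1002,Enterprise,
KST-01,C-2001,Kastle,
PIV-03,C-2002,PIV,2016-11-18T16:30:00
PIV-04,E-1003,PIV,
"""


def _timestamp(value):
    """Parse an ISO 8601 timestamp; an empty field means 'not deactivated'."""
    return datetime.fromisoformat(value) if value else None


def load_separations(text):
    """Map person_id -> separation timestamp."""
    return {row["person_id"]: _timestamp(row["separated_at"])
            for row in csv.DictReader(io.StringIO(text))}


def load_cards(text):
    """Return card rows with deactivated_at parsed to datetime or None."""
    return [dict(row, deactivated_at=_timestamp(row["deactivated_at"]))
            for row in csv.DictReader(io.StringIO(text))]


def reconcile(separations, cards, as_of):
    """Compare card state against the separation list.

    Returns a sorted list of (person_id, card_id, issue, detail) tuples:
      active_after_separation  card still active past the deactivation window
      late_deactivation        card deactivated, but after the window closed
      no_card_record           separated person with no card row at all
    Cards whose holder is not on the separation list are skipped: that person
    is still on board and there is nothing to check.
    """
    findings = []
    holders_seen = set()
    for card in cards:
        person_id = card["person_id"]
        if person_id not in separations:
            continue
        holders_seen.add(person_id)
        separated_at = separations[person_id]
        deadline = separated_at + DEACTIVATION_WINDOW
        deactivated_at = card["deactivated_at"]
        if deactivated_at is None:
            if as_of > deadline:
                days = (as_of - separated_at).days
                findings.append((person_id, card["card_id"], "active_after_separation",
                                 f"still active {days} days after separation as of {as_of.date()}"))
        elif deactivated_at > deadline:
            lag_hours = (deactivated_at - separated_at) / timedelta(hours=1)
            findings.append((person_id, card["card_id"], "late_deactivation",
                             f"deactivated {lag_hours:.1f} h after separation"))
    # A separated person with no card row means collection and deactivation
    # cannot be determined from the records, which is itself a finding.
    for person_id in sorted(separations.keys() - holders_seen):
        findings.append((person_id, "", "no_card_record",
                         "no PIV, Kastle or Enterprise card record to check"))
    return sorted(findings)


def run_report(as_of="2019-01-15"):
    """Reconcile the constructed sample data as of the given ISO date."""
    return reconcile(load_separations(SEPARATIONS_CSV), load_cards(CARDS_CSV),
                     datetime.fromisoformat(as_of))


if __name__ == "__main__":
    for person_id, card_id, issue, detail in run_report():
        print(f"{person_id:7} {card_id:7} {issue:24} {detail}")
```

The check deliberately reads the card systems' own state rather than the sign-off on a Pre-Exit Clearance Form: a missing or incomplete form leaves the form-based control untestable, but the deactivation question can still be answered from the access-control export, which is how the audit reached a conclusion for the individuals whose PIV collection was undocumented.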

   Office of Technology and Information Management (OTIM)

During the review period, OTIM was responsible for collecting sensitive IT assets and
ensuring that separating employees acknowledged FHFA’s records requirements. OTIM used
two separate checklists that were rolled into the Pre-Exit Clearance Form: Help Desk Asset
Recovery & Account Termination Checklist (for sensitive IT assets) and Records and
Information Management Exit Clearance Form (for FHFA records). FHFA’s retention period
for these two forms is seven years.

   Sensitive IT assets. OTIM used a checklist during the review period, called the Help
   Desk Asset Recovery & Account Termination Checklist (Checklist), to identify both the
   collected and uncollected sensitive IT assets from a separating employee. It used the same
   Checklist in 2017 for departing contractor employees.

     For separating employees in 2016 and 2017 for whom OTIM completed the Checklist and
     collected sensitive IT assets, OTIM certified on the Pre-Exit Clearance Form that this
     Checklist had been completed.

     Because contractor employees were not required to complete the Pre-Exit Clearance Form
     during the review period, OTIM was not required to certify completion of the Checklist.
     Appendix 2 is one version of the Checklist used during the review period. [8]

     FHFA records. According to FHFA’s Records Management Exit Procedures, separating
     employees and departing contractor employees were required to complete a Records and
     Information Management Exit Clearance Form (Records Form) during the review period.
     This Records Form sought to capture the individual’s acknowledgement of his or her
     records management responsibilities, including transferring all Agency records [9] to his or
     her supervisor (in the case of employees) or COR (in the case of contractor employees)
     and removing nonrecords [10] from his or her Agency computers, such as personal emails
     and documents. The Records Form contained four sections:

         o Section 1: Completion of Records Management Responsibilities – The
           individual was required to certify that records management responsibilities had
           been completed, including the return of all records and deletion of all personal
           emails and documents.

         o Section 2: Certification of Non-Removal of Records – The individual was
           required to certify that he or she did not remove any paper or electronic Agency
           records.

     On the Records Form, the separating employee or departing contractor employee was required to certify either to Section 3 or Section 4 regarding nonrecords:

         o Section 3: Certification of Non-Removal of Nonrecords – The individual certified that he or she was not removing any paper or electronic Agency nonrecords from FHFA.

         o Section 4: Certification of Removal of Nonrecords – The individual certified that he or she was removing paper or electronic Agency nonrecords from FHFA and was directed to provide a list of the hard copy nonrecords and/or a DVD of the electronic nonrecords with the completed form.

     During the review period, the Records Management Exit Procedures required each separating employee and departing contractor employee to sign and date the Records Form and to cause his or her supervisor/COR (and for the removal of any nonrecords, an Office of General Counsel official) to sign and date that form.

     Appendix 3 contains a copy of the Records Form used during the review period.

[8] Although there were several versions of this checklist used during 2016 and 2017, the information to be captured was the same in all versions.

[9] The Records Management Exit Procedures define records as all recorded information, regardless of form or characteristics, made or received by FHFA relating to the transaction of public business and preserved or appropriate for preservation as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities or because of the informational value of data in them.

[10] The Records Management Exit Procedures define nonrecords as all informational materials used for reference or convenience that do not meet the statutory definition of a record or have been excluded from coverage by the definition (i.e., working files that consist of rough notes, drafts, or calculations not needed to support the decision trail).

     Office of Human Resources Management (OHRM)

During the review period, every separating employee was required to sign and date the
completed Pre-Exit Clearance Form and provide the following attestation:

        I do not have in my possession any Government property, including software,
        hardware, keys, records, books, files, or other official documents or nonpublic
        materials issued or furnished to me (and the property of) the FEDERAL
        HOUSING FINANCE AGENCY.

Each employee’s completed Pre-Exit Clearance Form was required to be reviewed by OHRM
to determine if every necessary sign-off had been obtained, which was reflected by OHRM’s
sign-off. OHRM retained all completed Pre-Exit Clearance Forms. After OHRM certified that
the Pre-Exit Clearance Form was complete and after the employee separated from FHFA,
OHRM removed the separated employee from FHFA’s Human Resource Information System.

Recent reports by other Offices of Inspector General have highlighted the importance of an effective employee offboarding process to mitigate reputational, security, and other risks to federal agencies. [11] As those reports indicate, the failure by an agency to adopt and implement effective offboarding controls could lead to facilities being wrongfully accessed and assets, like information, being lost, stolen, or misused.

[11] See Board of Governors of the Federal Reserve System and Consumer Financial Protection Bureau OIG, The CFPB Can Further Strengthen Controls Over Certain Offboarding Processes and Data (Jan. 22, 2018) (2018-MO-C-001) (online at https://oig.federalreserve.gov/reports/cfpb-offboarding-processes-data-jan2018.htm) and Federal Deposit Insurance Corporation OIG, Controls Over Separating Personnel’s Access to Sensitive Information (Sept. 2017) (EVAL-17-007) (online at www.fdicoig.gov/sites/default/files/publications/17-007EV_0.pdf).


FACTS AND ANALYSIS

FHFA Was Unable to Provide an Accurate Count of Contractor Employees who
Departed during the Review Period

FHFA provided us with a list of 125 employees who separated during the review period
generated from the Human Resource Information System: 59 employees separated in 2016
and 66 employees separated in 2017. 12 Our completeness testing found no exceptions.

We also asked FHFA to provide a list of contractor employees who departed from FHFA
during the same period. While FHFA officials reported that FHFA did not track the number
of contractor employees who departed, they committed to compile a list of those individuals.
FHFA prepared three different lists of contractor employees who departed during the review
period, using three different internal FHFA systems, totaling 161 contractor employees. The
three lists, after removal of duplicates, totaled 127 contractor employees. Our testing found
that this total incorrectly included 8 contractor employees who departed from FHFA prior to
the review period; 20 contractor employees who never completed the onboarding process to
begin working for FHFA (and did not work for FHFA); and 3 contractor employees who were
still working at FHFA as of January 2019. We also found that the three lists improperly
omitted 13 contractor employees who departed from FHFA during the review period.
Applying these adjustments, 13 we found that 109 contractor employees departed FHFA during
the review period: 43 contractor employees in 2016 and 66 contractor employees in 2017.

Testing Identified Inadequate Controls in FHFA’s Offboarding Processes

In this audit, we sought to assess the adequacy of FHFA’s controls over its offboarding
processes for facility access cards, sensitive IT assets, and Agency records. We performed
a number of audit tests to examine the rigor of these controls for the 234 individuals – 125
employees and 109 contractor employees – who separated or departed from FHFA during the
review period. We identified inadequacies with the internal controls in six of the seven tests.


12 One FHFA employee passed away during the review period. As explained previously, deceased employees
are excluded from the scope of this audit.

13 FHFA officials explained that these were recordkeeping errors and some could have occurred because
FHFA CORs could “pre-populate” contractor employees’ departure dates in ACS with contract end-dates and
might not have updated the information in ACS to reflect the actual departure dates.



Testing Identified No Separated Employees or Departed Contractor Employees Had an
Active Kastle Card as of June 2018 But Testing Identified Inadequate Controls Over
FHFA’s Offboarding Process that Resulted in PIV Cards and Enterprise Access Cards
either Not Being Accounted for or Not Collected

We performed three audit tests to assess the adequacy of FHFA’s controls over its access
cards and over Enterprise access cards for separating employees and departing contractor
employees during the review period.

   •   Compare the universe of the 125 separated employees and 109 departed contractor
       employees during the review period to a list of active Kastle card holders as of
       June 21, 2018, to determine whether any of these individuals were on that list.

       Result of Test: We found that none of the separated employees and departed
       contractor employees were on the list of Kastle card holders as of June 21, 2018.

   •   Compare the universe of the separated employees and departed contractor employees
       during the review period who had been issued PIV cards, according to USAccess, to
       the universe of individuals whose PIV cards were recorded in USAccess as
       “destroyed” as of December 14, 2018. If a PIV card was not recorded as destroyed in
       USAccess, we determined whether FHFA removed building access from the card(s).
       According to USAccess, 104 of the 234 individuals who left during the review period
       had been issued PIV cards (58 separated employees and 46 departed contractor
       employees).

       Result of Test: We reviewed the USAccess report for PIV cards as of December 14,
       2018, to determine whether FHFA had recorded the PIV cards for the 104 separated
       and departed individuals as destroyed. We found that FHFA had recorded in
       USAccess the PIV cards for 94 of the 104 individuals (90%) as destroyed.

       For the 10 individuals (6 separated employees and 4 departed contractor employees)
       whose PIV cards were not recorded by FHFA as destroyed in USAccess, FHFA
       officials represented that each lost his or her PIV card so FHFA was unable to collect
       them. However, OFOM attested on the Pre-Exit Clearance Form for the 6 separated
       employees that it collected a PIV card from each one. Because of the conflicting
       evidence, we could not determine whether FHFA collected the PIV cards from these
       6 employees.

       We could not determine whether OFOM certified that it had collected the PIV cards
       from the 4 departed contractor employees because FHFA did not require departing
       contractor employees to use the Pre-Exit Clearance Form during the review period.
       The PIV cards for these 4 contractor employees were not recorded by FHFA as
       destroyed in USAccess.

       Last, we sought to determine whether building access had been deactivated for the 10
       individuals whose PIV cards may not have been collected. Our review of building
       access logs found that access was deactivated for 9 of the 10 individuals at or near the
       time of their departure. One contractor employee departed from FHFA on April 14,
       2017, but retained access to the building until January 9, 2019, because FHFA failed
       to notify building management of the contractor employee’s departure.

   •   Compare the universe of separated employees and departed contractor employees
       during the review period to Fannie Mae and Freddie Mac records of FHFA personnel
       with active access cards, as of May 15, 2018, and February 18, 2018, respectively.

       Result of Test: We found that Enterprise records reflected that five separated
       employees and two departed contractor employees continued to have active Enterprise
       access cards in 2018. Specifically, Fannie Mae’s badging system showed that three
       separated employees and two departed contractor employees had active access cards
       as of May 15, 2018, and Freddie Mac’s badging system showed that two separated
       employees had active access cards as of February 18, 2018.

       An OFOM official explained to us that FHFA did not maintain a list of separated
       employees and/or departed contractor employees who returned Enterprise access
       cards, apart from the attestations found on the Pre-Exit Clearance Form. OFOM
       officials reported to us that OFOM had no written procedure related to the collection
       and return of Enterprise access cards.

       For each of the five separated employees, the completed Pre-Exit Clearance Form
       reflected that OFOM attested that the Enterprise access cards had been collected. We
       asked the Enterprises if FHFA had returned the access cards for these five separated
       employees. Fannie Mae responded that it had no record of the return of access cards
       for the three separated employees. Freddie Mac confirmed receipt of one access card
       from a separated employee but its system continued to show that the other individual
       had an active access card.

       Because FHFA did not require contractor employees to use the Pre-Exit Clearance
       Form during the review period, we could not determine whether the two departed
       contractor employees returned their Fannie Mae access cards.
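The three access-card tests above reduce to one reconciliation: build the universe of people who actually departed during the review period, then look for them in each badge system's extract. The following Python is an added example (not code from FHFA or the OIG) that carries out that reconciliation, including the list adjustments the audit applied to the contractor data; every identifier, name and date in it is constructed.

```python
"""Offboarding reconciliation. Added example, not code from FHFA or the OIG.

Builds the universe of people who separated or departed during the review period, then
compares it with constructed badge-system extracts (an active-holder list, PIV card
status, building-access deactivation dates). All identifiers and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set

REVIEW_START, REVIEW_END = date(2016, 1, 1), date(2017, 12, 31)


@dataclass(frozen=True)
class Person:
    uid: str                    # constructed HR / contractor identifier
    kind: str                   # "employee" or "contractor"
    onboarded: Optional[date]   # None: never completed onboarding
    departed: Optional[date]    # None: still working


def departed_universe(records: Iterable[Person], start: date = REVIEW_START,
                      end: date = REVIEW_END) -> Dict[str, Person]:
    """Apply the adjustments the audit made to the contractor lists: drop duplicates,
    pre-period departures, never-onboarded people and people still on board."""
    universe: Dict[str, Person] = {}
    for p in records:
        if p.uid in universe or p.onboarded is None or p.departed is None:
            continue
        if start <= p.departed <= end:
            universe[p.uid] = p
    return universe


def still_active(universe: Dict[str, Person], active_holders: Iterable[str]) -> Set[str]:
    """Departed people still on a badge system's active-holder extract
    (the Kastle and Enterprise access-card tests)."""
    return {uid for uid in active_holders if uid in universe}


def piv_not_destroyed(universe: Dict[str, Person], piv_status: Dict[str, str]) -> Set[str]:
    """Departed PIV holders whose card is not recorded as destroyed (the USAccess test)."""
    return {uid for uid, status in piv_status.items()
            if uid in universe and status != "destroyed"}


def deactivation_lag(universe: Dict[str, Person], deactivated_on: Dict[str, Optional[date]],
                     grace_days: int = 7) -> Dict[str, Optional[int]]:
    """Days from departure to building-access deactivation where that exceeds grace_days;
    a value of None means access was never deactivated."""
    lag: Dict[str, Optional[int]] = {}
    for uid, when in deactivated_on.items():
        if uid not in universe:
            continue
        if when is None:
            lag[uid] = None
        elif (when - universe[uid].departed).days > grace_days:
            lag[uid] = (when - universe[uid].departed).days
    return lag


def run_example() -> dict:
    # Constructed HRIS extract plus overlapping contractor lists (duplicate, pre-period,
    # never-onboarded with a pre-populated contract end date, and still-active entries).
    records = [
        Person("E1", "employee", date(2012, 2, 1), date(2016, 3, 1)),
        Person("E2", "employee", date(2014, 6, 1), date(2017, 5, 10)),
        Person("C1", "contractor", date(2015, 1, 4), date(2016, 9, 30)),
        Person("C1", "contractor", date(2015, 1, 4), date(2016, 9, 30)),   # duplicate
        Person("C2", "contractor", date(2014, 1, 4), date(2015, 12, 1)),   # pre-period
        Person("C3", "contractor", None, date(2017, 6, 30)),               # never onboarded
        Person("C4", "contractor", date(2016, 8, 1), None),                # still working
        Person("C5", "contractor", date(2016, 2, 1), date(2017, 4, 14)),
    ]
    universe = departed_universe(records)
    kastle_active = ["E9", "C4"]                  # constructed FHFA badge extract
    enterprise_active = ["E2", "C5", "E7"]        # constructed Enterprise badge extract
    piv_status = {"E1": "destroyed", "E2": "destroyed", "C5": "issued"}
    deactivated = {"E1": date(2016, 3, 2), "E2": date(2017, 5, 20), "C5": None}
    return {
        "universe": sorted(universe),
        "kastle": still_active(universe, kastle_active),
        "enterprise": still_active(universe, enterprise_active),
        "piv": piv_not_destroyed(universe, piv_status),
        "lag": deactivation_lag(universe, deactivated),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Each exception set is what an auditor would raise with the badge owner; an empty set for a system (as for the constructed Kastle extract here) is the "no exceptions" result.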




Testing Identified that FHFA Failed to Maintain Required Offboarding Forms, as
Mandated by its Records Retention Schedule

We previously explained that FHFA required all separating employees to complete a Pre-Exit
Clearance Form during the review period. We performed the following tests to determine
whether this requirement had been followed.

   •   Determine whether FHFA maintained a Pre-Exit Clearance Form for the 125
       employees who separated during the review period.

       Result of Test: Our review found that FHFA maintained a Pre-Exit Clearance Form
       for 122 of the 125 employees (98%) who separated during the review period. When
       we inquired about the form for the other three employees (2%), OHRM officials
       asserted that those forms were collected and reviewed by OHRM staff who were not
       familiar with the offboarding retention requirements and that OHRM could not locate
       forms for these individuals.

   •   Determine whether the Pre-Exit Clearance Forms maintained by FHFA were
       completed.

       Result of Test: Of the 122 employees who separated during the review period for
       whom a Pre-Exit Clearance Form was provided, we found that the forms for 95
       employees (78%) were completed. For the other 27 employees (22%), the forms were
       not complete: either they lacked sign-off by all of the required offices (10), or by the
       separating individual (14), or both (3). According to an FHFA official, there may have
       been instances when a separating employee was unable to obtain sign-off from one of
       the required offices. Assuming the validity of this explanation, it does not address the
       lack of attestation by 17 of the separating employees.

As discussed previously, FHFA tracked the collection of sensitive IT assets from employees
who separated during the review period with a Checklist and used the same Checklist for
departing contractor employees in 2017. For employees who separated during the review
period for whom OTIM completed the Checklist and collected sensitive IT assets, OTIM
certified on the Pre-Exit Clearance Form that this Checklist had been completed. FHFA also
required all separating employees and departing contractor employees to complete a Records
Form during the review period. We performed the following tests to determine whether these
requirements had been followed.

   •   Determine whether a Checklist (which reported collection of sensitive IT assets
       during the offboarding process) was maintained by OTIM for the 125 employees who
       separated during the review period and for the 66 contractor employees who departed
       during 2017.

       Result of Test: FHFA provided us with a completed Checklist for only 7 of these 191
       individuals (4%), all of whom were departed contractor employees. (FHFA provided
       no Checklists for the 125 separated employees.)

         As discussed, the Pre-Exit Clearance Form, which all separating employees were
         required to complete during the review period, required OTIM to sign-off that the
         Checklist had been completed. We found there was OTIM sign-off on the Pre-Exit
         Clearance Form for 119 separated employees (95%). For the other 6 employees (5%),
         either OTIM did not sign the form (3) or FHFA did not produce a Pre-Exit Clearance
         Form (3).

         When asked about the missing Checklists, an OTIM official explained that this was a
         records management failure by the prior Help Desk contractor who did not properly
         maintain the Checklists.

     •   Determine whether a Records Form had been maintained for the 234 individuals who
         separated or departed from FHFA during the review period (125 employees and 109
         contractor employees).

         Result of Test: FHFA provided us with a Records Form for 160 of the 234 individuals
         (68%) who separated or departed during the review period (110 separated employees
         and 50 departed contractor employees). For the 160 individuals for whom FHFA did
         provide a Records Form, we found the form was not properly completed for 28 of
         them. 14

         For the remaining 74 individuals (32%) (15 separated employees and 59 departed
         contractor employees), FHFA was unable to provide us with the completed Records
         Form. For 14 of the 15 separated employees, FHFA provided a Pre-Exit Clearance
         Form reflecting OTIM’s sign-off that the Records Form had been completed (FHFA
         did not provide a Pre-Exit Clearance Form for the other separated employee).

         For the 59 departing contractor employees who were not required to complete a Pre-
         Exit Clearance Form, we were unable to determine whether OTIM had signed off that
         the Records Form had been completed. We determined that FHFA lacked a control
         during the review period to ensure the Records Form was completed by contractor
         employees prior to departure.




14 For these 28 individuals: 15 did not complete all required sections of the form; and 13 individuals signed
both Sections 3 and 4, contradictorily signing off that they were not removing nonrecords and were removing
nonrecords.



Offboarding Policies and Procedures Are Incomplete

The Green Book provides broad guidance on internal controls and states that management
should design and document in policies control activities to achieve objectives and respond to
risk. These controls may be documented in management directives, administrative policies, or
operating manuals.

FHFA did not have written procedures or processes during the review period for two critical
elements of its offboarding processes: collection and deactivation of access cards for FHFA
facilities and collection and transfer of Enterprise access cards.


FINDINGS

FHFA Was Unable to Provide an Accurate Count of Departed Contractor Employees

FHFA officials reported that FHFA did not track the number of contractor employees who
departed; however, they committed to compile a list of those individuals. FHFA prepared
three different lists of contractor employees who departed during the review period from three
different internal FHFA systems, totaling 161 contractor employees. We found that FHFA’s
count required multiple adjustments, such as removing duplicate names. After making the
adjustments, we determined that 109 contractor employees departed FHFA during the review
period. By not having an accurate record of contractor personnel who departed, FHFA cannot
be assured that access to its facilities is limited to authorized personnel, all assets are
accounted for, and Agency information is secure.

PIV Cards and Enterprise Access Cards Were Either Not Accounted for or Not Collected

OFOM was responsible for collecting and deactivating FHFA building access cards (Kastle
cards and PIV cards), and collecting and transferring Enterprise access cards from separating
employees and departing contractor employees. However, we found that during the
offboarding process, FHFA did not always collect and deactivate PIV cards and did not
account for Enterprise access cards from the individuals to whom they were issued. For
example, we could not determine whether FHFA had collected PIV cards from 10 individuals
who offboarded during the review period. One contractor employee who departed from FHFA
in April 2017, continued to have building access until January 2019.

Further, we found that Enterprise records reflected that Enterprise access cards issued to
five employees and two contractor employees, who separated or departed during our review
period, were still active as of the dates of our inquiry (May 15, 2018, for one Enterprise and
February 18, 2018, for the other Enterprise).


We determined that FHFA did not have written procedures for the collection and deactivation of
PIV cards and the collection and transfer of Enterprise access cards.

FHFA Offboarding Forms Were Not Always Maintained or Properly Completed

FHFA is required to maintain its offboarding forms (Pre-Exit Clearance Form, Checklist, and
the Records Form) for seven years. However, FHFA was unable to produce many of these
forms and for the forms it did produce, many were not properly completed.

   Pre-Exit Clearance Form. We found that FHFA did not maintain the Pre-Exit Clearance
   Form for 3 of the 125 separated employees who were required to complete the form
   during the review period (departing contractor employees were not required to complete
   this form). Further, our analysis showed 27 of the 122 forms (22%) were incomplete:
   either not signed by all required offices, not signed by the separating individual, or both.

   Checklist. Of the 191 individuals for whom FHFA was required to complete the
   Checklist, FHFA could only provide 7 Checklists (4%). FHFA’s only explanation for this
   was a records management failure by the prior Help Desk contractor.

   Records Form. We found that of the 234 Records Forms that should have been
   maintained, FHFA could only provide 160 (68%). Further, of the 160 forms that were
   provided, we found that 28 were not completed properly. We also determined that during
   the review period, FHFA lacked a control to ensure the Records Form was completed by
   contractor employees prior to departure.


CONCLUSION AND RECOMMENDATIONS

Circular A-123 establishes management’s responsibility for internal controls in Federal
agencies and emphasizes the need to integrate and coordinate risk management and strong and
effective internal controls into existing business activities. One control in an effective internal
control system is written policies and/or procedures that are implemented by management.

As demonstrated by the findings above, we found shortcomings in the design of and
compliance with FHFA’s controls over its offboarding process for separated employees and
departed contractor employees during the review period. These shortcomings demand closer
attention by FHFA management to its offboarding policies, procedures, and practices to
prevent unauthorized access to its facilities and to ensure accountability for Agency property
and records.

We recommend that FHFA:


   1. Develop and implement written procedures for all offboarding activities, to include
      procedures for the collection and deactivation of access cards for FHFA facilities and
      the collection and transfer of Enterprise access cards.

   2. Ensure that PIV cards are collected, and building access is deactivated, for all
      separated and departed individuals to whom cards were issued. For unaccounted/lost
      PIV cards, ensure that building access associated with those cards is promptly
      deactivated.

   3. Implement controls to ensure all departed contractor employees complete applicable
      offboarding requirements.

   4. Reinforce, through training and supervision, that offices with offboarding
      responsibilities ensure offboarding forms are properly completed.

   5. Ensure that offboarding documentation is maintained in accordance with FHFA’s
      retention requirement.


FHFA COMMENTS AND OIG RESPONSE

We provided FHFA an opportunity to respond to a draft of this audit report. FHFA provided
technical comments on the draft report and those comments were considered in finalizing this
report. FHFA also provided a management response, which is included as Appendix 4 to this
report. In the management response, FHFA agreed with all five of our recommendations and
included its planned corrective actions to be taken by October 1, 2019. We consider FHFA’s
planned corrective actions responsive to our recommendations.


OBJECTIVE, SCOPE, AND METHODOLOGY

We performed this audit to (1) determine FHFA’s controls over its offboarding process for
separating FHFA employees and departing contractor employees to ensure the collection of
FHFA and Enterprise access cards, sensitive IT assets, and FHFA records and (2) assess
whether those controls were operating effectively. The audit covered calendar years 2016 and
2017 (review period). (Our audit excluded OIG’s controls over the offboarding process.)

To accomplish our objectives, we:

   1. Researched and identified applicable laws, regulations, and other requirements related
      to property and records management.

   2. Obtained and reviewed available FHFA policies and procedures on property and
      records management as they related to FHFA’s offboarding process.

   3. Interviewed FHFA officials to gain an understanding of FHFA’s offboarding process
      and controls related to property and records management.

   4. Obtained and analyzed information provided by FHFA related to the universe of
      FHFA employees and contractor employees who separated or departed FHFA during
      the review period.

   5. Reviewed a list of active Kastle card holders (access cards to the FHFA building) as of
      June 21, 2018, to determine whether any separated employees or departed contractor
      employees during our review period were on that list.

   6. Reviewed FHFA records related to the status of PIV cards during the review period to
      identify separated employees or departed contractor employees who still had active
      PIV cards after separation from FHFA. We inquired of FHFA officials about
      exceptions found.

   7. Reviewed records obtained from the Enterprises regarding the status of Enterprise
      building access cards to identify separated employees and departed contractor
      employees during the review period who still had active Enterprise access cards after
      separation or departure. For all such individuals, we inquired of FHFA and Enterprise
      officials about whether they had possession of the Enterprise access card.

   8. Determined for each FHFA employee and contractor employee that separated or
      departed from FHFA during our review period whether FHFA’s property, Enterprise
      access cards, and records management offboarding requirements were met. We did
      this by testing the collection of certain sensitive IT assets (laptops, desktop computers,
      iPhone devices, BlackBerry devices, tablets/iPads, external storage devices (i.e.,
      USBs), and RSA tokens) by FHFA and by obtaining and analyzing the following
      FHFA offboarding documents related to property and records: (1) Pre-Exit Clearance
      Form, (2) Checklist, and (3) Records Form.

      o We reviewed Pre-Exit Clearance Forms provided by FHFA for employees who
        separated during the review period to determine whether they completed FHFA’s
        offboarding process, obtained sign-off from all the responsible FHFA officials on the
        form, and signed the form themselves. We inquired of FHFA officials about any
        exceptions found. (The completion of the Pre-Exit Clearance Form was not
        required for contractor employees.)

      o We reviewed the Checklists provided by FHFA to determine whether OTIM had
        completed a Checklist for all FHFA employees who separated and contractor
        employees who departed during the review period. We inquired of FHFA officials
        about any exceptions found.

      o We reviewed the Records Forms provided by FHFA to determine whether a
        Records Form had been completed by all separated employees and departed
        contractor employees during the review period, whether the forms included the
        required certifications, and whether the forms were maintained in accordance with
        FHFA’s records retention requirements. We inquired of FHFA officials about any
        exceptions found.

We conducted this performance audit from March 2018 through March 2019 in accordance
with generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for the findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.




APPENDIX 1: FHFA’S PRE-EXIT CLEARANCE FORM USED IN
2016 AND 2017 15

15 The yellow-highlighted sections on the Pre-Exit Clearance Form were marked by FHFA. We have redacted
the names of the FHFA officials responsible for signing off on the form. FHFA updated this form several times
during 2016 and 2017 for changes in the responsible FHFA officials.



APPENDIX 2: ONE VERSION OF THE HELP DESK ASSET
RECOVERY & ACCOUNT TERMINATION CHECKLIST USED IN
2016 AND 2017 16

16 We redacted sensitive information from this example of the Help Desk Asset Recovery and Account
Termination Checklist. There were several versions of this checklist used during 2016 and 2017; the
information to be captured was similar in all versions.



APPENDIX 3: RECORDS AND INFORMATION MANAGEMENT
EXIT CLEARANCE FORM USED DURING 2016 AND 2017




APPENDIX 4: FHFA MANAGEMENT RESPONSE




ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

   •   Call: 202-730-0880

   •   Fax: 202-318-0239

   •   Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

   •   Call: 1-800-793-7724

   •   Fax: 202-318-0358

   •   Visit: www.fhfaoig.gov/ReportFraud

   •   Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219



