U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
Subject:
AUDIT OF THE U.S. OFFICE OF PERSONNEL
MANAGEMENT'S SECURITY GUARD CONTRACT
Report No. 4A-CA-OO-09-043 (
\
Date: January 21, 2010
. , .. ,.
..... :. :
":':', ... . .... . '.;' ~
"'-',
--CAUTION-
This audit report has be~n distributed to Federal officials who are 'responsible for the administration of the audited program.
This audit report may contain proprietary data which is protected by Federal law (18 U.S.c. 1905). Therefore, wbile this
audit report is available umler the Freedom of III formation Act and made available to the publk on the OIG web page, caution
needs to be extrci$Cd before releasing the report 10 Ihe general public as it may contain proprietary information tbal was
redacted from the publ,icly distributed copy.
" .... ,
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the
Inspector General
AUDIT REPORT
AUDIT OF THE U.S. OFFICE OF PERSONNEL
MANAGEMENT'S SECURITY GUARD CONTRACT
Report No. 4A-CA-OO-09-043 Date: January 21, 2010
~~
Michael R. Esser
Assistant Inspector General
for Audits
www.opm.gov www.usajobs.gov
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the
Inspector General
EXECUTIVE SUMMARY
AUDIT OF THE U.S. OFFICE OF PERSONNEL
MANAGEMENT'S SECURITY GUARD CONTRACT
Report No. 4A-CA-OO-09-043 Date: January 21, 2010
The Office of the Inspector General has completed a performance audit of the U.S. Office of
.PersOimel Management's (OPM's) Security Guard Contract. Our main objective was to
determine whether the Center for Security and Emergency Actions (CSEA) is providing effective
oversight ofOPM's Security Guard Contract. In order to make this determination, our audit
included the following specific objectives: (1) to detemline if the OPM security guards working
under the cunent contract meet the qualifications and training requirements; and (2) to detelmine
ifCSEA is effectively monitoring the perfonnance of the contracted guard force.
Our audit was conducted fiom July 20,2009 through September 30, 2009 at OPM's headqumters
in Washington, D.C. OUf audit identified three areas requiring improvement.
A. Security Guard Qualifications
1. Lack of Training and Certification Policies Procedural
The Center for Security and Emergency Actions did not have
documented policies aIld procedures in place to ensure that
all security guards working on the OPM contract had cunent
training and certifications.
www.opm.goy www.usajobs.goY
B. Security Guard Contract Oversight
1. Inadequate Quality Assurance Surveillance Plan (QASP) Procedural
Performance Measurements
The current QASP is ineffective in measuring the true
performance of the security guard contract.
2. Post Inspection Policy Not Followed Procedural
CSEA has not effectively followed its Post Inspection policy
to ensure that the security guards are properly securing the
Theodore Roosevelt Building.
11
TABLE OF CONTENTS
EXECUTIVE SUMMARY ..................................................... .
I. INTRODUCTION AND BACKGROUND......... ......... ...... ..... ...... 1
II. OBJECTIVES, SCOPE, AND METHODOLOGy...................... 3
III. AUDIT FINDINGS AND RECOMMENDATIONS.................... 5
A. Security Guard Qualifications
1. Lack of Training and Certification Policies...... ............ ...... 5
B. Security Guard Contract Oversight
1. Inadequate Quality Assurance Surveillance Plan
Performance Measurements .......................................... 7
2. Post Inspection Policy Not Followed........ ............... ..... ..... 8
IV. MAJOR CONTRlBUTORS TO THIS REPORT.................... ..... 10
APPENDIX (Center for Security and Emergency Actions Response, dated
November 19, 2009, to our draft report)
I. INTRODUCTION AND BACKGROUND
Introduction
This final audit report details the findings, conclusions, and recommendations resulting from our
performance audit ofthe U.S. Office of Personnel Management's (OPM) Security Guard
Contract. The audit was performed by OPM's Office of the Inspector General (OIG), as
authorized by the Inspector General Act of 1978, as amended.
Background
41 CFR 102-81.10 states that "Federal agencies on Federal property under the charge and control
of the Administrator and having a security delegation of authority from the Secretary of
Homeland Security must provide for the security and protection of the real estate they occupy,
including the protection of persons within the property." OPM's Management Services
Division's (MSD) Center for Security and Emergency Actions (CSEA) administers and provides
oversight ofOPM's Security Guard Contract. The Contracting Officer Technical Representative
(COTR) is responsible for the administration of the contract and for assuring compliance by the
contractor with the requirements of the contract. CSEA's primary mission is to ensure a safe and
secure work environment so that OPM business can proceed in an uninterrupted fashion at the
Theodore Roosevelt Building (TRB).
OPM provides for the protection of the TRB via contract security guards. OPM awarded a fixed
price contract (Contract no. P00407000425) through the General Services Administration
schedule in August 2007 to American Security Programs (ASP). The base year of the contract
was from September 1,2007 to August 31, 2008 with four one-year renewal options through
December 28,2012. American Security Programs is currently in the second of the four one-year
renewal options.
The contract states that the contractor shall provide armed guard services and appropriate
supervision to satisfactorily perform the access control and security services at the TRB in
accordance with established post orders. In addition, the contract maintains that the contractor
shall use properly trained employees at all times to perform the services, as prescribed in the
contract. The contractor will certify completion of all training requirements. No employee will
be assigned to perfonn under the contract without written notice to the contractor from the
Contracting Officer's Representative (COR), approving the firearms licensing and qualifications
ofthe individual employees.
The Federal Protective Service (FPS) Security Guard Information Manual provides information
on the primary responsibilities of security guards to control access to Federal property and to
assist in ensuring the safety of Federal property, employees, and visitors. Access controls
include checking visitors' and employees' identification; operating security equipment, such as
X-ray machines and Magnetometers to screen for prohibited materials; and reporting crimes and
incidents to security personnel.
1
OPM's Post Instructions and Orders provide the duties required of the security guards at each
guard post. The post instructions contain all current policies, orders/instructions, emergency
procedures, and any other information deemed pertinent to the TRB. The security guards are to
comply with all post instructions detailing responsibilities and duties to be performed at each
post, including general security guard code of conduct policies.
Contractor performance is evaluated via the Quality Assurance Surveillance Plan (QASP). The
QASP contains performance metrics that the security guards are evaluated against in terms of
compliance with the tenns of the contract and related policies and procedures and contractor
responsibilities. These include staffing, physical security, updating and maintaining
certifications, reconciliation of 139s (Record of Time of Arrival and Departure Contract Guard
Duty Register), management and customer service/public relations, and professionalism. The
categories of performance have an acceptable quality level (AQL) with payment
incentives/reductions based on the actual level of perfonnance attained as compared to the AQL.
The recommendations from our previous audit of OPM's Security Guard Contract (Report No.
4A-CA-OO-03-034), dated July 23, 2003, have been satisfactorily resolved.
2
II. OBJECTIVES, SCOPE, AND METHODOLOGY
Objectives
Our audit objective was to detemline whether OPM has effective oversight ofOPM's
Security Guard Contract. Specifically, our objectives were to:
• Determine if the OPM security guards working under the current contract
meet the qualification and training requirements.
• Determine if CSEA is monitoring performance of the security guard force
according to the QASP.
The recommendations included in this final report address these objectives.
Scope and Methodology
We conducted this performance audit in accordance with generally accepted government
auditing standards as established by the Comptroller General of the United States. Those
standards required that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our
audit objectives. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
The scope of our audit covered OPM's current contract with ASP.
We performed our audit from July 20 to September 30, 2009 at OPM headquarters in
Washington, D.C.
To accomplish the audit objectives noted above, we:
• Sampled, reviewed, and tested guard qualifications and certifications for
compliance with requirements;
• Sampled, reviewed, and tested CSEA's implementation of the QASP;
• Sampled, reviewed, and tested CSEA's post inspection policies and
procedures; and,
• Interviewed key representatives from CSEA responsible for managing the
security guard contract.
In planning our work we gained an understanding of the internal controls over CSEA's
oversight ofthe security guard contract. We also considered the internal control structure
to the extent necessary to develop our audit procedures. These procedures mainly were
substantive in nature. We did gain an understanding of management procedures and
controls to the extent necessary to develop our audit objectives. The purpose of our audit
is not to provide an opinion on internal controls, but merely to evaluate controls over the
processes that were included in the scope of our audit. Our audit included tests of
3
contract guard training and certification files~ verification and validation of QASP results
and post inspections; and other auditing procedures as we considered necessary under the
circumstances. The resuJts of our tests indicate that CSEA has adequate controls in place
for providing effective oversight ofOPM's security guard contract (P00407000425),
except for the areas set forth in the details of this audit report.
In conducting our audit, we judgmentally selected 24 of 67 security guards assigned to
work on OPM ContractP00407000425. We reviewed training folders in order to
determine if each security guard received the following training:
• Basic training as described in the FPS Security Guard Information Manual;
• Supervisory training (for supervisory level guards);
• 40-hour firearms training course and yearly recertification;
• Cardiopulmonary resuscitation (CPR) training with yearly recertification;
• First Aid course with recertification every three years; and
• Baton training course with recertification every two years.
In addition, we randomly selected four months (February, April, May and June) ofQASP
results and post inspections from the current contract period to test CSEA's oversight of
the security guard contract.
The results from the various samples were not projected to the population.
4
III. AUDIT FINDINGS AND RECOMMENDATIONS
Our audit disclosed that, with respect to the items tested, OPM has adequate controls in place for providing
effective oversight of its security guard contract, except for the areas set forth in the details of this audit
report. The areas requiring improvements are described below.
A. Security Guard Qualifications
1. Lack of Training and Certification Policies
CSEA did not have documented policies and procedures in place to ensure that all security
guards working on the OPM Contract had current training and certifications. During our
audit, we found that 3 of the 24 security guards' training folders sampled did not contain
evidence of training or certification for one or more of the required training classes and
certifications.
FPS stipulates the following training requirements and certifications that all contract guards
in Federal buildings must complete:
• Basic training as described in the FPS Security Guard Information Manual;
• Supervisory training (for supervisory level guards);
• 40-hour firearms training course and yearly recertification;
• Cardiopulmonary resuscitation training with yearly recertification;
• First Aid course with recertification every three years; and
• Baton training course with recertification every two years.
Contract P00407000425 states that the contractor shall use properly trained employees at all
times to perform the services as prescribed in the Contract and will certify completion of all
training requirements. No employee will be assigned to perform under the Contract without
written notice to the contractor from the COR or COTR, approving the firearms licensing and
qualifications of the individual employees. In addition, no contractor employee shall work
under the Contract without a valid Federal Protective Service (FPS) certification card.
CSEA does not proactively evaluate the training and certifications of the security guards
working on the OPM Contract. While all missing documentation was provided during the
course of our audit, the lack of documented policies and procedures for obtaining and
maintaining evidence of training increases the risk that the contracted security guards
responsible for securing the Theodore Roosevelt Building may be working on the OPM
Contract without proper training.
Recommendation 1
We recommend that CSEA perform a comprehensive review of all security guards' training
and certification documentation to ensure that training and certifications are current and
available.
5
Recommendation 2
We recommend that CSEA develop policies and procedures for reviewing training and
certification documentation for contracted security guards.
CSEA~s Response:
"While there is no regulatory, statutory or contractual requirement for the tracking or
maintenance of documentation of each individual training!certification element which
comprises the FPS A-I certification, CSEA has traditionally tracked this infonnation as an
added assurance that guards working on the TRB contract are appropriately trained and
vetted. While the training records CSEA maintains were incomplete for 3 of the 24
individuals sampled, it is important to note that all 3 individuals maintained valid FPS A-I
certifications. As such, at no time were any of the guards assigned to OPM posts without
proper and valid training certifications."
"As recommended, CSEA has conducted a thorough review of all the training and
certifications for each guard. Documentation for each individual training/certification
element is current. The OIG has been provided with evidence to show that the 3 individuals
missing training records were in fact current at the time of the OIG review. We will continue
to maintain up-to-date training and certifications for all guards. As noted in the OIG draft
report, we have prepared a draft standard operating procedure (SOP) for our COR in an effort
to improve our oversight ofthe guard program. We look forward to working with the OIG
closely to fine tune the SOP prior to issuance."
OIG Comment for Recommendation 1:
CSEA provided documentation to support the review of all security guards' training files and
the creation of a binder to maintain and support training and certification of all security
- guards working on the contract. We have reviewed the documentation and consider this
recommendation closed.
OIG Comment for Recommendation 2:
CSEA provided documented standard operating procedures for reviewing security guard
training and certification documentation. The procedures detail the training and certification
documentation that must be obtained and documented for each security guard workingon the
contract. We have reviewed the documentation and consider this recommendation closed.
6
B. Security Guard Contract Oversight
1. Inadequate Qualitv Assurance Surveillance Plan (QASP) Performance Measurements
The current QASP is ineffective in measuring the true performance of the security guard
contract. Specifically, the performance measures used in evaluating security guard
performance and completing the QASP are primarily SUbjective. During our audit, we were
unable to validate how actual perfonnance levels were obtained for the months sampled. The
COTR provided explanations of how the QASP actual perfonnance levels are calculated,
which include post inspections, incident reporting, customer complaints (non-verbal), and
reviewing Form 139s, which record the security guards' time of arrival and departure.
However, the COTR also utilizes undocumented measures, such as individual knowledge of
the contractor's operations, daily observation, and verbal customer complaints to measure the
contractor's performance.
Contract P00407000425 states that the QASP is OPM's codification of its method of
implementing FAR 37.601, which requires that performance-based contracts describe
requirements in terms of results rather than methods of work perfonnance; use measurable
performance standards (i.e., quality, timeliness, quantity, etc,) and quality assurance
surveillance plans; and specify the procedures used in reducing fees or the price of a fixed
price contract when services are not performed or do not meet contract requirements.
The Contract also states that the QASP should contain a performance standard element in
which important items are measurable; performance is auditable and capable of validation
(less subjective, quantifiable measures are preferred); and have a level of detail that
corresponds to the intent of the stated measure and expectation.
Based on the current QASP, the COTR does not have an effective tool to measure ASP's
contract performance.
Recommendation 3
We recommend that OPM's CSEA work with the Contracting Officer to revise its QASP to
ensure that it includes perfonnance measures that are auditable and capable of validation.
CSEA's Response:
"Toe QASP was incorporated in the Guard Services Contract, OPMP0040700042[5], and
modification 002, as required by Federal Acquisition Regulation (FAR) 37.601. The QASP
identifies critical categories, performance standards of those categories, the acceptable
quality level, and the method in which those categories would be monitored. Furthermore,
the QASP established performance incentives and addressed disincentives in compliance
with the FAR. We believe the measures are objective, though we welcome all infOlmation
on how to improve the performance measures."
7
OIG Comment:
CSEA provided its revised draft QASP for review. The revised QASP contains measurable
performance standards, and the QASP procedures define exactly how to measure each
standard. This recommendation will remain open until the revised QASP is approved by
Contracting and CSEA has implemented the QASP and provides actual performance results
for verification and validation.
2. Post Inspection Policy Not Followed
CSEA has not effectively followed its Post Inspection policy to ensure that the security
guards are properly securing the TRB. Based on our review of documented post inspections
for the four months sampled, CSEA was not able to substantiate that post inspections were
conducted in accordance with CSEA policy (two times per week). CSEA only conducted
one post inspection for each of the months tested. From the documentation provided we
established that:
• CSEA did not perform the required number afpast inspections for the months
sampled, and
• There is no weighting of post inspections as it applies to the QASP.
During our physical inspections, the following deficiencies were noted:
• One guard was reading while on duty;
• Some guards on duty stated they had not received random radio checks once every
hour; and
• Post Orders were not in the proper locations (at the post for which the orders were
established) .
.-In addition, during our physical post inspection review, we observed an ASP training
exercise where the contractor's test subject successfully gained access to the TRB with a
"'fake" gun concealed in the bottom of a laptop case. Following the exercise, all TRB
security guards were instructed in the proper handling of laptops. Furthermore, signage has
been posted at TRB guard posts requesting the removal of laptops from bags prior to
scanning.
CSEA's Contract Guard and Post Inspection policy states that the COTR or designated
representative is responsible for conducting inspections of contract security guards and posts
at least twice a week during duty hours and at least once every other week during non-duty
hours..
If posts are not properly maintained, TRB security may be at risk.
8
Recommendation 4
We recommend that OPM's CSEA follow its Post Inspection policy and perfonn inspections
at least twice a week during duty hours and at least once every other week during non-duty
hours. .
CSEA's Response:
"CSEA is currently conducting daily post inspections. Since CSEA has a 24 hour, 7 days per
week presence within the TRB, we have the ability to provide continuous oversight of the
guard contract to include weekends, holidays and non-core duty hours. We also confer daily
with the guard Project Manager to ensure proper compliance with our requirements. CSEA
has developed a draft updated CSEA Post Inspection Report checklist, which has been
provided to the OIG."
OIG Comment:
We evaluated the COTR's SOPs for the post inspections, which include specific
requirements for the post inspection process, such as defining what a post and post
inspections are and the types of post inspections that should be completed. CSEA also
provided a revised version of the post inspection checklist. CSEA has defined in their SOP's
what the post inspection process entails and has redesigned the checklist so that each guard
on duty can be evaluated at each post. We obtained the Post lnspection checklists for the
month of October and have validated that the inspections are being performed according to
CSEA's new "policy" of conducting daily post inspections. We consider this
recommendation closed. .
9
IV. MAJOR CONTRIBUTORS TO THIS REPORT
Internal Audits Group
. Team Leader
Jr., Chief
10
APPENDIX
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
.,' .•... - ..
2009 NOV 20 f+t1~tn4~, DC 20415
Management Services
Division November 19, 2009
MEMORANDUM FOR
Chief, Internal Audits Group
Office of Inspector Geneml
FROM: DEAN S. HUNTER
Deputy Associate Director -
~~
Center for Security and rgency Actions
SUBJECT: Response to Draft Report on the Audit of the U.S. Office of Personnel
Management's (OPM) Security Guard Contract
Please accept my sincere thanks and appreciation for the Office ofInspector General's (OIG) -F
audit of the Theodore Roosevelt Building (TRB) security guard contract (Report No. 4A-CA-OO- .
00-043). The security and safety of OPM employees, contractors and visitors at the TRB require
our strong commitment to provide a safe and secure work environment. Your audit provides an o.
opportunity to examine and improve our guard operations, as appropriate. Our response to the
OIG draft audit report findings and recommendations is provided below:
OIG Finding #1: Ineffective Training and Certification Policies: The Center for Security and
Emergency Actions does not have policies and procedures in place to ensure that all secl.lrity
guards working on the OPM contract have current training and certifications.
OIG Recommendation #1: We recommend that CSEA perform'a comprehensive
review of all security guards' training and certification documentation to ensure that
training and certifications are current and available.
OIG Recommendation #2: We recommend that CSEA develop policy and procedures
for reviewing training and certification documentation for contracted security guards.
CSEA Response: In accordance with the contract, a guard must obtain and maintain
Federal Protective Service (FPS) A-I certification. The guard demonstrates adherence to
the A-I certification by possession ofICE Form 78-3527, DHS Contract Guard
Certification Card, or Section J, Exhibit 4A, Contractor's Certification of Basic Tmining,
which are both issued by FPS, a component of the Department of Homeland Security
(DHS). Possession of the FPS Contract Guard Certification Cardandlor Section J,
Exhibit 4A, Contractor's Certification of Basic Training, satisfies by contract that the
guard meets the training and certification requirements for performance as a guard at
OPM.
www.opm.gov Our mission is to ensure the Federal Government has an effective civilian workforce www.usaJ.obs.gov
While there is no regulatory, statutory or contractual requirement for the tracking or
maintenance of documentation of each individual training/certification element which
comprises the FPS A-1 certification, CSEA has traditionally tracked this information as
an added assurance that guards working on the TRB contract are appropriately trained
and vetted. While the training records CSEA maintains were incomplete for 3 of the 24
individuals sampled, it is important to note that all 3 individuals maintained valid FPS A
I certifications. As such, at no time were any of the guards assigned to OPM posts
without proper and valid training and certifications.
Before assignment of a guard at OPM, the guard company presents appropriate training
and certification documentation to our COR. Upon favorable review of the training and
certification by the COR the guard is permitted to perfonn as a guard at OPM. For
example, we have recently completed the background investigation on 3 new guards, but
they are not being permitted onsite at OPM to perfonn as a guard lllltil we receive
validation of the guard training and certification requirements from the guard company.
Additionally, the COR has a very close and daily relationship with the guard company
Project Manager who is onsite at OPM, and our COR aggressively monitors any change
in our guard's training, certification, or performance.
As recommended, CSEA has conducted a thorough review of al] the training and
certifications of each guard. Documentation for each individual training/certification
element is current. The OIG has been provided with evidence to show that the 3
individuals missing training records were in fact current at the time of the OIG review.
We win continue to maintain up-to-date training and certifications for all guards. As
noted in the OIG draft report, we have prepared a draft standard operating procedure
(SOP) for our COR in an effort to improve our oversight of the guard program. We look
forward to working with the OIG closely to fme tune the SOP prior to issuance.
In addition to the actions noted above, CSEA has undertaken additional efforts above and
beyond the current contract to ensure that the TRB guard force is capable of ensuring the
safety and security of OPM employees and visitors on a daily basis. CSEA has secured
advanced x-ray and magnetometer training for all guards from the Federal Protective
Service. Further, CSEA recently procured and provided to the guards advanced x
ray/video training for enhanced detection of explosives, which is accessible at any time
during our x-ray operations. Our COR has attended guard firearm training qualifications
and has provided enhanced training to the guards on response operations at OPM in event
of an H1NI flu epidemic. In addition, we have partnered with the guard company in the
development of a contract guard proficiency exam, as well as a covert testing of guard x
ray screening capabilities. These measures are not required by contract, but demonstrate
CSEA's commitment to ensure high quality security guard services at the TRB.
OIG Finding # 2: Inadequate Quality Assurance Surveillance Plan (QASP) Performance
Measurements: The current QASP is ineffective in measuring the true perfonnance of the
security guard contract.
OIG Recommendation #3: We recommend that OPM's CSEA revise its QASP to
ensure that it includes quantifiable measures for evaluating guard performance.
CSEA Response: TJIe QASP was incorporated in the Guard Services Contract,
OPMP0040700042, and modification 002, as required by Federal Acquisition Regulation
(FAR) 37.60L The QASP identifies critical categories, performance standards of those
categories, the acceptable quality level, and the method in which those categories would
be monitored. Furthermore, the QASP established performance incentives and addressed
disincentives in compliance with the FAR. We believe the measures are objective,
though we welcome all information on how to ~prove the performance measures. We
are actively working with the OIG to address these issues.
OIG Finding #3: Ineffective Post Inspection Policy: CSEA's post inspection policy is not
effective in ensuring that OPM is properly secured.
Recommendation #4 deleted by OPM/OIG/IAG. Recommendation #5 (below) is now
Recommendation #4.
OIG Recommendation #5: We recommend that OPM's CSEA follow its post
inspection policy and perform inspections at least twice a week during duty hours and at
least once every other week during non-duty hours:
CSEA Response: CSEA is currently conducting daily post inspections. Since CSEA has
a 24 hour, 7days per week presence within the TRB, we have the ability to provide
continuous oversight of the guard contract to include weekends, holidays and non-core
duty hours. We also confer daily with the guard Project Manager to ensure proper
compliance with our requirements. CSEA has developed a draft updated CSEA Post
Inspection Report checklist, which has been provided to the OIG.
The post inspection process and depth ofreview/inspection recommended by the OIG
does pose a concern to CSEA in regards to compliance with the existing contract. We
will consult with the OPM Contracting Officer to ensure that revised inspection
procedures are com~istent with the existing contract and do not constitute a personal
services contract, which we understand is not permitted. Our staff comment about their
"inspection" of the guards is actually surveillance of guard performance as it relates to
the QASP. The QASP is the contractual vehicle by which we survey the guard
company compliance with our security requirements.
Again, we thank you for your efforts to improve the contract guard services at the TRB and we
appreciate the opportunity to comment on the draft audit report.. If additional information is
required, please have a member of your staff contact Chief, Security Services
Group, at (202) 606_
Audit of the U.S. Office of Personnel Management's Security Guard Contract
Published by the Office of Personnel Management, Office of Inspector General on 2010-01-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)