U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S SECURITY GUARD CONTRACT Report No. 4A-CA-OO-09-043 ( \ Date: January 21, 2010 . , .. ,. ..... :. : ":':', ... . .... . '.;' ~ "'-', --CAUTION- This audit report has be~n distributed to Federal officials who are 'responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.c. 1905). Therefore, wbile this audit report is available umler the Freedom of III formation Act and made available to the publk on the OIG web page, caution needs to be extrci$Cd before releasing the report 10 Ihe general public as it may contain proprietary information tbal was redacted from the publ,icly distributed copy. " .... , UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the Inspector General AUDIT REPORT AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S SECURITY GUARD CONTRACT Report No. 4A-CA-OO-09-043 Date: January 21, 2010 ~~ Michael R. Esser Assistant Inspector General for Audits www.opm.gov www.usajobs.gov UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the Inspector General EXECUTIVE SUMMARY AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S SECURITY GUARD CONTRACT Report No. 4A-CA-OO-09-043 Date: January 21, 2010 The Office of the Inspector General has completed a performance audit of the U.S. Office of .PersOimel Management's (OPM's) Security Guard Contract. Our main objective was to determine whether the Center for Security and Emergency Actions (CSEA) is providing effective oversight ofOPM's Security Guard Contract. In order to make this determination, our audit included the following specific objectives: (1) to detemline if the OPM security guards working under the cunent contract meet the qualifications and training requirements; and (2) to detelmine ifCSEA is effectively monitoring the perfonnance of the contracted guard force. Our audit was conducted fiom July 20,2009 through September 30, 2009 at OPM's headqumters in Washington, D.C. OUf audit identified three areas requiring improvement. A. Security Guard Qualifications 1. Lack of Training and Certification Policies Procedural The Center for Security and Emergency Actions did not have documented policies aIld procedures in place to ensure that all security guards working on the OPM contract had cunent training and certifications. www.opm.goy www.usajobs.goY B. Security Guard Contract Oversight 1. Inadequate Quality Assurance Surveillance Plan (QASP) Procedural Performance Measurements The current QASP is ineffective in measuring the true performance of the security guard contract. 2. Post Inspection Policy Not Followed Procedural CSEA has not effectively followed its Post Inspection policy to ensure that the security guards are properly securing the Theodore Roosevelt Building. 11 TABLE OF CONTENTS EXECUTIVE SUMMARY ..................................................... . I. INTRODUCTION AND BACKGROUND......... ......... ...... ..... ...... 1 II. OBJECTIVES, SCOPE, AND METHODOLOGy...................... 3 III. AUDIT FINDINGS AND RECOMMENDATIONS.................... 5 A. Security Guard Qualifications 1. Lack of Training and Certification Policies...... ............ ...... 5 B. Security Guard Contract Oversight 1. Inadequate Quality Assurance Surveillance Plan Performance Measurements .......................................... 7 2. Post Inspection Policy Not Followed........ ............... ..... ..... 8 IV. MAJOR CONTRlBUTORS TO THIS REPORT.................... ..... 10 APPENDIX (Center for Security and Emergency Actions Response, dated November 19, 2009, to our draft report) I. INTRODUCTION AND BACKGROUND Introduction This final audit report details the findings, conclusions, and recommendations resulting from our performance audit ofthe U.S. Office of Personnel Management's (OPM) Security Guard Contract. The audit was performed by OPM's Office of the Inspector General (OIG), as authorized by the Inspector General Act of 1978, as amended. Background 41 CFR 102-81.10 states that "Federal agencies on Federal property under the charge and control of the Administrator and having a security delegation of authority from the Secretary of Homeland Security must provide for the security and protection of the real estate they occupy, including the protection of persons within the property." OPM's Management Services Division's (MSD) Center for Security and Emergency Actions (CSEA) administers and provides oversight ofOPM's Security Guard Contract. The Contracting Officer Technical Representative (COTR) is responsible for the administration of the contract and for assuring compliance by the contractor with the requirements of the contract. CSEA's primary mission is to ensure a safe and secure work environment so that OPM business can proceed in an uninterrupted fashion at the Theodore Roosevelt Building (TRB). OPM provides for the protection of the TRB via contract security guards. OPM awarded a fixed price contract (Contract no. P00407000425) through the General Services Administration schedule in August 2007 to American Security Programs (ASP). The base year of the contract was from September 1,2007 to August 31, 2008 with four one-year renewal options through December 28,2012. American Security Programs is currently in the second of the four one-year renewal options. The contract states that the contractor shall provide armed guard services and appropriate supervision to satisfactorily perform the access control and security services at the TRB in accordance with established post orders. In addition, the contract maintains that the contractor shall use properly trained employees at all times to perform the services, as prescribed in the contract. The contractor will certify completion of all training requirements. No employee will be assigned to perfonn under the contract without written notice to the contractor from the Contracting Officer's Representative (COR), approving the firearms licensing and qualifications ofthe individual employees. The Federal Protective Service (FPS) Security Guard Information Manual provides information on the primary responsibilities of security guards to control access to Federal property and to assist in ensuring the safety of Federal property, employees, and visitors. Access controls include checking visitors' and employees' identification; operating security equipment, such as X-ray machines and Magnetometers to screen for prohibited materials; and reporting crimes and incidents to security personnel. 1 OPM's Post Instructions and Orders provide the duties required of the security guards at each guard post. The post instructions contain all current policies, orders/instructions, emergency procedures, and any other information deemed pertinent to the TRB. The security guards are to comply with all post instructions detailing responsibilities and duties to be performed at each post, including general security guard code of conduct policies. Contractor performance is evaluated via the Quality Assurance Surveillance Plan (QASP). The QASP contains performance metrics that the security guards are evaluated against in terms of compliance with the tenns of the contract and related policies and procedures and contractor responsibilities. These include staffing, physical security, updating and maintaining certifications, reconciliation of 139s (Record of Time of Arrival and Departure Contract Guard Duty Register), management and customer service/public relations, and professionalism. The categories of performance have an acceptable quality level (AQL) with payment incentives/reductions based on the actual level of perfonnance attained as compared to the AQL. The recommendations from our previous audit of OPM's Security Guard Contract (Report No. 4A-CA-OO-03-034), dated July 23, 2003, have been satisfactorily resolved. 2 II. OBJECTIVES, SCOPE, AND METHODOLOGY Objectives Our audit objective was to detemline whether OPM has effective oversight ofOPM's Security Guard Contract. Specifically, our objectives were to: • Determine if the OPM security guards working under the current contract meet the qualification and training requirements. • Determine if CSEA is monitoring performance of the security guard force according to the QASP. The recommendations included in this final report address these objectives. Scope and Methodology We conducted this performance audit in accordance with generally accepted government auditing standards as established by the Comptroller General of the United States. Those standards required that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The scope of our audit covered OPM's current contract with ASP. We performed our audit from July 20 to September 30, 2009 at OPM headquarters in Washington, D.C. To accomplish the audit objectives noted above, we: • Sampled, reviewed, and tested guard qualifications and certifications for compliance with requirements; • Sampled, reviewed, and tested CSEA's implementation of the QASP; • Sampled, reviewed, and tested CSEA's post inspection policies and procedures; and, • Interviewed key representatives from CSEA responsible for managing the security guard contract. In planning our work we gained an understanding of the internal controls over CSEA's oversight ofthe security guard contract. We also considered the internal control structure to the extent necessary to develop our audit procedures. These procedures mainly were substantive in nature. We did gain an understanding of management procedures and controls to the extent necessary to develop our audit objectives. The purpose of our audit is not to provide an opinion on internal controls, but merely to evaluate controls over the processes that were included in the scope of our audit. Our audit included tests of 3 contract guard training and certification files~ verification and validation of QASP results and post inspections; and other auditing procedures as we considered necessary under the circumstances. The resuJts of our tests indicate that CSEA has adequate controls in place for providing effective oversight ofOPM's security guard contract (P00407000425), except for the areas set forth in the details of this audit report. In conducting our audit, we judgmentally selected 24 of 67 security guards assigned to work on OPM ContractP00407000425. We reviewed training folders in order to determine if each security guard received the following training: • Basic training as described in the FPS Security Guard Information Manual; • Supervisory training (for supervisory level guards); • 40-hour firearms training course and yearly recertification; • Cardiopulmonary resuscitation (CPR) training with yearly recertification; • First Aid course with recertification every three years; and • Baton training course with recertification every two years. In addition, we randomly selected four months (February, April, May and June) ofQASP results and post inspections from the current contract period to test CSEA's oversight of the security guard contract. The results from the various samples were not projected to the population. 4 III. AUDIT FINDINGS AND RECOMMENDATIONS Our audit disclosed that, with respect to the items tested, OPM has adequate controls in place for providing effective oversight of its security guard contract, except for the areas set forth in the details of this audit report. The areas requiring improvements are described below. A. Security Guard Qualifications 1. Lack of Training and Certification Policies CSEA did not have documented policies and procedures in place to ensure that all security guards working on the OPM Contract had current training and certifications. During our audit, we found that 3 of the 24 security guards' training folders sampled did not contain evidence of training or certification for one or more of the required training classes and certifications. FPS stipulates the following training requirements and certifications that all contract guards in Federal buildings must complete: • Basic training as described in the FPS Security Guard Information Manual; • Supervisory training (for supervisory level guards); • 40-hour firearms training course and yearly recertification; • Cardiopulmonary resuscitation training with yearly recertification; • First Aid course with recertification every three years; and • Baton training course with recertification every two years. Contract P00407000425 states that the contractor shall use properly trained employees at all times to perform the services as prescribed in the Contract and will certify completion of all training requirements. No employee will be assigned to perform under the Contract without written notice to the contractor from the COR or COTR, approving the firearms licensing and qualifications of the individual employees. In addition, no contractor employee shall work under the Contract without a valid Federal Protective Service (FPS) certification card. CSEA does not proactively evaluate the training and certifications of the security guards working on the OPM Contract. While all missing documentation was provided during the course of our audit, the lack of documented policies and procedures for obtaining and maintaining evidence of training increases the risk that the contracted security guards responsible for securing the Theodore Roosevelt Building may be working on the OPM Contract without proper training. Recommendation 1 We recommend that CSEA perform a comprehensive review of all security guards' training and certification documentation to ensure that training and certifications are current and available. 5 Recommendation 2 We recommend that CSEA develop policies and procedures for reviewing training and certification documentation for contracted security guards. CSEA~s Response: "While there is no regulatory, statutory or contractual requirement for the tracking or maintenance of documentation of each individual training!certification element which comprises the FPS A-I certification, CSEA has traditionally tracked this infonnation as an added assurance that guards working on the TRB contract are appropriately trained and vetted. While the training records CSEA maintains were incomplete for 3 of the 24 individuals sampled, it is important to note that all 3 individuals maintained valid FPS A-I certifications. As such, at no time were any of the guards assigned to OPM posts without proper and valid training certifications." "As recommended, CSEA has conducted a thorough review of all the training and certifications for each guard. Documentation for each individual training/certification element is current. The OIG has been provided with evidence to show that the 3 individuals missing training records were in fact current at the time of the OIG review. We will continue to maintain up-to-date training and certifications for all guards. As noted in the OIG draft report, we have prepared a draft standard operating procedure (SOP) for our COR in an effort to improve our oversight ofthe guard program. We look forward to working with the OIG closely to fine tune the SOP prior to issuance." OIG Comment for Recommendation 1: CSEA provided documentation to support the review of all security guards' training files and the creation of a binder to maintain and support training and certification of all security - guards working on the contract. We have reviewed the documentation and consider this recommendation closed. OIG Comment for Recommendation 2: CSEA provided documented standard operating procedures for reviewing security guard training and certification documentation. The procedures detail the training and certification documentation that must be obtained and documented for each security guard workingon the contract. We have reviewed the documentation and consider this recommendation closed. 6 B. Security Guard Contract Oversight 1. Inadequate Qualitv Assurance Surveillance Plan (QASP) Performance Measurements The current QASP is ineffective in measuring the true performance of the security guard contract. Specifically, the performance measures used in evaluating security guard performance and completing the QASP are primarily SUbjective. During our audit, we were unable to validate how actual perfonnance levels were obtained for the months sampled. The COTR provided explanations of how the QASP actual perfonnance levels are calculated, which include post inspections, incident reporting, customer complaints (non-verbal), and reviewing Form 139s, which record the security guards' time of arrival and departure. However, the COTR also utilizes undocumented measures, such as individual knowledge of the contractor's operations, daily observation, and verbal customer complaints to measure the contractor's performance. Contract P00407000425 states that the QASP is OPM's codification of its method of implementing FAR 37.601, which requires that performance-based contracts describe requirements in terms of results rather than methods of work perfonnance; use measurable performance standards (i.e., quality, timeliness, quantity, etc,) and quality assurance surveillance plans; and specify the procedures used in reducing fees or the price of a fixed price contract when services are not performed or do not meet contract requirements. The Contract also states that the QASP should contain a performance standard element in which important items are measurable; performance is auditable and capable of validation (less subjective, quantifiable measures are preferred); and have a level of detail that corresponds to the intent of the stated measure and expectation. Based on the current QASP, the COTR does not have an effective tool to measure ASP's contract performance. Recommendation 3 We recommend that OPM's CSEA work with the Contracting Officer to revise its QASP to ensure that it includes perfonnance measures that are auditable and capable of validation. CSEA's Response: "Toe QASP was incorporated in the Guard Services Contract, OPMP0040700042[5], and modification 002, as required by Federal Acquisition Regulation (FAR) 37.601. The QASP identifies critical categories, performance standards of those categories, the acceptable quality level, and the method in which those categories would be monitored. Furthermore, the QASP established performance incentives and addressed disincentives in compliance with the FAR. We believe the measures are objective, though we welcome all infOlmation on how to improve the performance measures." 7 OIG Comment: CSEA provided its revised draft QASP for review. The revised QASP contains measurable performance standards, and the QASP procedures define exactly how to measure each standard. This recommendation will remain open until the revised QASP is approved by Contracting and CSEA has implemented the QASP and provides actual performance results for verification and validation. 2. Post Inspection Policy Not Followed CSEA has not effectively followed its Post Inspection policy to ensure that the security guards are properly securing the TRB. Based on our review of documented post inspections for the four months sampled, CSEA was not able to substantiate that post inspections were conducted in accordance with CSEA policy (two times per week). CSEA only conducted one post inspection for each of the months tested. From the documentation provided we established that: • CSEA did not perform the required number afpast inspections for the months sampled, and • There is no weighting of post inspections as it applies to the QASP. During our physical inspections, the following deficiencies were noted: • One guard was reading while on duty; • Some guards on duty stated they had not received random radio checks once every hour; and • Post Orders were not in the proper locations (at the post for which the orders were established) . .-In addition, during our physical post inspection review, we observed an ASP training exercise where the contractor's test subject successfully gained access to the TRB with a "'fake" gun concealed in the bottom of a laptop case. Following the exercise, all TRB security guards were instructed in the proper handling of laptops. Furthermore, signage has been posted at TRB guard posts requesting the removal of laptops from bags prior to scanning. CSEA's Contract Guard and Post Inspection policy states that the COTR or designated representative is responsible for conducting inspections of contract security guards and posts at least twice a week during duty hours and at least once every other week during non-duty hours.. If posts are not properly maintained, TRB security may be at risk. 8 Recommendation 4 We recommend that OPM's CSEA follow its Post Inspection policy and perfonn inspections at least twice a week during duty hours and at least once every other week during non-duty hours. . CSEA's Response: "CSEA is currently conducting daily post inspections. Since CSEA has a 24 hour, 7 days per week presence within the TRB, we have the ability to provide continuous oversight of the guard contract to include weekends, holidays and non-core duty hours. We also confer daily with the guard Project Manager to ensure proper compliance with our requirements. CSEA has developed a draft updated CSEA Post Inspection Report checklist, which has been provided to the OIG." OIG Comment: We evaluated the COTR's SOPs for the post inspections, which include specific requirements for the post inspection process, such as defining what a post and post inspections are and the types of post inspections that should be completed. CSEA also provided a revised version of the post inspection checklist. CSEA has defined in their SOP's what the post inspection process entails and has redesigned the checklist so that each guard on duty can be evaluated at each post. We obtained the Post lnspection checklists for the month of October and have validated that the inspections are being performed according to CSEA's new "policy" of conducting daily post inspections. We consider this recommendation closed. . 9 IV. MAJOR CONTRIBUTORS TO THIS REPORT Internal Audits Group . Team Leader Jr., Chief 10 APPENDIX UNITED STATES OFFICE OF PERSONNEL MANAGEMENT .,' .•... - .. 2009 NOV 20 f+t1~tn4~, DC 20415 Management Services Division November 19, 2009 MEMORANDUM FOR Chief, Internal Audits Group Office of Inspector Geneml FROM: DEAN S. HUNTER Deputy Associate Director - ~~ Center for Security and rgency Actions SUBJECT: Response to Draft Report on the Audit of the U.S. Office of Personnel Management's (OPM) Security Guard Contract Please accept my sincere thanks and appreciation for the Office ofInspector General's (OIG) -F audit of the Theodore Roosevelt Building (TRB) security guard contract (Report No. 4A-CA-OO- . 00-043). The security and safety of OPM employees, contractors and visitors at the TRB require our strong commitment to provide a safe and secure work environment. Your audit provides an o. opportunity to examine and improve our guard operations, as appropriate. Our response to the OIG draft audit report findings and recommendations is provided below: OIG Finding #1: Ineffective Training and Certification Policies: The Center for Security and Emergency Actions does not have policies and procedures in place to ensure that all secl.lrity guards working on the OPM contract have current training and certifications. OIG Recommendation #1: We recommend that CSEA perform'a comprehensive review of all security guards' training and certification documentation to ensure that training and certifications are current and available. OIG Recommendation #2: We recommend that CSEA develop policy and procedures for reviewing training and certification documentation for contracted security guards. CSEA Response: In accordance with the contract, a guard must obtain and maintain Federal Protective Service (FPS) A-I certification. The guard demonstrates adherence to the A-I certification by possession ofICE Form 78-3527, DHS Contract Guard Certification Card, or Section J, Exhibit 4A, Contractor's Certification of Basic Tmining, which are both issued by FPS, a component of the Department of Homeland Security (DHS). Possession of the FPS Contract Guard Certification Cardandlor Section J, Exhibit 4A, Contractor's Certification of Basic Training, satisfies by contract that the guard meets the training and certification requirements for performance as a guard at OPM. www.opm.gov Our mission is to ensure the Federal Government has an effective civilian workforce www.usaJ.obs.gov While there is no regulatory, statutory or contractual requirement for the tracking or maintenance of documentation of each individual training/certification element which comprises the FPS A-1 certification, CSEA has traditionally tracked this information as an added assurance that guards working on the TRB contract are appropriately trained and vetted. While the training records CSEA maintains were incomplete for 3 of the 24 individuals sampled, it is important to note that all 3 individuals maintained valid FPS A I certifications. As such, at no time were any of the guards assigned to OPM posts without proper and valid training and certifications. Before assignment of a guard at OPM, the guard company presents appropriate training and certification documentation to our COR. Upon favorable review of the training and certification by the COR the guard is permitted to perfonn as a guard at OPM. For example, we have recently completed the background investigation on 3 new guards, but they are not being permitted onsite at OPM to perfonn as a guard lllltil we receive validation of the guard training and certification requirements from the guard company. Additionally, the COR has a very close and daily relationship with the guard company Project Manager who is onsite at OPM, and our COR aggressively monitors any change in our guard's training, certification, or performance. As recommended, CSEA has conducted a thorough review of al] the training and certifications of each guard. Documentation for each individual training/certification element is current. The OIG has been provided with evidence to show that the 3 individuals missing training records were in fact current at the time of the OIG review. We win continue to maintain up-to-date training and certifications for all guards. As noted in the OIG draft report, we have prepared a draft standard operating procedure (SOP) for our COR in an effort to improve our oversight of the guard program. We look forward to working with the OIG closely to fme tune the SOP prior to issuance. In addition to the actions noted above, CSEA has undertaken additional efforts above and beyond the current contract to ensure that the TRB guard force is capable of ensuring the safety and security of OPM employees and visitors on a daily basis. CSEA has secured advanced x-ray and magnetometer training for all guards from the Federal Protective Service. Further, CSEA recently procured and provided to the guards advanced x ray/video training for enhanced detection of explosives, which is accessible at any time during our x-ray operations. Our COR has attended guard firearm training qualifications and has provided enhanced training to the guards on response operations at OPM in event of an H1NI flu epidemic. In addition, we have partnered with the guard company in the development of a contract guard proficiency exam, as well as a covert testing of guard x ray screening capabilities. These measures are not required by contract, but demonstrate CSEA's commitment to ensure high quality security guard services at the TRB. OIG Finding # 2: Inadequate Quality Assurance Surveillance Plan (QASP) Performance Measurements: The current QASP is ineffective in measuring the true perfonnance of the security guard contract. OIG Recommendation #3: We recommend that OPM's CSEA revise its QASP to ensure that it includes quantifiable measures for evaluating guard performance. CSEA Response: TJIe QASP was incorporated in the Guard Services Contract, OPMP0040700042, and modification 002, as required by Federal Acquisition Regulation (FAR) 37.60L The QASP identifies critical categories, performance standards of those categories, the acceptable quality level, and the method in which those categories would be monitored. Furthermore, the QASP established performance incentives and addressed disincentives in compliance with the FAR. We believe the measures are objective, though we welcome all information on how to ~prove the performance measures. We are actively working with the OIG to address these issues. OIG Finding #3: Ineffective Post Inspection Policy: CSEA's post inspection policy is not effective in ensuring that OPM is properly secured. Recommendation #4 deleted by OPM/OIG/IAG. Recommendation #5 (below) is now Recommendation #4. OIG Recommendation #5: We recommend that OPM's CSEA follow its post inspection policy and perform inspections at least twice a week during duty hours and at least once every other week during non-duty hours: CSEA Response: CSEA is currently conducting daily post inspections. Since CSEA has a 24 hour, 7days per week presence within the TRB, we have the ability to provide continuous oversight of the guard contract to include weekends, holidays and non-core duty hours. We also confer daily with the guard Project Manager to ensure proper compliance with our requirements. CSEA has developed a draft updated CSEA Post Inspection Report checklist, which has been provided to the OIG. The post inspection process and depth ofreview/inspection recommended by the OIG does pose a concern to CSEA in regards to compliance with the existing contract. We will consult with the OPM Contracting Officer to ensure that revised inspection procedures are com~istent with the existing contract and do not constitute a personal services contract, which we understand is not permitted. Our staff comment about their "inspection" of the guards is actually surveillance of guard performance as it relates to the QASP. The QASP is the contractual vehicle by which we survey the guard company compliance with our security requirements. Again, we thank you for your efforts to improve the contract guard services at the TRB and we appreciate the opportunity to comment on the draft audit report.. If additional information is required, please have a member of your staff contact Chief, Security Services Group, at (202) 606_
Audit of the U.S. Office of Personnel Management's Security Guard Contract
Published by the Office of Personnel Management, Office of Inspector General on 2010-01-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)