Management

DHS expanded the Insider Threat Program from monitoring user activity on its classified networks to monitoring cleared and non-cleared employees’ activity on unclassified networks. We initiated a project to determine Insider Threat Program progress in monitoring, detecting, and responding to malicious insider threats on unclassified DHS systems and networks. Before continuing its planned expansion of the Insider Threat Program, DHS needs to address several deficiencies that may hinder program effectiveness and efficiency. Although the expanded program was approved in January 2017, the Office of the Chief Security Officer has yet to revise, obtain approval for, and reissue required documentation.

The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. KPMG noted that the financial statements present fairly, in all material respects, DHS’ financial position as of September 30, 2018.

KPMG issued an adverse opinion on DHS’ internal control over financial reporting of its financial statements as of September 30, 2018. The report identifies the following six significant deficiencies in internal control, the first two of which are considered material weaknesses, and four instances where DHS did not comply with laws and regulations.

Annual report, Major Management and Performance Challenges Facing the Department of Homeland Security. Pursuant to the Reports Consolidation Act of 2000, the Office of Inspector General is required to issue a statement that summarizes what the Inspector General considers to be the most serious management and performance challenges facing the agency and briefly assess the agency’s progress in addressing those challenges. We acknowledge past and ongoing efforts by Department’s senior leadership to address the challenges identified in this report. At the same time, our aim in this report is two-fold ― to identify areas that need continuing focus and improvement and to point out instances in which senior leadership’s goals and objectives are not executed throughout the Department. We highlight persistent management and performance challenges that hamper the Department’s efforts to accomplish the homeland security mission efficiently and effectively.

DHS did not complete an assessment of the security value of the Transportation Worker Identification Credential (TWIC) program as required by law.  This occurred because DHS experienced challenges identifying an office responsible for the effort.  As a result, Coast Guard does not have a full understanding of the extent to which the TWIC program addresses security risks in the maritime environment.  This will continue to impact the Coast Guard’s ability to properly develop and enforce regulations governing the TWIC program. For example, Coast Guard did not clearly define the applicability of facilities that have certain dangerous cargo in bulk when developing a final rule to implement the use of TWIC readers at high-risk maritime facilities.  Without oversight and policy improvements in the TWIC program, high-risk facilities may continue to operate without enhanced security measures, putting these facilities at an increased security risk. In addition, Coast Guard needs to improve its oversight of the TWIC program to reduce the risk of transportation security incidents.  Due to technical problems and lack of awareness of procedures, Coast Guard did not make full use of the TWIC card’s biometric features as intended by Congress to ensure only eligible individuals have unescorted access to secure areas of regulated facilities.  During inspections at regulated facilities from FYs 2016 through 2017, Coast Guard only used electronic readers to verify, on average, about one in every 15 TWIC cards against TSA’s canceled card list.  This occurred because the majority of the TWIC readers in the field have reached the end of their service life.  Furthermore, the Coast Guard’s guidance governing oversight of the TWIC program is fragmented, which led to confusion and inconsistent inspection procedures.  This resulted in fewer regulatory confiscations of TWIC cards.  The Department concurred with our four recommendations, and described the corrective actions it is taking and plans to take.

Since FY 2014, DHS improved conference spending reporting and implemented policies and procedures to ensure proper oversight and accurate and timely reporting. However, we found instances where DHS did not comply with annual conference reporting requirements. The Department failed to report two conferences costing more than $100,000 each. The Department also did not always report all hosted conferences costing more than $20,000 to OIG within 15 days of the conclusion of each conference. In addition, the Department did not always properly record actual costs accurately and within 45 days of the conclusion of each conference. Although DHS did not always comply with reporting requirements, in most cases, its FY 2016 conference expenses appeared appropriate, reasonable, and necessary.

Pursuant to the Federal Information Security Modernization Act of 2014, we reviewed the Department’s security program, including its policies, procedures, and system security controls for the enterprise-wide intelligence system. Since our FY 2016 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. In addition, the United States Coast Guard is in the process of migrating its intelligence users to a system that is jointly managed by the Defense Intelligence Agency and the National Geospatial Agency.

The Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act) requires the Office of Inspector General to conduct an annual risk assessment and periodic audits on agency charge card programs. We conducted this audit to determine whether the Department of Homeland Security implemented internal controls to prevent illegal, improper, and erroneous purchases and payments. During fiscal year 2016, DHS reported spending approximately $1.2 billion in purchase, travel, and fleet card transactions. Although the Department has established internal controls for its charge card programs, the components we reviewed did not always follow DHS’ procedures. Our testing results of purchase, travel, and fleet card transactions revealed internal control weaknesses. Specifically, we found major internal control weaknesses that persisted at the United States Coast Guard and some control weaknesses within CBP’s Fleet Card Program.

KPMG LLP (KPMG), under contract with DHS OIG, conducted an integrated audit of DHS’ FY 2016consolidated financial statements and internal control over financial reporting. KPMG expressed an unmodified (clean) opinion on the Department’s FY 2016 financial statements. However, KPMG identified six significant deficiencies in internal control; three of which are considered material weaknesses. Consequently, KPMG issued an adverse opinion on DHS’ internal control over financial reporting. KPMG also reported instances in which DHS did not comply with four laws and regulations. The Department concurred with all of the recommendations in the report.

This report summarizes what we consider the most serious management and performance challenges to both the Department as a whole, as well as individual components challenges.  We remain concerned about the systemic nature of these challenges, some of which span multiple Administrations and changes in Department leadership.  We also assess the Department’s progress in addressing those challenges.  This year, we are reporting the Department’s major challenges in the following areas: Unity of Effort, Employee Morale and Engagement, Acquisition Management, Grants Management, Cybersecurity, Management Fundamentals.  We did not make any new recommendations in this report.