USSS

KPMG LLP, under contract with DHS OIG, audited the United States Secret Service’s financial statements and internal control over financial.  The resulting management letter discusses four observations related to internal control for management’s consideration.  The auditors identified internal control deficiencies in several processes including financial reporting; time and attendance approval; invoice entry and disbursements; and confidential financial disclosure reporting.  These deficiencies are not considered significant and were not required to be reported in our Independent Auditors' Report on DHS’ FY 2016 Financial Statements and Internal Control over Financial Reporting, dated November 14, 2016, included in the DHS FY 2016 Agency Financial Report.

Most of the deficiencies identified by the independent public accounting firm KPMG, LLP were related to access controls, segregation of duties, and configuration management.  The deficiencies collectively limited USSS’ ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability.  We recommend that USSS, in coordination with the Department of Homeland Security’s Chief Information Officer and Acting Chief Financial Officer, make improvements to USSS’ financial management systems and associated information.

The Protective Mission Panel (PMP) made a number of recommendations in its December 2014 classified report.  The objective of this review was to determine whether the Secret Service has taken or plans to take action to implement the PMP’s classified recommendations, which primarily relate to security gaps and vulnerabilities at the White House Complex (WHC).  The Secret Service has clearly taken these recommendations seriously.  Using funding appropriated for PMP initiatives, the Secret Service began enhancing security and refreshing technology at the WHC.  Fully implementing many of the PMP’s classified recommendations will depend on staff increases, sustained funding, and a multi-year commitment by Secret Service and Department leadership to ensure actions continue even during times of increased protective mission demands and unexpected priorities.  We made no recommendations in this report.

We determined that the U.S. Secret Service has clearly taken the Protective Mission Panel’s (PMP) recommendations seriously, which it has demonstrated by making a number of significant changes.  Specifically, it has improved communication within the workforce, better articulated its budget needs, increased hiring, and committed to more training.  However, fully implementing many of the PMP’s recommendations will require long-term financial planning, further staff increases, consistent re-evaluation of the initiated actions’ effectiveness, and a multi-year commitment by Secret Service and Department of Homeland Security leadership.  We have made five recommendations.

We determined that the U.S. Secret Service (USSS) did not have adequate protections in place on systems to which Master Central Index (MCI) information was migrated.  These problems occurred because USSS has not consistently made IT management a priority.  The USSS Chief Information Officer (CIO) lacked authority for all IT resources and was not effectively positioned to provide necessary oversight, inadequate attention was given to updating USSS IT policies, and high turnover and vacancies within the Office of the CIO meant a lack of leadership to ensure IT systems were properly managed.  In addition, USSS personnel were not adequately trained to successfully perform their duties. We made 10 recommendations to USSS and 1 recommendation to the DHS Privacy Office to reduce the risk of future unauthorized access and disclosure of sensitive information. The USSS and the DHS Privacy Officer concurred with these recommendations.

The Secret Service responded immediately to a November 2011 incident in which shots fired from an assault rifle hit the White House and participated in the ensuing investigation. However, the Secret Service did not conduct a formal after action review or a detailed analysis of its protective operations or investigative response, so it is not clear whether protective policies were followed. After the incident, the Secret Service spent at least $17 million to improve infrastructure around the White House and increase patrols; however, without a formal after action review and detailed analysis, the Secret Service cannot be certain these changes were necessary, would have minimized the potential threat, or improved the response to the incident.

Secret Service has a dual mission of protection and criminal investigations. To support its protective mission, officers carry radios, which are their first line of communication for events such as fence jumpers, suspicious packages, or protests. These radio systems are critical for day-to-day protective operations. Secret Service needs to upgrade the radio systems used around the White House complex, the Vice President’s Residence, and Foreign Diplomatic Embassies. If Secret Service continues to use these outdated radio communications systems, it may negatively impact their protective operations.