S&T

In FY 2018, S&T did not always adhere to DHS and internal purchase card policies and procedures.  Of 421 purchase card transactions selected for review, we identified 394 transactions that did not have required supporting documentation, separation of key transaction duties, approvals and other required signatures, or compliance with other risk-based procedures.  According to S&T officials, these issues were due to shortfalls in program oversight and training, as well as outdated policy.  We identified $63,213 in questionable costs associated with purchase card transactions.  We made four recommendations to improve S&T’s adherence to DHS policies and procedures for its Bankcard Program.  S&T concurred with the four recommendations. 

We determined that DHS needs to improve the collection and management of data across its multiple components to better serve and safeguard the public.  The data access, availability, accuracy, completeness, and relevance issues we identified presented numerous obstacles for DHS personnel who did not have essential information they needed for decision making or to effectively and efficiently carry out day-to-day mission operations.  Although DHS has improved its information security program and developed plans to improve quality and management of its data, follow through and continued improvement will be essential to address the internal control issues underlying the data deficiencies highlighted in the report.  We made no recommendations in the summary report.

We determined that despite requirements of the Homeland Security Act of 2002, as amended, the Science and Technology Directorate (S&T) did not effectively coordinate and integrate department-wide research and development (R&D) activities.  In August 2015, S&T established Integrated Product Teams (IPTs) as the central mechanism to identify, track, and coordinate department-wide priority R&D efforts.  However, S&T did not follow its IPT process as intended.  Specifically, not all components submitted all information on capability gaps to the IPTs; S&T did not effectively gather, track, and manage data on the Department’s R&D gaps and activities; and S&T did not adequately monitor the IPT process to ensure it was effective.  As a result, S&T may not be able to provide the Secretary of Homeland Security and Congress with an accurate profile of the Department’s R&D activities or justify funding needs for a wide range of missions, including securing the border, detecting nuclear devices, and screening airline passengers.  We made three recommendations to improve S&T’s coordination of R&D activities across DHS.  S&T concurred with our recommendations.

The Department of Homeland Security (DHS) did not promptly fulfill its first requirement mandated by Public Law 114-278. Specifically, DHS delayed commissioning a comprehensive assessment of the effectiveness of the Transportation Security Card Program in enhancing security and reducing security risks for facilities and vessels. The public law required the assessment to begin no later than 60 days after its enactment. However, DHS did not award a work order for the assessment for more than a year after the deadline.  TSA only partially complied with requirements mandated by the public law. Of the six required actions, TSA partially complied with two and fully complied with four. We have concerns with aspects of TSA’s responses to all of the required actions.

In November 2017, CBP awarded Accenture a $297 million contract to help meet the demands of recruiting and hiring agents and officers under the President’s January 25, 2017 Executive Order, Border Security and Immigration Enforcement Improvements. The contract includes 1 base year, with 4 option years, to hire 7,500 fully qualified applicants, including Customs and Border Protection Officers, Border Patrol Agents, and Air and Marine Interdiction Agents. In its first year, CBP’s contract with Accenture has already taken longer to deploy and delivered less capability than promised. Accenture is nowhere near satisfying its 7,500-person hiring goal over the next 5 years. Further, CBP has used significant staffing and resources to help Accenture do the job for which it was contracted. As such, we are concerned that CBP may have paid Accenture for services and tools not provided. Without addressing the issues we have identified, CBP risks wasting millions of taxpayer dollars on a hastily approved contract that is not meeting its proposed performance expectations. CBP must hold the contractor accountable, mitigate risk, and devise a strategy to ensure results without additional costs to the Government.

We conducted our review of the Science and Technology’s (S&T) insider threat program between January 2017 and June 2017.  S&T is the primary research arm of the Department of Homeland Security (DHS).  Its mission is to strengthen the Nation’s security and resiliency by providing knowledge products and innovative solutions to support DHS mission operations.  Specifically, Congress created S&T in 2003 to conduct basic and applied research, development, demonstration, testing, and evaluation activities relevant to any or all elements of the Department.  S&T oversees laboratories where scientists perform mission-critical research on chemical and biological threats, radiological and nuclear detection, animal diseases, transportation security, and explosives trace identification.  S&T employees, contractors, and business partners—especially those with special or elevated privileges—can potentially use their inside knowledge and access to exploit vulnerabilities and cause harm to mission-critical systems and operations.  We made nine recommendations that, if implemented, should strengthen S&T’s management of insider threat risks.  The Department concurred with all of the recommendations.

DHS did not comply with IPERA because it did not meet one of the six IPERA requirements. Specifically, DHS did not meet its annual reduction targets for 2 of 14 programs. Additionally, we determined that DHS did not provide adequate oversight of the component’s improper testing and reporting.

KPMG LLP, under contract with DHS OIG, audited the S&T financial statements and internal control over financial reporting.  The resulting management letter discusses three observations related to internal control for management’s consideration.  The auditors identified internal control deficiencies in several processes including journal entry review processes; procurement and financial management system reconciliations; and intra-governmental payment and collection expense review and approval.  These deficiencies are not considered significant and were not required to be reported in our Independent Auditors' Report on DHS’ FY 2016 Financial Statements and Internal Control over Financial Reporting, dated November 14, 2016, included in the DHS FY 2016 Agency Financial Report.

The Science and Technology Directorate (S&T) main financial application is owned and operated by U.S. Immigration and Customs Enforcement (ICE).  As a service provider, ICE provides support to S&T.  KPMG identified general information technology control deficiencies at ICE that could potentially impact S&T’s financial data, and as such, issued a finding.  The deficiencies collectively limited S&T’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability.  We recommended that S&T, in coordination with the Department of Homeland Security’s CIO and ACFO, make improvements to S&T’s financial management systems and associated information technology security program.