DHS OIG, OIG-14-96, Information Technology Management Letter for the FY 2013 United States Customs and Border Protection Financial Statement Audit (2014)
DHS OIG
DHS OIG
Department of Homeland Security 2IÀFHRI,QVSHFWRU*HQHUDO Information Technology Management Letter for the FY 2013 United States Customs and Border Protection Financial Statement Audit OIG-14-96 May 2014 MEMORANDUMFOR: FROM: SUBJECT: OFFICE OF INSPECTOR GENERAL Department of Homeland Security Washington, DC 20528 / www.oig.dhs.gov May28,2014 CharlesArmstrong ChiefInformationOfficer U.S.CustomsandBorderProtection DeborahSchilling ChiefFinancialOfficer U.S.CustomsandBorde rProtection RichardHarsche ActingAssistantInspectorGeneral OfficeofInformationTechnologyAudits InformationTechnologyManagementLetterfortheFY 2013UnitedStatesCustomsandBorderProtection FinancialStatementAudit Attachedforyourinformationisourfinalreport,InformationTechnologyManagement LetterfortheFY2013UnitedStatesCustomsandBorderProtectionFinancialStatement Audit.Thisreportcontainscommentsandrecommendationsrelatedtoinformation technologyinternalcontroldeficienciesthatwerenotrequiredtobereportedinthe IndependentAuditors’Report. WecontractedwiththeindependentpublicaccountingfirmKPMGLLP(KPMG)to conducttheauditofDepartmentofHomelandSecurityfiscalyear2013consolidated financialstatements.ThecontractrequiredthatKPMGperformitsauditaccordingto generallyacceptedgovernmentauditingstandardsandguidancefromtheOfficeof ManagementandBudgetandtheGovernmentAccountabilityOffice.KPMGis responsiblefortheattachedmanagementletterdatedMarch19,2014,andthe conclusionexpressedinit. Pleasecallmewithanyquestions,oryourstaffmaycontactSharonHuiswoud,Director, InformationSystemsAuditDivision,at(202)254Ͳ5451. Attachment KPMG LLP Suite 12000 1801 K Street, NW Washington, DC 20006 March 19, 2014 Office of Inspector General, Chief Information Officer and Chief Financial Officer, U.S. Department of Homeland Security Chief Information Officer and Chief Financial Officer, U.S. Customs and Border Protection Ladies and Gentlemen: In planning and performing our audit of the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a component of the U.S. Department of Homeland Security (DHS), and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources as of and for the years ended September 30, 2013 and 2012 (hereinafter, referred to as “consolidated financial statements”), in accordance with auditing standards generally accepted in the United States of America, we considered CBP’s internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of CBP’s internal control. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and the Office of Management and Budget (OMB) Bulletin No. 14- 02, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. Accordingly, we do not express an opinion on the effectiveness of CBP’s internal control.
In accordance with Government Auditing Standards, our Independent Auditors’ Report, dated January 30, 2014, included internal control deficiencies identified during our audit that represented a significant deficiency in information technology (IT) controls at CBP. This letter represents the separate limited distribution report mentioned in that report. During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management and communicated through Notices of Findings and Recommendations (NFRs), are intended to improve internal control or result in other operating efficiencies and are summarized as described below.
With respect to CBP’s financial systems’ IT controls, we noted certain matters in the areas of security management, access controls, configuration management, contingency planning, and IT application controls. These matters are described in the General IT Control Findings and Recommendations and IT Application Controls sections of this letter. The Table of Contents identifies each section of the letter. We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2013 CBP consolidated financial KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity. statement audit engagement in Appendix A, and a list of each IT NFR communicated to management during our audit in Appendix B. Our audit procedures are designed primarily to enable us to form an opinion on the financial statements, and therefore may not bring to light all deficiencies in policies or procedures that may exist.
We aim, however, to use our knowledge of CBP’s organization gained during our work to make comments and suggestions that we hope will be useful to you. We would be pleased to discuss these comments and recommendations with you at any time. The purpose of this letter is solely to describe comments and recommendations intended to improve internal control or result in other operating efficiencies. Accordingly, this letter is not suitable for any other purpose.
Very truly yours, Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 TABLE OF CONTENTS Objective, Scope, and Approach Summary of Findings General IT Control Findings and Recommendations Findings Security Management Access Controls Configuration Management Contingency Planning Recommendations Security Management Access Controls Configuration Management Contingency Planning IT Application Controls APPENDICES Subject Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2013 CBP Financial Statement Audit FY 2013 IT Notices of Findings and Recommendations at CBP Appendix A B Page 2 4 5 5 5 5 6 6 6 6 6 8 8 8 Page 9 12 1 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 OBJECTIVE, SCOPE, AND APPROACH Objective We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2013 and 2012, and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (referred to herein as the “fiscal year (FY) 2013 consolidated financial statements”). In connection with our engagement to audit CBP’s consolidated financial statements, we performed an evaluation of selected general information technology (IT) controls (GITCs) and IT application controls at CBP to assist in planning and performing our audit engagement. Scope The scope of our GITC and IT application control test work is described in Appendix A, which provides a description of the key CBP financial systems and IT infrastructure within the scope of the FY 2013 CBP consolidated financial statement audit engagement. Approach General Information Technology Controls The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. Government Accountability Office, formed the basis of our GITC evaluation procedures.
FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a Federal agency. FISCAM defines the following five control categories to be essential to the effective operation of GITCs and the IT environment: x Security Management – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. x In conjunction with our test work of security management GITCs, limited after-hours physical security testing at select CBP facilities was conducted to identify potential control deficiencies in non-technical aspects of IT security. x Access Control – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure. x Configuration Management – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended. 2 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 x We performed technical information security testing for key CBP network and system devices.
The technical security testing was performed from within select DHS facilities and focused on production devices that directly support CBP’s financial processing and key general support systems. x Segregation of Duties – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations. x Contingency Planning – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur. IT Application Controls We performed testing over selected key IT application controls on financial systems and applications to assess the financial systems’ internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll. 3 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 SUMMARY OF FINDINGS During FY 2013, CBP took corrective action to address certain prior year IT control deficiencies.
For example, CBP made improvements over designing and implementing certain configuration management and security management controls over CBP information systems, as well as strengthening and improving controls around physical and logical access (including enforcement of segregation of duties). However, during FY 2013, we continued to identify IT application control deficiencies related to financial system functionality, and GITC deficiencies related to controls over physical and logical access (including the generation and review of audit logs), configuration management, and contingency planning, for CBP core financial and feeder systems and associated General Support System (GSS) environments. Collectively, the IT control deficiencies limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted CBP’s internal controls over financial reporting and its operations.
We consider certain deficiencies to represent a significant deficiency at CBP under standards established by the American Institute of Certified Public Accountants. Of the 29 IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing, 17 were repeat findings, either partially or in whole from the prior year, and 12 were new findings. The 29 IT NFRs issued represent deficiencies in four of the five FISCAM general IT control categories, as well as in the area of IT application controls. The majority of findings resulted from the lack of properly documented, fully designed and implemented, adequately detailed, and consistently implemented financial system controls to comply with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology (NIST) guidance.
Specifically, the findings stem from: 1. Inadequately designed and ineffective access control policies and procedures relating to the management of logical and physical access to financial applications, databases, and support systems; 2. Insufficient logging of system events and monitoring of audit logs; 3. Patch, configuration, and vulnerability management control deficiencies within systems; 4.
Inconsistently implemented backup management controls; and 5. System functionality limitations preventing adequate implementation of automated preventative or detective controls to support management and implementation of custodial revenue and drawback processes. These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and CBP financial data could be exploited, thereby compromising the integrity of CBP financial data used by management and reported in the consolidated financial statements. While the recommendations made by us should be considered by CBP, it is the ultimate responsibility of CBP management to determine the most appropriate method(s) for addressing the deficiencies identified.
4 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS Findings During our audit of the FY 2013 CBP consolidated financial statements, we identified the following GITC deficiencies. Certain deficiencies, in the aggregate, are considered a significant deficiency at CBP. For our assessment of the deficiencies, see Appendix B. Security Management x Separation clearance actions for separated or transferred Federal employees and contractors were not consistently or timely documented or implemented in accordance with DHS and CBP policy. After-Hours Physical Security Testing On June 26 and July 22, 2013, we performed after-hours physical security testing to identify risks related to non-technical aspects of IT security.
These non-technical IT security aspects included physical access to printed or electronic media, equipment, or credentials residing within a CBP employee’s or contractor’s work area or shared workspaces which could be used by others to gain unauthorized access to financial systems or other systems containing sensitive information. The testing was performed at various CBP locations in the Washington, DC, metropolitan area and Indianapolis, Indiana that process, maintain, and/or have access to financial data. We observed 123 instances where passwords, sensitive IT information (such as server names or IP addresses), keys, unsecured or unlocked credentials, credit cards, laptops, remote access devices, and external media, and printed materials marked “For Official Use Only” or containing sensitive Personally Identifiable Information were accessible by individuals without a “need to know”. Access Controls x Segregation of duties conflicts existed relative to administrator accounts on configuration management utilities used for CBP financial applications, and compensating controls to log and review administrator activity were not consistently implemented. x DHS and CBP requirements for password complexity and lifetime were not fully implemented for accounts on the Systems, Applications, and Products (SAP) UNIX server, Automated Commercial Environment (ACE) Advanced Interactive eXecutive (AIX) operating system, and ACE Database 2 (DB2). x Audit logs, including logs of emergency developer access to the production environment, for components of the SAP and Automated Commercial System (ACS) environments (including the application, database, and operating system/mainframe layers) were not consistently reviewed by management in accordance with DHS and CBP policy, and risk assessments were not performed to identify relevant security events subject to requirements for logging and periodic review.
5 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 x Developers were granted emergency access functions within the ACS production environment in violation of the principles of least privilege as referenced in NIST. The access granted was not commensurate with job responsibilities. x Account management activities on CBP financial systems (including the application, database, and operating system/mainframe layers) and the District of Columbia (DC) Metropolitan (Metro) Local Area Network (LAN), including authorization of new access, periodic recertification of access, and revocation of access from separated or transferred Federal employees and contractors, were not consistently or timely documented or implemented in accordance with DHS and CBP policy. x Logs of visitor access to the server room within the National Data Center were not consistently maintained. x DHS and CBP requirements for the assignment of unique application account identifiers were not consistently implemented. Configuration Management x Security patch management and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the SAP environment. x Access to CBP application test and development environments was not consistently or timely documented or authorized in accordance with DHS and CBP policy. Contingency Planning x Backup parameters were not configured in accordance with CBP requirements.
Recommendations We recommend that the CBP Office of the Chief Information Officer (OCIO) and Office of the Chief Financial Officer (OCFO) make the following improvements to CBP’s financial management systems and associated IT security program (in accordance with CBP and DHS requirements, as applicable). Security Management x Continue to maintain and enforce existing security awareness campaigns, enhance focus on conducting periodic desktop reviews, and consider adding penalties for users with multiple recurring documented violations of security awareness policies and physical security requirements. Access Controls x Evaluate and enforce the configuration management Administrator access audit log process to ensure that configuration management Administrator access audit logs are being reviewed on a monthly basis, documented and audit log review evidence is maintained. 6 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 x Implement technical controls, including a password value check, to ensure that passwords for CBP operating system and database accounts are configured in accordance with DHS and CBP requirements for complexity and lifetime. x Perform and document a risk assessment to identify relevant security events on the SAP and ACS environments which should be subject to requirements for logging and periodic review. x Conduct a cost-benefit analysis to determine the feasibility of implementing a tool or enhanced system functionality to automate the aggregation and review of system logs. x x Implement monitoring controls over the audit log review process in the SAP and ACS environments to ensure that audit logs, including logs of emergency developer access to the production environment, are being reviewed by management on a periodic basis, are documented, and audit log review evidence is maintained .
Implement monitoring controls over the account management process within the ACS production environment, including relative to developer emergency access to production, to ensure that access granted is limited to necessary application functions commensurate with job responsibilities. x Perform a root cause analysis to determine the source of instances of non-compliance with the annual account recertification process and, if appropriate, develop an enterprise-level solution to implement monitoring controls to ensure that all accounts are recertified annually. x Implement monitoring controls over the account management process, including escalation to management for follow-up and enforcement as appropriate, to ensure that all users are granted access to CBP systems. x Perform a root cause analysis to determine the source of instances of non-compliance with separation and transfer clearance and account revocation processes for Federal employees and contractors and implement monitoring controls to ensure that all access to CBP systems is revoked in a timely manner. x Review and, if appropriate, update, disseminate and implement monitoring controls to enforce revised CBP directives to ensure that the process for tracking contractor employees is consistent. x Review and, if appropriate, update, disseminate, and implement monitoring controls to enforce the physical security and visitor access management policies and procedures to ensure that visitor access to the server room is consistently logged. x Implement monitoring controls over the account provisioning process to ensure that all users are assigned unique application account identifiers. 7 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 Configuration Management x Implement the specific vendor-recommended corrective actions detailed in the NFRs that were issued for deficiencies identified during the vulnerability assessment. x Document and implement a formal access management policy for granting access to CBP application test and environments to ensure that access is consistently and timely documented and authorized. Contingency Planning x Implement monitoring controls over backup processes and system configurations to ensure that backups continue to be performed daily. IT APPLICATION CONTROLS ication control and During the FY 2013 CBP financial statement audit, we identified the following IT appl financial system functionality deficiency that, when aggregated with the GITC deficiencies, is considered a significant deficiency at CBP: Finding x ACS lacks the controls necessary to prevent, or detect and correct excessive drawback claims.
Specifically, the programming logic for the system does not link drawback claims to imports at a detailed, line item level. This would potentially allow the importer to receive payment in excess of an allowable amount. Recommendation x We recommend that the CBP OCIO and OCFO continue to pursue alternative compensating or automated controls and measures that may ultimately remediate the risk of overpayment and identify the potential revenue loss exposure to CBP. These alternative internal controls over drawback claims may enhance CBP’s ability to compare, verify, and track essential information on drawback claims and identify duplicate or excessive drawback claims.
8 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 Appendix A Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2013 CBP Financial Statement Audit 9 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 Appendix A Below is a description of significant CBP financial management systems and supporting IT infrastructure included in the scope of the CBP FY 2013 financial statement audit. Systems, Applications, and Products (SAP) Enterprise Central Component (ECC) SAP is CBP’s financial system of record. SAP is a major integrated client/server-based financial management system implemented by CBP to manage assets (e.g., budget, logistics, procurement, and related policy) and revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP instance includes several modules (including ECC 6.0, Intelligent Procurement, and Budget Tools) that provide system functionality for Funds Management, Budget Control, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable functionality, among others.
The SAP ECC financial management system was included within the scope of the FY 2013 financial statement audit. The Border Enforcement and Management Systems (BEMS) Program Office and the Enterprise Data Management and Engineering (EDME) Program Office own the SAP application, UNIX and Windows operating systems and Oracle database located in Virginia (VA). Automated Commercial Environment (ACE) ACE is the commercial trade processing system being developed and implemented by CBP to replace the Automated Commercial System (ACS). The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to Federal agencies.
ACE is a custom-developed, internet-facing, multi-tier system with high availability characteristics, and it processes sensitive data. ACE is being deployed in phases over several years. As a result, some financial modules will remain in the ACS operating environment until they can be developed and deployed in ACE. Since ACE was partially implemented during FY 2013, it was included within the scope of the FY 2013 financial statement audit.
The Cargo Systems Program Office (CSPO), the Enterprise Networks and Technology Support (ENTS) Program Office and the EDME Program Office own the ACE application, AIX operating system and DB2 database located in VA. Automated Commercial System (ACS) ACS is a collection of seven mainframe-based sub-systems used by the CBP to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal Government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, and provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations, illegal imports and terrorist activities. The ACS system was included within the scope of the FY 2013 financial statement audit.
The CSPO and the ENTS Program Office own the ACS application and mainframe located in VA. District of Columbia Metropolitan Local Area Network (DC Metro LAN) The DC Metro LAN provides CBP’s DC area employees and contractors user access to enterprise-wide applications and systems. The mission of the DC Metro LAN is to support the mission of CBP 10 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 Appendix A operational elements in the DC Metro LAN region of the organization. The boundary of the DC Metro LAN includes tools such as personal computers, laptop computers, printers and file/print servers which enable CBP officers and agents to interact with all other applications and systems in the CBP environment.
The DC Metro LAN supports ACE, ACS, and SAP and provides authentication mechanisms that are used by SAP for single sign on capability; as a result, the DC Metro LAN was included within the scope of the FY 2013 financial statement audit. The Field Support Program Office and the EDME Program Office own the DC Metro LAN located in VA. 11 Department of Homeland Security Information Technology Management Letter Customs and Border Protection September 30, 2013 FY 2013 IT Notices of Findings and Recommendations at CBP Appendix B 12 B x i d n e p p A 2 e r o M t n a c i f i n g i S t a e p e R e u s s I w e N e u s s I X X X X X X X X . a t a d X X X X X X X X X X X X X r e t t e L y t n t i n o r u e i m t c c e e e S t g o a d r n n P a a r e M e l m d y r o g o H l o B o d n n h a t c n e e s m T m o n t r t o a s i u p t e a C m D r o f n I f o 3 1 0 2 , 0 3 r e b m e t p e S a e r A l o r t n o C M A C S I F e l t i T R F N 1 # R F N 3 1 0 2 Y F s l o r t n o C s s e c c A I X N U P A S r o f s r e t e m a r a P d r o w s s a P d e r u g i f n o C y l e t a i r p o r p p a n I 1 0 - 3 1 - T I - P B C ) S O ( m e t s y S g n i t a r e p O s l o r t n o C s s e c c A ) B D ( e s a b a t a D e l c a r O P A S r o f d e w e i v e R t o N s g o L y t i v i t c A t i d u A 2 0 - 3 1 - T I - P B C s l o r t n o C s s e c c A g n i n n a l P y c n e g n i t n o C s l o r t n o C s s e c c A s l o r t n o C s s e c c A s g o L I t i d u A S O X N U P A S f o w e i v e R f o e c n e d i v E f o k c a L 5 0 - 3 1 - T I - P B C s g o L t i d u A n o i t a c i l p p A S C A f o w e i v e R f o k c a L 6 0 - 3 1 - T I - P B C s t n u o c c A S O s w o d n i W P A S f o w e i v e R f o k c a L 3 0 - 3 1 - T I - P B C I s p u k c a B S O X N U P A S e t e l p m o c n I 4 0 - 3 1 - T I - P B C t n e m e g a n a M y t i r u c e S l a c i s y h P s r u o H - r e t f A g n i r u d d e i f i t n e d I s e u s s I s s e n e r a w A y t i r u c e S 7 0 - 3 1 - T I - P B C P B C t a g n i t s e T y t i r u c e S s l o r t n o C s s e c c A n o i t c u d o r P S C A e h t o t s s e c c A r e p o l e v e D f o w e i v e R f o k c a L 8 0 - 3 1 - T I - P B C a t a D n o i t a c i l p p A s l o r t n o C s s e c o r P s s e n i s u B S C A e h t n i y t i l a n o i t c n u F f o k c a L 1 1 - 3 1 - T I - P B C s l o r t n o C s s e c c A I s r e t e m a r a P d r o w s s a P S O X A E C A d e r u g i f n o C y l e t a i r p o r p p a n I 9 0 - 3 1 - T I - P B C s l o r t n o C s s e c c A s r e t e m a r a P d r o w s s a P e s a b a t a D 2 B D E C A d e r u g i f n o C y l e t a i r p o r p p a n I 0 1 - 3 1 - T I - P B C s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s r e s U d e g e l i v i r P e m a r f n i a M f o n o i t a c i f i t r e c e R l a u n n A f o k c a L 3 1 - 3 1 - T I - P B C s t n u o c c A e s a b a t a D 2 B D E C A f o w e i v e R f o k c a L 2 1 - 3 1 - T I - P B C s g o L s r o t i s i V r o o l F d e s i a R e t e l p m o c n I 4 1 - 3 1 - T I - P B C 3 1 l a i c n a n i f . e P c n B e C u f q o e s y t m i r g o e r f t n i d e t e t h i t o t k s i r m o y l l a n d o i e s t n a e e r t n c n i i n a e r e w 2 3 - 3 o 1 t - d T I e - n P i B m r C e t d e n d a e s o p e w 7 2 t - a 3 h 1 t - T s e I i - c P nB C e i c i f e d , 6 2 - 3 l o 1 r - t T n I o - c P B t n C e s , e 1 r 2 p - e 3 r 1 - ” T t n I a - c P i B f C n g i S e r o , 5 1 - 3 1 - T M i “ s a I - P B d C e t s a n r e g b i s m e u d n s R R F F N N 1 2 B x i d n e p p A r e t t e L y t n t i n o r u e i m t c c e e e S t g o a d r n n P a a r e M e l m d y r o g o H l o B o d n n h a t c n e e s m T m o n t r t o a s i u p t e a C m D r o f n I f o 3 1 0 2 , 0 3 r e b m e t p e S e r o M t n a c i f i n g i S t a e p e R e u s s I w e N e u s s I a e r A l o r t n o C M A C S I F e l t i T R F N # R F N 3 1 0 2 Y F X X X X X X X X X X X X X X X X X X X X X X X X t n e m e g a n a M n o i t a r u g i f n o C s e s s e n k a e W e n i l e s a B n o i t a r u g i f n o C P A S 0 2 - 3 1 - T I - P B C s l o r t n o C s s e c c A g n i t s i L r e s U e m a r f n i a M n o l e n n o s r e P d e t a r a p e S 2 2 - 3 1 - T I - P B C t n e m e g a n a M n o i t a r u g i f n o C e h t n i s t n u o c c A r e s U E C A w e N g n i t n e m u c o D n i s e s s e n k a e W 3 2 - 3 1 - T I - P B C s t n e m n o r i v n E g n i t s e T d n a t n e m p o l e v e D s l o r t n o C s s e c c A n o i t c u d o r P e h t r e v o s e s s e n k a e W s e i t u D f o n o i t a g e r g e S S C A 4 2 - 3 1 - T I - P B C t n e m n o r i v n E s l o r t n o C s s e c c A s l o r t n o C s s e c c A S C A r o f s r e i f i t n e d I t n u o c c A e u q i n U f o k c a L 5 2 - 3 1 - T I - P B C s e s s e n k a e W n o i t a c i f i t r e c e R n o i t a c i l p p A S C A 8 2 - 3 1 - T I - P B C s l o r t n o C s s e c c A s w o d n i W P A S r o f d e w e i v e R r o d e t a r e n e G t o N s g o L y t i v i t c A t i d u A 9 2 - 3 1 - T I - P B C s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s t n u o c c A N A L o r t e M C D w e N g n i t a e r C n i s e s s e n k a e W 6 1 - 3 1 - T I - P B C g n i t s i L r e s U n o i t a c i l p p A P A S n o l e n n o s r e P d e t a r a p e S 7 1 - 3 1 - T I - P B C s t n u o c c A E C A w e N g n i t a e r C n i s e s s e n k a e W 8 1 - 3 1 - T I - P B C s t n u o c c A S C A w e N g n i t a e r C n i s e s s e n k a e W 9 1 - 3 1 - T I - P B C s l o r t n o C s s e c c A s l o r t n o C s s e c c A t n e m e g a n a M y t i r u c e S t n e m e g a n a M y t i r u c e S g n i t s i L r e s U N A L o r t e M C D n o l e n n o s r e P d e t a r a p e S 0 3 - 3 1 - T I - P B C g n i t s i L r e s U n o i t a c i l p p A E C A n o l e n n o s r e P d e t a r a p e S 1 3 - 3 1 - T I - P B C s s e c o r P n o i t a r a p e S e e y o l p m E e h t r e v o s e s s e n k a e W 4 3 - 3 1 - T I - P B C s e s s e n k a e W s s e c o r P n o i t a r a p e S r o t c a r t n o C 3 3 - 3 1 - T I - P B C S O 4 1 OFFICE OF INSPECTOR GENERAL Department of Homeland Security AppendixA ReportDistribution DepartmentofHomelandSecurity Secretary DeputySecretary ChiefofStaff DeputyChiefofStaff GeneralCounsel ExecutiveSecretary Director,GAO/OIGLiaisonOffice AssistantSecretaryforOfficeofPolicy AssistantSecretaryforOfficeofPublicAffairs AssistantSecretaryforOfficeofLegislativeAffairs UnderSecretaryforManagement ChiefFinancialOfficer ChiefInformationOfficer ChiefInformationSecurityOfficer ChiefPrivacyOfficer OfficeofManagementandBudget Chief,HomelandSecurityBranch DHSOIGBudgetExaminer Congress CongressionalOversightandAppropriationsCommittees,asappropriate www.oig.dhs.gov OIG-14-96 ADDITIONAL INFORMATION To view this and any of our other reports, please visit our website at: www.oig.dhs.gov. For further information or questions, please contact Office of Inspector General (OIG) Office of Public Affairs at: [email protected], or follow us on Twitter at: @dhsoig.
To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG. Should you be unable to access our website, you may submit your complaint in writing to: Department of Homeland Security Office of Inspector General, Mail Stop 0305 Attention: Office of Investigations Hotline 245 Murray Drive, SW Washington, DC 20528-0305 You may also call 1(800) 323-8603 or fax the complaint directly to us at (202) 254-4297.
The OIG seeks to protect the identity of each writer and caller.
Ask CiteLaw's AI Navigator anything about this agency guidance, verify citations, and research related authorities. Sign up for CiteLaw free today to get started.