[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]




 
   INTERNAL CONTROL WEAKNESSES AT THE DEPARTMENT OF HOMELAND SECURITY

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON GOVERNMENT ORGANIZATION,
                  EFFICIENCY AND FINANCIAL MANAGEMENT

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 27, 2011

                               __________

                           Serial No. 112-109

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform



                  U.S. GOVERNMENT PRINTING OFFICE
73-167                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
DAN BURTON, Indiana                  ELIJAH E. CUMMINGS, Maryland, 
JOHN L. MICA, Florida                    Ranking Minority Member
TODD RUSSELL PLATTS, Pennsylvania    EDOLPHUS TOWNS, New York
MICHAEL R. TURNER, Ohio              CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 DENNIS J. KUCINICH, Ohio
CONNIE MACK, Florida                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
ANN MARIE BUERKLE, New York          GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               MIKE QUIGLEY, Illinois
RAUL R. LABRADOR, Idaho              DANNY K. DAVIS, Illinois
PATRICK MEEHAN, Pennsylvania         BRUCE L. BRALEY, Iowa
SCOTT DesJARLAIS, Tennessee          PETER WELCH, Vermont
JOE WALSH, Illinois                  JOHN A. YARMUTH, Kentucky
TREY GOWDY, South Carolina           CHRISTOPHER S. MURPHY, Connecticut
DENNIS A. ROSS, Florida              JACKIE SPEIER, California
FRANK C. GUINTA, New Hampshire
BLAKE FARENTHOLD, Texas
MIKE KELLY, Pennsylvania

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                     Robert Borden, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director

   Subcommittee on Government Organization, Efficiency and Financial 
                               Management

              TODD RUSSELL PLATTS, Pennsylvania, Chairman
CONNIE MACK, Florida, Vice Chairman  EDOLPHUS TOWNS, New York, Ranking 
JAMES LANKFORD, Oklahoma                 Minority Member
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
FRANK C. GUINTA, New Hampshire       ELEANOR HOLMES NORTON, District of 
BLAKE FARENTHOLD, Texas                  Columbia


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on October 27, 2011.................................     1
Statement of:
    Sherry, Peggy, Deputy Chief Financial Officer, U.S. 
      Department of Homeland Security, accompanied by Robert 
      West, Chief Information Security Officer; and John E. McCoy 
      II, Deputy Assistant Inspector General for Audits, Office 
      of the Inspector General, Department of Homeland Security..     5
        McCoy, John E., II,......................................    16
        Sherry, Peggy............................................     5
        West, Robert.............................................    15
Letters, statements, etc., submitted for the record by:
    Connolly, Hon. Gerald E., a Representative in Congress from 
      the State of Virginia, prepared statement of...............    40
    McCoy, John E., II, Deputy Assistant Inspector General for 
      Audits, Office of the Inspector General, Department of 
      Homeland Security, prepared statement of...................    18
    Sherry, Peggy, Deputy Chief Financial Officer, U.S. 
      Department of Homeland Security, prepared statement of.....     8
    Towns, Hon. Edolphus, a Representative in Congress from the 
      State of New York, prepared statement of...................     4


   INTERNAL CONTROL WEAKNESSES AT THE DEPARTMENT OF HOMELAND SECURITY

                              ----------                              


                       THURSDAY, OCTOBER 27, 2011

                  House of Representatives,
Subcommittee on Government Organization, Efficiency 
                          and Financial Management,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2247, Rayburn House Office Building, Hon. Todd Russell 
Platts (chairman of the subcommittee) presiding.
    Present: Representatives Platts, Lankford, Amash, and 
Towns.
    Staff present: Linda Good, chief clerk; Hudson T. 
Hollister, counsel; Mark D. Marin, director of oversight; Tegan 
Millspaw, research analyst; Nadia A. Zahran, staff assistant; 
Jaron Bourke, minority director of administration; Beverly 
Britton Fraser, minority counsel; Jennifer Hoffman, minority 
press secretary; and Adam Koshkin, minority staff assistant.
    Mr. Platts. Good morning. The subcommittee will come to 
order.
    A quick housekeeping, our understanding is votes on the 
floor may happen, we thought 11, 11:30, now they are saying 
maybe as early as the next 20 to 30 minutes. So we're going to 
try to get through your testimony and hopefully a round of 
questions. My worry is that when the votes go up, it may be a 
long series. We are going to try not to have you sitting here 
waiting. We will hope for votes being a little later than 
expected.
    The purpose of today's hearing, I am going to shorten my 
opening remarks for the purpose of getting to your testimony as 
quickly as we can. But the purpose of today's hearing is to 
evaluate the effectiveness and security of financial systems at 
the Department of Homeland Security. DHS is one of the largest 
Federal departments and spent $56.4 billion on its operations 
in 2010. Because of the size and importance of DHS, it is 
crucial that we have strong financial management systems and 
that data is properly protected.
    However, in 2010, independent auditors found numerous 
weaknesses in DHS' financial management and information 
technology security systems. And this hearing will examine the 
results of that audit and DHS' progress in resolving the 
problems in its financial management systems.
    The audit was conducted by the independent auditing firm 
KPMG and identified 161 weaknesses in DHS' internal controls 
over crucial financial systems. Almost two-thirds of the 
weaknesses were repeats from KPMG's 2009 audit of the 
Department. The findings contributed to five significant 
weaknesses as well as one material weakness in information 
technology and financial system functionality.
    DHS has been working continuously to improve its financial 
Management and its efforts should be acknowledged. However, as 
this audit shows, there are still significant problems and the 
Department must address these problems. Many of these 
deficiencies are long-term that have never been resolved. This 
hearing is intended to review the findings of the audit and 
evaluate how we can better address these identified 
deficiencies.
    The subcommittee appreciates DHS' ongoing work to improve 
its financial management and its cooperation and assistance 
with the auditors. I certainly want to thank our witnesses for 
being here today and to share your expertise and insights with 
us to allow our committee in our oversight role to be more 
effective in partnering with you and the full committee in 
trying to achieve what we are all after, which is an efficient, 
well-run, accountable Department, and how we handle the 
public's funds and fulfill your mission, which is so important 
to our Nation's security.
    With that, I am going to submit my entire statement for the 
record and yield to the ranking member, Mr. Towns from New 
York, for the purposes of an opening statement.
    Mr. Towns. Thank you very much, Mr. Chairman, for holding 
this hearing on such an important issue.
    I thank our witnesses for their appearance before the 
committee and for their testimony today. Ms. Sherry, it is good 
to see you again.
    Federal Government information systems are constantly under 
threat of cyberattack. And the incidence of cyberattacks has 
escalated in recent years. It is critical that we maintain 
strong defenses to those attacks.
    The Department of Homeland Security is responsible for the 
cybersecurity of most of the executive branch agencies. It is 
also responsible for protecting its own information systems 
from attack.
    Our success at keeping our information systems safe depends 
on how well the Department executes internal controls over its 
components. Today we examine the weaknesses in the Department's 
internal controls and how we can eliminate them to improve 
defenses against present and future threats.
    In fiscal year 2010, the auditors from KPMG listed more 
than 161 findings, as the chairman mentioned. The audit 
concluded that old legacy computer systems are impairing the 
functionality of DHS' financial management system as a whole. 
The audit also found many weaknesses in controlling access to 
sensitive data facilities and financial information in the 
Department.
    These weaknesses go straight to the heart of protecting 
against outside threats and to equality of data that feeds the 
DHS financial system. I would like to get answers to at least 
two issues from this hearing today. First, what progress has 
the Department made in the months since the audit report was 
issued in addressing material weaknesses and IT control 
deficiencies that were identified? Second, what is the status 
of updating and integrating your old legacy computer system 
that is impairing financial accountability in the Department?
    As the Department successfully works through these issues, 
we should begin to see a decrease in internal control 
weaknesses over financial reporting and increased protection 
over information system from threats within and outside of the 
United States. This committee is here to assist you. This is 
not one of those ``I gotcha'' committees, even though they do 
exist here in this House. But this is not one. We are here to 
see how we can work together and to see how we can help you. 
And I know it, because at one time I was chairman, and the 
chairman was ranking. And now you can see he is chairman and I 
am ranking. So we have been working on this for quite some time 
and we are willing to continue to work with you.
    On that note, I yield back and I recognize the schedule, 
Mr. Chairman, and I am willing to cooperate with you in every 
way I can to make certain that we follow it.
    [The prepared statement of Hon. Edolphus Towns follows:]

    [GRAPHIC] [TIFF OMITTED] T3167.001
    
    Mr. Platts. I thank the gentleman, and I appreciate your 
very appropriate remarks, that our effort is about partnering, 
partnering between us in a non-partisan way, as chairman and 
ranking member, chairman and ranking member reversed in the 
past, and with you, and that we are all after that same goal.
    We are delighted to have several very distinguished 
witnesses before us who bring great insights into the issues 
that we are addressing here today. We are going to first start 
with Ms. Peggy Sherry, Deputy Chief Financial Officer, as well 
as Acting Chief Financial Officer at the Department of Homeland 
Security; Mr. Robert West, Chief Information Security Officer 
at the Department; Mr. John McCoy, Deputy Assistant Inspector 
General for Audits at the Office of Inspector General for the 
Department of Homeland Security.
    If I could, it is the practice of the committee that we 
swear in all of our witnesses. So if I could ask the three of 
you to stand and raise your right hands.
    [Witnesses sworn.]
    Mr. Platts. Thank you. You may be seated. The Clerk will 
reflect that the witnesses answered in the affirmative. And 
again, I apologize for the abbreviated introductions. But to 
try and accommodate everyone's schedules, we will go to your 
testimony. If you can try to limit it to about 5 minutes, your 
full testimonies are submitted for the record. Then we will get 
into questions.
    Ms. Sherry, if you could begin?

  STATEMENTS OF PEGGY SHERRY, DEPUTY CHIEF FINANCIAL OFFICER, 
  U.S. DEPARTMENT OF HOMELAND SECURITY, ACCOMPANIED BY ROBERT 
WEST, CHIEF INFORMATION SECURITY OFFICER; AND JOHN E. McCOY II, 
 DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS, OFFICE OF THE 
       INSPECTOR GENERAL, DEPARTMENT OF HOMELAND SECURITY

                   STATEMENT OF PEGGY SHERRY

    Ms. Sherry. Thank you very much. Thank you, Chairman 
Platts, Ranking Member Towns and members of the committee, for 
the opportunity to provide information on the fiscal year 2010 
audit findings and the processes that have been put in place to 
correct our internal control weaknesses.
    When DHS was formed, our initial audits identified 
pervasive material weakness conditions in the financial systems 
security controls across all DHS components. There was strong 
partnership between my office and the Chief Information 
Security Officer. We have been successful in correcting many IT 
control risks. And by fostering a positive working relationship 
with the Office of the Inspector General and our external 
auditors, we have been able to move the Department forward in 
addressing IT and financial management control weaknesses.
    Over the past few years, we have significantly reduced IT 
material weakness conditions and largely contained them to 
three components. We expect this year's audit to reflect 
significant progress at the U.S. Coast Guard, FEMA and at ICE.
    In addition to our strong partnership with the Chief 
Information Security Officer, we have also developed a focused 
approach to systematically evaluating the areas of greatest 
risk. Components developed action plans to target these high 
risk areas, and my office reviewed and provided input to ensure 
these plans are comprehensive, reasonable and address the root 
cause of our IT weaknesses.
    Over the past 5 years, the Department has made significant 
progress improving our internal control environment, including 
the IT environment. During 2007 and 2008, the CFO and CISO 
worked together to build an internal control program to assess 
controls over our CFO-designated systems. We provided 
comprehensive guidance to the entire Department on how to 
secure financially significant systems.
    In 2009, we used that guidance to perform a baseline IT 
internal control assessment at many of our components. This 
assessment included testing the design and effectiveness of IT 
controls. Due to the repeating nature of some IT findings, in 
fiscal year 2010, we focused on ensuring that the Department's 
IT plans of action were addressing and designed to address the 
root causes of the most material IT findings. And we used 
independent verification and validation techniques to ensure 
corrective actions were being implemented across the IT control 
environment.
    This targeted approach allowed us to address many of the 
causes of repeat IT NFRs with the goal of permanent correction. 
I would like to highlight some of the work undertaken this year 
to address specific component findings. The U.S. Coast Guard 
has created an oversight process to identify and evaluate 
systems scripts or computer processing code that have an impact 
on financial statements. The Coast Guard also updated their 
policies and procedures, developed a desk guide to provide 
training and created a segregation of duties policy.
    Along with my office and Mr. West's office, the FEMA CFO 
and CIO worked very closely this year, and as a result, 
significant progress in closing system audit findings occurred. 
They instituted a recertification process for users of the 
National Emergency Management Information System and remediated 
many control deficiencies surrounding the National Flood 
Insurance program.
    ICE also made progress this year, and in the coming months, 
they will be updating their data base server. This improvement 
will make needed corrections in ICE's financial system, and 
along with increased training and user awareness provide 
greater controls against duplicate payments in the future.
    This is just some of the work our components continue to do 
to remediate control deficiencies and demonstrate progress to 
adhere to the tenets of the Financial Accountability Act. Even 
though the Department has shown significant improvement over 
the past few years in financial Management and in improving 
systems security, financial management remains challenging as a 
result of IT functionality limitations in certain financial 
systems.
    Some legacy systems limit our ability to develop 
application controls to support financial reporting and 
operations, limit our ability to provide timely and accurate 
data, and contribute to inefficient labor-intensive processes 
and the need for extensive workarounds and compensating manual 
controls. Limitations include lack of integration in some of 
our systems, IT system configuration limitations, systems 
lacking key application controls, which are more efficient and 
effective and reliable than manual controls. These conditions 
hinder our ability to provide sustainable internal controls to 
support the audit as well as to ensure our control systems are 
designed to achieve our missions, which is another key 
objective of the Financial Accountability Act.
    These weaknesses highlight the need to modernize certain 
legacy systems, and this remains a priority for the Department. 
While we work with components to develop a path forward, we 
continue to help them to improve and standardize their business 
processes and internal controls. We are implementing a common 
line of accounting and we are developing common data standards, 
all very critical.
    Using the objectives outlined in the Accountability Act, we 
continue to make significant progress in improving financial 
Management. I am fortunate to work with the dedicated staff at 
DHS, as well as have the support of Department leadership and 
the Chief Information Security Officer and our auditors, as we 
continue these efforts.
    I thank you for and appreciate the efforts we have received 
from this committee and Congress, and I look forward to working 
with you in the future. I am happy to take questions later, 
sir.
    [The prepared statement of Ms. Sherry follows:]

    [GRAPHIC] [TIFF OMITTED] T3167.002
    
    [GRAPHIC] [TIFF OMITTED] T3167.003
    
    [GRAPHIC] [TIFF OMITTED] T3167.004
    
    [GRAPHIC] [TIFF OMITTED] T3167.005
    
    [GRAPHIC] [TIFF OMITTED] T3167.006
    
    [GRAPHIC] [TIFF OMITTED] T3167.007
    
    [GRAPHIC] [TIFF OMITTED] T3167.008
    
    Mr. Platts. Thank you, Ms. Sherry.
    Mr. West.

                    STATEMENT OF ROBERT WEST

    Mr. West. Chairman Platts, Ranking Member Towns and members 
of the committee, thank you and good morning. I am Robert West, 
Chief Information Security Officer for the Department of 
Homeland Security, and I would like to provide you an update on 
the Department's progress in addressing the Department's IT 
financial management control weaknesses. Department leadership 
takes all audit findings seriously and we are fully committed 
to resolving these issues as quickly as possible.
    First, I would like to acknowledge the progress that we 
have made in improving the Department's overall IT security 
posture since the standup of the Department in 2003. Over the 
last 8 years, we have reduced both IT security risks and costs 
by successfully transitioning from a highly decentralized IT 
environment to a modern enterprise ecosystem, with a robust set 
of shared services and common security controls.
    DHS inherited a complex legacy environment that included 
approximately 1,100 separate and unique IT systems and one 
where each system owner was individually accountable for all 
security controls. Today, our IT systems are more secure than 
ever before, due in large part to the fact that we have 
instituted an enterprise security architecture. We call it 
mission assurance through defense in depth.
    We have consolidated six legacy wide area networks into a 
single, secure, modern, fully encrypted backbone 
infrastructure, and we have also made significant progress in 
consolidating multiple data centers into two modern enterprise 
data centers. These new data centers have been designed also 
with a robust set of security controls that support all 
systems, including financial systems that operate in these 
environments. We have also consolidated our internet access 
behind redundant trusted internet connections.
    Within this enterprise environment, the Department today 
operates 783 systems in support of the various missions of the 
Department, and 32 of these systems support the Department's 
financial management and reporting and are considered material 
to the financial statements. Most of these financial systems 
have been in operation for many years, and they predate the 
Department's creation in 2003.
    While these systems are certainly more secure due to the 
fact that they operate within the enterprise environment that I 
explained, some of these systems are still missing a number of 
important systems-specific controls, and cannot fully support 
business processes that ensure accurate financial reporting. 
Heavily manual processes are still required to compensate for a 
lack of fully automated technical controls, highlighting the 
need to modernize these legacy systems.
    Second, I would like to briefly discuss the nature of 
audits themselves. Auditors necessarily report what they 
observe. And often those reported observations are only 
symptoms of larger issues. For this reason, the Department not 
only systematically reviews all notice of findings and 
recommendations with component leadership, we also require at 
least one action plan for each finding issued. Additionally, we 
also have institutionalized a three-phased approach to identify 
and better understand systemic issues. This approach includes a 
current state assessment, root cause analyses and independent 
validation and verification of component action plans by the 
Department.
    We have also provided root cause analysis training to 
components, so they can better develop realistic corrective 
action plans that address root causes.
    Finally, significant weaknesses identified in the 2010 IT 
management letter center around five key areas: access 
controls, configuration management, security management, 
contingency planning and segregation of duties. I have outlined 
specific actions taken to address each of these areas in 
written testimony. I would be happy to discuss each of those in 
more detail if you desire.
    In closing, I would like to reiterate that the Office of 
the CIO, including my office, along with the Office of the 
Chief Procurement Officer, Program Accountability and Risk 
Management Office and all appropriate component offices are 
working closely together to ensure financial modernization 
projects are planned and executed to meet reporting 
requirements and minimize costs for financial operations. DHS 
remains fully committed to improving our financial systems 
security in order to provide timely, accurate and complete 
financial information to our key stakeholders, including you, 
the Congress, and the American taxpayers.
    Thank you.
    Mr. Platts. Thank you, Mr. West.
    Mr. McCoy.

                 STATEMENT OF JOHN E. McCOY II

    Mr. McCoy. Good morning, Mr. Chairman, Ranking Member Towns 
and members of the committee. I am John McCoy, II, Deputy 
Assistant Inspector General for Audits with the Department of 
Homeland Security.
    Thank you for inviting me today to discuss financial 
management weaknesses at DHS. My testimony today will focus on 
information technology [IT] issues, identified during the 
fiscal year 2010 financial statement audit conducted by the 
independent accounting firm, KPMG.
    In fiscal year 2010, KPMG identified 161 IT deficiencies, 
of which approximately 65 percent are repeated from fiscal year 
2009. KPMG also noted that DHS's financial systems had many 
functional limitations that affect the Department's ability to 
implement and maintain internal controls.
    From a financial statement perspective, DHS's five most 
significant weaknesses are access controls, configuration 
Management, security management, contingency planning and 
segregation of duties. KPMG noted access control weaknesses at 
several of the DHS components that allowed excessive potential 
for unauthorized access to key financial systems. Also at 
several of the components, KPMG observed configuration 
management controls that were not fully defined, followed or 
effective.
    Security management weaknesses were identified at several 
DHS components where financial systems as well as general 
support systems were not properly certified and accredited. 
KPMG also found scenarios where roles and responsibilities were 
not clearly defined, a lack of policies and procedures and non-
compliance with existing policies.
    KPMG noted weaknesses in continency planning. There were 
instances of incomplete or outdated business continuity plans, 
systems with incomplete or outdated disaster recovery plans. 
Some plans were not adequately tested and did not contain 
current system information, emergency processing priorities or 
procedures for backup and storage.
    At several of the DHS components, KPMG noted a lack of 
proper segregation of duties for roles and responsibilities 
within financial systems. Collectively, these IT control 
deficiencies limited the Department's ability to ensure the 
confidentiality, integrity and availability of critical 
financial and operational data. KPMG considers these control 
deficiencies to collectively represent a material weaknesses 
for DHS under established professional auditing standards.
    The fiscal year 2010 audit also looked at the functionality 
of DHS's financial systems. Many of the Department's financial 
systems have not been substantially updated since the creation 
of DHS. Some components cannot modify IT system core software 
or install controls to prevent duplicate payments. This 
contributed to duplicate payments made by Immigration and 
Customs Enforcement in fiscal years 2009, 2010 and 2011. These 
and other IT system limitations also lead to extensive manual 
and redundant procedures to process transactions, verify the 
accuracy of data and prepare financial statements.
    DHS has made several attempts to modernize its financial 
systems. Its most recent initiative was the Transformation and 
Systems Consolidation [TASC]. TASC was canceled in March 2011 
after the Government Accountability Office sustained one of the 
bid projects. GAO recommended that DHS reevaluate the 
requirements with regard to the estimated scope and pace of 
work, as well as the integrated solution requirement.
    In September, the Under Secretary of Management announced 
the Department would now pursue a decentralized approach 
instead of an enterprise-wide solution. Implementation of a new 
financial systems solution combined with improving IT security 
controls should allow the Department to achieve greater 
effectiveness in its financial management.
    We will continue our positive working relationship with the 
Department by taking a proactive approach to overseeing DHS's 
financial management and IT security improvement efforts. We 
look forward to continuing our audit efforts and providing the 
results and solutions to the Secretary and to the Congress.
    Mr. Chairman, this concludes my prepared statement. Thank 
you for this opportunity. I welcome any questions from you or 
the Members.
    [The prepared statement of Mr. McCoy follows:]

    [GRAPHIC] [TIFF OMITTED] T3167.009
    
    [GRAPHIC] [TIFF OMITTED] T3167.010
    
    [GRAPHIC] [TIFF OMITTED] T3167.011
    
    [GRAPHIC] [TIFF OMITTED] T3167.012
    
    [GRAPHIC] [TIFF OMITTED] T3167.013
    
    [GRAPHIC] [TIFF OMITTED] T3167.014
    
    [GRAPHIC] [TIFF OMITTED] T3167.015
    
    Mr. Platts. Thank you, Mr. McCoy. Again, thanks to all 
three of you for your testimony here today, as well as your 
written testimony. Having that in advance certainly allowed me 
to be better prepared for today's hearing.
    I guess I want to start, one of the things that jumps out, 
and Mr. McCoy just referenced it in his testimony, the 65 
percent repeat deficiencies. This is the 2010 fiscal year that 
we are still looking at, 2011 has just ended. If each of you 
would want to comment based on the best of your ability at this 
point, what are we likely to see on the 2011 audit regarding 
repeat deficiencies, and what progress are we making?
    In the ones that are identified, we are doing a better job 
of closing them and shrinking that number, because we did 
start, as you referenced, Mr. West, in the legacy systems, some 
dramatic challenges. I think 18 material weaknesses when the 
Department was first formed. But that was 8 years ago. And we 
are now 8 years later. So if each of you could comment on the 
issue of the repeat weaknesses and what to expect in the coming 
audit.
    Ms. Sherry. Thank you, Chairman. Yes, that is something 
that clearly, Mr. West and I, when we had seen the number of 
the repeat findings, was something that we really realized that 
we did have to address. I think that the process that we have 
used over the last 5 years has really gotten us to the point 
where we will see some success this year, we will see more 
remediation.
    In particular, you will notice that the IG and the KPMG had 
pointed out that FEMA in particular had had issues in this 
area. As far as part of the process they identified at the 
beginning of the year, do they think they have actually 
corrected a particular finding? FEMA in particular had 
identified things that they thought were corrected, which in 
fact were not corrected.
    One of the approaches that we used this year for the last 
few years was really to identify, work very closely with the 
components to see if they were identifying the root causes of 
the NFRs. As Mr. West pointed out, sometimes it is just a 
symptom, it doesn't really point to exactly the reasons why you 
are having particular weaknesses.
    So his office and my office worked very closely with the 
CIO over at FEMA, as well as the CFO, which was a new paradigm 
for us. We had been working very closely together. Clearly it 
has worked well for the Department, encouraging the components 
to do that as well. So they worked very closely. And I think 
that what you will see this year is FEMA really was able to 
better assess which of those NFRs they would be able to 
correct. The reason they were able to do that is because they 
were, to be able to address the root causes, they were also 
able to work with their business partners within FEMA to really 
identify what those root causes are. So I think that what you 
will see this year is improvement in that particular area.
    Mr. Platts. I appreciate the focus on FEMA. I think over a 
third of the deficiencies are FEMA, and I think 80 percent of 
FEMA's are repeat deficiencies.
    Ms. Sherry. That is exactly right.
    Mr. Platts. So that focus, I think, in the big picture 
helps, and hopefully that carries across all the component 
agencies.
    Ms. Sherry. Yes, sir.
    Mr. Platts. Mr. West or Mr. McCoy.
    Mr. West. Yes, sir, I would like to make two comments. One, 
I don't want to minimize the importance of the findings, and we 
take all findings seriously. Our goal is to close all audit 
findings. We use the fact that some are associated with a 
material weakness as a way to prioritize our efforts.
    Mr. Platts. Right.
    Mr. West. But any finding is something that needs to be 
closed. And I want to acknowledge that up front.
    I haven't said that, when you look at the way the process 
works, unlike the FISMA audit, which is my other world, the 
FISMA audit is generally a snapshot in time, and it is just, 
this is the state of the program at a given date. With the 
financial systems audits, we have to show the auditors, we have 
to convince the auditors that controls have been effective for 
the entire audit cycle, generally a year, before we can close 
them.
    So the way the process works is that there will be a notice 
of findings and recommendations, sometimes with maybe as many 
as seven or eight specific findings within that one NFR. We 
remediate. At some point we believe that we fix the problem and 
we assert the next audit cycle back to the auditors that we 
think this is closed. The auditors then review that, and they 
can either agree and close the audit, they can--six of eight 
are closed, but you still have work to do. Or they in some 
cases even will get, a number of cases, frankly, will get 
audit, NFRs issued, whereas it is findings with no 
recommendations, meaning okay, we think the controls you have 
put in place are good, you have solved the problem, but we 
can't rely on it for the entire audit cycle, the whole year.
    So when we get repeat findings, I would temper that just a 
bit. I don't want to downplay it. Like I say, we take them all 
seriously. But there is an audit pace that goes with these. And 
it is generally 1 or 2 years before you actually get to the 
point where something is fully closed with the auditors.
    The second thing I want to mention real quick is with FEMA. 
The thing that I think, the issue in 2010 with FEMA being the 
large majority is that the way that they were looking at NFRs 
at that time, they were really kind of looking at them more 
from a FISMA perspective, as I talked about. So with the CFO 
and my office together, we went into FEMA, we did some training 
and the CFO and the CIO at FEMA really, they instituted a whole 
program around how to review NFRs before they make assertions 
back to the auditors that the findings have been closed.
    They put that process in place and the auditors can verify 
this, but in my view what FEMA is doing today in that regard is 
the best practice for the government. And as a result, I can't 
speak for the 2011 audit, we are still in the middle of it. I 
really don't know how we are going to end up. I hope we will 
end up, I am confident we will end up in a better place. But I 
think with FEMA, you will see significant progress for that 
very reason.
    Mr. Platts. Good. Mr. McCoy.
    Mr. McCoy. Yes, sir. We are identifying this year that the 
Department is making progress. As Mr. West said, the audit is 
ongoing. It will be over in approximately 2 weeks. At that 
point in time we will be issuing the report. We have identified 
improvement at FEMA. Last year, as noted in the report, FEMA 
said they had closed 80 percent plus of their NFRs at the 
beginning of the audit of those they identified, and KPMG 
disagreed with that. This year, all the ones that KPMG has 
completed looking at, KPMG concurs with management that the 
findings have in fact been closed. There is definite 
improvement this year.
    Mr. Platts. Thank you. I yield to the ranking member.
    And my intent is, the votes just went up. There is going to 
be one vote and then debate, motion to recommit debate, and 
then another series of votes. What my intent is is to go to 
about a quarter of, just get what we can in. I am going to go 
over, cast one vote, come back and it may just be me coming 
back, depending on the schedule. Because we will have maybe 
another 25 minute window, so you are not here waiting very 
long, come back, have another 20, 25 minutes, and then we will 
wrap up when we get back for the final series.
    With that, I yield to the ranking member.
    Mr. Towns. Thank you very much, Mr. Chairman.
    Ms. Sherry, I guess I will start with you. Given the 
absence of an integrated, streamlined financial management 
program at FEMA, will FEMA continue to produce a reliable 
financial data using its current information technology system, 
which is still antiquated?
    Ms. Sherry. Yes, sir, you make a very good point. FEMA's 
system is old, it is outdated, it is proprietary. I believe it 
is not even supported at this particular point.
    FEMA, like many of the components where they have a legacy 
system that is not completely modernized, either with the right 
patches in it, in the right configuration management, they have 
to have various compensating controls or manual controls, 
things that are outside of those application controls within a 
well-performing system in order to be able to compensate for 
some of those weaknesses. So FEMA is able to attest and 
represent to their balances at this particular point.
    As you know, sir, we are still just doing a balance sheet 
audit, as well as the custodial statement. But at this point, 
they are able to do it. But with a modern system, it would 
clearly be a more efficient process and one that would not have 
to, you would have to develop audit trails outside of the 
system. Instead, the auditors should be able to rely on those 
audit trails within the system, if you have strong application 
controls. So again, it is just not as efficient a process, and 
there are manual controls that are required, which is, as you 
know, are subject to, they are prone to errors, maybe not as 
accurate and certainly not as timely.
    Mr. Towns. Right. Let me ask this. If there is a situation 
where the auditor comes in and they make these recommendations 
and you feel that it is really not necessary, that your 
information is accurate and that there is no need to make any 
changes, what happens in a situation like that? Right down the 
line.
    Ms. Sherry. I will start real quickly. We have been very, 
very fortunate. Since I have been at the Department, for a 
little over 4\1/2\ years, we have had an incredible 
relationship with the IG, as well as with our external 
auditors. They have made every effort to get to know the 
component very well, and we have made every effort in my office 
to be able to make sure that we had a real good understanding 
of exactly what those recommendations are.
    So I am happy to report that there are, there really are 
not times where we just absolutely disagree with the auditors. 
As Mr. West had pointed out, many times your notice of finding 
of recommendations really highlights certain conditions. 
Sometimes they don't necessary go to the root cause.
    One of the best practices that the auditors implemented 
this year, actually maybe even last year, was to have the 
Department really take a look at what those root causes are. So 
what they do is when they give us a particular finding, they 
don't necessarily come right out and give you the road map on 
how to fix this. This has been really important in really 
developing competencies within the Department, really training 
people and really, how do you understand what is in that hot 
notice of finding of recommendation and how do you go about 
fixing it.
    So I am pleased to report that we really don't have 
disagreements with the auditors. They may not prescribe 
necessarily how we go about fixing something, leave it up to 
the Department to figure that out. And really the way we have 
been working since I have been with the Department, really 
building those competencies, so that we are able to address it, 
with recommendations that are actually going to fix the 
problems.
    Mr. Towns. Mr. West, do you want to comment on that?
    Mr. West. Yes, sir. I would make two comments. I would 
agree with Ms. Sherry completely about the auditors. I think we 
have really been fortunate in that we had a lot of continuity 
in the IG office for a number of years, pretty much since the 
beginning, as well as with the financial auditors, KPMG. It is 
the same audit team, with a few exceptions, or few changes, I 
guess, the same audit team has been our financial auditors for 
a number of years. As a result of that, we have gotten to know 
them and we have a very close working relationship as a result 
of that.
    The other thing I would say is that, I would agree with Ms. 
Sherry, there are very few times when there is just 
disagreement. And we generally sit down and work through what 
the issue is. And we generally come to an agreement.
    The one area where, in the past, maybe there has been, and 
this is going back to FEMA again, has been an issue that we 
have resolved in policy actually now, is around FISMA and the 
audit standards for FISMA and with the NIST standards, National 
Institute of Standards and Technology standard. And then the 
FISCAM, or the Financial Information Security Controls Audit 
Manual, published by GAO. And they really are coming at it from 
different perspectives. So we think something is good in the 
FISMA world, but there are additional things we need to do to 
be able to show controls were effective for the entire year, 
for example.
    So as a result of that, we have actually modified policy. 
We have systems that we believe are material to the financial 
statement, we call them in policy CFO-designated financial 
systems. And we put additional requirements in policy specific 
to those systems, so there really is no confusion. I won't say 
no, but we have really minimized the confusion. Generally when 
the auditors say this is an issue, they are referring back to 
our policy, and it is something that we would agree with.
    Mr. Towns. Do you want to add?
    Mr. McCoy. Yes, sir. As Ms. Sherry indicated, 2 years ago 
we started the policy of having the Department evaluate the NFR 
and come up with the best recommendation or the best way that 
the Department could remediate it. Management knows their core 
businesses better than the auditors. We identify the condition, 
but we may not always identify the root cause. So that 
definitely improved the remediations in 2009 and 2010, as well 
as 2011.
    Also I think this year, with the Department's involvement 
at FEMA, it has produced more of a culture change related to 
the financial statement audit and improvements with the 
financial statement NFRs and remediation . So there has 
definitely been improvement this year at FEMA.
    Mr. Towns. I am happy to hear that, because looking at it 
from the outside, you would think that even if recommendations 
are made that there would come a dispute and it would take 
years and years to work it through. So I am happy to know that 
is not the case.
    On that note, Mr. Chairman, I yield back.
    Mr. Platts. I thank the gentleman.
    Picking up on that issue, not so much disagreements between 
the Department and auditors, but the relationship between the 
Department and the components. One of the things I think that 
has helped get us heading in a strong direction is the 
relationship between Mr. West, Ms. Sherry, the two of you 
partnering and working hand in hand at the Department level. I 
think that has paid great dividends and will continue to. I 
thank you for that approach and that leadership you are 
providing.
    One of the challenges you have is you are called to testify 
here about the audits of the Department, and the challenge is 
in the audits of some of the specific components, FEMA in 
particular, ICE, Coast Guard. The relationship that you have 
with your counterparts, or I would say subordinates, they might 
not see it that way, but for the CFO at FEMA, CIO at FEMA or 
ICE, can you share, I guess, is there a chain of command that 
has been strengthened within the Department that, if you as 
acting CFO for the Department contact FEMA CFO about 
remediation requirements or whatever it may be in this area, 
that it is seen as that individual being given in essence an 
order or marching orders from a superior?
    Ms. Sherry. Yes, Chairman. I am happy to say that in the 
time that I have been at DHS, what I have really seen is a 
great evolution in that relationship. I do believe that the 
CFOs, the components, the CIOs as well as the security officers 
and the chief financial officers within each of the components 
do look to the Department really to set the tone on overall 
financial management and are not out there basically trying to 
circumvent the policies of the Department.
    We do this in many ways. We meet at the beginning of the 
year and then we meet periodically throughout the year to 
really jointly set what our strategic plan is for the 
Department. What we do is we set out what our objectives are. 
At the beginning of last year, we set out the very aggressive 
goal of obtaining a qualified opinion this year on our balance 
sheet. The primary reason we needed to do that is because we 
want to be able to have a full scope audit. Recognizing I was 
never going to be able to bring the Department to that, to be 
able to have that additional scrutiny over all of our 
statements until such time as we got a balance sheet, we 
jointly set out, all the CFOs jointly set out in our strategic 
plan was to be able to obtain a qualified opinion this year, 
which meant that, in particular the Coast Guard had a lot of 
work to do. But many of the other components had their 
objectives as well that they really needed to achieve.
    And then what we do is, we have statements that they sign 
off on to be able to agree to these particular goals. And the 
we meet with them periodically on them. I am happy to report 
that we have very little difficulty being able to work together 
on our overall objective as a community in DHS.
    Mr. Platts. That is good to hear. I guess a specific 
follow-up is, if in laying out that game plan, how to go 
forward, if you have, whether it is Coast Guard or FEMA, ICE, 
any of the component entities, that is not meeting what they 
need to do to have the overall departments succeed in this 
effort, how do you rectify that? Because you don't have any say 
in the hiring or firing of those component CFOs, is that 
correct?
    Ms. Sherry. Actually, the Department does have a role in 
being able to hire certain people within the components. That 
would include both the chief financial officer, the deputy 
chief financial officer and other key positions, such as the 
budget director.
    Mr. Platts. So would you go to the Under Secretary?
    Ms. Sherry. Absolutely. And if I had any issues at this 
particular point, I have direct lines to the Secretary as well 
as the Deputy Secretary and the Under Secretary. In fact, I 
meet with the Deputy Secretary on a very regular basis. Every 
Thursday morning, we get together. There is a group of her key 
leaders that get together with her and meet with her on a 
myriad of financial management issues. Clearly over the last 
couple of months, one of those key issues has been the audit.
    Mr. Platts. With the Deputy Secretary?
    Ms. Sherry. Yes, that is correct.
    Mr. Platts. Each Thursday?
    Ms. Sherry. Absolutely. And then we meet on a less regular 
basis with the Secretary, but we get that information up to her 
as well. The Under Secretary for Management, we meet with him 
on a bi-weekly basis. We meet with him very regularly, but we 
meet with him on a bi-weekly basis on specific audit issues. 
And the Deputy Secretary has made, in fact, a statement that 
she made to me 45 days ago or so was that if there is any time 
that you need me to be able to ``bang a head'' she said you 
call me at any time. She said it doesn't matter when it is, if 
you need me to get behind you in order to be able to make sure 
that we achieve the objectives that we set out this year, you 
reach out to me.
    Mr. Platts. I am glad to hear that, because that is one of 
the concerns, and we have seen it in the past with, Ranking 
Member Towns, I know you remember, NASA, a similar type 
challenge, where the administration at the senior level, but 
then you had all the separate NASA centers that weren't 
necessarily directly responding to the CFO. So I am glad to 
hear, that, and it also goes to the issue that we don't have, 
we are grateful for the great work you are doing, but a Senate-
confirmed compliance with the statute as written, Senate-
confirmed CFO, which I believe would give you even greater 
weight within the Department when you are out there with those 
component agencies. But I am glad to hear that the effort is to 
make sure that is what is happening from the top down.
    I am going to try to squeeze one more in question in here. 
As I said, I am going to then run over, cast one vote, come 
back, have about 20 minute or so for a couple more questions, 
and then we will not hold you again, because it will be a 
little while after that before the vote series ends.
    On the most significant weaknesses identified, access 
controls, and three in particular, access controls, segregation 
of duties, contingency planning, and I will maybe get into them 
in a little more detail when I come back. But I want to, I 
guess contingency planning, that one, this Department came out 
of the attack of 9/11. And the fact that we're a Nation under 
attack, and there was obviously an unprecedented emergency.
    Yet we have this Department not setting an example for the 
rest of the Federal Government as we like it to to better 
prepare for those types of emergencies in how you manage your 
data, your information technology systems. So where are we and 
what do we need to do to address that, that DHS, out of all the 
departments and agencies, is a role model for contingency 
planning when it comes to information security?
    Mr. West. Sir, I will speak to that. Specifically the 
financial systems in the 2010 audit, you are right, what can I 
say. But all systems, all financial systems and all NFRs 
associated with contingency planning in the 2010 audit, we went 
back directly to the components and said, you need to update 
your contingency plan, if you don't have one, you need to 
produce one. And every one of those systems now has a 
contingency plan that has been tested. We are still waiting on 
the results from the auditors as to how we close it out, with 
some exceptions. And those exceptions, we now have required a 
plan of action from each component for each system.
    Mr. Platts. Which components or systems?
    Mr. West. I would have to get back to you on the details, 
if you would like.
    Mr. Platts. Okay.
    Mr. West. But those, we do have plans of action for those. 
And we have given them 6 months. In some cases, big systems, 
there is a bit of a lift to get them, so we have given them 6 
months. But within 6 months, those will all be remediated.
    Mr. Platts. Okay, great. Good. I am glad to hear it. I 
think that is important, because again, setting that example, 
given how your department came to be formed in response to an 
emergency.
    On the issue of, I will try to squeeze this in here 
quickly, segregation of duties. Again, it seems to me, I look 
at it as a more basic internal control, that you can't be the 
one approving the check and writing the check and then checking 
if the check, I mean, why are we failing in that regard? A 
fairly straightforward internal control.
    Ms. Sherry. I agree, Chairman, it is absolutely one of the 
most important internal controls that you should have. And I 
think there are two pieces of it. One is from a functional 
standpoint, what are those particular roles and 
responsibilities that someone should have that potentially 
could be in conflict, to cause an internal control weakness.
    So kind of the best practice is, you shouldn't be able to 
certify a payment as well as initiate a p.o. or something, a 
purchase order or something. So the ability to be able to 
articulate what those conflicting roles are is very critical. 
The Department has been able to do that. We have done that for 
some time as part of our A123 process.
    The difficulty gets into is when you are actually in the 
system. If you have a particular system that allows you to do 
those types of things. So in other words, you know you 
shouldn't enter a purchase order and then turn around and 
approve a payment. But if the system either does not have those 
preventive application controls in them, or they are not 
configured appropriately, there is the possibility that you 
could go in there and do that as well.
    Mr. Platts. I assume we are trying to well identify those 
system weaknesses to then correct.
    Ms. Sherry. That is exactly right. And those are clearly 
what, those are the high risk ones. And one of the processes 
that we did, or our approach this year, over the last couple of 
years, in particular this year, was to really look at those 
high risk ones, such as segregation of duties. If you have a 
particular system that is not configured in a way that prevents 
you from doing that, where are those detective controls that 
you have out there.
    So developing those policies and procedures, training 
people so that they know that those are incompatible 
responsibilities, and then to the extent possible, going in 
behind and making sure that something hasn't happened.
    Mr. Platts. Get to that root cause.
    Ms. Sherry. Absolutely, yes, sir. That is right.
    Mr. Platts. With that, we are going to stand in recess for 
about 10 minutes. And I will be right back.
    [Recess.]
    Mr. Platts. I didn't realize I could be that quick. 
[Laughter.]
    I do appreciate your patience. On the floor, we have 10 
minutes of debate and another series of votes, which means we 
probably have about 15 to 20 minutes before running back 
across.
    The other issue, in addition to contingency planning, 
segregation of duties, is specifically the access control 
deficiency area. And maybe where we are on that, and I know 
with the new identification card and how that will play into 
trying to ensure that we are not allowing, and maybe especially 
the issue of former contractors or former employees who haven't 
been shut off after leaving the Department, if we could address 
that. Please, Mr. West?
    Mr. West. Yes, sir. You are exactly right about the issue. 
The biggest issue with access controls as identified in the 
audit center around the inability in some cases to quickly 
remove or deactivate accounts when people either move on for 
whatever reason, either they are an employee and they have left 
the Department, moved to another department, or component 
within the Department, and especially contractors who, frankly, 
come and go with the contract.
    So we have done some remediation work around that. The 
components have put processes in place to where they will 
review the account list, the approved account list on some 
periodicity. Generally it is like 90 days. I think in one case 
it may be 6 months. Don't quote me on that. But they have 
manual processes in place to review periodically the removal of 
accounts and determine which ones are still valid.
    That is kind of a band-aid on a bigger issue. And as you 
mentioned, the Department is aggressively deploying HSPD 12 
common access cards. And the goal is to get to the point where 
we can use those for mandatory logical access at some point. We 
are working on a plan to get to that as quickly as possible. 
The Deputy Secretary is very interested in that herself. The 
CIO and I also meet with her regularly and this is a key issue 
not just for financial systems but for the Department more 
generally.
    And then once we have HSPD 12 cards, then we will be able 
to upgrade the individual applications to take advantage of 
that, so that we will be able to remove people in more real 
time. But I think until we have that identity capability on 
sort of a core infrastructure, until we have that, we are going 
to still have to rely on these manual processes, reviewing 
access lists periodically like we are doing today.
    Mr. Platts. And the periodic 90-day review, double checking 
that no one is still on that list, ideally you get to where it 
is more automated, with the access card. But is there a more 
real basic internal control of a process when an employee 
leaves the Department, whoever their superior is, that I would 
think has a checklist of what you go through, you turn in your 
key, you turn in your badge. And I make sure that your access 
from a technology standpoint is cut off. I would assume that 
there is that type of more basic human-oriented internal 
control that is apparently not being followed. The fact that 
you have former employees or contractors staying on for some 
period of time.
    Mr. West. Yes, sir. With respect to employees, the 
components all have programs for that that are different. The 
Coast Guard is the fifth service, and they have a very DOD-
centric approach to that.
    I believe that the biggest issue centers around 
contractors. And as I said, contractors come and go with the 
contract, and in fact, some time the same contract, different 
people are swapped out for various, all kinds of reasons, 
business reasons. And it is keeping track of contractors, 
because they have access in some cases to our systems as well. 
That is probably the biggest challenge. And frankly, the best I 
can say, that is a challenge. Like I said, we need to get to 
the point where we have strong token-based authentication so 
that the system can do, in an automated way, can do the removal 
as opposed to having to rely on a contracting officer to tell 
the system administrator that this person has left. That has 
just been a challenge.
    And as I said, what we have put in place to mitigate that 
are these periodic reviews. And at the Department level, we 
have asked that we do that in as short a cycle as possible. It 
is labor-intensive. There is a drain for that. Generally it is 
90 days. That is kind of where we are with that. HSPD 12 gives 
us a lot of promise, and we are, like I said, we are really 
going after that.
    Mr. Platts. And just given the information that you, as a 
Department, hold within your data bases, a lot of very 
sensitive information, all the more important that access be a 
priority, and of those five major areas of weaknesses, that 
that continue to be focused on. Technology ultimately could be 
a wonderful solution. But in the meantime, whatever we need to 
do to make sure from a manual standpoint. Because we don't want 
to have it where it is always more of that Herculean effort to 
comply. We want to get to it. But in the meantime, because of 
the sensitivity of the information, whatever it takes is what 
needs to be done.
    Mr. West. Yes, sir.
    Mr. Platts. The financial system functionality issues, Mr. 
McCoy, you identify in your testimony about the example with 
ICE and the issue of duplicate payments. As a subcommittee, we 
focused on improper payments in a significant way. And the 
numbers are staggering, the official number, $125 billion in 
the most recent year available of improper payments. All sorts, 
including duplicate payments. And you reference in your 
testimony duplicate payments by ICE in fiscal years 2009, 2010, 
and 2011.
    Is there a ball park of what type, from a financial dollar 
standpoint that we are talking about there, the significance of 
those types of duplicate payments?
    Mr. McCoy. Yes, sir, I have the number for 2011, but I do 
not have the numbers, I can get those, for 2009 and 2010. For 
2011, the duplicate payments occurred on January 28th, and it 
was approximately $1.5 million.
    Mr. Platts. And what type of contract, or do you have those 
details with you?
    Mr. McCoy. I believe it was a vendor payment and it was 
scheduled multiple times. So multiple payments went to that 
vendor.
    Mr. Platts. All for $1.5 million?
    Mr. McCoy. All for $1.5 million went to one vendor. ICE is 
in the process, if they have not already recouped it all, will 
recoup it either through offsets or the money has been 
returned.
    Mr. Platts. So $1.5 million was the amount of the payment 
and it was made multiple times?
    Mr. McCoy. The $1.5 million was the total amount. It was 
multiple payments.
    Mr. Platts. Okay. So it might have been a $500,000 that was 
actually owed, paid three times, something of that nature?
    Mr. McCoy. I believe it is more along the lines of $80,000 
paid multiple times or something different. It is a smaller 
number, it was paid multiple times.
    Mr. Platts. The dollar amount being smaller may actually 
make me even more concerned. Because if it was $750,000 and we 
duplicate paid it once, that would be troubling and a risk to 
taxpayers. But if it was $100,000 and we did it 15 times, then 
that tells we have a real breakdown in the internal controls.
    Mr. McCoy. It is part of the functionality with that 
system. They have put a patch in to prevent that from happening 
again. It also has something to do with training, with 
certified officials.
    Mr. Platts. Ms. Sherry, is that one that you are familiar 
with, that case?
    Ms. Sherry. Yes, absolutely. In fact, since 2009, I believe 
ICE has had three separate duplicate payments that have been 
both a mixture of manual errors, as Mr. McCoy had indicated, as 
well as system issues. I think that the number is about $15 
million in total over the last 3 years. And that is in context 
of about $26 billion that they would have paid during that 
time. So relatively small percentage-wise, clearly something 
that is very concerning to us.
    As we identify these issues, again, the goal in any of 
this, any payment management controls, is to prevent that type 
of stuff. So clearly, relying on detective controls is not a 
best practice. That is not something that we want to do. But 
when ICE had identified these duplicate payments, and typically 
what would happen is on a particular schedule, when they go to 
make the payment, it has a myriad of individuals on that 
particular schedule. So what happens is when you pay it once, 
and then if you are allowed to pay it again, I believe either 
through a systems bug or a patch that didn't quite work, or the 
system allows certifiers to maybe, schedulers to certify the 
same schedule twice. Things of that nature, what ends up 
happening is you end up paying all those individuals again, and 
that is what is indicated then.
    We worked very closely with ICE, clearly, for the last 3 
years, to really identify the reason for the duplicate payment. 
Because what we really wanted to find out, number one, we 
wanted to prevent it from happening again. They detected it, 
how do we prevent if from happening again. They have 
successfully put in fixes for each of those. I believe in 
November they will be putting in a fix to the Oracle data 
server in order to be able to address any of the interface 
issues which I think contributed to this last duplicate 
payment. So we aggressively go after the fix of these.
    ICE also is very much making sure that they are forward 
looking. So in other words, if there is a particular schedule 
that is paid that is out of the ordinary, maybe it is expedited 
or it is not paid on their normal schedule, they are 
hypersensitive in really reviewing those, just to make sure 
that nothing abnormal actually happened.
    Mr. Platts. That focus, I appreciate the point that $15 
million out of $26 billion percentage, but $15 million of 
American taxpayers' hard-earned dollars is still $15 million.
    Ms. Sherry. I completely agree, sir, and we did recoup all 
the payments. So we aggressively go after them to make sure 
that we recoup them. And the Department has other programs in 
place, such as the improper payments. And doing recovery 
auditing, really using those forensics to go out there to 
determine whether or not there are duplicate payments out 
there, what we find happily through those forensic type looks 
is that duplicate payments is not really rampant throughout the 
Department. So it is not just at ICE.
    But what we want to do is again, we have to prevent them as 
opposed to just detecting them after the fact. Again, 
protecting the American taxpayer dollar is what we need to do. 
So one of the things that we will be doing this year, through 
the A123 process, is really that end to end review of our 
payment processes throughout the Department. And really 
training, we need to be able to make sure that if an improper 
payment is occurring because of a particular condition, we make 
sure that we don't just fix it at that one component, but 
instead, that all the components are addressing those 
particular issues.
    Mr. Platts. And I commend that approach. I think that has 
been a hallmark of your leadership at the Department. It really 
isn't just a one-time short fix, but a permanent solution. And 
getting to root causes that we are putting in place and what we 
have learned at ICE, let's make sure at FEMA or Coast Guard or 
wherever that we are not having to repeat the error to reinvent 
the wheel. Let's be comprehensive. I think that ultimately gets 
to where I know where you are trying to get, ultimately, to 
that clean audit in the long term.
    I am going to put in one more question and then we are 
going to have to wrap it up. That goes to the issue of the 
financial systems modernization. And back in March, with the 
cancellation of the transformation and systems consolidation 
approach, more of an enterprise-wide and then just last month, 
the announcement by the Under Secretary of the decentralized 
approach. I guess if I could have kind of a summary of where we 
stand on that change and that new approach, decentralized.
    And Mr. McCoy referenced in his testimony that in making 
the change to a decentralized approach that there would be 
prioritized system modernization for components with the most 
critical need. What is going to be the approach of that 
prioritization? Is it going to be from a sensitivity of the 
information? Dollar amounts that maybe are at risk? The history 
of that entity, ICE versus FEMA versus, if you look at FEMA 
with the number of repeat deficiencies, how are you going to 
prioritize in making this new approach decentralized?
    Ms. Sherry. Yes, sir. As you correctly point out, in March 
we had the sustainment of the protest. What we have done, what 
GAO had asked us to do was to really take a look at whether or 
not our requirements had changed. So what we did is we took 
that to heart and we took a look. We realized because of the 
changes that have really occurred since we originally went out 
with the solicitation, in particular in information technology, 
that in fact we were able to do this differently.
    So rather than bringing one system, one instance of a 
system within our data warehouse, within our data centers, that 
there was just a change in the security posture in general and 
change in IT as it relates to cloud computing. In addition to 
the fiscal pressures and the realization that you can't have 
10-year implementation, where it takes you 10 years, $10 
billion later, to be able to get to initial operating 
capability.
    So it has been something that our leadership has been very 
much focusing on, not just for financial systems, but for all 
of our IT projects, to be able to say, you need to be able to 
get to operating capability quicker. What they are really 
looking for, challenging us to be able to develop projects in 
smaller ways such that we can develop that capability quicker. 
So that is really what the intention is.
    So all of that together, really, the Department looked back 
and said, yes, there is a different way for us to be able to do 
this. We haven't exactly said that FEMA will go here, Coast 
Guard will go here, ICE will go here. Instead, what we are 
doing, we are working with each of those components and having 
them do an analysis of alternatives. They are doing their 
market research, they are looking what is out there, they are 
defining what their requirements are with the Department. What 
we are doing is we are setting forward kind of the standards. 
In the event that you were to be able to go out to a shared 
service provider or a commercial provider out in the cloud some 
place, here are the basic minimum internal controls you 
absolutely must have, the things that you must do.
    So we are working with the components in setting those 
particular standards. Also working with them on common data 
structures, such that we won't be overly proscriptive to be 
able to limit their ability to be able to go out there and find 
the right provider. But really the basics, such that in one of 
our components, in their accounting line, they don't have a 
budget year. So they don't have a budget year, which again, 
that causes so many problems, so many audit problems as well as 
workarounds and reconciliations. For my purposes, it causes me 
great concern from a funds control standpoint.
    So the basic chocolate and vanilla type standards that you 
must have out there, you have to have a budget year in your 
accounting line. So we worked very closely with them on that.
    We want to focus on those systems that are most critical, 
and they are critical for many fronts. What we are not doing is 
waiting until we modernize the systems to address those 
security issues. So the access controls, those key controls for 
security, we are working with them on that. Instead what we 
will do is look at those components that have, that basically 
are almost in extremis with their systems. FEMA in particular 
will be one that we had focused on initially for TASC that we 
were going to move forward with. We are moving forward very 
aggressively with FEMA right now as well to be able to replace 
their system.
    Working with the Coast Guard, I believe we will not be able 
to get a full scope audit done very effectively and efficiently 
without the Coast Guard doing something to their accounting 
system. And as we have talked about this morning, ICE, with 
their system issues as well as lack of integration, really is 
something that we need to address.
    Mr. Platts. The approach, and with the Department setting 
minimum standards, is there a relationship as you are working 
to do that between you and the CIO but also the IG in a 
prospective, proactive way, versus after the fact that you go 
this route and then IG and then internal and outside audits 
says, no, that is not going to work? How does that relationship 
proceed?
    Ms. Sherry. That is a great question, because it is 
something, one of the lessons learned as we have done TASC, 
which really is that we need to involve all of the key 
stakeholders, including the components, very early. But in 
particular, we need to involve the OIG as well as the GAO in 
really taking a look at them.
    So as part of, with the Department being on the high risk 
as it relates to many of these issues, financial management 
being one of them, we work very closely with the GAO. In fact, 
we briefed them just a few weeks ago on what this approach was. 
We took some recommendations from them. We also met with the IG 
just recently and gave them actually our data standards, here 
is the standardization that we are trying to do and we have 
invited both the GAO as well as the IG to provide comments to 
us on that.
    We will continue to share our documentation with them as we 
develop it. We are working on a concept of operations currently 
at the Department level, and then we work very closely with the 
components. So right now, we are working closely with FEMA as 
they develop their documentation and invite the IG in as well 
as the GAO to be able to help us with best practices, so that 
we can again look at that, not looking back and reading it in 
an audit report, but really trying to prevent these types of 
problems.
    Mr. Platts. And again, that approach I think is very 
commendable and ultimately what is going to help you succeed. 
As Mr. Towns well stated earlier, our role is trying to partner 
with you as you make that progress and go forward. And as the 
Deputy Secretary said, if you need help in banging some heads, 
we are glad to bring in any component entity before us to talk 
about what they are doing, if they are not in line with what 
you are trying to do as a Department. And again, not to play 
gotcha, but just to make sure they understand the importance 
that we all need to work together to get this done.
    And your reference to the approach I think is very 
important that, I think for the American people, it is hard for 
them to understand that when the Federal Government says, we 
have identified this problem and it is going to be 2 or 3 or 4 
or 5 or 10 years before we think we will fix is, in the private 
sector, the business would be closed and out of business. 
Because of the role Government plays, it will still be one and 
still just kind of doing its best while it is trying to fix the 
problem. The American people, I think understand, they approach 
it, what can we do and get it done, the sooner the better. And 
especially here, protecting tax dollars and sensitive 
information, so all the more important.
    With that, we are going to need to wrap up. I want to thank 
each of you again for your testimony, your knowledge that you 
share as we try to fulfill our responsibility as an oversight 
subcommittee and look forward to continuing to work with you. 
The 2011 audit will be coming out and hopefully set a stage 
here seeing some good news in just a few weeks.
    We will keep the record open for 7 days, if there is any 
additional information. I think I am good n the 2009 and 2010 
with the numbers you shared. For 2011, I don't need that 
additional information.
    Also I do want to thank Mr. West and Mr. McCoy, in addition 
to your work in your current positions, your prior service in 
uniform. I am very grateful. I love what I do, but what I do 
pales in comparison to you as a former Navy aviator and U.S. 
Marine. I should say former, not former, you are always a 
Marine, just no longer actively serving as a Marine. I am 
grateful for both of your service and collectively all three in 
your civilian positions, what you are doing on behalf of our 
country and our citizens.
    So with that, this hearing stands adjourned.
    [Whereupon, at 11:22 a.m., the subcommittee was adjourned.]
    [The prepared statement of Hon. Gerald E. Connolly 
follows:]

[GRAPHIC] [TIFF OMITTED] T3167.016

                                 
