U.S. Capitol Police: Progress Made in Addressing Prior GAO
Recommendations on Administrative and Management Operations
(16-JUL-08, GAO-08-1000T).
The United States Capitol Police (USCP) is responsible for
securing the 276-acre Capitol Complex, including protecting
Members of Congress, congressional facilities, national
treasures, and visitors. In response to heightened security
concerns, various requests, and legislative mandates over the
years, GAO has reported on management control problems in five
key areas: (1) establishing an accountability framework for
monitoring recommendations, (2) establishing a risk management
framework, (3) ensuring financial management, (4) ensuring
strategic and human capital planning, and (5) managing
information technology (IT). From January 2004 through March
2007, GAO made 46 recommendations aimed at improving USCP
administrative and management operations and achieving strategic
goals in these areas. This testimony reports on the status of
USCP's efforts to address GAO's recommendations. To conduct its
work, GAO analyzed USCP documentation, such as risk matrices,
budget documents, and strategic plans. GAO also conducted
interviews with USCP officials and contractors on their efforts
related to its recommendations. GAO performed this work from
October 2007 through April 2008, and updated its work on certain
financial management activities in July 2008. USCP generally
agreed with GAO's 46 prior recommendations and its findings on
the status of those recommendations.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-08-1000T
ACCNO: A82886
TITLE: U.S. Capitol Police: Progress Made in Addressing Prior
GAO Recommendations on Administrative and Management Operations
DATE: 07/16/2008
SUBJECT: Accountability
Employee training
Enterprise architecture
Federal enterprise architecture
framework
Financial management
Financial management systems
Hiring policies
Human capital management
Human capital planning
Information security
Information technology
Internal controls
IT acquisitions
IT investment management
Law enforcement
Law enforcement agencies
Passenger trains
Police
Reporting requirements
Risk assessment
Risk management
Staff utilization
Strategic planning
Training utilization
U.S. Capitol
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-08-1000T
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to [email protected].
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Committee on Rules and Administration, U.S. Senate:
United States Government Accountability Office:
GAO:
For Release on Delivery Expected at 10:00 a.m. EDT:
July 16, 2008:
U.S. Capitol Police:
Progress Made in Addressing Prior GAO Recommendations on Administrative
and Management Operations:
Statement of:
Richard M. Stana, Director Homeland Security and Justice:
Kay Daly, Director Financial Management and Assurance:
Bernice Steinhardt, Director Strategic Issues:
Valerie C. Melvin, Director Information Technology:
GAO-08-1000T:
GAO Highlights:
Highlights of GAO-08-1000T, a report to Committee on Rules and
Administration, U.S. Senate.
Why GAO Did This Study:
The United States Capitol Police (USCP) is responsible for securing the
276-acre Capitol Complex, including protecting Members of Congress,
congressional facilities, national treasures, and visitors. In response
to heightened security concerns, various requests, and legislative
mandates over the years, GAO has reported on management control
problems in five key areas: (1) establishing an accountability
framework for monitoring recommendations, (2) establishing a risk
management framework, (3) ensuring financial management, (4) ensuring
strategic and human capital planning, and (5) managing information
technology (IT). From January 2004 through March 2007, GAO made 46
recommendations aimed at improving USCP administrative and management
operations and achieving strategic goals in these areas. This testimony
reports on the status of USCP�s efforts to address GAO�s
recommendations. To conduct its work, GAO analyzed USCP documentation,
such as risk matrices, budget documents, and strategic plans. GAO also
conducted interviews with USCP officials and contractors on their
efforts related to its recommendations. GAO performed this work from
October 2007 through April 2008, and updated its work on certain
financial management activities in July 2008.
USCP generally agreed with GAO�s 46 prior recommendations and its
findings on the status of those recommendations.
What GAO Found:
USCP has made significant progress in addressing the 46 recommendations
GAO made since 2004. As shown in the table below, USCP has completed
actions on 15 recommendations, is making progress toward addressing 30
recommendations, and has not made progress on 1 recommendation. With
respect to the five areas, the status of USCP�s efforts to address
GAO�s recommendations is as follows:
* Accountability Framework for Monitoring Recommendations. USCP has
completed actions on creating a framework to monitor progress on
addressing GAO�s recommendations and on reporting this progress to
appropriate congressional committees and the USCP Police Board.
* Linking Resources to Risks, Threats, and Vulnerabilities. USCP has
taken steps to complete risk assessments for 18 of the 19 congressional
facilities. However, additional actions will be required to adequately
test and review its overall risk management approach.
* Financial Management. USCP has completed actions on 8 GAO
recommendations, including preparing its first full set of financial
statements. USCP is making progress in addressing another 15
recommendations related to staffing, training, policies, procedures,
and internal controls.
* Human Capital Management. USCP has implemented one recommendation by
adopting a hiring policy and is making progress on seven other
recommendations related to workforce planning and training. USCP has
not yet addressed a ninth recommendation to monitor and evaluate the
results of its strategic workforce plan because this plan is still
being developed.
* Information Technology. USCP has implemented four recommendations
related to IT management capabilities and is making progress toward
implementing the remaining five recommendations related to enterprise
architecture, IT investment management, information security, and
continuity of operations planning.
Table: Status of USCP Progress in Addressing GAO's Recommendations:
Issue area: Accountability framework for monitoring recommendations;
GAO recommendations since 2004: 2;
Status of recommendations: Competed: 2;
Status of recommendations: In progress: 0;
Status of recommendations: No progress: 0.
Issue area: Linking resources to risks, threats, and vulnerabilities;
GAO recommendations since 2004: 3;
Status of recommendations: Competed: 0;
Status of recommendations: In progress: 3;
Status of recommendations: No progress: 0.
Issue area: Financial management;
GAO recommendations since 2004: 23;
Status of recommendations: Competed: 8;
Status of recommendations: In progress: 15;
Status of recommendations: No progress: 0.
Issue area: Human capital management;
GAO recommendations since 2004: 9;
Status of recommendations: Competed: 1;
Status of recommendations: In progress: 7;
Status of recommendations: No progress: 1.
Issue area: Information technology;
GAO recommendations since 2004: 9;
Status of recommendations: Competed: 4;
Status of recommendations: In progress: 5;
Status of recommendations: No progress: 0.
Source: GAO analysis of USCP data.
[End of table]
What GAO Recommends:
To view the full product, including the scope
and methodology, click on [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-1000T]. For more information, contact Richard M.
Stana at (202) 512-8777 or [email protected].
[End of section]
Chairman Feinstein, Mr. Bennett, and Members of the Committee:
We appreciate the opportunity to be here today to discuss the United
States Capitol Police's (USCP) progress in implementing our prior
recommendations on administrative and management operations. The USCP
is responsible for securing the 276-acre Capitol Complex; protecting
members of Congress, their staff, visitors, 19 buildings, national
treasures; and regulating traffic within the Capitol grounds. Having
efficient and effective administrative and management operations is
important in the USCP's overall mission to protect the United States
Capitol Complex and the on-site public.
Over the years, in response to various requests and legislative
mandates, we have reported on USCP's efforts to address a range of (1)
operational, (2) financial management, (3) human capital management,
and (4) information technology (IT) management issues. Our reviews have
disclosed management control problems in these areas. As a result of
these reviews, we have made a number of recommendations that we believe
the USCP should implement to achieve its strategic goals and operate in
an efficient and effective manner.
In our March 2007 report, we noted that USCP's progress in implementing
many of our past recommendations in the four aforementioned areas had
been slow for reasons that included an absence of goals, time frames,
and accountability; a lack of continuity in leadership and staff; and a
tendency to focus on near-term operational demands to the exclusion of
longer-term challenges. To ensure greater accountability and
transparency, we recommended that the Chief of Police set goals and
timetables to track prior recommendations and to report semiannually to
the Capitol Police Board and congressional stakeholders on progress
towards addressing open recommendations (that is, recommendations not
yet fully implemented).
My remarks today are based on our recent review of USCP progress toward
addressing recommendations we have made from January 2004 through March
2007 in the following areas: (1) creating an accountability framework
for monitoring recommendations; (2) effectively linking USCP's resource
requirements and allocations to risks, threats, and vulnerabilities;
(3) ensuring adequate accountability for its assets and resources and
meeting its long-term goal of becoming a sound, fully functional
financial management operation; (4) ensuring strategic management of
its workforce; and (5) effectively leveraging information technology to
meet its strategic mission, goals, and outcomes.
To evaluate USCP's efforts in these areas, we reviewed documentation,
such as risk matrices, budget documents, financial reports, and
strategic plans in support of the current status of USCP actions to
improve management controls and close outstanding recommendations;
analyzed USCP operational, strategic and human capital planning, and IT
management information; reviewed USCP management and administrative
processes and written policies, procedures, plans, and directives; and
interviewed members of the USCP leadership team, contractors, and other
key USCP staff. In determining the status of financial management
recommendations we also supplemented our assessment with the agency
auditor's report findings. Prior experience with the auditors and our
review of their reports provided the basis for determining the
sufficiency and relevance of evidence provided in these documents. We
conducted our review from October 2007 through April 2008, and updated
our work in certain financial management activities in July 2008 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Summary:
Since our March 2007 report, USCP has made significant progress toward
addressing 46 recommendations we made since 2004. As shown in table 1,
of the 46 recommendations we made, USCP has completed actions on 15
recommendations, is making progress toward addressing 30
recommendations, and has not made progress on 1 recommendation.
Table 1: USCP's Progress toward Addressing GAO's Recommendations:
Issue area: Accountability framework for monitoring recommendations;
GAO recommendations since 2004: 2;
Status of recommendations: Competed: 2;
Status of recommendations: In progress: 0;
Status of recommendations: No progress: 0.
Issue area: Linking resources to risks, threats, and vulnerabilities;
GAO recommendations since 2004: 3;
Status of recommendations: Competed: 0;
Status of recommendations: In progress: 3;
Status of recommendations: No progress: 0.
Issue area: Financial management;
GAO recommendations since 2004: 23;
Status of recommendations: Competed: 8;
Status of recommendations: In progress: 15;
Status of recommendations: No progress: 0.
Issue area: Human capital management;
GAO recommendations since 2004: 9;
Status of recommendations: Competed: 1;
Status of recommendations: In progress: 7;
Status of recommendations: No progress: 1.
Issue area: Information technology;
GAO recommendations since 2004: 9;
Status of recommendations: Competed: 4;
Status of recommendations: In progress: 5;
Status of recommendations: No progress: 0.
Source: GAO analysis of USCP data.
[End of table]
The following describes the actions taken and the work remaining to
address the recommendations in the five areas shown in table 1:
Accountability Framework for Monitoring Recommendations. USCP has
completed actions on both of our recommendations relating to creating a
framework for monitoring recommendations and holding management
accountable. USCP set goals and timetables for implementing each of
GAO's 46 recommendations, assigned responsibility to an appropriate
USCP official for ensuring that actions are taken to implement the
recommendations, and created a tracking system to monitor progress. In
addition, USCP now reports semiannually to the USCP Board, Senate and
House Appropriations Committees, the Senate Committee on Rules and
Administration, and the Committee on House Administration on progress
made in implementing our prior recommendations.
Linking Resources to Risks, Threats, and Vulnerabilities. USCP is
making progress toward implementing our three recommendations relating
to more effectively linking USCP's staffing and other resource needs to
the risks, threats, and vulnerabilities that the Capitol Complex faces.
USCP has taken steps to complete and apply a risk matrix that assesses
the security environment at 18 of the 19 Capitol Complex facilities,
and plans to apply it to six Library of Congress buildings when USCP
assumes responsibility for their security at the end of the fiscal
year. Moreover, initial steps have been taken to conduct both external
peer reviews and periodic testing of USCP's overall risk management
approach. While USCP has plans to periodically test and evaluate the
risk matrix, the process has yet to be formalized as a Standard
Operating Procedure (SOP).
Financial Management. Of the 23 GAO recommendations relating to
financial management, USCP has completed actions on 8 recommendations,
in areas such as assessing its staffing needs and procurement process
and issuing its first full set of financial statements in accordance
with generally accepted accounting principles in December 2007. USCP is
also making progress towards addressing 15 recommendations related to
staffing, training, policies, procedures, and internal controls.
Importantly, since April 2008, USCP has filled five financial
management vacancies, including the Chief Financial Officer position,
and the remaining positions are in the process of being filled.
Human Capital Management. Of the nine GAO recommendations relating to
human capital management, USCP has implemented one recommendation by
adopting a hiring policy and is making progress on seven other
recommendations related to workforce planning and training. USCP has
not yet addressed a ninth recommendation to monitor and evaluate the
results of its strategic workforce plan because this plan is still
being developed and it is still too soon for USCP Office of Human
Resources (OHR) officials to monitor and evaluate any progress on
achieving the human capital goals of the plan.
Information Technology (IT). Of our nine recommendations relating to
IT, USCP has implemented four recommendations and is making progress
toward implementing the remaining five. Specifically, USCP has made
progress towards establishing important IT management capabilities,
such as the use of disciplined system acquisition management practices.
However, more work remains to be done in the areas of enterprise
architecture, IT investment management, information security, and
continuity of operations planning.
I will briefly discuss each of the major areas where we have made
recommendations and USCP's progress to date in implementing those
recommendations. More detailed information on our recommendations and
USCP's efforts to implement them is included as an appendix to this
statement.
Creating an Accountability Framework for Monitoring Recommendations:
USCP Has Established a Framework:
USCP's progress in implementing many of our past recommendations had
been slow for reasons that included an absence of goals, time frames,
and accountability; a lack of continuity in leadership and staff; and a
tendency to focus on near-term operational demands to the exclusion of
longer-term challenges. To help ensure that actions were taken to
implement our recommendations, in March 2007, we recommended that the
USCP Chief of Police (1) set goals and timetables, and establish
accountability for implementing the recommendations, and (2) report
semiannually to the USCP Board, Senate and House Appropriations
Committees, the Senate Committee on Rules and Administration, and the
House Committee on House Administration on progress made in
implementing our recommendations.
To address our first recommendation, USCP appointed an Audit Liaison to
coordinate the tracking, reporting, and resolution of recommendations
made by GAO and the USCP Office of the Inspector General (OIG). In this
regard, USCP created a formal recommendation resolution process with
several components. Each recommendation is assigned to a designated
official who is responsible for establishing an action plan to outline
the actions needed to implement the recommendation, identify staff
responsible for taking the needed actions, establish a target
completion date, and track the status of related actions until
completion. In a larger sense, during the last year, USCP has taken
additional steps to strengthen management accountability and address
both our and OIG recommendations. For example, USCP has created a
formal process known as the Force Development Planning Process aimed at
ensuring that all organizationwide decision-making, planning, and
resource allocation processes incorporate elements of threat-based
planning. According to USCP, the process links seven previously
separate activities related to planning, investments, budget
formulation, execution, and performance evaluation into a single
process that integrates risk and operational and administrative
assessments. By linking these activities, USCP endeavors to establish
timetables and better accountability for planning and resource
requirements while ensuring that the overall department employs a more
strategic and results-oriented approach.
With respect to the second recommendation, USCP submitted two
semiannual reports during 2007 to stakeholders to provide an update on
progress made to implement both our and the OIG prior recommendations.
In these reports, the Chief of Police also linked USCP's progress
toward implementing the recommendations and improving overall USCP
management and operations to the steps necessary to realize the goals
in the USCP strategic plan and Concept of Operations (ConOps).
Linking Resources to Risks, Threats, and Vulnerabilities: Progress Made
in Implementing a Risk Management Approach:
Over the years, we have supported the use of a risk management approach
to help implement and assess responses to various national security and
terrorism concerns. We have concluded that without an approach that
provides insights about the present threat and vulnerabilities as well
as the organizational and technical requirements necessary to achieve a
program's goals, there is little assurance that programs are properly
prioritized and focused.
In the past, we have reported that to improve operations and better
support resource requirements, USCP would have to more effectively link
threats and vulnerabilities to its staffing and other resource needs.
In our 2005 report, we noted that according to USCP, continued
increases in its operational requirements were not being met with
necessary increases in its number of uniformed officers. We also noted
that USCP's ability to assess risk levels--relative to the
vulnerabilities of and threats to USCP security posts--would provide
USCP with information needed to more effectively allocate limited
resources to the areas of greatest need. In that regard, we worked with
USCP to develop a risk analytical management matrix that could be used
to assess risk relative to the threats and vulnerabilities of the
Capitol Complex. Moreover, we issued three recommendations to help USCP
develop a risk management framework that links threats and
vulnerabilities to allocation of resources.
In our March 2007 report, we noted that while USCP had taken several
steps to develop a risk management framework to address our
recommendations, its progress was slow. Since we issued that report,
USCP has made significant progress in addressing our recommendations
regarding the implementation of a risk management approach, although
further actions are needed.
Progress Has Been Made in Applying the Risk Matrix, but It Is Not Fully
Implemented:
USCP has made significant progress in applying the risk management
framework. Using the risk matrix and other tools, USCP has completed
risk assessments for 18 of 19 congressional facilities and is scheduled
to complete all assessments this fiscal year. According to USCP
officials, they will be required to complete a total of 25 assessments
after the department assumes responsibility for six additional
facilities from the Library of Congress at the end of the fiscal year.
USCP will need to complete the risk assessments of all the facilities
under its responsibility to fully address our recommendations.
Moreover, to ensure that USCP's resource requirements are better linked
to threats and vulnerabilities, USCP contracted with Enlightened
Leadership Solutions (ELS) to assess the department's manpower
configuration, law enforcement operations, and overall staffing
resources. According to USCP officials, the findings from the ELS
Manpower Study are currently being evaluated and integrated into its
Force Development Planning Process. Agency officials told us that upon
integration, the USCP will be able to more effectively link resource
requirements to threats and vulnerabilities.
Initial Steps Taken to Review and Test the Effectiveness of the Matrix;
However, Additional Actions Are Necessary:
While USCP has taken initial steps to review and test the effectiveness
of its risk management framework, further action is necessary to fully
implement our recommendation. For example, ELS examined the risk
management frameworks employed by comparable federal law enforcement
agencies to identify best practices and potential benchmarks. To do
this work, ELS conducted best practices research and interviewed high-
level officials in the Central Intelligence Agency (CIA), the Federal
Bureau of Investigation (FBI), the U.S. Department of State's Bureau of
Diplomatic Security, and the Department of Defense. Moreover, USCP
sought the assistance of three additional agencies--the General
Services Administration (GSA), the Transportation Security
Administration (TSA), and the U.S. Secret Service (USSS)--to conduct
peer reviews by reviewing USCP's risk management framework. According
to USCP, the agencies listed above share protective missions similar to
the USCP as well as conduct large physical security surveys. According
to USCP, regarding the risk management framework, these agencies all
concur with USCP's methodologies, processes, and reporting structures.
Although we did not validate the initial findings of the external peer
reviews, we believe that USCP is taking steps in the right direction to
review the effectiveness of its risk management framework.
To test the effectiveness of the risk matrix, according to USCP
officials, the department's Safety and Security Bureau (SSB) plans to
conduct an annual internal review and assessment of the risk matrix
after all risk assessments have been completed for all congressional
facilities. As a part of the review, SSB proposed to evaluate the
thoroughness and accuracy of each risk assessment; review whether or
not all existing vulnerabilities and mitigation options were correctly
identified; and suggest changes or updates to the risk matrix as a
result of the review. Agency officials told us that this plan has yet
to be formalized into their SOPs until all physical assessments of the
congressional facilities have been completed.
When fully integrated, the combination of these efforts should fulfill
our remaining recommendations regarding the linkage between risk
management and the necessary resource requirements to address those
risks in the most efficient and effective manner.
Financial Management: Progress Noted in Certain Areas, but Major
Financial Management Challenges Remain:
In our March 2007 report, we found that USCP continued to face major
challenges and had not made significant progress toward improving its
financial management operations. Major challenges reported included a
high level of staff turnover and open vacancies, which have continued
into fiscal year 2008 and prevented USCP's Office of Financial
Management (OFM) from stabilizing its financial management operations.
As you know, a stable and skilled workforce is needed to build a strong
foundation for financial management, internal control, and
accountability. Our March 2007 report also highlighted continuing
challenges related to financial reporting and the performance of
related physical inventories of assets, the implementation of a new
financial management system, and the need to follow through with plans
to develop and implement an internal control program. Further, we
reported that 23 previously issued financial management recommendations
covering general financial management and reporting, internal control
policies and training development, procurement, and staffing identified
during our reviews since 2004 had not been addressed.
During the past year, OFM has made important progress toward addressing
long-standing financial management issues in each of these areas,
including the issuance of its first full set of financial statements in
accordance with generally accepted accounting principles in December
2007. In addition to achieving this important milestone, USCP completed
actions in areas such as assessing its staffing needs and procurement
process that effectively addressed 8 of our 23 recommendations. In
addition, although USCP has made important progress toward addressing
the remaining 15 recommendations related to staffing, training,
policies and procedures, internal controls, and other financial
management activities, continued efforts are needed to ensure that
USCP's financial management operations meet their objectives and
stakeholder needs.
Addressing Staffing Shortages Is Critical for Sustained Improvements:
USCP effectively addressed two of our prior recommendations related to
evaluating its financial management staffing needs by conducting
internal assessments of current and future needs that included
assessing the need for additional staff or contractors to meet ongoing
needs and high-priority demands. USCP has made recent progress in
addressing two recommendations related to staffing shortages. As of
April 4, 2008, eight OFM positions, including the Chief Financial
Officer (CFO), Deputy CFO, Budget Officer, and Procurement Officer were
vacant, due to recurring turnovers and other factors. As a result of
these shortages, USCP financial statement auditors reported significant
weaknesses related to OFM's ability to effectively monitor its
financial management operations. Since that time, several of the
positions--including the CFO position--have been filled and others are
in the process of being filled.
Additional Efforts Needed to Build on Progress Made in Procurement
Activities and Credit Card Programs:
Collectively, USCP efforts effectively addressed three of our prior
recommendations related to procurement activities and credit card
programs; however, additional efforts are needed to address nine other
recommendations in these areas. For example, efforts to realign
procurement staff and implement workload efficiencies have enabled OFM
to eliminate previously reported backlogs and provided an effective
framework for meeting future activity. In addition, USCP monitored
purchase card activity to identify potential fraudulent activity,
improper usage, or abuses of these cards and initiated efforts to
monitor fleet and travel card activities. USCP has also made progress
toward providing training and guidance for staff involved in
procurement activities and credit card programs. However, continued
efforts are needed to further assess credit card program risks and
enhance existing guidance, training, and monitoring activities to
ensure consistent application of policies and procedures.
Financial Reporting and Internal Control Have Improved, but Challenges
Remain:
USCP effectively addressed three of our seven recommendations related
to financial reporting and general internal control by issuing its
first full set of financial statements, formalizing procedures related
to reprogramming transactions, and establishing electronic approval
paths in its new financial management system. By the end of fiscal year
2007 USCP had also issued or revised about 30 policies and procedures
covering a wide range of financial activities including payroll,
capitalized assets, and access to its financial management reporting
system. Although USCP has made substantial progress in formalizing its
policies and procedures, additional efforts are needed to address
issues identified in the four remaining recommendations. For example,
the USCP financial statement auditor noted in its 2007 audit report
instances where the lack of staff and improper implementation of USCP's
policies and procedures created deficiencies that ultimately
contributed to two material weaknesses[Footnote 1] and the auditor's
inability to issue an opinion on the financial statements.
Recognizing that annual financial statements audits provide a valuable
assessment of USCP's financial management operations and that auditors
reported significant deficiencies in December 2007, we encourage USCP
to continue to work with its auditors to address (1) the deficiencies
that prevented its auditors from expressing an unqualified opinion on
its financial statements, (2) significant internal control deficiencies
reported by the auditors including those considered to represent
material weaknesses related to payroll processing and financial
management, and (3) any instances of noncompliance with laws and
regulations reported by the auditors. Correcting these deficiencies
will not only permit USCP to obtain an unqualified opinion in the
future, but will also help in achieving its long-term goal of becoming
a fully functional financial management operation with a solid
foundation of internal control and accountability.
Human Capital Management: USCP Has Adopted Hiring Policy and Initiated
Efforts to Address Long-standing Workforce Planning and Training
Issues:
Since our prior review in March 2007, USCP has successfully implemented
our August 2004 recommendation to adopt a civilian hiring policy. USCP
has addressed this recommendation by issuing a policy that describes
the department's process for hiring both sworn and civilian staff and
outlines the responsibilities of managers and selecting officials in
this process. Additionally, USCP has made some initial steps to develop
a strategic workforce plan and a master training plan. Our past work
has identified the need for USCP to develop these plans to address
several long-standing human capital challenges, such as updating human
resource management policies and procedures, improving workforce
planning, and addressing employees' training needs. In January 2004, we
issued six recommendations proposing that USCP develop and implement a
strategic workforce planning process containing specific human capital
strategies addressing such areas as recruitment and training. We made
two additional recommendations regarding the implementation of this
process in our reports issued in 2005. Of these eight recommendations,
USCP has made progress on all but one recommendation--to monitor and
evaluate the results of its strategic workforce plan. Because USCP has
not yet fully developed its strategic workforce plan, it is still too
soon for officials from USCP's Office of Human Resources (OHR) to
monitor and evaluate the results of this plan.
USCP Has Adopted a Civilian Hiring Policy:
In our August 2004 report, we determined that USCP needed to adopt
clear, up-to-date policies and procedures for hiring individuals into
civilian positions. Specifically, both USCP's SOP that discusses the
roles and responsibilities managers have in the civilian hiring process
and the supplemental memorandum on the process for making job offers
were out-of-date and not consistently implemented by USCP officials. In
October 2007, USCP successfully implemented this recommendation by
issuing its Employment and Promotion Policy Plan that provides a
standardized hiring process for both sworn and civilian positions
within USCP. In addition to including a description of the department's
hiring process, this plan also outlines the responsibilities that
managers and selecting officials have in the hiring process, such as
determining whether vacant positions still need to be filled and
consulting with OHR officials on any changes in the position's duties,
responsibilities, or organizational placement. This plan was approved
by USCP's Chief of Police and applies to all personnel actions related
to filling USCP positions.
USCP Has Taken Initial Steps to Develop a Strategic Workforce Plan:
Our prior work examining the practices of leading organizations has
highlighted the importance of developing human capital strategies--the
programs, policies, and processes that organizations use to hire and
train staff; develop succession plans; administer a performance
management system; and use human capital flexibilities.[Footnote 2]
These strategies can assist an agency in addressing skill gaps within
its current workforce as well as acquiring skills needed in the future
to achieve an agency's mission and goals.
To address our eight recommendations relating to the development and
implementation of a strategic workforce planning process, USCP's Office
of Human Resources has completed an initial draft of a strategic
workforce plan, which discusses the importance of workforce planning,
demographic information on USCP's workforce, as well as a listing of
action items needed to develop a set of human capital strategies.
Although creating this initial draft plan is an important first step,
OHR officials acknowledge that the plan will need further refinement.
Specifically, as the draft plan is further developed, the action items
should be more fully developed and include such details as specific
tasks to complete, defined roles and responsibilities, milestones, and
resource requirements. Finally, because USCP has not yet fully
developed its strategic workforce plan, it is too soon for OHR
officials to monitor and evaluate their progress on achieving the human
capital goals of their planone of the eight recommendations we made
related to strategic planning.
Further Collaboration Needed to Complete Master Training Plan:
In our March 2007 report, we discussed USCP's efforts to establish a
well-designed training program that addresses the needs of both sworn
and civilian staff. Effective training and development programs are an
integral part of an agency's ability to ensure that its employees have
the information, skills, and competencies to work effectively. These
training programs can also enhance an agency's ability to attract and
retain employees with needed skills and competencies.
To address three of the recommendations related to developing USCP's
strategic workforce plan, USCP's Training Services Bureau (TSB)
officials have been working on a four-phase process to develop a master
training plan, which is to define and prioritize staff training needs
and requirements. TSB has completed the process' first phase by issuing
a training catalog containing all training courses available to USCP
staff through TSB as well as external training providers and
facilities. Currently, TSB is in the second phase of this process--
validating the competencies of USCP's position descriptions--which will
require further collaboration with OHR. According to OHR officials,
they have finished identifying the competencies for USCP's civilian
positions and are currently reviewing and revising competencies for the
sworn positions. Upon completion of this phase, TSB officials, working
with OHR and other stakeholders, plans to then identify appropriate
professional development and training curriculum for all USCP staff
based on the set of validated competencies. To complete the development
of the master training plan, TSB officials plan to develop specific
training strategies and procedures, such as formulating future training
needs.
Information Technology: USCP Has Made Progress toward Establishing IT
Management Capabilities, but Further Actions Are Needed to Address
Remaining Weaknesses:
USCP relies on information technology (IT) to support achievement of
its mission. For example, USCP depends on IT systems to schedule and
dispatch police officers, manage the maintenance of vehicles and
equipment, and perform numerous administrative functions, such as
preparing financial reports and paying employees. To effectively
leverage IT in achieving strategic mission goals and outcomes, an
organization such as USCP needs to institutionalize certain management
disciplines and capabilities. Accordingly, we have advised the agency
on the importance of (1) following disciplined system acquisition
management practices, (2) developing and implementing an enterprise
architecture, (3) establishing and implementing IT investment
management structures and processes, and (4) developing and
implementing an effective information security program and continuity
of operations plan. Our research of leading private and public sector
organizations shows that success in managing and leveraging IT can be
linked to these strategic IT management disciplines and capabilities.
USCP has made progress in addressing our recommendations related to
each of these IT management disciplines and capabilities, including the
use of disciplined system acquisition management practices.
Nevertheless, weaknesses remain in the areas of enterprise
architecture, investment management, information security, and
continuity of operations planning. Of nine recommendations we made in
January and August 2004 to improve USCP's IT management capabilities,
the department has completed actions on four of the recommendations and
has made progress toward completing the remaining five recommendations.
System Acquisition Policies and Procedures Have Been Developed and
Implemented:
USCP has completed the development and implementation of system
acquisition policies and procedures that are essential to reducing the
risk of acquiring systems that do not perform as intended, are
delivered late, and cost more than planned. Specifically, the agency's
policies and procedures provide for, among other things, developing
acquisition plans and maintaining them throughout the acquisition life-
cycle. Additionally, USCP has taken steps to ensure that system
acquisitions are conducted in accordance with the policies and
procedures. For example, as part of its acquisition of a new case
management system, USCP developed a project management plan, defined
requirements, and monitored project development costs. According to
USCP officials, the agency's policies and procedures are followed for
ongoing and planned system acquisitions. As a result of improving its
system acquisition management, USCP has reduced the risk of systems not
performing as intended, not being delivered on time, and not meeting
cost and schedule expectations.
Further Actions Needed to Develop and Implement Enterprise
Architecture:
USCP has a long-standing enterprise architecture program and, according
to agency officials, all but one of the agency's existing applications
are in compliance with the current architecture version. However,
progress within the last year toward effectively managing the program
in accordance with relevant guidance, such as our enterprise
architecture management maturity framework, has been limited. Further,
the agency's architecture products do not include the full breadth of
necessary content, particularly regarding descriptions of how security
will be achieved. Additionally, USCP officials have identified the need
to update their transition plan and for the revised plan to include a
current schedule for legacy systems replacement and the resource needs
for accomplishing this replacement. According to the officials, the
agency has not had sufficient staff resources to support its
architecture program, and thus, has requested funding for two full-time
architecture staff in its fiscal year 2009 budget request. Until USCP
addresses these weaknesses in its enterprise architecture program, the
agency will be challenged in its ability to implement systems that
optimally support mission operations.
IT Investment Management Process Has Been Developed, but Implementation
Has Limitations:
USCP has developed, but not yet fully implemented, a comprehensive IT
investment management process. The agency's IT Capital Planning and
Investment Control Guide defines a comprehensive process that includes
selection, control, and evaluation of proposed and ongoing investments.
While the agency has made progress toward implementing a process
consistent with its guide, the existing process is largely limited to
the selection of proposed investments, with little emphasis on
controlling and evaluating ongoing investments. For example, the
process does not yet require documentation of key decisions or include
assignment of responsibility for executing decisions during the control
and evaluation stages of the investment life cycle. In speaking to
these activities, USCP officials said they chose to focus their initial
investment management efforts on increasing discipline in the selection
of all (i.e., IT and non-IT) investments across the agency; however
they recognized the need to extend such discipline to the control and
evaluation of the agency's investments. Until USCP implements an
investment management process that includes control and evaluation of
investments, in addition to the already established selection process,
the agency will not be effectively positioned to provide the management
oversight and informed decision making that is necessary to ensure that
investments are performing as planned and delivering promised value.
Further Actions Needed to Fully Implement Information Security Program
and Continuity of Operations Plan:
USCP has implemented an information security program and performed
continuity of operations planning. The agency reported that it has
implemented 70 of 108 information security program activities that it
had identified as necessary. For example, it has completed the
execution of vulnerability assessments and network scans. Additionally,
according to agency officials, certification and accreditation of major
applications has been completed and information security plans have
been developed for major applications. Regarding continuity of
operations planning, USCP has revised its continuity of operations plan
and begun activities to implement the plan throughout the agency.
Specifically, in January 2008, the Chief of Police adopted the revised
plan and directed follow-on activities to be completed that include a
timeline for ensuring the integration of the plan with agency
operations. Nevertheless, USCP officials assert that the agency needs
additional staff resources to fully implement its remaining security
program activities and maintain an effective security program. To this
end, the agency has requested funding for two full-time IT security
staff in its fiscal year 2009 budget request. Until USCP completes its
security program activities, it will not be positioned to protect its
systems and critical information.
Concluding Remarks:
Over the years, we have recommended that USCP take actions to correct
deficiencies we identified in the areas of operations, financial
management, strategic and human capital planning, and IT management.
Since the issuance of our last report and as noted in this statement,
USCP has made significant progress in addressing our prior
recommendations. Notwithstanding the progress that has been made, there
is still substantial work that remains to be done. For example, in the
areas of linking resources to threats and vulnerabilities, USCP has yet
to fully integrate its risk management framework. Until this process is
completed, USCP will not be in the best position to effectively link
resources needs to threats and vulnerabilities. In the areas of
financial management, USCP has yet to fully address the challenges of
ongoing staff shortages and work imbalances. Until these
recommendations are implemented, USCP's ability to sustain improvement
efforts and meet long-term financial management goals will be limited.
In the area of human capital management, work still remains to complete
its strategic workforce plan and master training plan, which should
include long-term strategies for acquiring, developing, and retaining a
workforce with the critical skills and competencies needed to
accomplish the department's mission. In the area of information
technology, despite the progress made in addressing management
concerns, weaknesses remain in enterprise architecture, investment
management, and information security. Until these management and
operational issues are fully addressed and implemented, USCP will not
be in the best position to achieve its strategic goals and mission in
the most efficient and effective manner. This underscores Congress's
need to stay closely attuned to USCP's progress toward addressing the
administrative and management challenges we identified.
Madam Chair, this concludes our prepared statement. We would be happy
to respond to questions you or other members of the subcommittee may
have at this time.
For questions regarding this testimony, please contact Richard M. Stana
at (202) 512-8777 or [email protected]. Contact points for our offices of
Congressional Relations and Public Affairs may be found on the last
page of this statement.
[End of section]
Appendix I: Status of United States Capitol Police (USCP)
Recommendations:
This appendix provides a status summary of the progress made and
remaining actions by USCP in addressing prior GAO recommendations.
[See PDF for image]
Source: GAO.
[A] OMB Circular No. A-123, Management's Responsibilities for Internal
Control (revised Dec. 2004).
[End of table]
[End of section]
Appendix II: GAO Contact and Staff Acknowledgments:
GAO Contact:
Richard M. Stana, (202) 512-8777 or [email protected]:
Acknowledgments:
Individuals making key contributions to this statement were Bernice
Steinhardt, Director; Valerie Melvin, Director; Kay Daly, Acting
Director; Bill Crocker, Assistant Director; Elizabeth Martinez,
Assistant Director; Mark Bird, Assistant Director; Steven Lozano,
Assistant Director; John Mortin, Assistant Director; Josh A. Diosomito;
Heather Dunahoo; James Kernen; Teresa M. Neven; Kenrick Isaac; Lerone
Reid; Katherine Davis; Geoffrey Hamilton; Jacquelyn Hamilton; Franklin
Jackson; and Mike Volpe.
[End of section]
Footnotes:
[1] A material weakness is a significant deficiency, or a combination
of significant deficiencies, that result in more than a remote
likelihood that a material misstatement of the financial statements
will not be prevented or detected. A significant deficiency is a
control deficiency, or combination of control deficiencies, that
adversely affects the entity's ability to initiate, authorize, record,
process, or report financial data reliably in accordance with generally
accepted accounting principles such that there is more than a remote
likelihood that a misstatement of the entity's financial statements
that is more than inconsequential will not be prevented or detected.
[2] GAO, Human Capital: Agencies Need Leadership and the Supporting
Infrastructure to Take Advantage of New Flexibilities, GAO-05-616T
(Washington, D.C.: Apr. 21, 2005; and GAO, Human Capital: Effective Use
of Flexibilities Can Assist Agencies in Managing Their Workforces, GAO-
03-2 (Washington, D.C.: Dec. 6, 2002).
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: [email protected]:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, [email protected]:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, [email protected]:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
*** End of document. ***