U.S. Capitol Police: Status of Efforts to Address Prior GAO	 
Recommendations on Administrative and Management Operations	 
(01-MAY-08, GAO-08-540T).					 
                                                                 
The United States Capitol Police (USCP) is responsible for	 
securing the 276-acre Capitol Complex, including protecting	 
Members of Congress, visitors, and congressional facilities. In  
response to heightened security concerns, various requests, and  
legislative mandates over the years, GAO has reported on	 
management control problems in five key areas: (1) establishing  
an accountability framework for monitoring recommendations, (2)  
establishing a risk management framework, (3) ensuring financial 
management, (4) ensuring strategic and human capital planning,	 
and (5) managing information technology (IT). From January 2004  
through March 2007, GAO made 46 recommendations aimed at	 
improving USCP administrative and management operations and	 
achieving strategic goals. This testimony reports on the status  
of USCP's efforts to address GAO's recommendations. To conduct	 
its work, GAO analyzed USCP documentation, such as risk matrices,
budget documents, and strategic plans. GAO also conducted	 
interviews with USCP officials and contractors on their efforts  
related to its recommendations. GAO performed this work from	 
October 2007 through April 2008. USCP generally agreed with GAO's
46 prior recommendations and GAO's assessment of the status of	 
USCP's efforts to implement those recommendations. Along these	 
lines, USCP needs to complete those actions in progress and	 
address those where there has been no progress. 		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-540T					        
    ACCNO:   A81942						        
  TITLE:     U.S. Capitol Police: Status of Efforts to Address Prior  
GAO Recommendations on Administrative and Management Operations  
     DATE:   05/01/2008 
  SUBJECT:   Accountability					 
	     Employee retention 				 
	     Employee training					 
	     Employees						 
	     Enterprise architecture				 
	     Facility security					 
	     Financial management				 
	     Financial statement audits 			 
	     Financial statements				 
	     Human capital					 
	     Human capital management				 
	     Human capital planning				 
	     Information security				 
	     Information technology				 
	     Internal controls					 
	     Law enforcement personnel				 
	     Monitoring 					 
	     Program evaluation 				 
	     Program management 				 
	     Risk assessment					 
	     Risk management					 
	     Staff utilization					 
	     Strategic planning 				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-540T

   

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony: 

Before the Subcommittee on Capitol Security, Committee on House 
Administration, House of Representatives: 

United States Government Accountability Office: 

GAO: 

For Release on Delivery Expected at 11:30 a.m. EDT: 

May 1, 2008: 

U.S. Capitol Police: 

Status of Efforts to Address Prior GAO Recommendations on 
Administrative and Management Operations: 

Statement of: 

Richard M. Stana, Director Homeland Security and Justice: 

Kay L. Daly, Director Financial Management and Assurance: 

Bernice Steinhardt, Director Strategic Issues: 

Valerie C. Melvin, Director Information Technology: 

GAO-08-540T: 

GAO Highlights: 

Highlights of GAO-08-540T, testimony before the Subcommittee on Capitol 
Security, Committee on House Administration, House of Representatives 

Why GAO Did This Study: 

The United States Capitol Police (USCP) is responsible for securing the 
276-acre Capitol Complex, including protecting Members of Congress, 
visitors, and congressional facilities. In response to heightened 
security concerns, various requests, and legislative mandates over the 
years, GAO has reported on management control problems in five key 
areas: (1) establishing an accountability framework for monitoring 
recommendations, (2) establishing a risk management framework, (3) 
ensuring financial management, (4) ensuring strategic and human capital 
planning, and (5) managing information technology (IT). From January 
2004 through March 2007, GAO made 46 recommendations aimed at improving 
USCP administrative and management operations and achieving strategic 
goals. This testimony reports on the status of USCPï¿½s efforts to 
address GAOï¿½s recommendations. To conduct its work, GAO analyzed USCP 
documentation, such as risk matrices, budget documents, and strategic 
plans. GAO also conducted interviews with USCP officials and 
contractors on their efforts related to its recommendations. GAO 
performed this work from October 2007 through April 2008. 

USCP generally agreed with GAOï¿½s 46 prior recommendations and GAOï¿½s 
assessment of the status of USCPï¿½s efforts to implement those 
recommendations. Along these lines, USCP needs to complete those 
actions in progress and address those where there has been no progress. 

What GAO Found: 

USCP has made significant progress in addressing the 46 recommendations 
GAO made since 2004. As shown in the table below, USCP has completed 
actions on 15 recommendations, is making progress toward addressing 28 
recommendations, and has not made progress on 3 recommendations. With 
respect to the five areas, the status of USCPï¿½s efforts to address 
GAOï¿½s recommendations is as follows: 

* Accountability Framework for Monitoring Recommendations. USCP has 
completed actions on creating a framework to monitor progress on 
addressing GAOï¿½s recommendations and on reporting this progress to 
appropriate congressional committees and the USCP Police Board. 

* Linking Resources to Risks, Threats, and Vulnerabilities. USCP has 
taken steps to complete risk assessments for 18 of the 19 congressional 
facilities. However, additional actions will be required to adequately 
test and review its overall risk management approach. 

* Financial Management. USCP has completed actions on 8 GAO 
recommendations, including preparing its first full set of financial 
statements. USCP is making progress in addressing another 13 
recommendations related to training, policies, procedures, and internal 
controls, but did not make progress toward addressing ongoing staff 
shortages and work imbalances. 

* Human Capital Management. USCP has implemented one recommendation by 
adopting a hiring policy and is making progress on seven other 
recommendations related to workforce planning and training. USCP has 
not yet addressed a ninth recommendation to monitor and evaluate the 
results of its strategic workforce plan because this plan is still 
being developed. 

* Information Technology. USCP has implemented four recommendations 
related to IT management capabilities and is making progress toward 
implementing the remaining five recommendations related to enterprise 
architecture, IT investment management, information security, and 
continuity of operations planning. 

Table: Status of USCP Progress in Addressing GAO's Recommendations: 

Issue area: Accountability framework for monitoring recommendations; 
GAO recommendations since 2004: 2; 
Status of recommendations: Completed: 2; 
Status of recommendations: In progress: 0; 
Status of recommendations: No progress: 0. 

Issue area: Linking resources to risks, threats, and vulnerabilities; 
GAO recommendations since 2004: 3; 
Status of recommendations: Completed: 0; 
Status of recommendations: In progress:3; 
Status of recommendations: No progress: 0. 

Issue area: Financial management; 
GAO recommendations since 2004: 23; 
Status of recommendations: Completed: 8; 
Status of recommendations: In progress: 13; 
Status of recommendations: No progress: 2. 

Issue area: Human capital management; 
GAO recommendations since 2004: 9; 
Status of recommendations: Completed: 1; 
Status of recommendations: In progress: 7; 
Status of recommendations: No progress: 1. 

Issue area: Information technology; 
GAO recommendations since 2004: 9; 
Status of recommendations: Completed: 4; 
Status of recommendations: In progress: 5; 
Status of recommendations: No progress: 0. 

Total; 
GAO recommendations since 2004: 46; 
Status of recommendations: Completed: 15; 
Status of recommendations: In progress: 28; 
Status of recommendations: No progress: 3. 

Source: GAO analysis of USCP data. 

[End of figure] 

To view the full product, including the scope
and methodology, click on [http://www.gao.gov/cgi-bin/getrpt?GAO-08-
540T]. For more information, contact Richard M. Stana at (202) 512-8777 
or [email protected] 

[End of section] 

Chairman Capuano, Mr. Lungren, and Members of the Subcommittee: 

We appreciate the opportunity to be here today to discuss the United 
States Capitol Police's (USCP) progress in implementing our prior 
recommendations on administrative and management operations. The USCP 
is responsible for securing the 276-acre Capitol Complex; protecting 
members of Congress, their staff, visitors, 19 buildings, national 
treasures; and regulating traffic within the Capitol grounds. Having 
efficient and effective administrative and management operations is 
important in the USCP's overall mission to protect the United States 
Capitol Complex and the on-site public. 

Over the years, in response to various requests and legislative 
mandates, we have reported on USCP's efforts to address a range of (1) 
operational, (2) financial management, (3) human capital management, 
and (4) information technology (IT) management issues. Our reviews have 
disclosed management control problems in these areas. As a result of 
these reviews, we have made a number of recommendations that we believe 
the USCP should implement to achieve its strategic goals and operate in 
an efficient and effective manner. 

In our March 2007 report, we noted that USCP's progress in implementing 
many of our past recommendations in the four aforementioned areas had 
been slow for reasons that included an absence of goals, time frames, 
and accountability; a lack of continuity in leadership and staff; and a 
tendency to focus on near-term operational demands to the exclusion of 
longer-term challenges. To ensure greater accountability and 
transparency, we recommended that the Chief of Police set goals and 
timetables to track prior recommendations and to report semiannually to 
the Capitol Police Board and congressional stakeholders on progress 
towards addressing open recommendations (that is, recommendations not 
yet fully implemented). 

My remarks today are based on our recent review of USCP's progress 
toward addressing recommendations we have made from January 2004 
through March 2007 in the following areas: (1) creating an 
accountability framework for monitoring recommendations; (2) 
effectively linking USCP's resource requirements and allocations to 
risks, threats, and vulnerabilities; (3) ensuring adequate 
accountability for its assets and resources and meeting its long-term 
goal of becoming a sound, fully functional financial management 
operation; (4) ensuring strategic management of its workforce; and (5) 
effectively leveraging information technology to meet its strategic 
mission, goals, and outcomes. 

To evaluate USCP's efforts in these areas, we reviewed documentation, 
such as risk matrices, budget documents, financial reports, and 
strategic plans in support of the current status of USCP actions to 
improve management controls and close outstanding recommendations; 
analyzed USCP operational, strategic and human capital planning, and IT 
management information; reviewed USCP management and administrative 
processes and written policies, procedures, plans, and directives; and 
interviewed members of the USCP leadership team, contractors, and other 
key USCP staff. In determining the status of financial management 
recommendations we also supplemented our assessment with the agency 
auditor's report findings. Prior experience with the auditors and our 
review of their reports provided the basis for determining the 
sufficiency and relevance of evidence provided in these documents. We 
conducted our performance audit from October 2007 through April 2008 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Summary: 

Since our March 2007 report, USCP has made significant progress toward 
addressing 46 recommendations we made since 2004. As shown in table 1, 
of the 46 recommendations we made, USCP has completed actions on 15 
recommendations, is making progress toward addressing 28 
recommendations, and has not made progress on 3 recommendations. 

Table 1: USCP's Progress toward Addressing GAO's Recommendations: 

Issue area: Accountability framework for monitoring recommendations; 
GAO recommendations since 2004: 2; 
Status of recommendations: Completed: 2; 
Status of recommendations: In progress: 0; 
Status of recommendations: No progress: 0. 

Issue area: Linking resources to risks, threats, and vulnerabilities; 
GAO recommendations since 2004: 3; 
Status of recommendations: Completed: 0; 
Status of recommendations: In progress:3; 
Status of recommendations: No progress: 0. 

Issue area: Financial management; 
GAO recommendations since 2004: 23; 
Status of recommendations: Completed: 8; 
Status of recommendations: In progress: 13; 
Status of recommendations: No progress: 2. 

Issue area: Human capital management; 
GAO recommendations since 2004: 9; 
Status of recommendations: Completed: 1; 
Status of recommendations: In progress: 7; 
Status of recommendations: No progress: 1. 

Issue area: Information technology; 
GAO recommendations since 2004: 9; 
Status of recommendations: Completed: 4; 
Status of recommendations: In progress: 5; 
Status of recommendations: No progress: 0. 

Total; 
GAO recommendations since 2004: 46; 
Status of recommendations: Completed: 15; 
Status of recommendations: In progress: 28; 
Status of recommendations: No progress: 3. 

Source: GAO analysis of USCP data. 

[End of figure] 

The following describes the actions taken and the work remaining to 
address the recommendations in the five areas shown in table 1: 

Accountability Framework for Monitoring Recommendations. USCP has 
completed actions on both of our recommendations relating to creating a 
framework for monitoring recommendations and holding management 
accountable. USCP set goals and timetables for implementing each of our 
46 recommendations, assigned responsibility to an appropriate USCP 
official for ensuring that actions are taken to implement the 
recommendations, and created a tracking system to monitor progress. In 
addition, USCP now reports semiannually to the USCP Board, Senate and 
House Appropriations Committees, the Senate Committee on Rules and 
Administration, and the Committee on House Administration on progress 
made in implementing our prior recommendations. 

Linking Resources to Risks, Threats, and Vulnerabilities. USCP is 
making progress toward implementing our three recommendations relating 
to more effectively linking USCP's staffing and other resource needs to 
the risks, threats, and vulnerabilities that the Capitol Complex faces. 
USCP has taken steps to complete and apply a risk matrix that assesses 
the security environment at 18 of the 19 Capitol Complex facilities, 
and plans to apply it to six Library of Congress buildings when USCP 
assumes responsibility for their security at the end of the fiscal 
year. Moreover, initial steps have been taken to conduct both external 
peer reviews and periodic testing of USCP's overall risk management 
approach. While USCP has plans to periodically test and evaluate the 
risk matrix, the process has yet to be formalized as a Standard 
Operating Procedure (SOP). 

Financial Management. Of our 23 recommendations relating to financial 
management, USCP has completed actions on 8 recommendations, in areas 
such as assessing its staffing needs and procurement process and 
issuing its first full set of financial statements in accordance with 
generally accepted accounting principles in December 2007. USCP is also 
making progress towards addressing 13 recommendations related to 
training, policies, procedures, and internal controls. However, USCP 
has not made progress on 2 recommendations to fill vacancies that are 
critical in helping its Office of Financial Management stabilize its 
workforce. 

Human Capital Management. Of our nine recommendations relating to human 
capital management, USCP has implemented one recommendation by adopting 
a hiring policy and is making progress on seven other recommendations 
related to workforce planning and training. USCP has not yet addressed 
a ninth recommendation to monitor and evaluate the results of its 
strategic workforce plan because this plan is still being developed and 
it is still too soon for USCP Office of Human Resources (OHR) officials 
to monitor and evaluate any progress on achieving the human capital 
goals of the plan. 

Information Technology (IT). Of our nine recommendations relating to 
IT, USCP has implemented four recommendations and is making progress 
toward implementing the remaining five. Specifically, USCP has made 
progress towards establishing important IT management capabilities, 
such as the use of disciplined system acquisition management practices. 
However, more work remains to be done in the areas of enterprise 
architecture, IT investment management, information security, and 
continuity of operations planning. 

I will briefly discuss each of the major areas where we have made 
recommendations and USCP's progress to date in implementing those 
recommendations. More detailed information on our recommendations and 
USCP's efforts to implement them is included as an appendix to this 
statement. 

Creating an Accountability Framework for Monitoring Recommendations: 
USCP Has Established a Framework: 

USCP's progress in implementing many of our past recommendations had 
been slow for reasons that included an absence of goals, time frames, 
and accountability; a lack of continuity in leadership and staff; and a 
tendency to focus on near-term operational demands to the exclusion of 
longer-term challenges. To help ensure that actions were taken to 
implement our recommendations, in March 2007, we recommended that the 
USCP Chief of Police (1) set goals and timetables, and establish 
accountability for implementing the recommendations, and (2) report 
semiannually to the USCP Board, Senate and House Appropriations 
Committees, the Senate Committee on Rules and Administration, and the 
House Committee on House Administration on progress made in 
implementing our recommendations. 

To address our first recommendation, USCP appointed an Audit Liaison to 
coordinate the tracking, reporting, and resolution of recommendations 
made by us and the USCP Office of the Inspector General (OIG). In this 
regard, USCP created a formal recommendation resolution process with 
several components. Each recommendation is assigned to a designated 
official who is responsible for establishing an action plan to outline 
the actions needed to implement the recommendation, identify staff 
responsible for taking the needed actions, establish a target 
completion date, and track the status of related actions until 
completion. In a larger sense, during the last year, USCP has taken 
additional steps to strengthen management accountability and address 
both our and OIG recommendations. For example, USCP has created a 
formal process known as the Force Development Planning Process aimed at 
ensuring that all organizationwide decision-making, planning, and 
resource allocation processes incorporate elements of threat-based 
planning. According to USCP, the process links seven previously 
separate activities related to planning, investments, budget 
formulation, execution, and performance evaluation into a single 
process that integrates risk and operational and administrative 
assessments. By linking these activities, USCP endeavors to establish 
timetables and better accountability for planning and resource 
requirements while ensuring that the overall department employs a more 
strategic and results-oriented approach. 

With respect to the second recommendation, USCP submitted two 
semiannual reports during 2007 to stakeholders to provide an update on 
progress made to implement both our and the OIG prior recommendations. 
In these reports, the Chief of Police also linked USCP's progress 
toward implementing the recommendations and improving overall USCP 
management and operations to the steps necessary to realize the goals 
in the USCP strategic plan and Concept of Operations (ConOps). 

Linking Resources to Risks, Threats, and Vulnerabilities: Progress Made 
in Implementing a Risk Management Approach: 

Over the years, we have supported the use of a risk management approach 
to help implement and assess responses to various national security and 
terrorism concerns. We have concluded that without an approach that 
provides insights about the present threat and vulnerabilities as well 
as the organizational and technical requirements necessary to achieve a 
program's goals, there is little assurance that programs are properly 
prioritized and focused. 

In the past, we have reported that to improve operations and better 
support resource requirements, USCP would have to more effectively link 
threats and vulnerabilities to its staffing and other resource needs. 
In our 2005 report, we noted that according to USCP, continued 
increases in its operational requirements were not being met with 
necessary increases in its number of uniformed officers. We also noted 
that USCP's ability to assess risk levels--relative to the 
vulnerabilities of and threats to USCP security posts--would provide 
USCP with information needed to more effectively allocate limited 
resources to the areas of greatest need. In that regard, we worked with 
USCP to develop a risk analytical management matrix that could be used 
to assess risk relative to the threats and vulnerabilities of the 
Capitol Complex. Moreover, we issued three recommendations to help USCP 
develop a risk management framework that links threats and 
vulnerabilities to allocation of resources. 

In our March 2007 report, we noted that while USCP had taken several 
steps to develop a risk management framework to address our 
recommendations, its progress was slow. Since we issued that report, 
USCP has made significant progress in addressing our recommendations 
regarding the implementation of a risk management approach, although 
further actions are needed. 

Progress Has Been Made in Applying the Risk Matrix, but It Is Not Fully 
Implemented: 

USCP has made significant progress in applying the risk management 
framework. Using the risk matrix and other tools, USCP has completed 
risk assessments for 18 of 19 congressional facilities and is scheduled 
to complete all assessments this fiscal year. According to USCP 
officials, they will be required to complete a total of 25 assessments 
after the department assumes responsibility for six additional 
facilities from the Library of Congress at the end of the fiscal year. 
USCP will need to complete the risk assessments of all the facilities 
under its responsibility to fully address our recommendations. 
Moreover, to ensure that USCP's resource requirements are better linked 
to threats and vulnerabilities, USCP contracted with Enlightened 
Leadership Solutions (ELS) to assess the department's manpower 
configuration, law enforcement operations, and overall staffing 
resources. According to USCP officials, the findings from the ELS 
Manpower Study are currently being evaluated and integrated into its 
Force Development Planning Process. Agency officials told us that upon 
integration, the USCP will be able to more effectively link resource 
requirements to threats and vulnerabilities. 

Initial Steps Taken to Review and Test the Effectiveness of the Matrix; 
However, Additional Actions Are Necessary: 

While USCP has taken initial steps to review and test the effectiveness 
of its risk management framework, further action is necessary to fully 
implement our recommendation. For example, ELS examined the risk 
management frameworks employed by comparable federal law enforcement 
agencies to identify best practices and potential benchmarks. To do 
this work, ELS conducted best practices research and interviewed high- 
level officials in the Central Intelligence Agency (CIA), the Federal 
Bureau of Investigation (FBI), the U.S. Department of State's Bureau of 
Diplomatic Security, and the Department of Defense. Moreover, USCP 
sought the assistance of three additional agencies--the General 
Services Administration (GSA), the Transportation Security 
Administration (TSA), and the U.S. Secret Service (USSS)--to conduct 
peer reviews by reviewing USCP's risk management framework. According 
to USCP, the agencies listed above share protective missions similar to 
the USCP as well as conduct large physical security surveys. According 
to USCP, regarding the risk management framework, these agencies all 
concur with USCP's methodologies, processes, and reporting structures. 
Although we did not validate the initial findings of the external peer 
reviews, we believe that USCP is taking steps in the right direction to 
review the effectiveness of its risk management framework. 

To test the effectiveness of the risk matrix, according to USCP 
officials, the department's Safety and Security Bureau (SSB) plans to 
conduct an annual internal review and assessment of the risk matrix 
after all risk assessments have been completed for all congressional 
facilities. As a part of the review, SSB proposed to evaluate the 
thoroughness and accuracy of each risk assessment; review whether or 
not all existing vulnerabilities and mitigation options were correctly 
identified; and suggest changes or updates to the risk matrix as a 
result of the review. Agency officials told us that this plan is to be 
formalized into their SOPs when all physical assessments of the 
congressional facilities have been completed. 

When fully integrated, the combination of these efforts should fulfill 
our remaining recommendations regarding the linkage between risk 
management and the necessary resource requirements to address those 
risks in the most efficient and effective manner. 

Financial Management: Progress Noted in Certain Areas, but Major 
Financial Management Challenges Remain: 

In our March 2007 report, we found that USCP continued to face major 
challenges and had not made significant progress toward improving its 
financial management operations. Major challenges reported included a 
high level of staff turnover and open vacancies, which have continued 
into fiscal year 2008 and prevented USCP's Office of Financial 
Management (OFM) from stabilizing its financial management operations. 
As you know, a stable and skilled workforce is needed to build a strong 
foundation for financial management, internal control, and 
accountability. Our March 2007 report also highlighted continuing 
challenges related to financial reporting and the performance of 
related physical inventories of assets, the implementation of a new 
financial management system, and the need to follow through with plans 
to develop and implement an internal control program. Further, we 
reported that 23 previously issued financial management recommendations 
covering general financial management and reporting, internal control 
policies and training development, procurement, and staffing identified 
during our reviews since 2004 had not been addressed. 

During the past year, OFM has made important progress toward addressing 
long-standing financial management issues in each of these areas, 
including the issuance of its first full set of financial statements in 
accordance with generally accepted accounting principles in December 
2007. In addition to achieving this important milestone, USCP completed 
actions in areas such as assessing its staffing needs and procurement 
process that effectively addressed 8 of our 23 recommendations. 
However, despite these efforts, USCP did not make progress toward 
addressing ongoing staff shortages and work imbalances, which 
significantly limit its ability to sustain improvement efforts and meet 
long-term financial management goals and prevented us from noting 
progress in 2 recommendations. In addition, although USCP has made 
important progress toward addressing the remaining 13 recommendations 
related to training, policies and procedures, internal controls, and 
other financial management activities, continued efforts are needed to 
ensure that USCP's financial management operations meet their 
objectives and stakeholder needs. 

Addressing Staffing Shortages Is Critical for Sustained Improvements: 

USCP effectively addressed two of our prior recommendations related to 
evaluating its financial management staffing needs by conducting 
internal assessments of current and future needs that included 
assessing the need for additional staff or contractors to meet ongoing 
needs and high-priority demands. However, USCP has not made progress in 
addressing two recommendations to fill vacancies that are critical in 
helping OFM stabilize its workforce, reduce risk associated with 
workload and staffing imbalances, improve its financial operations and 
meet its long-term goals. For example, eight OFM positions, including 
the Chief Financial Officer (CFO), Deputy CFO, Budget Officer, and 
Procurement Officer, remained vacant as of April 4, 2008, due to 
recurring turnovers and other factors. As a result of these shortages, 
USCP financial statement auditors reported significant weaknesses 
related to OFM's ability to effectively monitor its financial 
management operations. 

Additional Efforts Needed to Build on Progress Made in Procurement 
Activities and Credit Card Programs: 

Collectively, USCP efforts effectively addressed three of our prior 
recommendations related to procurement activities and credit card 
programs; however, additional efforts are needed to address nine other 
recommendations in these areas. For example, efforts to realign 
procurement staff and implement workload efficiencies have enabled OFM 
to eliminate previously reported backlogs and provided an effective 
framework for meeting future activity. In addition, USCP monitored 
purchase card activity to identify potential fraudulent activity, 
improper usage, or abuses of these cards and initiated efforts to 
monitor fleet and travel card activities. USCP has also made progress 
toward providing training and guidance for staff involved in 
procurement activities and credit card programs. However, continued 
efforts are needed to further assess credit card program risks and 
enhance existing guidance, training, and monitoring activities to 
ensure consistent application of policies and procedures. 

Financial Reporting and Internal Control Have Improved, but Challenges 
Remain: 

USCP effectively addressed three of our seven recommendations related 
to financial reporting and general internal control by issuing its 
first full set of financial statements, formalizing procedures related 
to reprogramming transactions, and establishing electronic approval 
paths in its new financial management system. By the end of fiscal year 
2007, USCP had also issued or revised about 30 policies and procedures 
covering a wide range of financial activities including payroll, 
capitalized assets, and access to its financial management reporting 
system. Although USCP has made substantial progress in formalizing its 
policies and procedures, additional efforts are needed to address 
issues identified in the four remaining recommendations. For example, 
the USCP financial statement auditor noted in its 2007 audit report 
instances where the lack of staff and improper implementation of USCP's 
policies and procedures created deficiencies that ultimately 
contributed to two material weaknesses[Footnote 1] and the auditor's 
inability to issue an opinion on the financial statements. 

Recognizing that annual financial statements audits provide a valuable 
assessment of USCP's financial management operations and that auditors 
reported significant deficiencies in December 2007, we encourage USCP 
to continue to work with its auditors to address (1) the deficiencies 
that prevented its auditors from expressing an unqualified opinion on 
its financial statements, (2) significant internal control deficiencies 
reported by the auditors including those considered to represent 
material weaknesses related to payroll processing and financial 
management, and (3) any instances of noncompliance with laws and 
regulations reported by the auditors. Correcting these deficiencies 
will not only permit USCP to obtain an unqualified opinion in the 
future, but will also help in achieving its long-term goal of becoming 
a fully functional financial management operation with a solid 
foundation of internal control and accountability. 

Human Capital Management: USCP Has Adopted Hiring Policy and Initiated 
Efforts to Address Long-standing Workforce Planning and Training 
Issues: 

Since our prior review in March 2007, USCP has successfully implemented 
our August 2004 recommendation to adopt a civilian hiring policy. USCP 
has addressed this recommendation by issuing a policy that describes 
the department's process for hiring both sworn and civilian staff and 
outlines the responsibilities of managers and selecting officials in 
this process. Additionally, USCP has made some initial steps to develop 
a strategic workforce plan and a master training plan. Our past work 
has identified the need for USCP to develop these plans to address 
several long-standing human capital challenges, such as updating human 
resource management policies and procedures, improving workforce 
planning, and addressing employees' training needs. In January 2004, we 
issued six recommendations proposing that USCP develop and implement a 
strategic workforce planning process containing specific human capital 
strategies addressing such areas as recruitment and training. We made 
two additional recommendations regarding the implementation of this 
process in our reports issued in 2005. Of these eight recommendations, 
USCP has made progress on all but one recommendation--to monitor and 
evaluate the results of its strategic workforce plan. Because USCP has 
not yet fully developed its strategic workforce plan, it is still too 
soon for officials from USCP's Office of Human Resources (OHR) to 
monitor and evaluate the results of this plan. 

USCP Has Adopted a Civilian Hiring Policy: 

In our August 2004 report, we determined that USCP needed to adopt 
clear, up-to-date policies and procedures for hiring individuals into 
civilian positions. Specifically, both USCP's SOP that discusses the 
roles and responsibilities managers have in the civilian hiring process 
and the supplemental memorandum on the process for making job offers 
were out-of-date and not consistently implemented by USCP officials. In 
October 2007, USCP successfully implemented this recommendation by 
issuing its Employment and Promotion Policy Plan that provides a 
standardized hiring process for both sworn and civilian positions 
within USCP. In addition to including a description of the department's 
hiring process, this plan also outlines the responsibilities that 
managers and selecting officials have in the hiring process, such as 
determining whether vacant positions still need to be filled and 
consulting with OHR officials on any changes in the position's duties, 
responsibilities, or organizational placement. This plan was approved 
by USCP's Chief of Police and applies to all personnel actions related 
to filling USCP positions. 

USCP Has Taken Initial Steps to Develop a Strategic Workforce Plan: 

Our prior work examining the practices of leading organizations has 
highlighted the importance of developing human capital strategies--the 
programs, policies, and processes that organizations use to hire and 
train staff; develop succession plans; administer a performance 
management system; and use human capital flexibilities.[Footnote 2] 
These strategies can assist an agency in addressing skill gaps within 
its current workforce as well as acquiring skills needed in the future 
to achieve an agency's mission and goals. 

To address our eight recommendations relating to the development and 
implementation of a strategic workforce planning process, USCP's Office 
of Human Resources has completed an initial draft of a strategic 
workforce plan, which discusses the importance of workforce planning, 
demographic information on USCP's workforce, as well as a listing of 
action items needed to develop a set of human capital strategies. 
Although creating this initial draft plan is an important first step, 
OHR officials acknowledge that the plan will need further refinement. 
Specifically, as the draft plan is further developed, the action items 
should be more fully developed and include such details as specific 
tasks to complete, defined roles and responsibilities, milestones, and 
resource requirements. Finally, because USCP has not yet fully 
developed its strategic workforce plan, it is too soon for OHR 
officials to monitor and evaluate their progress on achieving the human 
capital goals of their plan one of the eight recommendations we made 
related to strategic planning. 

Further Collaboration Needed to Complete Master Training Plan: 

In our March 2007 report, we discussed USCP's efforts to establish a 
well-designed training program that addresses the needs of both sworn 
and civilian staff. Effective training and development programs are an 
integral part of an agency's ability to ensure that its employees have 
the information, skills, and competencies to work effectively. These 
training programs can also enhance an agency's ability to attract and 
retain employees with needed skills and competencies. 

To address three of the recommendations related to developing USCP's 
strategic workforce plan, USCP's Training Services Bureau (TSB) 
officials have been working on a four-phase process to develop a master 
training plan, which is to define and prioritize staff training needs 
and requirements. TSB has completed the process' first phase by issuing 
a training catalog containing all training courses available to USCP 
staff through TSB as well as external training providers and 
facilities. Currently, TSB is in the second phase of this process-- 
validating the competencies of USCP's position descriptions--which will 
require further collaboration with OHR. According to OHR officials, 
they have finished identifying the competencies for USCP's civilian 
positions and are currently reviewing and revising competencies for the 
sworn positions. Upon completion of this phase, TSB officials, working 
with OHR and other stakeholders, plan to then identify appropriate 
professional development and training curriculum for all USCP staff 
based on the set of validated competencies. To complete the development 
of the master training plan, TSB officials plan to develop specific 
training strategies and procedures, such as formulating future training 
needs. 

Information Technology: USCP Has Made Progress toward Establishing IT 
Management Capabilities, but Further Actions Are Needed to Address 
Remaining Weaknesses: 

USCP relies on information technology (IT) to support the achievement 
of its mission. For example, USCP depends on IT systems to schedule and 
dispatch police officers, manage the maintenance of vehicles and 
equipment, and perform numerous administrative functions, such as 
preparing financial reports and paying employees. To effectively 
leverage IT in achieving strategic mission goals and outcomes, an 
organization such as USCP needs to institutionalize certain management 
disciplines and capabilities. Accordingly, we have advised the agency 
on the importance of (1) following disciplined system acquisition 
management practices, (2) developing and implementing an enterprise 
architecture, (3) establishing and implementing investment management 
structures and processes, and (4) developing and implementing an 
effective information security program and continuity of operations 
plan. Our research of leading private and public sector organizations 
shows that success in managing and leveraging IT can be linked to these 
strategic IT management disciplines and capabilities. 

USCP has made progress in addressing our recommendations related to 
each of these IT management disciplines and capabilities, including the 
use of disciplined system acquisition management practices. 
Nevertheless, weaknesses remain in the areas of enterprise 
architecture, investment management, information security, and 
continuity of operations planning. Of nine recommendations we made in 
January and August 2004 to improve USCP's IT management capabilities, 
the department has completed actions on four of the recommendations and 
has made progress toward completing the remaining five recommendations. 

System Acquisition Polices and Procedures Have Been Developed and 
Implemented: 

USCP has completed the development and implementation of system 
acquisition policies and procedures that are essential to reducing the 
risk of acquiring systems that do not perform as intended, are 
delivered late, and cost more than planned. Specifically, the agency's 
policies and procedures provide for, among other things, developing 
acquisition plans and maintaining them throughout the acquisition life- 
cycle. Additionally, USCP has taken steps to ensure that system 
acquisitions are conducted in accordance with the policies and 
procedures. For example, as part of its acquisition of a new case 
management system, USCP developed a project management plan, defined 
requirements, and monitored project development costs. According to 
USCP officials, the agency's policies and procedures are followed for 
ongoing and planned system acquisitions. As a result of improving its 
system acquisition management, USCP has reduced the risk of systems not 
performing as intended, not being delivered on time, and not meeting 
cost and schedule expectations. 

Further Actions Needed to Develop and Implement Enterprise 
Architecture: 

USCP has a long-standing enterprise architecture program and, according 
to agency officials, all but one of the agency's existing applications 
are in compliance with the current architecture version. However, 
progress within the last year toward effectively managing the program 
in accordance with relevant guidance, such as our enterprise 
architecture management maturity framework, has been limited. Further, 
the agency's architecture products do not include the full breadth of 
necessary content, particularly regarding descriptions of how security 
will be achieved. Additionally, USCP officials have identified the need 
to update their transition plan and for the revised plan to include a 
current schedule for legacy systems replacement and the resource needs 
for accomplishing this replacement. According to the officials, the 
agency has not had sufficient staff resources to support its 
architecture program, and thus, has requested funding for two full-time 
architecture staff in its fiscal year 2009 budget request. Until USCP 
addresses these weaknesses in its enterprise architecture program, the 
agency will be challenged in its ability to implement systems that 
optimally support mission operations. 

IT Investment Management Process Has Been Developed, but Implementation 
Has Limitations: 

USCP has developed, but not yet fully implemented, a comprehensive IT 
investment management process. The agency's IT Capital Planning and 
Investment Control Guide defines a comprehensive process that includes 
selection, control, and evaluation of proposed and ongoing investments. 
While the agency has made progress toward implementing a process 
consistent with its guide, the existing process is largely limited to 
the selection of proposed investments, with little emphasis on 
controlling and evaluating ongoing investments. For example, the 
process does not yet require documentation of key decisions or include 
assignment of responsibility for executing decisions during the control 
and evaluation stages of the investment life cycle. In speaking to 
these activities, USCP officials said they chose to focus their initial 
investment management efforts on increasing discipline in the selection 
of all (i.e., IT and non-IT) investments across the agency; however 
they recognized the need to extend such discipline to the control and 
evaluation of the agency's investments. Until USCP implements an 
investment management process that includes control and evaluation of 
investments, in addition to the already established selection process, 
the agency will not be effectively positioned to provide the management 
oversight and informed decision making that is necessary to ensure that 
investments are performing as planned and delivering promised value. 

Further Actions Needed to Fully Implement Information Security Program 
and Continuity of Operations Plan: 

USCP has implemented an information security program and performed 
continuity of operations planning. The agency reported that it has 
implemented 70 of 108 information security program activities that it 
had identified as necessary. For example, it has completed the 
execution of vulnerability assessments and network scans. Additionally, 
according to agency officials, certification and accreditation of major 
applications has been completed and information security plans have 
been developed for major applications. Regarding continuity of 
operations planning, USCP has revised its continuity of operations plan 
and begun activities to implement the plan throughout the agency. 
Specifically, in January 2008, the Chief of Police adopted the revised 
plan and directed follow-on activities to be completed that include a 
timeline for ensuring the integration of the plan with agency 
operations. Nevertheless, USCP officials assert that the agency needs 
additional staff resources to fully implement its remaining security 
program activities and maintain an effective security program. To this 
end, the agency has requested funding for two full-time IT security 
staff in its fiscal year 2009 budget request. Until USCP completes its 
security program activities, it will not be positioned to protect its 
systems and critical information. 

Concluding Remarks: 

Over the years, we have recommended that USCP take actions to correct 
deficiencies we identified in the areas of operations, financial 
management, strategic and human capital planning, and IT management. 
Since the issuance of our last report and as noted in this statement, 
USCP has made significant progress in addressing our prior 
recommendations. Notwithstanding the progress that has been made, there 
is still substantial work that remains to be done. For example, in the 
areas of linking resources to threats and vulnerabilities, USCP has yet 
to fully integrate its risk management framework. Until this process is 
completed, USCP will not be in the best position to effectively link 
resource needs to threats and vulnerabilities. In the areas of 
financial management, USCP has yet to fully address the challenges of 
ongoing staff shortages and work imbalances. Until these 
recommendations are implemented, USCP's ability to sustain improvement 
efforts and meet long-term financial management goals will be limited. 
In the area of human capital management, work still remains to complete 
its strategic workforce plan and master training plan, which should 
include long-term strategies for acquiring, developing, and retaining a 
workforce with the critical skills and competencies needed to 
accomplish the department's mission. In the area of information 
technology, despite the progress made in addressing management 
concerns, weaknesses remain in enterprise architecture, investment 
management, and information security. Until these management and 
operational issues are fully addressed and implemented, USCP will not 
be in the best position to achieve its strategic goals and mission in 
the most efficient and effective manner. This underscores Congress's 
need to stay closely attuned to USCP's progress toward addressing the 
administrative and management challenges we identified. 

Mr. Chairman, this concludes our prepared statement. We would be happy 
to respond to questions you or other members of the subcommittee may 
have at this time. 

For questions regarding this testimony, please contact Richard M. Stana 
at (202) 512-8777 or [email protected]. Contact points for our offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this statement. 

[End of section] 

Appendix I: Status of United States: 

Capitol Police (USCP) Recommendations: 

This appendix provides a status summary of the progress made and 
remaining actions by USCP in addressing prior GAO recommendations. 

Table: 

[See PDF for image] 

[A] OMB Circular No. A-123, Management's Responsibilities for Internal 
Control (revised Dec. 2004). 

[End of table] 

[End of section] 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Richard M. Stana, (202) 512-8777 or [email protected]: 

Acknowledgments: 

Individuals making key contributions to this statement were Bernice 
Steinhardt, Director; Valerie Melvin, Director; Kay Daly, Acting 
Director; Bill Crocker, Assistant Director; Elizabeth Martinez, 
Assistant Director; Mark Bird, Assistant Director; Steven Lozano, 
Assistant Director; John Mortin, Assistant Director; Josh A. Diosomito; 
Heather Dunahoo; James Kernen; Teresa M. Neven; Kenrick Isaac; Lerone 
Reid; Katherine Davis; Geoffrey Hamilton; Jacquelyn Hamilton; Franklin 
Jackson; and Mike Volpe. 

[End of section] 

Footnotes:  

[1] A material weakness is a significant deficiency, or a combination 
of significant deficiencies, that result in more than a remote 
likelihood that a material misstatement of the financial statements 
will not be prevented or detected. A significant deficiency is a 
control deficiency, or combination of control deficiencies, that 
adversely affects the entity's ability to initiate, authorize, record, 
process, or report financial data reliably in accordance with generally 
accepted accounting principles such that there is more than a remote 
likelihood that a misstatement of the entity's financial statements 
that is more than inconsequential will not be prevented or detected. 

[2] GAO, Human Capital: Agencies Need Leadership and the Supporting 
Infrastructure to Take Advantage of New Flexibilities, GAO-05-616T 
(Washington, D.C.: Apr. 21, 2005); and GAO, Human Capital: Effective 
Use of Flexibilities Can Assist Agencies in Managing Their Workforces, 
GAO-03-2 (Washington, D.C.: Dec. 6, 2002). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***