[Audit Report on Personnel and Payroll Processing Policies and Procedures, National Business Center/Products and Services, Office of the Secretary, Department of the Interior]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 01-I-131

Title: Audit Report on Personnel and Payroll Processing Policies
       and Procedures, National Business Center/Products and Services,
       Office of the Secretary, Department of the Interior

 
 Date: January 22, 2001

  **********DISCLAIMER********** 
  This file contains an ASCII representation of an OIG report. No attempt has been made to 
  display graphic images or illustrations. Some tables may be included, but may not resemble 
  those in the printed version. A printed copy of this report may be obtained by referring to the  
  PDF file or by calling the Office of Inspector General, Division of Acquisition and 
  Management Operations at (202) 219-3841. 
  ****************************** 
 U.S. Department of the Interior   Office of Inspector General
  
  
 EXECUTIVE SUMMARY
                              
 Personnel and Payroll Processing Policies and Procedures,
 National Business Center/Products and Services,
 Office of the Secretary, Department of the Interior
 Report No. 01-I-131
 January 2001
                              
  The Department of the Interior's National Business Center/Products and Services (NBC/PS),
  located in Lakewood, Colorado, implemented the Department's Federal Personnel Payroll
  System (FPPS) at the end of 1998.  NBC/PS provides automated personnel and payroll
  services for its clients, the Department of the Interior and its bureaus and other Federal
  agencies, such as the Department of Education and the Social Security Administration. 
  During 1999, NBC/PS processed payroll of approximately $8 billion for approximately
  175,000 Federal employees.  NBC/PS receives funding through the Department of the
  Interior's working capital fund and through direct charges to client appropriations.  During
  fiscal year 1999, NBC/PS charged its clients about $29 million. 
  
  The objective of the audit was to determine whether NBC/PS's policies and procedures
  provided reasonable assurance that personnel and payroll transactions were processed and
  reported accurately and timely and were in compliance with applicable Federal laws and
  regulations.
  
  We concluded that NBC/PS's policies and procedures generally provided for accurate and
  timely processing of personnel and payroll transactions in compliance with applicable
  personnel and payroll laws and regulations.  In addition, we found that there may be
  opportunities to operate NBC/PS personnel and payroll processing and reporting functions
  more efficiently and to decrease the risk of unauthorized access to, modification of, and
  disclosure of personnel and payroll data and of critical systems not being recovered in the
  event of a disaster or a system failure.  Based on our audit, NBC/PS began or completed
  developing a strategic plan for its operations, programming all required functions in FPPS,
  instituting all necessary security policies, and maintaining sufficient internal controls over
  software change management and separation of duties. 
  
  We made 12 recommendations for improving operations.  
  
  AUDITEE COMMENTS AND OFFICE OF INSPECTOR GENERAL EVALUATION
  
  Based on NBC/PS's response to the recommendations, we considered seven
  recommendations resolved and implemented and five recommendations resolved but not
  implemented.  
  
     A-IN-OSS-001-99-M
  
  January 22, 2001
  
  AUDIT REPORT
  Memorandum
  
   To:  Director, National Business Center, Office of the Secretary
  
   From:  Roger La Rouche
   Acting Assistant Inspector General for Audits
  
   Subject:  Audit Report on Personnel and Payroll Processing Policies and Procedures,
   National Business Center/Products and Services, Office of the Secretary,
   Department of the Interior (No. 01-I-131)
  
   INTRODUCTION
  
  This report presents the results of our audit of personnel and payroll processing policies and
  procedures at the Department of the Interior's National Business Center/Products and
  Services (NBC/PS).  The objective of this audit was to determine whether NBC/PS's policies
  and procedures provided reasonable assurance that personnel and payroll transactions were
  processed and reported accurately and timely, were in compliance with applicable Federal
  laws and regulations, and were processed efficiently.  We performed this audit to support the
  Office of Inspector General's opinions on the annual financial statements of the Department
  of the Interior and its bureaus and offices.
  
  BACKGROUND
  
  During 1990, NBC/PS (formerly known as the Bureau of Reclamation's Denver
  Administrative Service Center), located in Lakewood, Colorado, began to develop the
  Federal Personnel Payroll System (FPPS) to replace the Department of the Interior's payroll
  and personnel system, PAY/PERS.  By the end of 1998, NBC/PS had fully implemented
  FPPS.
  
  FPPS, which resides on an IBM mainframe computer, was developed by the Bureau of
  Reclamation using Natural programming language with ADABAS as the database
  management system.  The enhanced features of FPPS include increased management
  information; paperless processing of personnel and payroll actions through on-line approvals;
  and immediate responses to on-line editing, updating, and query requests.  
  
  NBC/PS provides automated personnel and payroll services for its clients, the Department
  of the Interior and its bureaus, and other Federal agencies (see Appendix 1).  Offices within
  NBC/PS that have responsibilities related to personnel and payroll processing are as follows:
  
       - The ADP Services Division is responsible for managing the computer center
  where the IBM mainframe computer is located and for ensuring that telecommunications are
  operational and secure.  
  
       - The Payroll Operations Division (POD) is responsible for developing,
  implementing, operating, and maintaining the FPPS general support system, known as the
  Automated Payroll System (APS), which resides on a Digital Alpha server.  The APS
  includes the applications of Health Benefits Reporting, Thrift Lost Earnings, Debt
  Management, and Check Collection.  POD is also responsible for reporting accurate payroll
  data to the clients and other Federal agencies, such as the Office of Personnel Management
  and the Department of the Treasury. 
  
       - The Applications Management Office's FPPS Program Management Division is
  responsible for developing, implementing, operating, and maintaining FPPS.
  
       - The Management and Technical Service Division's Planning and Performance
  Support Branch is responsible for providing training for NBC/PS clients. 
  
  During 1999, NBC/PS processed payroll of approximately $8 billion for approximately
  175,000 Federal employees.  NBC/PS receives funding through the Department of the
  Interior's working capital fund and through direct charges to client appropriations.  During
  fiscal year 1999, NBC/PS charged its clients about $29 million (about $160 per account). 
  
  SCOPE OF AUDIT
  
  To accomplish our objective, we reviewed and tested policies and procedures that were in
  place during fiscal year 1999 for personnel and payroll processing at NBC/PS.  We also
  interviewed NBC/PS personnel and NBC/PS contractor personnel, reviewed application and
  system documentation, analyzed network security, and evaluated service continuity
  procedures and testing.  We did not review the internal controls over input that updates FPPS
  personnel data or the internal controls over data entry functions for time and attendance.
  
  We also used Internet Scanner software developed by Internet Security Systems to identify
  vulnerabilities in NBC/PS's network.  A list of the vulnerabilities identified by the Internet
  Scanner software was provided to NBC/PS management.  For the vulnerabilities identified,
  NBC/PS management made appropriate changes to improve the security of its network.  
  
  Our audit was made in accordance with the "Government Auditing Standards," issued by the
  Comptroller General of the United States.  Accordingly, we included such tests of records
  and other auditing procedures that were considered necessary under the circumstances.
  
  PRIOR AUDIT COVERAGE
  
  During the past 5 years, neither the Office of Inspector General nor the General Accounting
  Office has issued any audit reports related to FPPS. 
  
                      RESULTS OF AUDIT
  
  We concluded that NBC/PS's policies and procedures generally provided for the accurate
  and timely processing of personnel and payroll transactions in compliance with applicable
  personnel and payroll laws and regulations.  However, we identified areas needing
  improvement.  Specifically, NBC/PS did not develop a strategic plan for NBC/PS operations,
  program all required functions in FPPS, institute all necessary security policies, and maintain
  sufficient internal controls over software change management and separation of duties.  As
  a result, there may be opportunities to operate NBC/PS personnel and payroll processing and
  reporting functions more efficiently and to decrease the risk of unauthorized access to,
  modification of, and disclosure of personnel and payroll data and of critical systems not
  being recovered in the event of a disaster or a system failure.  
  
  Strategic Plan
  
  NBC/PS management had not developed a strategic plan for NBC/PS operations. A strategic
  plan is needed to establish an agency's goals and match activities to mission and objectives,
  and it should include information on how to set priorities and allocate resources.  Office of
  Management and Budget Circular A-123, "Management Accountability and Control," states,
  "Developing a written strategy for internal agency use may help ensure that appropriate
  action is taken throughout the year to meet the objectives of the Integrity Act."
  
  NBC/PS management said that they did not believe a strategic plan was necessary at the
  NBC/PS organizational level because it would be more appropriate to develop an NBC
  strategic plan that would include all services that NBC provides.  We believe that without
  a strategic plan, NBC/PS is at risk of developing and implementing system enhancements
  using information technology that may not improve business processes and meet user
  requirements.  Information technology that could be developed and implemented in system
  enhancements which would improve personnel and payroll processing includes distributed
  processing, use of electronic commerce applications, and a personnel and payroll system that
  integrates seamlessly with financial and management information systems.
  
  Workarounds 
  
  To ensure that employees who were paid by FPPS were paid correctly and payroll
  information was reported accurately, NBC/PS personnel developed "workarounds." The
  purpose of the workarounds was to perform payroll functions that were required but were not
  part of FPPS.  Additionally, applications such as Health Benefits Reporting and Thrift Lost
  Earnings were developed to operate on APS rather than FPPS, and these systems were not
  integrated.  Further, spreadsheets were developed and used to correct payroll errors and to
  perform reconciliations.  Examples of workarounds are as follows:  
  
       - A workaround was developed to ensure that variances were reconciled between
  the POD 200 report (a report of personnel costs created from four FPPS interface files) and
  the FPPS Labor Cost File (a file of personnel costs by program or activity as defined by each
  client that is interfaced with the clients' financial systems).  Because the information for the
  POD 200 report and the FPPS Labor Cost File are generated from the same system, FPPS, 
  the variances generated and the need for reconciling the variances may indicate that there are 
  potential problems with data integrity or with programming.
  
       - A workaround was developed to ensure that income taxes were consolidated and
  paid to appropriate state and local governments.  NBC/PS staff who performed this
  consolidation effort said that the workaround takes approximately 40 hours of personnel time
  per biweekly pay period to complete.  In comparison, this same function took about 1 hour
  of personnel time to complete as part of PAY/PERS, the replaced system.  
  
       - A workaround was developed to ensure that the Supplemental Semiannual
  Headcount Report submitted to the Office of Personnel Management was accurate.  One field
  in this report is a count of all employees in an agency.  FPPS was not programmed to
  calculate this field correctly; therefore, NBC/PS personnel had to manually determine the
  number of employees and correct a paper copy of the report.  We found, however, that the
  headcount information for the Department of the Interior reported to the Office of Personnel
  Management for August 1999 was incorrect.  
  
  Office of Management and Budget Circular A-127, "Financial Management Systems,"
  describes a "mixed system" (such as FPPS) as an "information system that supports both
  financial and non-financial functions of the Federal government or components thereof." 
  The Circular further states that "financial management systems must be in place to process
  and record financial events effectively and efficiently, and to provide complete, timely,
  reliable and consistent information."  NBC/PS management said, however, that there were
  no plans for the immediate future to program functions in FPPS that are performed through
  workarounds because this may not be cost effective.  We were not provided documentation
  to support that it was not cost effective to implement these FPPS changes.  As a result, there
  was an increased risk that NBC/PS was not processing payroll transactions efficiently and
  effectively and may therefore not have been in compliance with Office of Management and
  Budget Circular A-127. There was also an increased risk that NBC/PS was not reporting
  accurate data.  
  
  Security Policies
  
  NBC/PS management had not developed all the security policies necessary for FPPS and
  APS. Specifically, security policies had not been developed to adequately protect the
  NBC/PS telecommunications networks, sensitive data sent through electronic mail, and
  spreadsheets that support adjustments to FPPS data.  In addition, security policies did not
  include an incident response plan and team, adequate preparation to recover critical functions
  and processes in the event of a disaster or a system failure, and assurance that risks were
  adequately assessed and managed.  Further, system certifications, which certify that adequate
  security safeguards have been installed and imply the acceptance of risk, were not adequate,
  and system security plans had not been developed.  Areas needing improvement in
  NBC/PS's security policies, plans, and practices are described as follows:
  
       - Although NBC/PS had an informal firewall policy, which helped to ensure that
  its telecommunications networks were secure from probes and attacks from unauthorized
  users, NBC/PS did not have an overall site security policy.  National Institute of Standards
  and Technology Special Publication 800-10, "Keeping Your Site Comfortably Secure: An
  Introduction to Internet Firewalls," states that a stand-alone policy "concerning only the
  firewall is not effective" because what is needed is a "strong site security policy."
  
  NBC/PS management did not ensure that a site security policy was developed and
  implemented.  Without a site security policy, there was an increased risk that NBC/PS
  telecommunications networks would not be adequately protected from unapproved access,
  misuse, or denial of service.  
  
       - NBC/PS did not have an adequate electronic mail usage policy for its employees
  and contractors to ensure that proprietary data, such as bank account and social security 
  numbers, were sent to and accessed only by authorized individuals.  Request for Comments
  1244, "Site Security Handbook," referred to in National Institute of Standards and
  Technology Publication 800-10, states:
  
            There may be levels of responsibility associated with a policy on computer
       security.  At one level, each user of a computing resource may have a
       responsibility to protect his account.  A user who allows his account to be
       compromised increases the chances of compromising other accounts or
       resources. . . . If the people you grant privileges to are not accountable, you
       run the risk of losing control of your system and will have difficulty
       managing a compromise in security.
  
  Additionally, Office of Management and Budget Circular A-130, "Management of Federal
  Information Resources," states that agencies will "consider the effects of their actions on the
  privacy rights of individuals, and ensure that appropriate legal and technical safeguards are
  implemented."  Although an electronic mail usage policy had not been developed, NBC/PS
  management said that a policy would be developed.  By not having an adequate electronic
  mail usage policy, there was an increased risk that in the event of a security violation,
  NBC/PS management would not be able to show that their policy had been violated and
  therefore would have no recourse against the employees commensurate with the violation. 
  
       - NBC/PS had no security policies to adequately protect the data in spreadsheets
  used to support adjustments to FPPS data.  Spreadsheets were developed to ensure that, on
  a case-by-case basis, Federal employees were paid correctly.  We found that spreadsheet
  formulas, which were complex, were not protected from unauthorized changes; a
  management official was not held responsible for maintaining and updating the spreadsheets;
  spreadsheet formulas were not certified by managers responsible for ensuring data accuracy;
  and resultant payroll corrections were not approved prior to updating FPPS.  National
  Institute of Standards and Technology Special Publication 500-171, "Computer User's Guide
  to the Protection of Information Resources," states, "In some cases, data is far more sensitive
  to accidental errors or omissions that compromise accuracy, integrity, or availability." 
  Because formulas could become obsolete and data entry errors could be made and not be
  detected timely, there was an increased risk that employees could be paid incorrectly. 
  During our review, NBC/PS management implemented policies and procedures that
  protected spreadsheet formulas from unauthorized changes, that established a process for
  revising and developing spreadsheets, and that provided for a third-party review of data
  being entered into FFS. 
  
       - NBC/PS did not have an incident response plan and a team to respond timely and
  efficiently to information system security incidents if an incident was caused by a computer
  virus, other malicious code, or a system intruder (either an authorized user performing an
  unauthorized act or an unauthorized user).  Appendix III, "Security of Federal Automated
  Information Resources," of Office of Management and Budget Circular A-130 states:
  
            When faced with a security incident, an agency should be able to respond in
       a manner that both protects its own information and helps to protect the
       information of others who might be affected by the incident.  To address this
       concern, agencies should establish formal incident response mechanisms.
  
  NBC/PS management did not ensure that an incident response plan and a team were in place. 
  Without an incident response plan and a team, there was an increased risk that security
  incidents would not be identified and, if identified, would not be addressed quickly and
  efficiently.
  
       - NBC/PS management did not have an adequate disaster recovery plan for APS
  processing in the event of a disaster or a system failure.  Appendix III of Office of
  Management and Budget Circular A-130 requires agencies to establish a comprehensive
  contingency plan and periodically test the capability to continue providing services and
  perform an agency function.  Also, the Department of the Interior's "Automated Information
  Systems Security Handbook" mandates off-site storage for "all AIS [automated information
  systems] installations providing critical support to the organization's mission."  We found
  that a disaster recovery plan was developed for APS; however, the plan did not reflect the
  APS current environment, identify a specific location for APS to operate and connect to
  FPPS, and include an off-site location that is at least 1 mile from NBC/PS.  As a result, there
  was an increased risk that all NBC/PS critical personnel and payroll processes supported by
  APS would not continue in the event of a disaster or a system failure. 
  
       - NBC/PS had performed its most recent risk assessments for FPPS and APS during
  fiscal year 1997.  These risk assessments were not updated to reflect the current operational
  environments.  During fiscal years 1997 to 1999 (through July 1999), FPPS software had
  been changed 13 times.  The 1997 risk assessment for APS identified the system as a front-
  end processor for PAY/PERS rather than as the current general support system of POD.  The
  risk assessments also did not address (1) all risks associated with FPPS and APS, (2) the
  selection of safeguards to mitigate risks, and (3) the acceptance of residual risk. 
  Appendix III of Office of Management and Budget Circular A-130 states, "While formal risk
  analyses need not be performed, the need to determine adequate security will require that a
  risk-based approach be used."  Appendix III further states, "The scope and frequency of the
  review should be commensurate with the acceptable level of risk for the system."  Also,
  National Institute of Standards and Technology Special Publication 800-12, "An Introduction
  to Computer Security:  the NIST Handbook," addresses the selection of safeguards to mitigate
  risk and the acceptance of residual risk.  Risk assessments had not been performed since
  fiscal year 1997 because NBC/PS management stated that risk assessments are required only
  every 3 years by Appendix III of Office of Management and Budget Circular A-130. 
  Without considering current operational environments and identifying all significant threats
  and vulnerabilities, the risk was increased that the most appropriate and cost-effective
  security measures needed to adequately protect the sensitive data maintained in FPPS and
  APS would not be implemented.
  
       - NBC/PS had system certifications for FPPS and APS; however, the certifications
  were not signed by the appropriate responsible management official.  NBC/PS had a 
  "Sensitive Computer System Security Certification," which was signed by the manager
  responsible for development and maintenance of FPPS, and a "Sensitive AIS Security
  Certification Statement" on file for APS, which was signed by the manager responsible for
  APS daily operations.  The Departmental Manual (375 DM 19) states that the management
  official responsible for application and system certification has the authority to accept the
  security safeguards and must possess authority to allocate the resources necessary to achieve
  acceptable security and to remedy security deficiencies.  NBC/PS management stated that
  they believed the certifications were appropriate.  However, we believe that the responsible
  management official should be at a level that is not directly involved with system
  development and maintenance or daily operations.
  
       - NBC/PS did not have a system security plan for APS that was applicable to its
  current operating environment as a stand-alone system residing on a server rather than a
  front-end processor for PAY/PERS.  A security plan is required by 5 U.S.C. 552a to be
  developed for each Federal computer system that contains sensitive information.  Also,
  National Institute of Standards and Technology Special Publication 800-18, "Guide for
  Developing Security Plans for Information Technology Systems," states that a computer
  security plan "is to provide an overview of the security requirements of the system and
  describe the controls in place or planned for meeting those requirements" and is to be
  designed to assist agencies in addressing the protection of systems to help ensure the
  systems' integrity, availability, and confidentiality.  NBC/PS management said that the
  current version of the security plan was adequate.  Without a security plan that is applicable
  to the APS operating environment, NBC/PS had little assurance that the current plan would
  address all of the management, operational, and technical controls necessary to protect the
  sensitive APS data.
  
       - During our review, we used Internet Scanner software to determine whether
  NBC/PS's network had security vulnerabilities.  Using the software, significant security
  vulnerabilities within NBC/PS's network were identified.  We provided NBC/PS
  management with a list of the vulnerabilities, and NBC/PS management said that they would
  correct the deficiencies.  At the same time, NBC/PS was also reconfiguring its network to
  improve security.  Subsequent to NBC/PS's correcting its network deficiencies and
  reconfiguring its network, NBC/PS requested that we reuse Internet Scanner software to
  determine whether NBC/PS's network security had been improved.  In reusing the software,
  we found that NBC/PS's network vulnerabilities had been significantly reduced.  
  
  Internal Controls
  
  NBC/PS did not ensure that controls over changes to FPPS and APS application software
  were adequate and that duties were adequately separated for APS application programmers.
  These internal control issues are discussed as follows:
  
       - Change management controls over FPPS and APS application software were not
  adequate.  Specifically, NBC/PS management had not ensured that (1) controls were in place
  over the FPPS emergency library, (2) controls were in place over FPPS and APS to ensure
  that all changes were authorized and appropriate, (3) all users who requested changes to
  FPPS were involved with testing to ensure that their requirements were met, and (4) adequate
  testing was performed prior to implementing each FPPS change release.  Although FPPS
  personnel performed testing for each release of FPPS and had performed mini-regression
  testing for the latest release, system testing had not been performed for FPPS releases. 
  Federal Information Processing Standards Publication 106 states:  
  
            Testing standards and procedures should define the degree and depth of
       testing to be performed and the disposition of test materials upon successful
       completion of the testing.  Whenever possible, the test procedures and test
       data should be developed by someone other than the person who performed
       the actual maintenance of the system.  Testing is a critical component of
       software maintenance.  As such the test procedures must be consistent and
       based on sound principles.  The test plan should define the expected output
       and test for valid, invalid, expected, and unexpected cases.  The test should
       examine whether or not the program is doing what it is supposed to do. 
  
  Also, prudent business practices require that custom-developed software be coded, tested,
  and accepted by users and management prior to moving the software into production.  These
  practices should include unit testing to ensure that the changed software works properly
  when tested in isolation, systems testing to ensure that the changed software works when it
  is integrated with the total system, and integration testing to ensure that the total system
  works in the desired operating environment.   
  
  Without adequate controls over change management, there was an increased risk that critical
  software changes would not be made and that the applications would not perform as required
  by the users.  
  
       - NBC/PS management did not ensure that separation of duties was adequate for
  APS.  Specifically, application programmers responsible for developing and making code
  changes to APS software were also responsible for moving these changes into production. 
  Appendix III of Office of Management and Budget Circular A-130 requires that security
  controls of personnel include separation of duties.  Appendix III and National Institute of
  Standards and Technology Special Publication 800-12 define separation of duties as the
  division of roles and responsibilities and of steps in a critical function so that no one
  individual can undermine a critical process.  Duties were not adequately separated because
  NBC/PS management did not have policies and procedures to ensure that APS application
  programmers' duties were adequately separated.  As a result, there was an increased risk that
  inappropriate actions by application programmers would not be detected timely and that
  accidental or intentional actions by programmers could threaten the integrity of APS data and
  could interrupt processing.  
  
  Recommendations
  
  We recommend that the Director, NBC:  
  
     1. Develop, implement, and maintain a strategic plan for NBC that includes personnel
  and payroll processing and operations.
  
     2. Evaluate the necessity for workarounds that are used to supplement FPPS functions
  and determine whether these workarounds are more cost effective than adding these required
  functions to FPPS. 
  
     3. Develop, implement, and maintain a site security policy for NBC/PS.
  
     4. Develop, implement, and maintain an electronic mail usage policy.
  
     5. Document and maintain procedures to protect the data in spreadsheets and to review
  results from the spreadsheets that are used to update FPPS data.
  
     6. Develop, implement, and maintain a formal incident response plan and team.
  
     7. Ensure that NBC/PS contingency planning addresses APS processing in the event
  of a disaster or a system failure.
  
     8. Perform risk assessments of FPPS and APS that represent the current operating
  environments and ensure that all risks and vulnerabilities are identified, the risks are reduced
  to an acceptable level, and any residual risks are accepted by senior-level management
  officials.
  
     9. Ensure that system certifications for FPPS and APS are signed by senior-level 
  management officials.
  
     10. Develop an APS system security plan that reflects the current operating
  environment.
  
     11. Document and implement policies and procedures to ensure that changes to FPPS
  and APS are authorized and appropriate and are adequately tested and that users are involved
  in testing.
  
     12. Develop and implement policies and procedures to ensure that duties are adequately
  separated for APS application programmers.
  
  NBC Response and Office of Inspector General Reply
  
  In the September 1, 2000 response (Appendix 2) to the draft report from the Director of
  NBC, NBC concurred with the 12 recommendations.  Based on the response, we consider
  Recommendations 5, 6, 8, 9, 10, 11, and 12 resolved and implemented and
  Recommendations 1, 2, 3, 4, and 7 resolved but not implemented.  Accordingly, the
  unimplemented recommendations will be forwarded to the Assistant Secretary for Policy,
  Management and Budget for tracking of implementation (see Appendix 3).  
  
  Additional Comments on Report
  
  In its response, NBC also provided additional comments on the report.  We incorporated
  most of the changes as appropriate.  However, our replies to NBC's specific comments on
  workarounds and internal controls are discussed in the paragraphs that follow.  
  
      Workarounds.  NBC stated that it did "not perceive the POD200 report to be a
  'workaround' . . . but as a system assurance report to check data variances."  
  
  The draft report did not state that the POD 200 report was the workaround.  The workaround
  we discussed is the manual process to reconcile the POD 200 report to the Labor Cost File. 
  The manual reconciliation has to be performed following each pay period and involves not
  only NBC/PS personnel but also NBC/PS's clients.
  
  NBC also stated that it did not believe the facts in the draft audit report supported our
  conclusion that because NBC/PS uses workarounds, it may not be processing payroll
  transactions efficiently and effectively in accordance with Office of Management and Budget
  Circular A-127 and it may not be reporting accurate data.  
  
  In our opinion, NBC/PS's using workarounds does not ensure that FPPS is working
  efficiently and effectively to record financial events as required by Office of Management
  and Budget Circular A-127 and does not ensure data accuracy.  For example, we found that
  for fiscal years 1998 and 1999, the Supplemental Semiannual Headcount Report submitted
  to the Office of Personnel Management contained inaccurate data in spite of the manual
  efforts to correct the Headcount Report.  
  
      Internal Controls.  NBC said that we were "not accurate" in stating that system testing
  for FPPS releases (changes to FPPS) had not been performed.  NBC further said that it
  believed the automated compares that were transferred to FPPS in 1999 when the
  conversions of clients' data to FPPS were completed satisfied the need for system testing. 
  
  Although the automated compares were transferred to FPPS after being tested, we do not
  believe that this process ensures that all FPPS releases have undergone system testing.
  
  Since the report's recommendations are considered resolved, no further response to the
  Office of Inspector General is required (see Appendix 3).  
  
  Section 5(a) of the Inspector General Act (5 U.S.C. app. 3) requires the Office of Inspector
  General to list this report in its semiannual report to the Congress.  In addition, the Office of
  Inspector General provides audit reports to the Congress.
                                                       APPENDIX 1 
  
                       CLIENTS OF THE
       NATIONAL BUSINESS CENTER/PRODUCTS AND SERVICES
             FOR PERSONNEL AND PAYROLL SERVICES
                              
  Department of the Interior:
  
                                     Bureau of Indian Affairs
                                     Bureau of Land Management
                                     Bureau of Reclamation
                                     U.S. Geological Survey
                                     Minerals Management Service
                                     National Park Service
                                     Office of Aircraft Services
                                     Office of Inspector General
                                     Office of Surface Mining Reclamation and Enforcement
                                     Office of the Secretary
                                     U.S. Fish and Wildlife Service
  
  Advisory Council on Historic Preservation
  African Development Foundation
  Commission of Fine Arts 
  Department of Education 
  Executive Residence/White House
  Federal Labor Relations Authority
  Federal Trade Commission
  Harry S. Truman Scholarship Foundation
  Inter-American Foundation
  International Trade Commission
  James Madison Memorial Fellowship Foundation
  National Commission of Libraries & Information Science
  National Education Goals Panel
  Overseas Private Investment Corporation
  Pension Benefit Guaranty Corporation
  Presidio Trust 
  Securities and Exchange Commission
  Selective Service System
  Social Security Administration
  Trade and Development Agency
  U.S. Holocaust Memorial Council
  Utah Reclamation Mitigation Conservation Commission