[Audit Report on Personnel and Payroll Processing Policies and Procedures, National Business Center/Products and Services, Office of the Secretary, Department of the Interior
]
[From the U.S. Government Printing Office, www.gpo.gov]
Report No. 01-I-131
Title: Audit Report on Personnel and Payroll Processing Policies
and Procedures, National Business Center/Products and Services,
Office of the Secretary, Department of the Interior
Date: January 22, 2001
**********DISCLAIMER**********
This file contains an ASCII representation of an OIG report. No attempt has been made to
display graphic images or illustrations. Some tables may be included, but may not resemble
those in the printed version. A printed copy of this report may be obtained by referring to the
PDF file or by calling the Office of Inspector General, Division of Acquisition and
Management Operations at (202) 219-3841.
******************************
U.S. Department of the Interior Office of Inspector General
EXECUTIVE SUMMARY
Personnel and Payroll Processing Policies and Procedures,
National Business Center/Products and Services,
Office of the Secretary, Department of the Interior
Report No. 01-I-131
January 2001
The Department of the Interior's National Business Center/ Products and Services (NBC/PS),
located in Lakewood, Colorado, implemented the Department's Federal Personnel Payroll
System (FPPS) at the end of 1998. NBC/PS provides automated personnel and payroll
services for its clients, the Department of the Interior and its bureaus and other Federal
agencies, such as the Department of Education and the Social Security Administration.
During 1999, NBC/PS processed payroll of approximately $8 billion for approximately
175,000 Federal employees. NBC/PS receives funding through the Department of the
Interior's working capital fund and through direct charges to client appropriations. During
fiscal year 1999, NBC/PS charged its clients about $29 million.
The objective of the audit was to determine whether NBC/PS's policies and procedures
provided reasonable assurance that personnel and payroll transactions were processed and
reported accurately and timely and were in compliance with applicable Federal laws and
regulations.
We concluded that NBC/PS's policies and procedures generally provided for accurate and
timely processing of personnel and payroll transactions in compliance with applicable
personnel and payroll laws and regulations. In addition, we found that there may be
opportunities to operate NBC/PS personnel and payroll processing and reporting functions
more efficiently and to decrease the risk of unauthorized access to, modification of, and
disclosure of personnel and payroll data and of critical systems not being recovered in the
event of a disaster or a system failure. Based on our audit, NBC/PS began or completed
developing a strategic plan for its operations, programing all required functions in FPPS,
instituting all necessary security policies, and maintaining sufficient internal controls over
software change management and separation of duties.
We made 12 recommendations for improving operations.
AUDITEE COMMENTS AND OFFICE OF INSPECTOR GENERAL EVALUATION
Based on NBC/PS's response to the recommendations, we considered seven
recommendations resolved and implemented and five recommendations resolved but not
implemented.
A-IN-OSS-001-99-M
January 22, 2001
AUDIT REPORT
Memorandum
To: Director, National Business Center, Office of the Secretary
From: Roger La Rouche
Acting Assistant Inspector General for Audits
Subject: Audit Report on Personnel and Payroll Processing Policies and Procedures,
National Business Center/Products and Services, Office of the Secretary,
Department of the Interior (No. 01-I-131)
INTRODUCTION
This report presents the results of our audit of personnel and payroll processing policies and
procedures at the Department of the Interior's National Business Center/Products and
Services (NBC/PS). The objective of this audit was to determine whether NBC/PS's policies
and procedures provided reasonable assurance that personnel and payroll transactions were
processed and reported accurately and timely, were in compliance with applicable Federal
laws and regulations, and were processed efficiently. We performed this audit to support the
Office of Inspector General's opinions on the annual financial statements of the Department
of the Interior and its bureaus and offices.
BACKGROUND
During 1990, NBC/PS (formerly known as the Bureau of Reclamation's Denver
Administrative Service Center), located in Lakewood, Colorado, began to develop the
Federal Personnel Payroll System (FPPS) to replace the Department of the Interior's payroll
and personnel system, PAY/PERS. By the end of 1998, NBC/PS had fully implemented
FPPS.
FPPS, which resides on an IBM mainframe computer, was developed by the Bureau of
Reclamation using Natural programming language with ADABAS as the database
management system. The enhanced features of FPPS include increased management
information; paperless processing of personnel and payroll actions through on-line approvals;
and immediate responses to on-line editing, updating, and query requests.
NBC/PS provides automated personnel and payroll services for its clients, the Department
of the Interior and its bureaus, and other Federal agencies (see Appendix 1). Offices within
NBC/PS that have responsibilities related to personnel and payroll processing are as follows:
- The ADP Services Division is responsible for managing the computer center
where the IBM mainframe computer is located and for ensuring that telecommunications are
operational and secure.
- The Payroll Operations Division (POD) is responsible for developing,
implementing, operating, and maintaining the FPPS general support system, known as the
Automated Payroll System (APS), which resides on a Digital Alpha server. The APS
includes the applications of Health Benefits Reporting, Thrift Lost Earnings, Debt
Management, and Check Collection. POD is also responsible for reporting accurate payroll
data to the clients and other Federal agencies, such as the Office of Personnel Management
and the Department of the Treasury.
- The Applications Management Office's FPPS Program Management Division is
responsible for developing, implementing, operating, and maintaining FPPS.
- The Management and Technical Service Division's Planning and Performance
Support Branch is responsible for providing training for NBC/PS clients.
During 1999, NBC/PS processed payroll of approximately $8 billion for approximately
175,000 Federal employees. NBC/PS receives funding through the Department of the
Interior's working capital fund and through direct charges to client appropriations. During
fiscal year 1999, NBC/PS charged its clients about $29 million (about $160 per account).
SCOPE OF AUDIT
To accomplish our objective, we reviewed and tested policies and procedures that were in
place during fiscal year 1999 for personnel and payroll processing at NBC/PS. We also
interviewed NBC/PS personnel and NBC/PS contractor personnel, reviewed application and
system documentation, analyzed network security, and evaluated service continuity
procedures and testing. We did not review the internal controls over input that updates FPPS
personnel data or the internal controls over data entry functions for time and attendance.
We also used Internet Scanner software developed by Internet Security Systems to identify
vulnerabilities in NBC/PS's network. A list of the vulnerabilities identified by the Internet
Scanner software was provided to NBC/PS management. For the vulnerabilities identified,
NBC/PS management made appropriate changes to improve the security of its network.
Our audit was made in accordance with the "Government Auditing Standards," issued by the
Comptroller General of the United States. Accordingly, we included such tests of records
and other auditing procedures that were considered necessary under the circumstances.
PRIOR AUDIT COVERAGE
During the past 5 years, neither the Office of Inspector General nor the General Accounting
Office has not issued any audit reports related to FPPS.
RESULTS OF AUDIT
We concluded that NBC/PS's policies and procedures generally provided for the accurate
and timely processing of personnel and payroll transactions in compliance with applicable
personnel and payroll laws and regulations. However, we identified areas needing
improvement. Specifically, NBC/PS did not develop a strategic plan for NBC/PS operations,
program all required functions in FPPS, institute all necessary security policies, and maintain
sufficient internal controls over software change management and separation of duties. As
a result, there may be opportunities to operate NBC/PS personnel and payroll processing and
reporting functions more efficiently and to decrease the risk of unauthorized access to,
modification of, and disclosure of personnel and payroll data and of critical systems not
being recovered in the event of a disaster or a system failure.
Strategic Plan
NBC/PS management had not developed a strategic plan for NBC/PS operations. A strategic
plan is needed to establish an agency's goals and match activities to mission and objectives,
and it should include information on how to set priorities and allocate resources. Office of
Management and Budget Circular A-123, "Management Accountability and Control," states,
"Developing a written strategy for internal agency use may help ensure that appropriate
action is taken throughout the year to meet the objectives of the Integrity Act."
NBC/PS management said that they did not believe a strategic plan was necessary at the
NBC/PS organizational level because it would be more appropriate to develop an NBC
strategic plan that would include all services that NBC provides. We believe that without
a strategic plan, NBC/PS is at risk of developing and implementing system enhancements
using information technology that may not improve business processes and meet user
requirements. Information technology that could be developed and implemented in system
enhancements which would improve personnel and payroll processing includes distributed
processing, use of electronic commerce applications, and a personnel and payroll system that
integrates seamlessly with financial and management information systems.
Workarounds
To ensure that employees who were paid by FPPS were paid correctly and payroll
information was reported accurately, NBC/PS personnel developed "workarounds." The
purpose of the workarounds was to perform payroll functions that were required but were not
part of FPPS. Additionally, applications such as Health Benefits Reporting and Thrift Lost
Earnings were developed to operate on APS rather than FPPS, and these systems were not
integrated. Further, spreadsheets were developed and used to correct payroll errors and to
perform reconciliations. Examples of workarounds are as follows:
- A workaround was developed to ensure that variances were reconciled between
the POD 200 report (a report of personnel costs created from four FPPS interface files) and
the FPPS Labor Cost File (a file of personnel costs by program or activity as defined by each
client that is interfaced with the clients' financial systems). Because the information for the
POD 200 report and the FPPS Labor Cost File are generated from the same system, FPPS,
the variances generated and the need for reconciling the variances may indicate that there are
potential problems with data integrity or with programming.
- A workaround was developed to ensure that income taxes were consolidated and
paid to appropriate state and local governments. NBC/PS staff who performed this
consolidation effort said that the workaround takes approximately 40 hours of personnel time
per biweekly pay period to complete. In comparison, this same function took about 1 hour
of personnel time to complete as part of PAY/PERS, the replaced system.
- A workaround was developed to ensure that the Supplemental Semiannual
Headcount Report submitted to the Office of Personnel Management was accurate. One field
in this report is a count of all employees in an agency. FPPS was not programmed to
calculate this field correctly; therefore, NBC/PS personnel had to manually determine the
number of employees and correct a paper copy of the report. We found, however, that the
headcount information for the Department of the Interior reported to the Office of Personnel
Management for August1999 was incorrect.
Office of Management and Budget Circular A-127, "Financial Management Systems,"
describes a "mixed system" (such as FPPS) as an "information system that supports both
financial and non-financial functions of the Federal government or components thereof."
The Circular further states that "financial management systems must be in place to process
and record financial events effectively and efficiently, and to provide complete, timely,
reliable and consistent information." NBC/PS management said, however, that there were
no plans for the immediate future to program functions in FPPS that are performed through
workarounds because this may not be cost effective. We were not provided documentation
to support that it was not cost effective to implement these FPPS changes. As a result, there
was an increased risk that NBC/PS was not processing payroll transactions efficiently and
effectively and may therefore not have been in compliance with Office of Management and
Budget Circular A-127. There was also an increased risk that NBC/PS was not reporting
accurate data.
Security Policies
NBC/PS management had not developed all the security policies necessary for FPPS and
APS. Specifically, security policies had not been developed to adequately protect the
NBC/PS telecommunications networks, sensitive data sent through electronic mail, and
spreadsheets that support adjustments to FPPS data. In addition, security policies did not
include an incident response plan and team, adequate preparation to recover critical functions
and processes in the event of a disaster or a system failure, and assurance that risks were
adequately assessed and managed. Further, system certifications, which certify that adequate
security safeguards have been installed and imply the acceptance of risk, were not adequate,
and system security plans had not been developed. Areas needing improvement in
NBC/PS's security policies, plans, and practices are described as follows:
- Although NBC/PS had an informal firewall policy, which helped to ensure that
its telecommunications networks were secure from probes and attacks from unauthorized
users, NBC/PS did not have an overall site security policy. National Institute of Standards
and Technology Special Publication 800-10, "Keeping Your Site Comfortably Secure: An
Introduction to Internet Firewalls," states that a stand-alone policy "concerning only the
firewall is not effective" because what is needed is a "strong site security policy."
NBC/PS management did not ensure that a site security policy was developed and
implemented. Without a site security policy, there was an increased risk that NBC/PS
telecommunications networks would not be adequately protected from unapproved access,
misuse, or denial of service.
- NBC/PS did not have an adequate electronic mail usage policy for its employees
and contractors to ensure that proprietary data, such as bank account and social security
numbers, were sent to and accessed only by authorized individuals. Request for Comments
1244, "Site Security Handbook," referred to in National Institute of Standards and
Technology Publication 800-10, states:
There may be levels of responsibility associated with a policy on computer
security. At one level, each user of a computing resource may have a
responsibility to protect his account. A user who allows his account to be
compromised increases the chances of compromising other accounts or
resources. . . . If the people you grant privileges to are not accountable, you
run the risk of losing control of your system and will have difficulty
managing a compromise in security.
Additionally, Office of Management and Budget Circular A-130, "Management of Federal
Information Resources," states that agencies will "consider the effects of their actions on the
privacy rights of individuals, and ensure that appropriate legal and technical safeguards are
implemented." Although an electronic mail usage policy had not been developed, NBC/PS
management said that a policy would be developed. By not having an adequate electronic
mail usage policy, there was an increased risk that in the event of a security violation,
NBC/PS management would not be able to show that their policy had been violated and
therefore would have no recourse against the employees commensurate with the violation.
- NBC/PS had no security policies to adequately protect the data in spreadsheets
used to support adjustments to FPPS data. Spreadsheets were developed to ensure that, on
a case-by-case basis, Federal employees were paid correctly. We found that spreadsheet
formulas, which were complex, were not protected from unauthorized changes; a
management official was not held responsible for maintaining and updating the spreadsheets;
spreadsheet formulas were not certified by managers responsible for ensuring data accuracy;
and resultant payroll corrections were not approved prior to updating FPPS. National
Institute of Standards and Technology Special Publication 500-171, "Computer User's Guide
to the Protection of Information Resources," states, "In some cases, data is far more sensitive
to accidental errors or omissions that compromise accuracy, integrity, or availability."
Because formulas could become obsolete and data entry errors could be made and not be
detected timely, there was an increased risk that employees could be paid incorrectly.
During our review, NBC/PS management implemented policies and procedures that
protected spreadsheet formulas from unauthorized changes, that established a process for
revising and developing spreadsheets, and that provided for a third-party review of data
being entered into FFS.
- NBC/PS did not have an incident response plan and a team to respond timely and
efficiently to information system security incidents if an incident was caused by a computer
virus, other malicious code, or a system intruder (either an authorized user performing an
unauthorized act or an unauthorized user). Appendix III, "Security of Federal Automated
Information Resources," of Office of Management and Budget Circular A-130 states:
When faced with a security incident, an agency should be able to respond in
a manner that both protects its own information and helps to protect the
information of others who might be affected by the incident. To address this
concern, agencies should establish formal incident response mechanisms.
NBC/PS management did not ensure that an incident response plan and a team were in place.
Without an incident response plan and a team, there was an increased risk that security
incidents would not be identified and, if identified, would not be addressed quickly and
efficiently.
- NBC/PS management did not have an adequate disaster recovery plan for APS
processing in the event of a disaster or a system failure. Appendix III of Office of
Management and Budget Circular A-130 requires agencies to establish a comprehensive
contingency plan and periodically test the capability to continue providing services and
perform an agency function. Also, the Department of the Interior's "Automated Information
Systems Security Handbook" mandates off-site storage for "all AIS [automated information
systems] installations providing critical support to the organization's mission." We found
that a disaster recovery plan was developed for APS; however, the plan did not reflect the
APS current environment, identify a specific location for APS to operate and connect to
FPPS, and include an off-site location that is at least 1 mile from NBC/PS. As a result, there
was an increased risk that all NBC/PS critical personnel and payroll processes supported by
APS would not continue in the event of a disaster or a system failure.
- NBC/PS had performed its most recent risk assessments for FPPS and APS during
fiscal year 1997. These risk assessments were not updated to reflect the current operational
environments. During fiscal years 1997 to 1999 (through July 1999), FPPS software had
been changed 13 times. The 1997 risk assessment for APS identified the system as a front-
end processor for PAY/PERS rather than as the current general support system of POD. The
risk assessments also did not address (1) all risks associated with FPPS and APS, (2) the
selection of safeguards to mitigate risks, and (3) the acceptance of residual risk.
Appendix III of Office of Management and Budget Circular A-130 states, "While formal risk
analyses need not be performed, the need to determine adequate security will require that a
risk-based approach be used." Appendix III further states, "The scope and frequency of the
review should be commensurate with the acceptable level of risk for the system." Also,
National Institute of Standards and Technology Special Publication 800-12, "An Introduction
to Computer Security: the NIST Handbook,"addresses the selection of safeguards to mitigate
risk and the acceptance of residual risk. Risk assessments had not been performed since
fiscal year 1997 because NBC/PS management stated that risk assessments are required only
every 3 years by Appendix III of Office of Management and Budget Circular A-130.
Without considering current operational environments and identifying all significant threats
and vulnerabilities, the risk was increased that the most appropriate and cost-effective
security measures needed to adequately protect the sensitive data maintained in FPPS and
APS would not be implemented.
- NBC/PS had system certifications for FPPS and APS; however, the certifications
were not signed by the appropriate responsible management official. NBC/PS had a
"Sensitive Computer System Security Certification," which was signed by the manager
responsible for development and maintenance of FPPS, and a "Sensitive AIS Security
Certification Statement" on file for APS, which was signed by the manager responsible for
APS daily operations. The Departmental Manual (375 DM 19) states that the management
official responsible for application and system certification has the authority to accept the
security safeguards and must possess authority to allocate the resources necessary to achieve
acceptable security and to remedy security deficiencies. NBC/PS management stated that
they believed the certifications were appropriate. However, we believe that the responsible
management official should be at a level that is not directly involved with system
development and maintenance or daily operations.
- NBC/PS did not have a system security plan for APS that was applicable to its
current operating environment as a stand-alone system residing on a server rather than a
front-end processor for PAY/PERS. A security plan is required by 5 U.S.C. � 552a to be
developed for each Federal computer system that contains sensitive information. Also,
National Institute of Standards and Technology Special Publication 800-18, "Guide for
Developing Security Plans for Information Technology Systems," states that a computer
security plan "is to provide an overview of the security requirements of the system and
describe the controls in place or planned for meeting those requirements" and is to be
designed to assist agencies in addressing the protection of systems to help ensure the
systems' integrity, availability, and confidentiality. NBC/PS management said that the
current version of the security plan was adequate. Without a security plan that is applicable
to the APS operating environment, NBC/PS had little assurance that the current plan would
address all of the management, operational, and technical controls necessary to protect the
sensitive APS data.
- During our review, we used Internet Scanner software to determine whether
NBC/PS's network had security vulnerabilities. Using the software, significant security
vulnerabilities within NBC/PS's network were identified. We provided NBC/PS
management with a list of the vulnerabilities, and NBC/PS management said that they would
correct the deficiencies. At the same time, NBC/PS was also reconfiguring its network to
improve security. Subsequent to NBC/PS's correcting its network deficiencies and
reconfiguring its network, NBC/PS requested that we reuse Internet Scanner software to
determine whether NBC/PS's network security had been improved. In reusing the software,
we found that NBC/PS's network vulnerabilities had been significantly reduced.
Internal Controls
NBC/PS did not ensure that controls over changes to FPPS and APS application software
were adequate and that duties were adequately separated for APS application programmers.
These internal control issues are discussed as follows:
- Change management controls over FPPS and APS application software were not
adequate. Specifically, NBC/PS management had not ensured that (1) controls were in place
over the FPPS emergency library, (2) controls were in place over FPPS and APS to ensure
that all changes were authorized and appropriate, (3) all users who requested changes to
FPPS were involved with testing to ensure that their requirements were met, and (4) adequate
testing was performed prior to implementing each FPPS change release. Although FPPS
personnel performed testing for each release of FPPS and had performed mini-regression
testing for the latest release, system testing had not been performed for FPPS releases.
Federal Information Processing Standards Publication 106 states:
Testing standards and procedures should define the degree and depth of
testing to be performed and the disposition of test materials upon successful
completion of the testing. Whenever possible, the test procedures and test
data should be developed by someone other than the person who performed
the actual maintenance of the system. Testing is a critical component of
software maintenance. As such the test procedures must be consistent and
based on sound principles. The test plan should define the expected output
and test for valid, invalid, expected, and unexpected cases. The test should
examine whether or not the program is doing what it is supposed to do.
Also, prudent business practices require that custom-developed software be coded, tested,
and accepted by users and management prior to moving the software into production. These
practices should include unit testing to ensure that the changed software works properly
when tested in isolation, systems testing to ensure that the changed software works when it
is integrated with the total system, and integration testing to ensure that the total system
works in the desired operating environment.
Without adequate controls over change management, there was an increased risk that critical
software changes would not be made and that the applications would not perform as required
by the users.
- NBC/PS management did not ensure that separation of duties was adequate for
APS. Specifically, application programmers responsible for developing and making code
changes to APS software were also responsible for moving these changes into production.
Appendix III of Office of Management and Budget Circular A-130 requires that security
controls of personnel include separation of duties. Appendix III and National Institute of
Standards and Technology Special Publication 800-12 define separation of duties as the
division of roles and responsibilities and of steps in a critical function so that no one
individual can undermine a critical process. Duties were not adequately separated because
NBC/PS management did not have policies and procedures to ensure that APS application
programmers' duties were adequately separated. As a result, there was an increased risk that
inappropriate actions by application programmers would not be detected timely and that
accidental or intentional actions by programmers could threaten the integrity of APS data and
could interrupt processing.
Recommendations
We recommend that the Director, NBC:
1. Develop, implement, and maintain a strategic plan for NBC that includes personnel
and payroll processing and operations.
2. Evaluate the necessity for workarounds that are used to supplement FPPS functions
and determine whether these workarounds are more cost effective than adding these required
functions to FPPS.
3. Develop, implement, and maintain a site security policy for NBC/PS.
4. Develop, implement, and maintain an electronic mail usage policy.
5. Document and maintain procedures to protect the data in spreadsheets and to review
results from the spreadsheets that are used to update FPPS data.
6. Develop, implement, and maintain a formal incident response plan and team.
7. Ensure that NBC/PS contingency planning addresses APS processing in the event
of a disaster or a system failure.
8. Perform risk assessments of FPPS and APS that represent the current operating
environments and ensure that all risks and vulnerabilities are identified, the risks are reduced
to an acceptable level, and any residual risks are accepted by senior-level management
officials.
9. Ensure that system certifications for FPPS and APS are signed by senior-level
management officials.
10. Develop an APS system security plan that reflects the current operating
environment.
11. Document and implement policies and procedures to ensure that changes to FPPS
and APS are authorized and appropriate and are adequately tested and that users are involved
in testing.
12. Develop and implement policies and procedures to ensure that duties are
adequately
separated for APS application programers.
NBC Response and Office of Inspector General Reply
In the September 1, 2000 response (Appendix 2) to the draft report from the Director of
NBC, NBC concurred with the 12 recommendations. Based on the response, we consider
Recommendations 5, 6, 8, 9, 10, 11, and 12 resolved and implemented and
Recommendations 1, 2, 3, 4, and 7 resolved but not implemented. Accordingly, the
unimplemented recommendations will be forwarded to the Assistant Secretary for Policy,
Management and Budget for tracking of implementation (see Appendix 3).
Additional Comments on Report
In its response, NBC also provided additional comments on the report. We incorporated
most of the changes as appropriate. However, our replies to NBC's specific comments on
workarounds and internal controls are discussed in the paragraphs that follow.
Workarounds. NBC stated that it did "not perceive the POD200 report to be a
'workaround' . . . but as a system assurance report to check data variances."
The draft report did not state that the POD 200 report was the workaround. The workaround
we discussed is the manual process to reconcile the POD 200 report to the Labor Cost File.
The manual reconciliation has to be performed following each pay period and involves not
only NBC/PS personnel but also NBC/PS's clients.
NBC also stated that it did not believe the facts in the draft audit report supported our
conclusion that because NBC/PS uses workarounds, it may not be processing payroll
transactions efficiently and effectively in accordance with Office of Management and Budget
Circular A-127 and it may not be reporting accurate data.
In our opinion, NBC/PS's using workarounds does not ensure that FPPS is working
efficiently and effectively to record financial events as required by Office of Management
and Budget Circular A-127 and does not ensure data accuracy. For example, we found that
for fiscal years 1998 and 1999, the Supplemental Semiannual Headcount Report submitted
to the Office of Personnel Management contained inaccurate data in spite of the manual
efforts to correct the Headcount Report.
Internal Controls. NBC said that we were "not accurate" in stating that system testing
for FPPS releases (changes to FPPS) had not been performed. NBC further said that it
believed the automated compares that were transferred to FPPS in 1999 when the
conversions of clients' data to FPPS were completed satisfied the need for system testing.
Although the automated compares were transferred to FPPS after being tested, we do not
believe that this process ensures that all FPPS releases have undergone system testing.
Since the report's recommendations are considered resolved, no further response to the
Office of Inspector General is required (see Appendix 3).
Section 5(a) of the Inspector General Act (5 U.S.C. app. 3) requires the Office of Inspector
General to list this report in its semiannual report to the Congress. In addition, the Office of
Inspector General provides audit reports to the Congress.
APPENDIX 1
CLIENTS OF THE
NATIONAL BUSINESS CENTER/PRODUCTS AND SERVICES
FOR PERSONNEL AND PAYROLL SERVICES
Department of the Interior:
Bureau of Indian Affairs
Bureau of Land Management
Bureau of Reclamation
U.S. Geological Survey
Minerals Management Service
National Park Service
Office of Aircraft Services
Office of Inspector General
Office of Surface Mining Reclamation and Enforcement
Office of the Secretary
U.S. Fish and Wildlife Service
Advisory Council on Historic Preservation
African Development Foundation
Commission of Fine Arts
Department of Education
Executive Residence/White House
Federal Labor Relations Authority
Federal Trade Commission
Harry S. Truman Scholarship Foundation
Inter-American Foundation
International Trade Commission
James Madison Memorial Fellowship Foundation
National Commission of Libraries & Information Science
National Education Goals Panel
Overseas Private Investment Corporation
Pension Benefit Guaranty Corporation
Presidio Trust
Securities and Exchange Commission
Selective Service System
Social Security Administration
Trade and Development Agency
U.S. Holocaust Memorial Council
Utah Reclamation Mitigation Conservation Commission