[Audit Report on the Automated Law Enforcement System, National Park Service]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 97-I-908

Title: Audit Report on the Automated Law Enforcement System, National
       Park Service

Date: June 23, 1997

                  **********DISCLAIMER**********

This file contains an ASCII representation of an OIG report.  No attempt has been made to display
graphic images or illustrations.  Some tables may be included, but may not resemble those in the
printed version.

A printed copy of this report may be obtained by referring to the PDF file or by calling the Office
of Inspector General, Division of Acquisition and Management Operations at (202) 208-4599.
                  ******************************

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240

MEMORANDUM

TO:                 The Secretary

FROM:               Wilma A. Lewis
                    Inspector General

SUBJECT SUMMARY:    Final Audit Report for Your Information - "Automated Law
                    Enforcement System, National Park Service" (No. 97-I-908)

Attached for your information is a copy of the subject final audit report. The objectives
of the audit were to: (1) determine whether the National Park Service's automated law
enforcement system, the Case Incident Reporting System (CIRS), met the law enforcement
reporting requirements of the Federal Bureau of Investigation and (2) provide information
to the Park Service that would assist it in implementing CIRS effectively.

We found that CIRS is capable of meeting the law enforcement requirements of the
Federal Bureau of Investigation and the operating needs of the Park Service. However,
the Park Service needs to enhance documentation, access, and procedural controls over
CIRS to ensure that CIRS, when it is filly implemented, operates effectively in the event
of personnel changes, system failures, or disasters. To correct these deficiencies, we
recommended that the Park Service: (1) establish written policies for CIRS; (2) develop
a process to collect data from remote locations for input into CIRS; (3) ensure that
adequate numbers of personnel are assigned to collect data; (4) ensure that user passwords
are securely stored; and (5) ensure that CIRS users have the required security clearances.

The Park Service's Audit Liaison Officer provided informal comments to our draft report
and said that, because the response was past due, we should consider these comments to
represent the Park Service's response. We requested that the Director, National Park
Service, provide a formal written response to this report. As a result, we considered the
five recommendations unresolved.

If you have any questions concerning this matter, please contact me at (202) 208-5745 or
Mr. Robert J. Williams, Assistant Inspector General for Audits, at (202) 208-4252.

Attachment
A-IN-NPS-O01-96
United States Department of the Interior
     OFFICE OF INSPECTOR GENERAL
         Washington, D.C. 20240

AUDIT REPORT

Memorandum

To:   Assistant Secretary for Fish and Wildlife and Parks

From:  Assistant Inspector General for Audits

Subject: Audit Report on the Automated Law Enforcement System, National Park Service
(No. 97-I-908)

INTRODUCTION

This report presents the results of our audit of the National Park Service's automated law
enforcement system, the Case Incident Reporting System (CIRS). Our audit was conducted
as part of our review of the Department of the Interior's automated law etiorcement systems.
The audit objectives were to: (1) determine whether CIRS met the law enforcement reporting
requirements of the Federal Bureau of Investigation and (2) provide information to the Park
Service that would assist it in implementing CIRS effectively.

BACKGROUND

The Park Service's Associate Director for Park Operations and Education, through the
Ranger Activities Division and the U.S. Park Police, is responsible for ensuring safe and
secure park environments. Park Service Rangers, under the guidance of the Ranger
Activities Division, perform law enforcement and resource protection activities, including
drug enforcement, traffic control, watercrafl- and aircraft-supported enforcement activities,
criminal investigations, and wildlife enforcement activities. The Park Police, an urban-
oriented law enforcement organization within the Park Service, performs a fill range of law
enforcement functions at sites in the metropolitan areas of Washington, D. C.; New York,
New York; and San Francisco, California. The Park Police's responsibilities include visitor
and facility protection, emergency services, criminal investigations, special security and
protection duties, enforcement of drug and vice laws, and traffic and crowd control.

 Under the Uniform Federal Crime Reporting Act of 1988 (Public Law 100-690), which
became effective on January 1, 1989, the Congress mandated that all Federal agencies with
law enforcement responsibility report crime statistics. In response to the Act, the Federal
Bureau of Investigation requires that crime statistics be reported in a uniform computerized
format to its automated system, the National Incident Based Reporting System (NIBRS).
The NIBRS program, which also became effective on January 1, 1989, and is defined in
Volumes I-III of the "Uniform Crime Reporting, National Incident-Based Reporting System"
and in the "Supplemental Guidelines for Federal Participation," requires Federal agencies to
submit, on a monthly basis, information on 22 offense categories for each crime investigated
(the offense categories are in Appendix 1). The information to be reported includes the
following: location of the crime; race, sex, and age of the offenders; information about the
victims and property involved in the crime; and information on arrests, such as arrest date
and type of apprehension. At the time of our review, the Department was reporting all
criminal investigation data under the Uniform Crime Reporting Program instead of NIBRS.
The Program, which was the predecessor to NIBRS, requires summary information to be
submitted monthly to the Federal Bureau of Investigation on the number of crimes
investigated for only eight offense categories (see Appendix 1).

In 1989, the Park Service's Information and Data Systems Division, with guidance from the
Ranger Activities Division, began developing CIRS. The Park Service, in its plans for
developing and implementing CIRS, stated that CIRS would satisfi the Federal Bureau of
Investigation's mandated criminal reporting requirements; tremendously facilitate the data
collection for monthly, quarterly, and annual reports for a variety of disciplines; simplifi the
collection of management data from accident reports, incident reports, search and rescue
data, and emergency medical services data; and standardize offense/incident coding
throughout the Park Service, thereby improving the accuracy of statistical reports. The Park
Police in Washington, D. C., had a different system, which it has operated since 1984. The
Washington, D. C., Park Police will continue operating its system and transfer its NIBRS-
related data from its system to CIRS. The Park Service began to implement CIRS at park
units in January 1995, and by January 1997, almost 90 percent of the park units were using
CIRS.

SCOPE OF AUDIT

To accomplish our audit objectives, we reviewed the general and application controls and
system operations that had been implemented with CIRS. We also reviewed system
documentation, conducted interviews with the program manager and the Section Chief for
Programs, conducted site visits, and contacted system users at the sites listed in Appendix 2.
Since CIRS was intended to meet the Park Service's NIBRS reporting requirements, we did
not review the law enforcement system of the Washington, D. C., Park Police, which will
transfer NIBRS-related data to CIRS.

Our audit was conducted in accordance with the "Government Auditing Standards," issued
by the Comptroller General of the United States. Accordingly, we included such tests of
records and other auditing procedures that were considered necessary under the

2

 
circumstances. As part of our review, we evaluated the system of internal controls to the
extent that we considered necessary. The internal control weaknesses that we found are
discussed in the Results of Audit section of this report.  If implemented, our
recommendations should improve the internal controls.

We also reviewed the Department of the Interior's Annual Statement and Report, which is
required by the Federal Managers' Financial Integrity Act, for fiscal years 1994 and 1995
and determined that none of the reported weaknesses were directly related to the objectives
and scope of this audit.

PRIOR AUDIT COVERAGE

During the past 5 years, neither the General Accounting Office nor the Office of Inspector
General has issued any reports related to the scope of this review. However, in June 1989,
the Office of Inspector General issued the report "Law Enforcement Activities, National Park
Service" (No. 89-83), which stated that the Park Service had not planned, supervised, or
controlled investigative activities in accordance with the Departmental Manual. To address
the deficiencies noted in the report, we recommended that the Director, National Park
Service, in coordination with the Assistant Secretary for Policy, Budget and Administration
(now the Assistant Secretary for Policy, Management and Budget), establish a management
information system to track and provide uniform reports on cases and productivity. Based
on the Park Service's response, we considered the recommendation resolved, and the
development of CIRS implements the recommendation.

RESULTS OF AUDIT

We concluded that the National Park Service's Case Incident Reporting System (CIRS) is
capable of meeting the law enforcement reporting requirements of the Federal Bureau of
Investigation and functioning as an incident reporting system. The Park Service included,
in CIRS, internal controls such as edits to ensure that cases were reviewed and approved
before being reported and to prevent duplicate cases from being maintained.

However, we found weaknesses in the Park Service's general controls over CIRS. In that
regard, the Park Service needs to enhance documentation, access, and procedural controls
to ensure that CIRS, when it is fully implemented, operates effectively in the event of
personnel changes, system failures, or disasters. These weaknesses areas follows:

- The Park Service did not have written policies in the areas of a system user manual that
describes data input or modification procedures; data backup or archival requirements such
as storage and time frames; hardware and software security; descriptions of system
processes; and specific data submission procedures.

- Park Service officials said that the Park Service intends to rely on park unit employees
to transmit electronically incident data to the Park Service's central CIRS computer in
Atlanta, Georgia, rather than having CIRS retrieve data automatically from remote locations.

3

 
Thus, there is little assurance that the Park Service will be collecting and reporting all law
enforcement data from all of the park units.

- Only one Park Service employee was responsible for collecting all of the data from
park unit employees and reporting monthly and annually to NIBRS, Park Service managers,
and non-Park Service activities such as the Congress. Thus, if the one employee is
unavailable or leaves the Park Service, the Park Service has little assurance that NIBRS data
will be collected and reported accurately and timely.

- The Park Service established passwords for CIRS users to restrict access to CIRS data;
however, the passwords were stored in an easily accessed database file. As a result, sensitive
law enforcement data were at risk of unauthorized access.

- Because CIRS data are sensitive and are subject to the Privacy Act, users are required
by the Departmental Manual (446 DM 14.4C) and the Park Service Manual (NPS 9) to have
security clearances. However, at the one park unit we visited, CIRS users who were seasonal
employees had not received the appropriate security clearances until after their appointments
had expired. As such, there was a risk for unauthorized access to sensitive data.

Recommendations

We recommend that the Director, National Park Service, ensure that:

1. Written policies are established for CIRS, including a system user manual and
requirements for security, data backup and archival, data maintenance, system processes, and
data submission.

2. A process is developed that automatically collects all park unit data into the Park
Service's central CIRS computer.

3. At least one alternate employee is designated within the Ranger Activities Division
to collect and distribute Park Service law enforcement data.

4. Controls are established so that passwords of CIRS users cannot be stored in alternate
databases and cannot be accessed.

5. CIRS users have the required security clearances before they access CIRS data.

National Park Service Response and Office of Inspector General
Comments

We requested that the National Park Service provide, in accordance with the Departmental
Manual (360 DM 5.3), written comments to the draft report by March 24, 1997. Since
comments were not received by the due date, we informed the Park Service on April 11,
1997, that the response was overdue. On April 16, 1997, the Audit Liaison Officer sent us

4

 


an electronic mail message that included separate comments to the draft report from three
Park Service employees who were responsible for developing and implementing the Park
Service's automated law enforcement system. The Audit Liaison Officer said that, because
the response was past due, we should consider these comments to represent the Park
Service's response. However, we request that the Park Service submit a formal written
response on each of the audit recommendations, as required by the Departmental Manual
(360 DM 5.3). Therefore, we are requesting that the Director, National Park Service, provide
a written response to this report by July 30, 1997. The response should provide the
information requested in Appendix 3.

The legislation, as amended, creating the Office of Inspector General requires semiannual
reporting to the Congress on all audit reports issued, actions taken to implement audit
recommendations, and identification of each significant recommendation on which corrective
action has not been taken.

We appreciate the assistance of National Park Service personnel in the conduct of our audit.

 


                    APPENDIX 1

REPORTABLE OFFENSE CATEGORIES

National Incident Based Reporting System
1. Homicide Offenses
  Murder and nonnegligent manslaughter
  Negligent manslaughter
  Justifiable homicide
2. Sex Offenses, Forcible
  Forcible rape
  Forcible sodomy
  Sexual assault with an object
  Forcible fondling
3. Robbery
4. Assault Offenses

5.
6.








7.
8.
9.
10.
11.
12.

13.
14.
15.




16.



17.
18,
19.


20.


21.
22.

Aggravated assault
Simple assault
Intimidation
Burglary/Breaking and Entering
Larceny/Theft Offenses
Pocket-picking
Purse-snatching
Shoplifting
Then from building
Theft from coin-operated machine or device
Theft from motor vehicle
Thefi of motor vehicle parts or accessories
All other larceny
Motor Vehicle Theft
Arson
Bribery
Counter feitingiForgery
Destruction/Damage/Vandalism of Property
Drug/Narcotic Offenses
Drug/narcotic violations
Drug equipment violations
Embezzlement
Extortion/Blackmail
Fraud Offenses
False pretenseslswindlelcon fidence game
Credit card/automatic teller
Machine fraud
Impersonation
Welfare
Wire fraud
Gambling Offenses
Betting/wagering
Operating/promoting/assisting gambling
Gambling equipment violations
Sports tampering
Kidnaping/Abduction
Pornography/Obscene Material
Prostitution Offenses
Prostitution
Assisting or promoting prostitution
Sex Offenses, Nonforcible
Incest
Statutory rape
Stolen Property Offenses (receiving, etc.)
Weapon Law Offenses

Uniform Crime Reporting Program
1. Homicide
   Murder and nonnegligent manslaughter
   Manslaughter by negligence
2. Forcible Rape
   Rape by force
   Attempts to commit forcible rape
3. Robbery
   Firearm
   Knife or cutting instrument
   Strong-arm, hands, fists, feet, etc.
   Other dangerous weapons
4. Aggravated Assault
   Firearm
   Knife or cutting instrument
   Other dangerous weapons
   Hands, fist, feet, etc.
5. Burglary
   Forcible entry
   Unlawful entry
   Attempted forcible entry
6. Larceny - Thefl (except motor vehicle)
7. Motor Vehicle Theft
   Autos
   Trucks and buses
   Other vehicles
8. Arson
   Structural
   Mobile
   Other

6

 
APPENDIX 2

SITES VISITED OR CONTACTED

Sites Visited

Information and Data Systems Division
National Park Police Headquarters
Education and Visitor Services
Atlantic Coast System Support Office
Rocky Mountain National Park
Dispatch Office

Sites Contacted

   Location

Washington, D.C.
Washington, D.C.

Atlanta, Georgia

Estes Park, Colorado

Location

Canyonlands National Park*
Dinosaur National Monument*
Florissant Fossil Beds National Monument*
Glacier National Park*
Golden Gate National Recreation Area*
Grand Canyon National Park*
Rocky Mountain National Park*
Salinas Pueblo Missions National Monument*
Colorado Plateau and Rocky Mountain
System Support Office

Moab, Utah
Dinosaur, Colorado
Florissant, Colorado
West Glacier, Montana
San Francisco, California
Grand Canyon, Arizona
Estes Park, Colorado
Mountainair, New Mexico

Denver, Colorado

a-
Employees were contacted during a 2-day CIRS training class held on March 24-25, 1996, in
Denver,
Colorado.

7

 


APPENDIX 3

STATUS OF AUDIT REPORT RECOMMENDATIONS

Finding/Recommendation
  Reference      Status        Action Required

1,2,3,4, and5    Unresolved  Provide a response to the recommendations.
              If concurrence is indicated provide a plan
              identifying actions to be taken, including
              target dates and titles of officials
              responsible for implementation. If
              nonconcurrence is indicated, provide
              specific reasons for the nonconcurrence.

8

 
ILLEGAL OR WASTEFUL ACTMTIES
    SHOULD BE REPORTED TO
THE OFFICE OF INSPECTOR GENERAL BY

Sending written documents to:              Calling:

Within the Continental United States

U.S. Department of the Interior             Our 24-hour
Office of Inspector General            Telephone HOTLINE
1849 C Street, N.W.                  1-800-424-5081 or
Mail Stop 5341                 (202) 208-5300
Washington, D.C. 20240

TDD for hearing impaired
(202) 208-2420 or
1-800-354-0996

Outside the Continental United States

Caribbean Region

U.S. Department of the Interior          (703) 235-9221
Office of Inspector General
Eastern Division- Investigations
1550 Wilson Boulevard
Suite 410
Arlington, Virginia 22209

North Pacific Region

U.S. Department of the Interior          (700) 550-7428 or
Office of Inspector General               COMM 9-011-671-472-7279
North Pacific Region
238 Archbishop F.C. Flores Street
Suite 807, PDN Building
Agana, Guam 96910

 
w

Toil Free Numbers:
1-800-424-5081        E m
TDD 1-800-354-0996     =
             s
iTS/Commercial Numbers:    s
(202) 208-5300
TDD (202) 208-2420     E m

HOTUNE ;

1849 C Street N.W.      E
Mail Stop 5341        E
Washington, D.C. 20240 .;