This is the accessible text file for GAO report number GAO/OIG-09-5 entitled 'Office of Inspector General: Semiannual Report: October 1, 2008 — March 31, 2009' which was released on June 9, 2009.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

May 2009:

Office of Inspector General:

Semiannual Report:

October 1, 2008 — March 31, 2009:

GAO/OIG-09-5:

Office of the Inspector General:
United States Government Accountability Office:

Memorandum:

Date: May 8, 2009:

To: Acting Comptroller General – Gene L. Dodaro:

From: [Signed by] Inspector General – Frances Garcia:

Subject: Semiannual Report – October 1, 2008, through March 31, 2009:

In accordance with Section 5 of the Government Accountability Office Act of 2008 (GAO Act), I am submitting my semiannual report for the first half of fiscal year 2009 for your comments and its transmission to the Congress.

During this period, the Office of the Inspector General (OIG) undertook a number of actions to implement requirements in the GAO Act and selected provisions in the Inspector General Reform Act of 2008. These actions included drafting a new GAO order and policies and procedures, to emphasize the statutory role and responsibilities of the OIG; establishing a page on GAO’s Web site to make the OIG’s products readily available to the Congress and the public; hiring an attorney to provide independent legal advice and counsel; and actively participating in the newly established Council of Inspectors General on Integrity and Efficiency.

In addition, we issued one report with recommendations—our fiscal year 2008 evaluation of GAO’s voluntary compliance with the information security program and practices required by the Federal Information Security Management Act of 2002. (See attachment for a summary of this report and GAO actions to address its recommendations.) Further, we monitored the agency’s efforts to assess and report on internal controls consistent with guidance provided by the Office of Management and Budget in its Circular No. A-123, Management’s Responsibility for Internal Control, and initiated an audit risk assessment of GAO to aid in our development of risk-based audit work plans. Our ongoing work included reviews of GAO performance measures for three areas—human capital management, product timeliness, and GAO testimonies.

Regarding our efforts to identify potential fraud, waste, or abuse within GAO, we received 28 inquiries and allegations this reporting period through our hotline and other sources.
Twelve concerned matters related to other federal agencies, so they were closed with a referral to GAO’s FraudNet—a mechanism that anyone may use to report allegations of fraud, waste, abuse, or mismanagement of federal funds—or the appropriate agency Office of Inspector General. Four were closed due to insufficient factual information that would warrant further investigation; three others were closed with a referral to the appropriate GAO office because they involved personnel and security matters. Regarding the other nine cases, we completed action on four, including one where an employee resigned as a result of the investigation. At the end of the reporting period, five cases remained open.

Finally, in response to recommendations made in a prior report, Diversity at GAO: Sustained Attention Needed to Build on Gains in SES and Managers (GAO-08-10 Sept. 10, 2008), GAO has incorporated diversity goals in Senior Executive performance appraisals and established procedures to better ensure the completeness and accuracy of its publicly reported discrimination data. In addition, the agency has drafted an order to establish a requirement for an annual Workforce Diversity Plan and to revise its discrimination complaint process to clarify responsibilities and procedures when a complaint involves staff within GAO’s Office of Opportunity and Inclusiveness. GAO expects the revised order to be published for agencywide comment soon and made final shortly thereafter. In addition, the agency has implemented and strengthened internal controls for tracking, reviewing, and reporting complaint data.

Attachment:

cc: Ms. Harper, Chief Administrative Officer:
Mr. Gordon, Acting General Counsel:

[End of section]

Attachment: Summary of OIG Reports and GAO Actions:

Reports Issued October 1, 2008 - March 31, 2009:

Independent Evaluation of GAO’s Information Security Program and Practices—Fiscal Year 2008, GAO/OIG-09-1 (Oct. 2, 2008).
Findings: In this report, the OIG concludes that GAO has generally established an information security program consistent with the requirements of the Federal Information Security Management Act of 2002 (FISMA) and guidance issued by the Office of Management and Budget and the National Institute of Standards and Technology, but that GAO has not fully implemented several information security and privacy-related requirements.

Recommendations and GAO Actions: The report includes six recommendations to improve GAO’s information security practices and its Privacy Program. GAO management concurred with each of the recommendations and in response has conducted an assessment of the agency’s systems and applications to update its systems inventory, established a process for incorporating specific security language as appropriate in information technology acquisitions, begun identifying additional content for its information security awareness training, and continued negotiations with other agency service providers to help GAO better monitor the remediation of security weaknesses identified for providers’ systems. In addition, GAO has drafted privacy policy, developed a Privacy Impact Assessment process and template, and plans to conduct assessments during fiscal year 2009 for 20 major systems that contain personally identifiable information.

[End of attachment]