This is the accessible text file for GAO report number GAO-14-726 entitled 'Inspectors General: DHS OIG's Structure, Policies, and Procedures Are Consistent with Standards, but Areas for Improvement Exist' which was released on September 24, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Committees: September 2014: Inspectors General: DHS OIG's Structure, Policies, and Procedures Are Consistent with Standards, but Areas for Improvement Exist: GAO-14-726: GAO Highlights: Highlights of GAO-14-726, a report to congressional committees. Why GAO Did This Study: The DHS OIG plays a critical role in strengthening accountability throughout DHS. The OIG received about $141 million in fiscal year 2013 appropriations to carry out this oversight. The joint explanatory statement to the Department of Homeland Security Appropriations Act, 2013, directed GAO to review the OIG and its organizational structure for meeting independence standards. This report examines (1) the coverage the OIG's audits and inspections provided of DHS's component agencies, management challenges, and high- risk areas; (2) the extent to which the OIG's organizational structure, roles, and responsibilities were consistent with the IG Act; and (3) the extent to which the design of the OIG's policies and procedures was consistent with applicable independence standards. To address these objectives, GAO obtained relevant documentation, such as selected reports and OIG policies and procedures, and compared this information to the IG Act and independence standards. GAO also interviewed officials from the OIG, DHS components, and the FBI. What GAO Found: During fiscal years 2012 and 2013, the Department of Homeland Security's (DHS) Office of Inspector General (OIG) issued 361 audit and inspection reports that collectively cover key components, management challenges identified by the OIG, and relevant high-risk areas identified by GAO. Of the 361 reports, 200 pertained solely to the Federal Emergency Management Agency (FEMA)-—the DHS component with the largest budget. Of those FEMA reports, 118 reports involved audits of disaster assistance grants. The OIG's organizational structure, roles, and responsibilities are generally consistent with the Inspector General (IG) Act of 1978, as amended (IG Act). In 2013, the OIG made changes to its structure to enhance independence and oversight, including establishing an Office of Integrity and Quality Oversight. However, areas for improvement exist for the OIG to better meet its responsibilities. * The OIG has not reached agreement with the Federal Bureau of Investigation (FBI) on coordinating and sharing border corruption information. The IG Act requires OIGs to recommend policies for and to conduct, supervise, or coordinate relationships with other federal agencies regarding cases of fraud or abuse. The Senate Appropriations Committee directed DHS to report jointly with the OIG and other DHS components on plans for working with the FBI. * The OIG lacks adequate controls to protect identities of employees filing complaints because its process for recording complaints involves significant manual procedures, without review, that can be subject to human error. The IG Act requires that OIGs not disclose the identity of an employee filing a complaint without the employee's consent unless such disclosure is unavoidable during the course of an investigation. The OIG is aware of these issues and is developing standard operating procedures. * The OIG does not have a policy for obtaining legal advice from its own counsel or guidelines specifying when it is appropriate to consult with the department's counsel. The former Acting IG requested legal help from a counsel at the department for 4 months, and it was not clear if this request was for appropriate matters. The IG Act requires the IG to obtain legal advice from a counsel reporting directly to the IG or another IG. The OIG Deputy Counsel has asked a working group to draft guidelines on consultations with the department's counsel. The OIG's policies and procedures are consistent with independence standards. However, OIG senior executives did not always comply with the policy to annually complete certificates of independence. Because the OIG does not centrally maintain the certifications, management's ability to monitor compliance is hindered. For example, no certificate of independence could be found for the former Acting IG. As a result of an impairment to the former Acting IG's independence that was not identified in a timely manner, the OIG had to reissue six reports for fiscal year 2012 to add an explanatory statement about the impairment. External peer reviews of the OIG's audit function, completed in 2009 and 2012, also found that OIG staff, including senior executives, had not documented their independence as required. What GAO Recommends: GAO is making three recommendations for improving controls over processing complaints, obtaining legal advice, and monitoring compliance with independence standards. The IG concurred with GAO's recommendations and described actions being taken to address them. View [hyperlink, http://www.gao.gov/products/GAO-14-726]. For more information, contact Asif A. Khan at (202) 512-9869 or khana@gao.gov. [End of section] Contents: Letter: Background: DHS OIG's Audit and Inspection Reports Provided Coverage of Key Component Agencies, Management Challenges, and High-Risk Areas: Structure of DHS OIG Is Consistent with the IG Act, but Certain Policies and Procedures Could Be Improved: DHS OIG's Policies and Procedures Were Consistent with Applicable Independence Standards, but Effective Implementation Is Key: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Inspector General Quality and Independence Standards: Appendix III: DHS OIG's Policies and Procedures to Address Selected IG Act Requirements: Appendix IV: Comments from the Department of Homeland Security Office of Inspector General: Appendix V: GAO Contact and Staff Acknowledgments: Tables: Table 1: Department of Homeland Security (DHS) Components as of Fiscal Year 2013: Table 2: Department of Homeland Security (DHS) Office of Inspector General (OIG) Office Descriptions as of July 2014: Table 3: Office of Inspector General (OIG) Audit and Inspection Coverage of Department of Homeland Security (DHS) Components for Fiscal Years 2012 and 2013: Table 4: Office of Inspector General (OIG) Coverage of Department of Homeland Security (DHS) Management Challenges for Fiscal Years 2012 and 2013: Table 5: Department of Homeland Security (DHS) Office of Inspector General (OIG) Coverage of High-Risk Areas for Fiscal Years 2012 and 2013: Table 6: Department of Homeland Security (DHS) Office of Inspector General (OIG) Procedures to Address Selected Inspector General (IG) Act of 1978, as Amended (IG Act) Requirements: Figure: Figure 1: Department of Homeland Security (DHS) Office of Inspector General (OIG) Organization Chart (as of July 2014): Abbreviations: AIG: Assistant Inspector General: BCTF: border corruption task force: CBP: U.S. Customs and Border Protection: CIGIE: Council of the Inspectors General on Integrity and Efficiency: DHS: Department of Homeland Security: FBI: Federal Bureau of Investigation: FEMA: Federal Emergency Management Agency: GAGAS: generally accepted government auditing standards: ICE: U.S. Immigration and Customs Enforcement: IG: Inspector General: IG Act: Inspector General Act of 1978, as amended: IQO: Office of Integrity and Quality Oversight: MOU: memorandum of understanding: OIG: Office of Inspector General: [End of section] United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: September 24, 2014: Congressional Committees: The Department of Homeland Security's (DHS) Office of Inspector General (OIG) has a critical role in strengthening accountability throughout DHS and a responsibility to provide independent and objective oversight of the department's $91 billion in budgetary resources. To fulfill its accountability and oversight responsibilities, the DHS OIG conducts audits, inspections, and investigations of the department's programs and operations.[Footnote 1] The Department of Homeland Security Appropriations Act, 2013, provided DHS OIG approximately $145 million in fiscal year 2013 appropriations to fund these activities.[Footnote 2] To help ensure that the OIG's work is impartial and is viewed as such by DHS components, Congress, and the public, it is vital that the OIG maintain its independence, in fact and appearance. Moreover, the Inspector General (IG) Act of 1978, as amended (IG Act),[Footnote 3] requires that the OIG be independent and that it comply with Government Auditing Standards,[Footnote 4] which includes specific standards on independence. The joint explanatory statement accompanying the 2013 Department of Homeland Security Appropriations Act directed GAO to review the OIG's organizational structure and whether its audit, inspection, and investigation functions are organizationally structured to ensure that independence standards are met.[Footnote 5] To meet the committees' time frames, on November 8, 2013, we briefed your committee staffs on our preliminary observations. This report provides the results of our review to determine (1) the coverage that the OIG's audits and inspections provided of DHS's key component agencies, management challenges, and high-risk areas; (2) the extent to which the OIG's organizational structure, roles, and responsibilities were consistent with the IG Act; and (3) the extent to which the design of the OIG's policies and procedures for planning, reviewing, and reporting on audit, inspection, and investigation results were consistent with applicable independence standards. To address our objectives, we reviewed the DHS agency financial report for fiscal years 2012 and 2013; the OIG's annual performance plans and semiannual reports for fiscal years 2012 and 2013, including major management challenges identified; and GAO's High-Risk Series for 2013. [Footnote 6] We compared the subjects of DHS OIG reports issued during fiscal years 2012 and 2013 with the department's key component agencies as well as with the management challenges and high-risk areas that were identified for the department. We reviewed the DHS OIG's organization charts, written policies and procedures, and internal inspection and peer review reports.[Footnote 7] We compared the OIG's organizational structure, roles, and responsibilities with selected IG Act requirements. We also compared the OIG's written policies and procedures with independence standards promulgated by Government Auditing Standards and the Council of the Inspectors General on Integrity and Efficiency (CIGIE).[Footnote 8] We interviewed officials from the OIG, DHS components, and the Federal Bureau of Investigation (FBI). We conducted this performance audit from June 2013 to September 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. A more detailed explanation of our objectives, scope, and methodology can be found in appendix I. Background: On November 25, 2002, President Bush signed the Homeland Security Act of 2002, as amended, officially establishing DHS, with the primary mission of protecting the American homeland.[Footnote 9] DHS became operational on January 24, 2003. On March 1, 2003, under the President's reorganization plan, 22 agencies and approximately 181,000 employees were transferred to the new department. DHS is currently organized into the components shown in table 1, seven of which are referred to as key operational components.[Footnote 10] Table 1: Department of Homeland Security (DHS) Components as of Fiscal Year 2013: Key operational components: Federal Emergency Management Agency; Other components: Domestic Nuclear Detection Office; Other components: Office of Inspector General. Key operational components: Transportation Security Administration; Other components: Federal Law Enforcement Training Center; Other components: Office of Intelligence and Analysis. Key operational components: U.S. Citizenship and Immigration Services; Other components: Management Directorate; Other components: Office of Legislative Affairs. Key operational components: U.S. Coast Guard; Other components: National Protection and Programs Directorate; Other components: Office of Operations Coordination and Planning. Key operational components: U.S. Customs and Border Protection; Other components: Office for Civil Rights and Civil Liberties; Other components: Office of Policy. Key operational components: U.S. Immigration and Customs Enforcement; Other components: Office of General Counsel; Other components: Privacy Office. Key operational components: U.S. Secret Service; Other components: Office of Health Affairs; Other components: Science and Technology Directorate. Source: DHS. GAO-14-726. [End of table] According to DHS, the seven key operational components lead the department's frontline activities to protect the nation. The other remaining DHS components provide resources, analysis, equipment, research, policy development, and support to ensure that the frontline organizations have the tools and resources to accomplish the DHS mission. The department's five key mission areas are (1) preventing terrorism and enhancing security, (2) securing and managing the nation's borders, (3) enforcing and administering the nation's immigration laws, (4) safeguarding and securing cyberspace, and (5) ensuring resilience to disasters. In fiscal year 2013, DHS had about 226,000 full-time equivalent staff, and its budgetary resources totaled approximately $91 billion. DHS Office of Inspector General: Over three decades ago, Congress established independent IG offices throughout the federal government as a result of growing reports of serious and widespread internal control breakdowns resulting in monetary losses and reduced effectiveness or efficiency in federal activities. The IG Act established IG offices at major departments and agencies, including DHS, to prevent and detect fraud, waste, abuse, and mismanagement in their agencies' programs and operations; to conduct and supervise audits, inspections, and investigations; and to recommend policies to promote economy, efficiency, and effectiveness. As required by the IG Act, the DHS IG is presidentially appointed and confirmed by the Senate.[Footnote 11] The DHS OIG consists of several different component offices, as described in table 2. Table 2: Department of Homeland Security (DHS) Office of Inspector General (OIG) Office Descriptions as of July 2014: OIG office: Executive Office; Description: Consists of the Inspector General (IG), the Deputy IG, Chief of Staff, and a Special Assistant. It provides executive leadership to the OIG. From March 2013 through July 2014, it also included a Chief Operating Officer. OIG office: Office of Counsel; Description: Provides legal advice to the IG and OIG officials. OIG office: Office of Management; Description: Provides a complete array of administrative support functions to the OIG, including budget, personnel, and information technology. The office also prepares the OIG's annual performance plan and semiannual reports to Congress. OIG office: Office of Integrity and Quality Oversight (IQO); Description: Aims to improve the OIG's operations and enhance support of the DHS mission, programs, and operations. IQO manages the Hotline, Whistleblower Protection, and Ombudsman programs; compliance and quality assurance; and audit and inspection report quality. OIG office: Office of Audits; Description: Conducts and coordinates audits and program evaluations of the management and financial operations of DHS. OIG office: Office of Emergency Management Oversight; Description: Conducts audits to ensure that disaster relief funds are spent appropriately, while identifying fraud, waste, and abuse as early as possible. The office's focus is weighted heavily toward prevention, including reviewing internal controls, and monitoring and advising DHS and Federal Emergency Management Agency officials on contracts, grants, and purchase transactions before they are approved. OIG office: Office of Information Technology Audits; Description: Conducts audits and evaluations of DHS's information technology management, cyber infrastructure, systems integration, and systems privacy activities protections. OIG office: Office of Inspections; Description: Analyzes programs quickly to evaluate operational efficiency, effectiveness, and vulnerability. This work includes special reviews of sensitive issues that can arise suddenly and congressional requests for studies that require immediate attention. OIG office: Office of Investigations; Description: Investigates allegations of criminal, civil, and administrative misconduct involving DHS employees, contractors, grantees, and programs. These investigations can result in criminal prosecutions, fines, civil monetary penalties, administrative sanctions, and personnel actions. Source: DHS OIG. GAO-14-726. [End of table] IG Independence Requirements: The IG Act provides specific protections to IG independence that are necessary largely because of the unusual reporting requirements of the IGs, who are subject to the general supervision and budget processes of the agencies they audit while at the same time being expected to provide independent reports of their work to Congress. Protections to IG independence include a prohibition on the ability of the agency head to prevent or prohibit the IG from initiating, carrying out, or completing any audit or investigation. This prohibition is directed at helping to protect the OIG from external forces that could compromise its independence. Although these protections apply to the DHS OIG, exceptions exist for the Secretary of DHS when certain sensitive information or situations are involved.[Footnote 12] The IG's personal independence and the need to appear independent to knowledgeable third parties is also critical when the IG makes decisions related to the nature and scope of audit and investigative work performed by the OIG. An independent and reliable OIG structure firmly established at federal agencies is important for ensuring effective oversight of programs and operations. Auditors who work for OIGs are required to adhere to independence standards included in Government Auditing Standards, also known as generally accepted government auditing standards.[Footnote 13] Government Auditing Standards states that an audit organization and individual auditor must be free from impairments to independence and must avoid the appearance of an impairment. Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and be viewed as impartial by objective third parties with knowledge of the relevant information. This requires staff to act with integrity, exercise objectivity and professional skepticism, and avoid circumstances or threats to independence that would cause a reasonable and informed third party to believe that an OIG's work had been compromised. In addition, to the extent legally permitted and not inconsistent with Government Auditing Standards, federal OIGs are required, as appropriate, to adhere to the quality standards promulgated by CIGIE. [Footnote 14] These standards include requirements for OIGs, including OIG employees who work on investigations and inspections, to maintain their independence. For additional information on quality and independence standards for OIGs, see appendix II. DHS OIG's Audit and Inspection Reports Provided Coverage of Key Component Agencies, Management Challenges, and High-Risk Areas: During fiscal years 2012 and 2013, the DHS OIG issued 361 audit and inspection reports.[Footnote 15] These reports provided coverage of all DHS key operational components, management challenges, and high- risk areas. According to the OIG, the majority of its audits and inspections were performed in response to congressional mandates or requests, while others were planned by the OIG based on factors such as the department's strategic plan, which identifies strategic missions and priorities, and by the OIG's annual performance plan and major management challenges identified for the department. OIG Reports Covered All DHS Key Components: Our review of issues addressed in the DHS OIG's audit and inspection reports issued during fiscal years 2012 and 2013 found that the OIG provided oversight of all components that DHS has identified as its key operational components. In addition, several OIG reports covered other DHS components, multiple components, and department-wide issues, as shown in table 3. Table 3: Office of Inspector General (OIG) Audit and Inspection Coverage of Department of Homeland Security (DHS) Components for Fiscal Years 2012 and 2013: Key operational components: DHS component: Federal Emergency Management Agency; Number of audit reports[A]: 200; Number of inspection reports: 0; Total: 200. DHS component: Transportation Security Administration; Number of audit reports[A]: 25; Number of inspection reports: 9; Total: 34. DHS component: U.S. Customs and Border Protection; Number of audit reports[A]: 26; Number of inspection reports: 1; Total: 27. DHS component: U.S. Coast Guard; Number of audit reports[A]: 16; Number of inspection reports: 0; Total: 16. DHS component: U.S. Immigration and Customs Enforcement; Number of audit reports[A]: 11; Number of inspection reports: 4; Total: 15. DHS component: U.S. Citizenship and Immigration Service; Number of audit reports[A]: 9; Number of inspection reports: 2; Total: 11. DHS component: U.S. Secret Service; Number of audit reports[A]: 1; Number of inspection reports: 1; Total: 2. DHS component: Other components; Number of audit reports[A]: 18; Number of inspection reports: 6; Total: 24. DHS component: Multiple component reports; Number of audit reports[A]: 18; Number of inspection reports: 3; Total: 21. DHS component: Departmental/department-wide issues; Number of audit reports[A]: 11; Number of inspection reports: 0; Total: 11. DHS component: Total; Number of audit reports[A]: 335; Number of inspection reports: 26; Total: 361. Source: GAO analysis of DHS OIG reports issued in fiscal years 2012 and 2013. GAO-14-726. [A] Audit reports include reports from the OIG Offices of Audits, Information Technology Audits, and Emergency Management Oversight. [End of table] As table 3 illustrates, the majority of the OIG's audit and inspection reports issued in fiscal years 2012 and 2013 addressed issues at the Federal Emergency Management Agency (FEMA). Specifically, 200 of these reports (55 percent) pertained solely to FEMA. Of these 200 reports, 166 reports involved audits of FEMA grants, including 118 reports on Disaster Assistance Grants. According to OIG officials, the large number of FEMA audits can be attributed to a number of factors. For example, the OIG has a statutory mandate to annually conduct audits of a sample of states and high-risk urban areas that receive grants administered by DHS to prevent, prepare for, protect against, or respond to natural disasters, acts of terrorism, and other disasters. [Footnote 16] In addition, FEMA's programs are considered to have a higher financial risk than those of other DHS components because it distributes disaster relief funds to so many communities nationwide-- for example, as of May 2014, over 135,000 applicants (e.g., local governments and nonprofit organizations to which public assistance funds are awarded) were receiving disaster assistance. Moreover, FEMA has the largest budget of all DHS components, with total budgetary resources of over $36 billion for fiscal year 2013, or about 38 percent of the department's total budget. In addition, the OIG received $27 million from the Disaster Relief Fund in fiscal year 2013 specifically for conducting audits and investigations related to disasters.[Footnote 17] OIG Reports Covered All Reported DHS Management Challenges and High- Risk Areas: Of the 361 audit and inspection reports issued during fiscal years 2012 and 2013, we found that 355 OIG reports pertained to the department's management challenges reported by the OIG. OIGs began annually identifying management challenges (i.e., what the IG considers to be the most serious management and performance challenges facing the agency) for their respective departments or agencies in 1997 at the request of Congress and continue to do so based on requirements of the Reports Consolidation Act of 2000.[Footnote 18] The act requires executive agencies to include their IGs' lists of significant management challenges in their annual performance and accountability reports to the President, the Office of Management and Budget, and Congress. DHS reports this information in its annual agency financial report. As shown in table 4, the OIG reports issued during fiscal years 2012 and 2013 covered all nine management challenges identified for that time period. Table 4: Office of Inspector General (OIG) Coverage of Department of Homeland Security (DHS) Management Challenges for Fiscal Years 2012 and 2013: Management challenge: Grants Management[B]; Number of audit reports[A]: 177; Number of: inspection reports: 0; Total: 177. Management challenge: Financial Management; Number of audit reports[A]: 73; Number of: inspection reports: 0; Total: 73. Management challenge: Information Technology Management; Number of audit reports[A]: 28; Number of: inspection reports: 0; Total: 28. Management challenge: Border Security; Number of audit reports[A]: 13; Number of: inspection reports: 8; Total: 21. Management challenge: Transportation Security; Number of audit reports[A]: 9; Number of: inspection reports: 9; Total: 18. Management challenge: Emergency Management; Number of audit reports[A]: 16; Number of: inspection reports: 1; Total: 17. Management challenge: Acquisition Management; Number of audit reports[A]: 15; Number of: inspection reports: 1; Total: 16. Management challenge: Trade Operations and Security; Number of audit reports[A]: 3; Number of: inspection reports: 0; Total: 3. Management challenge: Infrastructure Protection; Number of audit reports[A]: 0; Number of: inspection reports: 2; Total: 2. Management challenge: Total; Number of audit reports[A]: 334; Number of: inspection reports: 21; Total: 355. Source: GAO analysis of DHS OIG reports issued in fiscal years 2012 and 2013. GAO-14-726. [A] Audit reports include reports from the OIG Offices of Audits, Information Technology Audits, and Emergency Management Oversight. [B] The 177 reports related to grants management include 166 related to Federal Emergency Management Agency (FEMA) grants and whether grantees or subgrantees accounted for and expended FEMA funds according to federal regulations and FEMA guidelines. [End of table] As shown in table 4, other than reports on FEMA grants, the majority of DHS OIG reports covered Financial Management and Information Technology Management. Reports in these subject areas made up over half of all the non-FEMA reports released by the OIG in fiscal years 2012 and 2013. Conversely, Trade Operations and Security and Infrastructure Protection received the least coverage. An OIG official noted that resource constraints, mandatory workload, and requested work affect the schedule and completion of work. We also compared the subjects of the 361 audit and inspection reports issued during fiscal years 2012 and 2013 to the high-risk areas reported by GAO. Since 1990, GAO has periodically reported on government operations that we have designated as high risk because of their greater vulnerabilities to fraud, waste, abuse, and mismanagement. In February 2013, we reported two high-risk areas that apply specifically to DHS and two other high-risk areas that pertain to DHS and other federal agencies and departments.[Footnote 19] As shown in table 5, we found that 177 OIG reports pertained to at least one of these four high-risk areas. Table 5: Department of Homeland Security (DHS) Office of Inspector General (OIG) Coverage of High-Risk Areas for Fiscal Years 2012 and 2013: GAO high-risk area: Strengthening DHS Management Functions; Number of audit reports[A]: 109; Number of inspection reports: 10; Total: 119. GAO high-risk area: Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland; Number of audit reports[A]: 36; Number of inspection reports: 13; Total: 49. GAO high-risk area: Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures; Number of audit reports[A]: 6; Number of inspection reports: 1; Total: 7. GAO high-risk area: National Flood Insurance Program; Number of audit reports[A]: 2; Number of inspection reports: 0; Total: 2. GAO high-risk areas: Total; Number of audit reports[A]: 153; Number of inspection reports: 24; Total: 177. Source: GAO analysis of DHS OIG reports issued in fiscal years 2012 and 2013. GAO-14-726. [A] Audit reports include reports from the OIG Offices of Audits, Information Technology Audits, and Emergency Management Oversight. [End of table] According to these data, the high-risk area of Strengthening DHS Management Functions received the most coverage in DHS OIG reports issued in fiscal years 2012 and 2013. This issue, which has been on the high-risk list since the department was established in 2003, encompasses a wide range of functions, including acquisition, information technology, financial and human capital management, and management integration.[Footnote 20] The other high-risk issue that pertains solely to DHS, the National Flood Insurance Program, has been on the high-risk list since 2006. According to OIG officials, the coverage of this issue has been limited because GAO has performed a significant body of work and issued a number of reports in this area over the last decade and the OIG did not want to duplicate efforts. [Footnote 21] The two high-risk issues that pertain to other federal agencies in addition to DHS--(1) Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland and (2) Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures--have been on the high-risk list since 2005 and 1997, respectively. Structure of DHS OIG Is Consistent with the IG Act, but Certain Policies and Procedures Could Be Improved: The DHS OIG's organizational structure includes all of the positions required by the IG Act, as well as several nonstatutory positions that help the OIG carry out its responsibilities. According to the OIG, changes to the OIG's structure made during fiscal year 2013 were intended to help further strengthen its organizational independence. The OIG also has policies and procedures designed to carry out most of the responsibilities required by the IG Act. However, we identified three areas--coordinating with the FBI, protecting employees' identities, and obtaining legal advice--in which the OIG's policies and procedures could be improved to better meet its responsibilities. DHS OIG Organizational Structure Is Consistent with Provisions of the IG Act: The IG Act requires that each OIG have certain specific positions in its organization. First, for cabinet departments and certain major agencies, it requires that each OIG be headed by an IG appointed by the President and confirmed by the Senate.[Footnote 22] The act also requires that each IG appoint or designate certain other positions, including: * an Assistant IG (AIG) for Audits, * an AIG for Investigations, and: * a Whistleblower Protection Ombudsman.[Footnote 23] The IG Act also requires that each IG obtain legal advice from a counsel either reporting directly to the IG or to another IG. In addition, a special provision for the DHS OIG requires the IG to designate a senior official to carry out responsibilities related to receiving and investigating complaints that allege abuses of civil rights or civil liberties. The DHS OIG has all of the positions required by the IG Act, which are highlighted in the OIG's organization chart in figure 1. Figure 1: Department of Homeland Security (DHS) Office of Inspector General (OIG) Organization Chart (as of July 2014): [Refer to PDF for image: Organization Chart] Top level: Inspector General[C]; * Chief of Staff; * Counsel[C]; * Deputy Inspector General: - Chief Operating Officer (March 2013-July 2014). Second level, reporting upward: Assistant Inspectors General: * Audits[C]; * Emergency Management Oversight; * Information Technology Audits; * Inspections; * Integrity and Quality Oversight[A]; * Investigations[B][C]; * Management. Source: DHS OIG. GAO-14-726. [A] The Whistleblower Protection Ombudsman, required by the Inspector General Act of 1978, as amended (IG Act), is a position within the Office of Integrity and Quality Oversight. [B] The Assistant Inspector General for Investigations has also been designated as the senior official having responsibilities related to allegations of civil rights and civil liberties abuses, a position required by the IG Act. [End of figure] For example, the DHS OIG has its own Office of Counsel, which is currently headed by a Deputy Counsel to the IG. Furthermore, in January 2012, the OIG issued a policy directive that designated the position of the AIG for Investigations as the Civil Rights and Civil Liberties Coordinator for investigative matters. In November 2012, the former Acting IG designated an individual within the Office of Investigations as the acting Whistleblower Protection Ombudsman with a goal of improving the availability of whistleblower protection information to employees throughout the department. In August 2013, after this function was transferred to the Office of Integrity and Quality Oversight (IQO), the same person became the permanent Whistleblower Protection Ombudsman. The DHS OIG has created several other senior positions in addition to those required by the IG Act, which are also shown in figure 1. As of July 2014, these positions include the Deputy IG and Chief of Staff within the OIG executive office, who provide executive leadership to the OIG. In addition, the OIG has AIGs to lead its Offices of Emergency Management Oversight, Information Technology Audits, Inspections, Integrity and Quality Oversight, and Management. As discussed further below, the Deputy IG position has been vacant since December 2013 and all of the AIGs report directly to the IG as of July 2014. Several Key OIG Positions Had Extended Vacancies: While the OIG's organizational structure appears reasonable and includes the positions required by the IG Act, at the time of our audit, several of its key positions had not been filled with permanent employees for extended periods of time or had only recently been filled. In November 2013, the Senate held a hearing related to this issue in which the Ranking Member of the Subcommittee on Efficiency and Effectiveness of Federal Programs and the Federal Workforce, Committee on Homeland Security and Governmental Affairs noted that vacancies in the IG and several key OIG positions left the agency without proper leadership.[Footnote 24] For example, the IG position was either occupied by an acting IG or vacant from February 27, 2011, through March 5, 2014. Specifically, with the former IG's resignation in February 2011, the Secretary designated the Deputy IG as the Acting IG who served in that position until January 2013, when he reached the statutory time limit for serving as an acting officer.[Footnote 25] At that point, the Acting IG reverted back to the title of Deputy IG, while still remaining the de facto head of the OIG. Because the Deputy IG was the head of the organization during that time, a Chief Operating Officer position was created in March 2013 to assume the functions that would otherwise be carried out by the Deputy IG when the IG position was filled. The Deputy IG once again became Acting IG in November 2013, when an IG was nominated, until his resignation in December 2013. Upon the Acting IG's resignation, the Chief Operating Officer served as the head of the OIG until a new IG was confirmed by the Senate on March 6, 2014, and assumed the post on March 10, 2014. The Chief Operating Officer retired in April 2014 and the position was eliminated in July 2014. Other executive positions within the OIG were also filled by acting staff for extended periods, including the following: * The Counsel to the IG had been vacant and filled by an Acting Counsel since December 2012 and remained so as of September 2014. * The AIG for Investigations was acting for 1 year before becoming permanent in May 2013. * The Office of Inspections has had an Acting or vacant AIG position since August 2012, except for approximately 2-½ months in early 2013 when it had an AIG.[Footnote 26] Changes to Organizational Structure Are Intended to Improve OIG Independence: In January 2013, the OIG's Office of Management evaluated the organizational structure of the OIG in regard to critical issues it was facing, including two situations that occurred in 2011 and 2012 that potentially threatened the credibility and independence of the OIG. One incident, which is detailed later in this report, arose from a conflict of interest with the former Acting IG, who had a family member who worked for a DHS unit associated with six audits or inspections, and required the reissuance of the associated reports. As a result of the OIG's Office of Management's study of this incident, the Chief Operating Officer position was created, as previously mentioned, to take on the normal duties of the second-in-command while either the Deputy IG or IG position was vacant. This included reviewing reports from which the former Acting IG had recused himself in order to avoid future conflicts of interest and to improve OIG independence. The second incident resulted from a lack of independence of an inspection team from the Office of Investigations that was conducting an internal inspection of an Office of Investigations field office in September 2011. The Department of Justice subsequently investigated this incident, and a grand jury issued an indictment in April 2013 against two employees in the Office of Investigations field office. The defendants were accused of falsifying documents prior to the internal inspection in order to impede, obstruct, and influence the inspection and conceal from the inspectors severe lapses in the field office's compliance with the OIG's investigative standards and internal policies. In March 2014, a federal court found one of the employees guilty of conspiracy and five counts of falsifying government documents. As a result of the OIG's Office of Management's study related to this incident, the DHS OIG established IQO in the summer of 2013 to enhance its organizational independence and oversight of its operations. According to OIG officials, this office was established to foster a more efficient and responsive OIG, revitalize oversight efforts, and better serve employees. At the time of our review, IQO was taking over various quality control functions previously carried out by other OIG offices. Specifically, IQO was given responsibility for the following functions: * Internal inspections of the OIG's audit, inspection, and investigation offices, which were previously conducted by the Offices of Management and Investigations. * Quality review of draft audit and inspection reports, which was previously done primarily by a report reviewer in the executive office. The same individual will continue reviewing reports but is now part of IQO. * Complaint intake, including the OIG hotline and whistleblower protection functions, which was previously conducted by the Office of Investigations. * Ombudsman for OIG employees, which was also previously under the Office of Investigations and at that time was only set up to address concerns of Office of Investigations personnel. OIG officials indicated that the Hotline and Whistleblower Protection functions would be in a better position to protect confidentiality and have better visibility if they were separate from the Office of Investigations as is the case in many similar organizations. In addition, IQO officials said that they were taking steps to strengthen both the Ombudsman and Whistleblower Protection functions by developing formal policies for these positions and providing training about these functions to the entire department. The establishment of IQO is a positive step toward improving the OIG's organizational independence for the reasons cited by the OIG and because it provides a separation of duties where independence problems previously existed. DHS OIG's Roles and Responsibilities Are Generally in Accordance with the IG Act: The DHS OIG's policies and procedures contained in its manuals and directives indicate that the OIG's roles and responsibilities are generally consistent with selected requirements of the IG Act. Provisions of the IG Act include requirements that IGs carry out the following responsibilities, among others: [Footnote 27] * Conduct audits and investigations related to department programs and operations. * Receive and investigate complaints or information from DHS employees regarding possible violations of law, rules, or regulations, or mismanagement, waste, abuse, or substantial danger to public health and safety. * Maintain oversight responsibility for internal investigations performed by DHS components, such as the U.S. Secret Service, U.S. Immigration and Customs Enforcement (ICE), and U.S. Customs and Border Protection (CBP). * Establish and maintain a direct link on the home page of the OIG website for individuals to report fraud, waste, and abuse. * Recommend policies for, and conduct, supervise, or coordinate activities for, promoting economy, efficiency, and effectiveness in the administration of the department's programs and operations or preventing and detecting fraud and abuse. * Report expeditiously to the Attorney General whenever the IG has reasonable grounds to believe there has been a violation of federal criminal law. As discussed further in appendix III, we found that the DHS OIG had established policies and procedures to carry out these and other selected requirements of the IG Act. Specifically, the OIG had manuals containing detailed policies and procedures to follow in carrying out its audits, inspections, and investigations. For example, the manual for the Office of Investigations--the Special Agent Handbook--included policies and procedures for receiving and investigating complaints. While most of the OIG's roles and responsibilities are consistent with the IG Act, we identified three areas--coordinating with the FBI, protecting employees' identities, and obtaining legal advice--in which the OIG could improve its policies and procedures to be more effective in meeting the OIG's mission objectives. OIG Lacks Agreement with the FBI for Coordination on Border Corruption Investigations: Although the OIG has a policy for notifying the FBI of any criminal investigations that it or another DHS component opens, it does not have an agreement with the FBI for sharing other information or otherwise coordinating efforts with the FBI on tips or allegations related to border corruption that are not under investigation. [Footnote 28] The IG Act requires OIGs to recommend policies for, and to conduct, supervise, or coordinate relationships between, the OIG and other federal agencies with respect to the identification and prosecution of participants in fraud or abuse. According to Attorney General Guidelines, OIGs have primary responsibility for preventing and detecting waste and abuse and concurrent responsibility with the FBI for preventing and detecting fraud and other criminal activity within their agencies and their agencies' programs.[Footnote 29] Congress has repeatedly expressed concern about border corruption and has held hearings on this issue. For example, in June 2011, the Senate held a hearing on CBP and the OIG's collaboration in the fight to prevent border corruption.[Footnote 30] The hearing included a discussion of OIG efforts to work with the FBI as well as CBP in preventing corruption among federal employees involved in protecting the U.S. borders. To investigate corruption among employees of agencies involved in protecting the U.S. border, the FBI has established several local border corruption task forces (BCTF), many of which operate along the southwest border. The OIG participates in local BCTFs both in the southwest and other locations. In addition, the FBI established the National BCTF to help provide guidance and oversight of the local BCTFs. To facilitate the operation of the National BCTF, in 2010, the FBI signed a memorandum of understanding (MOU) with CBP and the Transportation Security Administration. Although the OIG has agents assigned to the BCTFs, OIG officials stated that they did not sign this MOU because the ongoing dialogue has not yielded an agreement that recognizes the OIG's statutory authority and adequately delineates the roles and responsibilities of all parties involved, including the DHS components. OIG officials also stated that they could not reach agreement on sharing information with the FBI because, in their view, the proposed agreement was not sufficient to ensure mutual information sharing between the OIG and the FBI. Since at least 2010, the OIG and FBI have been working to reach agreement on an MOU to describe how the parties would work together, along with other DHS components, on the National BCTF. OIG officials told us that since a permanent AIG for Investigations was designated in May 2013, he has been making efforts to improve relationships. For example, the AIG for Investigations has had more meetings with the FBI and DHS components involved in the National BCTF, such as CBP and ICE, to discuss coordination and information-sharing efforts as well as ways to reach agreement on a BCTF MOU. The AIG for Investigations is also in support of the National BCTF and is working diligently with the FBI to reach an agreement, but stated that he believes that the information to be shared needs to be clearly defined and that the FBI must also agree to share information. Until the OIG and FBI reach agreement on working collaboratively, they are at risk of duplicating efforts or missing opportunities for taking effective action against border corruption. Recognizing this risk, the Senate Committee on Appropriations report for the DHS appropriations bill, 2014, directed the DHS Deputy Secretary--jointly with the OIG, CBP, and ICE--to report not later than March 17, 2014, on specific steps being taken to further address the process for investigating cases of corruption and the plan to work as a unified DHS with the FBI's BCTF.[Footnote 31] In addition, the Senate Committee on Appropriations report for the DHS appropriations bill, 2015, directed the DHS Deputy Secretary--jointly with the OIG, CBP, and ICE--to submit a status update report on the same issues no later than 60 days after the enactment of the DHS Appropriation Act, 2015.[Footnote 32] OIG Lacks Adequate Controls to Protect Identities of Employees Filing Complaints: The OIG receives and reviews complaints filed by DHS employees and the public regarding allegations of misconduct, including criminal misconduct, by DHS employees. It receives these complaints both directly from employees as well as through DHS components, where some complaints are initially filed. However, the OIG's process for handling complaints that it receives directly from employees does not include adequate internal controls to provide reasonable assurance that the identities of employees who file complaints and request confidentiality will be protected. The IG Act requires that IGs shall not, after receipt of a complaint or information from an employee, disclose the identity of the employee without his or her consent unless the IG determines that such disclosure is unavoidable during the course of an investigation. Consistent with the IG Act, OIG policy requires not disclosing the identities of employees who file complaints. However, the OIG's process for recording complaints and forwarding them to DHS components when necessary involves certain manual procedures usually carried out by only one OIG complaint intake employee per complaint without supervisory review. This process can be subject to human error; consequently, the OIG is at higher risk of not being able to ensure that employees' identities will be protected. During fiscal year 2013, according to OIG data provided to us, about 50 percent of the complaints received by the OIG came through the Joint Intake Center run by CBP and ICE and another 6 percent were received from other DHS components. The rest of the complaints were received directly from complainants through the OIG's website or by e- mail, fax, or phone. Complaints received through the website (about 15 percent) are automatically recorded into the OIG's complaint database, the Enforcement Data System, while complaints received through all other means, including those from the Joint Intake Center, must be manually recorded in the Enforcement Data System. Although the transfer of complaint information from the OIG's website into the Enforcement Data System is more automated than complaints from other sources, the website lacks certain controls that could result in the inadvertent disclosure of employees' identities. For example, when filing a complaint on the website, if an employee does not want to allow full disclosure of his or her identity, an employee can choose to be (1) anonymous or (2) confidential. However, the website lacks certain controls over these two categories. For example, see the following: * The anonymous category is intended to mean that the complainant does not have to supply any identifying information. To select anonymous, a complainant can check a box on the website. However, after complainants make this selection, the website still allows complainants to provide their names and other personal information, which could potentially be disclosed. * The confidential category is intended to mean the employee provides identifying information but does not want it released outside of the OIG. If an employee wants confidentiality rather than anonymity, the employee must write in the request for confidentiality on the website form because the website does not have a box to check for this type of complaint. As a result, even though the Enforcement Data System includes a "complaint confidential" box, a request for confidentiality on the website does not automatically record this request in the Enforcement Data System. Therefore, requests for confidentiality depend on the analyst who subsequently reviews the complaint manually marking the correct box in the system. Regardless of how a complaint is received, when a complaint is recorded in the Enforcement Data System, it is initially reviewed by a complaint intake analyst who determines if the complaint should be forwarded to a field office of the OIG Office of Investigations in the complainant's jurisdiction. If it is forwarded, an OIG investigator in that office reviews the complaint and decides whether to open an investigation on it. If the OIG decides not to investigate the complaint, and the complaint was received through the Joint Intake Center or another DHS component, a complaint intake analyst will usually send it back to the component without first notifying the complainant since the component has already had access to the complaint information. However, if the complaint was received directly from an employee rather than through a DHS component (e.g., OIG website, e-mail, fax, or phone), the intake analyst will send an e- mail to the employee requesting his or her consent to forward the complaint to the DHS component. If the employee provides consent, the analyst forwards the complaint to the component via e-mail. If an employee does not provide consent, the complaint may still be sent to the component but without any identifying information. However, there is no secondary check of this manual process, such as a supervisory review. As a result, the protection of an employee's identity depends on the accuracy and integrity of the individual processing the complaint. Without additional controls, the OIG could inadvertently disclose employees' identities without their consent. Such disclosure can put employees at risk of retaliation by the DHS components in which they work and could discourage other employees from filing complaints. Officials in IQO said that they were aware of these issues and that they were developing standard operating procedures and considering improvements to the website and the Enforcement Data System to better protect employees' identities, but they did not indicate when these would be complete. OIG Lacks Guidelines for Obtaining Legal Advice: While the OIG has its own Office of Counsel, it sometimes also obtains advice or discusses legal issues with the department's counsel. As previously discussed, the IG Act requires that an IG obtain legal advice from either a counsel reporting directly to the IG or a counsel reporting to another IG. However, the act does not preclude an IG from obtaining advice from its respective department's counsel if appropriate. For example, it may be appropriate for the IG to consult the department's counsel for legal advice regarding certain personnel practices if the OIG is subject to the human capital laws or regulations of the department or regarding ethics issues if the designated ethics official is a department employee. In its recent report on an investigation into allegations of misconduct by the former Acting IG, the Subcommittee on Financial and Contracting Oversight, Senate Committee on Homeland Security and Governmental Affairs, reported that the former Acting IG inappropriately sought advice from the department's counsel, according to former OIG officials.[Footnote 33] We interviewed former and current OIG officials and reviewed various e-mails provided that indicated the former Acting IG sought legal advice from a counsel at the department on several occasions. In general, we found the consultations were likely acceptable and appropriate as the legal matter appeared to be under the department's purview. However, in one e-mail the former Acting IG stated that he had lost confidence in his counsel and wanted legal help from a counsel at the department for the next 4 months. Because the former Acting IG's request did not specify the type of legal assistance needed, it was not clear whether his request or any subsequent legal assistance received was for appropriate matters. The OIG did not have a policy stating the legal requirement for the IG to obtain legal advice from either the IG's counsel or from counsel reporting to another IG, nor did it have any guidelines specifying the circumstances in which it would be appropriate for the OIG to consult with the department's counsel. Having such a policy and guidelines could help avoid any potential impairment to independence when seeking legal advice. The OIG's Deputy Counsel stated that he was considering whether to develop a policy and that he has asked a working group to draft guidelines on consultations between the OIG and the department's counsel. DHS OIG's Policies and Procedures Were Consistent with Applicable Independence Standards, but Effective Implementation Is Key: Independence is one of the most important elements of a strong OIG function as it helps to ensure that an IG's work is viewed as impartial by agency personnel, Congress, and the public. The DHS OIG's policies and procedures indicated that the OIG staff were expected to comply with both generally accepted government auditing standards (GAGAS) and CIGIE independence standards. Each of the OIG's oversight functions--audits, inspections, and investigations--had its own manual of policies and procedures that was consistent with applicable independence standards. However, the procedures for ensuring compliance with these standards varied among the different functions. Audit Policies and Procedures Were Consistent with Independence Standards but Have Not Been Consistently Followed: Three offices within the DHS OIG conduct audits--the Offices of Audits, Information Technology Audits, and Emergency Management Oversight. Officials from each of these offices said that their operations are guided by DHS's OIG Audit Manual, which refers to GAGAS and CIGIE independence standards and provides guidance consistent with these standards. In addition, each of their audit reports includes a statement about the audit's compliance with GAGAS. The OIG Audit Manual describes the OIG's quality assurance and control system that, according to the manual, provides the controls necessary to ensure that GAGAS audits are conducted in accordance with applicable auditing standards and internal policies and guidance. For example, the manual requires supervisory and management reviews of audit documentation and resulting reports prior to issuance. The manual states that the AIG for each audit office is responsible for ensuring implementation of these controls. Other parts of the OIG's quality control system described in the manual include annual internal quality control reviews of audit offices and reports, as well as external peer reviews of audit operations by an independent federal OIG at least once every 3 years. The OIG Audit Manual describes how OIG audit staff should document their independence. For auditors at the director level and below, the manual requires staff to document their independence biweekly in the OIG's Time and Tracking System. For senior executives, including the IG, Deputy IG, Chief of Staff, AIGs, and others involved in reviewing audit reports, the manual requires documentation of their independence once a year when they complete ethics training and financial disclosure forms.[Footnote 34] The manual further states that each office will maintain these annual certifications of independence, but does not require the certifications to be centrally maintained and monitored for compliance. Procedures for each of the three audit offices regarding annual certificates varied. For example, the Office of Audits said that it maintained annual independence certificates for its division directors as well as senior executives, while the Office of Emergency Management Oversight only maintained them for its senior executives (the AIG and Deputy AIG). The Office of Information Technology Audits said that instead of signing annual certifications, its senior executives sign independence certifications for every audit they work on, consistent with procedures for its audit staff. While the audit offices told us they maintained independence certificates centrally within each office, the OIG executive office, which consisted of four senior executives at the time of our audit, indicated that it did not do so. In response to our February 2014 request for copies of certificates for the senior executives in the front office, an OIG official gathered certificates from the individuals. Two of the certificates were signed after we requested them, and according to the official, a certificate could not be found for the Acting IG who had recently left the OIG. Similarly, both the internal quality reviews and peer reviews conducted from 2009 through 2012 identified instances in which employees, including some senior executives, had not documented their independence in accordance with the OIG Audit Manual, although these instances were not deemed significant enough to prevent the audit offices from passing these reviews. If senior officials do not comply with the OIG Audit Manual requirement to sign annual certificates of independence or maintain them centrally in order to monitor compliance, they might not be aware of potential threats to independence or be as familiar with GAGAS or CIGIE independence requirements as they should be. For example, as a result of an impairment to the former Acting IG's independence that was not identified in a timely manner, several audits and inspections were affected in fiscal year 2012. Specifically, a total of six reports from the Offices of Audits, Information Technology Audits, and Inspections were reissued to include a statement about an impairment of independence in appearance resulting from a family member of the former Acting IG being employed by an entity within DHS associated with these audits and inspections. In addition, because of the same impairment, one other audit was terminated without a report being issued. According to audit staff, they inadvertently became aware of the former Acting IG's impairment in July 2012 as a result of an audit official hearing about the employment of the family member from a source outside of the OIG. In addition, a number of other allegations of abuse of power and misconduct were made against the former Acting IG, including failure to uphold the independence and integrity of the DHS OIG office. These issues, among others, were to be the subject of a Subcommittee on Financial and Contracting Oversight, Senate Committee on Homeland Security and Governmental Affairs, hearing scheduled for December 2013 that was canceled after the former Acting IG resigned on December 16, 2013, and transferred to another office within DHS. In April 2014, the subcommittee issued a report on its investigation into the allegations of misconduct by the former Acting IG.[Footnote 35] This investigative report detailed the subcommittee's findings of its investigation into the allegations, including some actions that it said jeopardized OIG independence. For example, the subcommittee found that the former Acting IG had directed the alteration or delay of some reports at the request of senior DHS officials and that he did not obtain independent legal advice. Subsequent to the issuance of the subcommittee report, the new DHS Secretary put the former Acting IG on administrative leave pending other investigations. While signing a certificate of independence might not have prevented these independence issues, it could nevertheless serve as a reminder of individual responsibilities and potential threats to independence. Further, because certificates of independence are not maintained centrally, management's ability to monitor compliance with independence requirements and obtain reasonable assurance that controls are in place and operating as intended is hindered. However, as stated in Standards for Internal Control in the Federal Government, no matter how well designed and operated, internal control cannot provide absolute assurance that all agency objectives will be met.[Footnote 36] Factors outside the control or influence of management, such as human error or acts of collusion to circumvent controls, can render policies and procedures ineffective. Inspection Policies and Procedures Were Consistent with Independence Standards: According to OIG officials, the DHS OIG's Office of Inspections follows guidance in CIGIE's Quality Standards for Inspection and Evaluation. In addition, DHS's OIG Inspections Manual states that inspectors are expected to be knowledgeable of, and to abide by, the performance standards, including independence, described in CIGIE's quality standards. The OIG Inspections Manual includes guidance on independence that is consistent with CIGIE standards although not as detailed. For example, the manual states that while conducting an inspection, all team members have a responsibility to maintain independence so that opinions, conclusions, judgments, and recommendations will be impartial and viewed as such by knowledgeable third parties. Neither CIGIE's quality standards nor the OIG Inspections Manual requires external peer reviews of OIG inspection activities. However, CIGIE's quality standards states that an OIG should have quality control mechanisms that provide an independent assessment of inspection processes and work. To help assess the inspection processes and work, in 2006, the AIG for Inspections requested an independent external review of three inspections. Each inspection was reviewed by a different OIG, and the reviews focused on the quality of work performed for each inspection. None of the reports from these external reviews identified any independence concerns. More recently, in February 2014, the OIG completed its first internal quality review of the Office of Inspections. The resulting report indicated that the Office of Inspections materially complied with CIGIE's quality standards, and the report did not identify any issues with respect to independence. Investigation Policies and Procedures Were Consistent with Independence Standards: According to DHS OIG officials, OIG investigations are conducted in accordance with CIGIE's Quality Standards for Investigations. In addition, the Office of Investigations has its own manual--the Special Agent Handbook--which states that investigations will be conducted in accordance with CIGIE's standards as well as Attorney General Guidelines for OIGs. CIGIE standards for investigations include requirements on independence that are similar to those for audits. The Special Agent Handbook includes guidance on ethical conduct and conflicts of interest, specifically stating that if a special agent suspects that a conflict of interest exists or that there might be an appearance of a conflict of interest, the agent should notify the Special Agent in Charge as soon as possible. The DHS OIG Office of Investigations passed peer reviews by the Social Security Administration OIG and the Department of Defense OIG in 2009 and 2013, respectively. Neither of these peer reviews included any issues regarding independence or conflicts of interest. In addition, the Office of Investigations conducted its own internal inspections in the past. None of the internal inspection reports from fiscal years 2011 and 2012 identified any issues with respect to independence. However, because of serious concerns about the independence of the internal inspection function carried out by the Office of Investigations as previously discussed, the OIG decided to create IQO in 2013 and move this function to that office. OIG officials told us that the Special Agent Handbook is being updated, in part, as a result of the transfer of some functions, such as complaint intake, to IQO. Conclusions: The DHS OIG's organizational structure has the positions required by the IG Act to carry out its various responsibilities. However, the lack of an appointed IG for 3 years may have contributed to a number of other senior positions being filled with "acting" individuals for extended periods of time. The OIG has made some meaningful changes to its structure to try to address concerns about the integrity and independence of the OIG. The establishment of IQO is intended to enhance the OIG's ability to carry out functions such as complaint intake and whistleblower protection, including helping to ensure that these functions maintain their independence. However, the DHS OIG process for recording and referring complaints received directly from DHS employees does not provide reasonable assurance that employees' identities are protected, as required by the IG Act. In addition, the important role that the OIG plays in receiving and investigating allegations of criminal activity within the department can be enhanced through better coordination and information sharing with the FBI. OIG officials intend to continue working toward improved coordination with the FBI and provided input to a DHS report with their plans, as directed by the Senate. In light of the congressional direction to DHS, we are not making a recommendation on this matter at this time. Furthermore, although the IG has its own counsel as required by the IG Act, the OIG did not have a policy to address the legal requirements related to obtaining advice from legal counsel. While the DHS OIG has appropriate policies and procedures in place to comply with independence standards, even the best control procedures cannot always guarantee that standards are being met. Although the former Acting IG was required to sign an annual certificate of independence reminding him of independence requirements, the OIG did not have a policy that these certificates be collected and maintained centrally, which would improve management's ability to monitor compliance with independence requirements. Recommendations for Executive Action: We recommend that the OIG take the following three actions: * To improve its intake and complaint processing function, we recommend that the OIG design and implement additional controls, which may include additional automated controls and supervisory review, to provide reasonable assurance that employees' identities are not disclosed without their consent when forwarding complaints to DHS components. * To help avoid any impairment to independence when seeking legal advice, we recommend that the OIG develop a policy for obtaining legal advice from counsel reporting either directly to the IG or another IG and work with the IG's counsel to establish guidelines for when it would be appropriate for the OIG to consult with the department's counsel. * To help ensure that senior executives are aware of independence requirements so that they are able to identify and mitigate any threats to their independence, we recommend that the OIG revise its guidance in the OIG Audit Manual to require signed annual certificates of independence to be collected and maintained centrally in order to monitor compliance. Agency Comments and Our Evaluation: We provided a draft of this report to the DHS Inspector General for review and comment. In written comments, which are reprinted in appendix IV, the OIG generally agreed with our conclusions and concurred with all of our recommendations. In addition, the OIG provided technical comments that we incorporated into the report as appropriate. We also provided the FBI with an excerpt of the draft report related to its coordination with the OIG on border corruption investigations. The FBI did not have any comments. The OIG described actions planned and under way to address each of our recommendations. Specifically, the OIG stated that it is revising its online allegation form to (1) ensure complainants do not inadvertently provide personal data when their intent was to remain anonymous and (2) simplify and clarify to complainants the distinctions between filing an anonymous complaint versus filing a confidential complaint. The OIG anticipates completing the changes to the online allegation form within 90 days of its letter. According to the OIG, it has also implemented supervisory controls to provide oversight and quality control of intake analysts' work, including the movement or referral of complaints to DHS components. The OIG also stated that it plans to develop policy and guidelines within 90 days of its letter to describe the circumstances under which the IG can obtain legal advice from DHS's Office of Legal Counsel. In addition, the OIG plans to revise its audit manual by October 31, 2014, to require the Office of Integrity and Quality Oversight to collect and maintain senior executives' signed annual independence statements. If implemented effectively, the OIG's planned actions should address the intent of our recommendations. We are sending copies of this report to appropriate congressional committees, the Secretary of Homeland Security, and the DHS Inspector General. In addition, the report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions about this report, please contact me at (202) 512-9869 or khana@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff members who made key contributions to this report are listed in appendix V. Signed by: Asif A. Khan: Director Financial Management and Assurance: List of Committees: The Honorable Mary L. Landrieu: Chairwoman: The Honorable Dan Coats: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable John R. Carter: Chairman: The Honorable David E. Price: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: [End of section] Appendix I: Objectives, Scope, and Methodology: The joint explanatory statement accompanying the Department of Homeland Security (DHS) Appropriations Act, 2013, directed GAO to review the Office of Inspector General's (OIG) organizational structure and whether its audit, investigation, and inspection functions are organizationally structured to ensure that independence standards are met.[Footnote 37] To meet the committee's time frames established in the explanatory statement, we briefed committee staffs on our preliminary observations in November 2013. This report provides the results of our review to determine (1) the coverage that the OIG's audits and inspections provided of DHS's key component agencies, management challenges, and high-risk areas; (2) the extent to which the OIG's organizational structure and roles and responsibilities were consistent with the Inspector General Act of 1978, as amended (IG Act); and (3) the extent to which the design of OIG's policies and procedures for planning, reviewing, and reporting on audit, inspection, and investigation results was consistent with applicable independence standards. To determine the coverage that DHS OIG's audits and inspections provided of DHS's key component agencies, management challenges, and high-risk areas, we reviewed the DHS agency financial reports for fiscal years 2012 and 2013 to identify DHS's key operational components. To identify the department's management challenges, we reviewed the OIG's annual performance plans for fiscal years 2012 and 2013. To identify the high-risk areas for DHS, we reviewed GAO's High- Risk Series for 2013. To identify DHS OIG reports issued during fiscal years 2012 and 2013 and the subjects covered in those reports, we reviewed DHS OIG's semiannual reports. In conducting our analysis, we did not review the coverage provided by investigations because they are generally conducted based on specific allegations of misconduct received and are not planned in advance as audits and inspections are. We compared the agencies and subjects covered in these audit and inspection reports with DHS's key component agencies, management challenges, and high-risk areas to determine DHS OIG's oversight coverage of DHS. We also interviewed knowledgeable DHS OIG officials to obtain their comments about the results of our analysis. To determine the extent to which the organizational structure, roles, and responsibilities of the DHS OIG were consistent with the IG Act, we reviewed DHS OIG's organization chart, office descriptions, policies related to its roles and responsibilities, memorandums of understanding, and other relevant documents. We also interviewed former and current DHS OIG officials, as well as officials from DHS components, including officials from U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and the Federal Emergency Management Agency, and officials from the Federal Bureau of Investigation (FBI). We analyzed the information from interviews and documentation to determine whether there were any inconsistencies between the information and the applicable IG Act requirements and the reasons for any such inconsistencies. Our review focused primarily on OIG documentation and discussions with OIG officials to assess the design of the OIG's stated roles and responsibilities. For the most part, we did not review the implementation of these roles and responsibilities except for certain issues that came to our attention- -specifically, the lack of a memorandum of understanding with the FBI, the procedures for protecting employee confidentiality, and the nature of OIG consultations with the department's legal counsel. To determine the extent to which the design of DHS OIG's policies and procedures for planning, reviewing, and reporting on audit, inspection, and investigation results was consistent with applicable independence standards, we interviewed DHS OIG officials and reviewed applicable policy, procedure, and planning documents, such as the OIG Audit Manual, OIG Inspections Manual, and Special Agent Handbook. We also reviewed peer review reports of audit and investigative operations as well as reports of internal inspections of investigative activities. We assessed the design of the DHS OIG's policies and procedures for planning, reviewing, and reporting on audit, investigation, and inspection results and determined whether the design was consistent with applicable independence standards found in Government Auditing Standards and the standards published by the Council of the Inspectors General on Integrity and Efficiency that include Quality Standards for Federal Offices of Inspector General, Quality Standards for Inspection and Evaluation, and Quality Standards for Investigations. We also requested information about which employees signed annual certifications of independence and requested copies of these certifications for selected staff. We conducted this performance audit from June 2013 to September 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Inspector General Quality and Independence Standards: Quality Standards: Federal inspectors general (IG) have various quality standards to which their offices must adhere in performing their work. The Quality Standards for Federal Offices of Inspector General (referred to as the Silver Book), adopted by Council of the Inspectors General on Integrity and Efficiency (CIGIE), provides the overall quality framework for managing, operating, and conducting the work of offices of inspector general (OIG) and covers critical topics such as independence, ethics, and confidentiality.[Footnote 38] These quality standards also address planning and coordinating work, maintaining quality assurance, and ensuring internal control.[Footnote 39] In addition to the Silver Book, federal OIGs have standards for specific types of work. For audits, the Inspector General Act of 1978, as amended requires IGs to carry out work in accordance with generally accepted government auditing standards published in Government Auditing Standards.[Footnote 40] For investigations and inspections, CIGIE has developed additional standards: Quality Standards for Investigations[Footnote 41] and Quality Standards for Inspection and Evaluation.[Footnote 42] Independence Standards: Government Auditing Standards and CIGIE standards contain provisions covering independence. Government Auditing Standards establishes a conceptual framework that can be used to identify, evaluate, and apply safeguards (such as removing an individual from an audit team or consulting an independent third party) to eliminate the threats to independence or reduce them to an acceptable level. Under Government Auditing Standards, IGs should evaluate the following broad categories of threats to independence: 1. Self-interest: The threat that a financial or other interest will inappropriately influence an auditor's judgment or behavior. 2. Self-review: The threat that an OIG employee or OIG that has provided nonaudit services will not appropriately evaluate the results of previous judgments made or services performed as part of the nonaudit services when forming a judgment significant to an audit. 3. Bias: The threat that an OIG employee will, as a result of political, ideological, social, or other convictions, take a position that is not objective. 4. Familiarity: The threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship or that of an immediate or close family member, will lead an OIG employee to take a position that is not objective. 5. Undue influence: The threat that external influences or pressures will affect an OIG employee's ability to make independent and objective judgments. 6. Management participation: The threat that results from an auditor's taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit. 7. Structural: The threat that an OIG's placement within a government entity, in combination with the structure of the government entity being audited, will affect the OIG's ability to perform work and report results objectively. CIGIE's Quality Standards for Federal Offices of Inspector General closely mirrors the independence language in Government Auditing Standards. For example, it states that IGs and their staffs must be free both in fact and in appearance from personal, external, and organizational impairments to their independence. Further, the IGs and their staffs have a responsibility to maintain independence so that opinions, conclusions, judgments, and recommendations will be impartial and viewed as impartial by knowledgeable third parties. CIGIE also addresses the same seven categories of threats to independence as Government Auditing Standards. CIGIE's standards specifically for investigations and inspections also include language about the importance of independence; however, they contain far less detail about independence than the overall standards. [End of section] Appendix III: DHS OIG's Policies and Procedures to Address Selected IG Act Requirements: The Inspector General (IG) Act of 1978, as amended requires the independent IGs at major departments and agencies, including Department of Homeland Security (DHS), to carry out specific roles and responsibilities.[Footnote 43] Table 6 summarizes selected requirements and the DHS Office of Inspector General's (OIG) procedures for carrying out these requirements. Table 6: Department of Homeland Security (DHS) Office of Inspector General (OIG) Procedures to Address Selected Inspector General (IG) Act of 1978, as Amended (IG Act) Requirements: IG Act requirement: IG must report to head of establishment (i.e., DHS). [Section 3(a)]; DHS OIG policies or procedures: The DHS OIG has an IG position that reports to the Secretary of DHS[A]. IG Act requirement: Appointment of Assistant IG for Auditing. [Section 3(d)(1)(A)]; DHS OIG policies or procedures: The DHS OIG has an Assistant IG for Audits[A]. IG Act requirement: Appointment of Assistant IG for Investigations. [Section 3(d)(1)(B)]; DHS OIG policies or procedures: The DHS OIG has an Assistant IG for Investigations[A]. IG Act requirement: Appointment of Whistleblower Protection Ombudsman. [Section 3(d)(1)(C)]; DHS OIG policies or procedures: The DHS OIG has a Whistleblower Protection Ombudsman[A]. IG Act requirement: Obtain legal advice from counsel reporting to an IG. [Section 3(g)]; DHS OIG policies or procedures: The DHS OIG obtains legal advice from its Office of Counsel[A]. IG Act requirement: Provide policy direction for, and conduct, supervise, and coordinate audits and investigations relating to, the programs and operations of such establishment. [Section 4(a)(1)]; DHS OIG policies or procedures: The DHS OIG's Office of Management is responsible for developing audit policy and directives. The DHS OIG's Offices of Audits and Investigations are responsible for conducting, supervising, and coordinating audits and investigations.[A] The DHS OIG Audit Manual and Special Agent Handbook assist these offices with their responsibilities. IG Act requirement: Make recommendations in semiannual reports regarding the impact of existing and proposed legislation and regulations on programs and operations of such establishment. [Section 4(a)(2)]; DHS OIG policies or procedures: The DHS OIG has a Planning and Compliance Division responsible for reviewing legislation and regulations as well as managing the semiannual report process. See the DHS OIG's website for its semiannual reports. IG Act requirement: Promote economy, efficiency, and effectiveness in preventing and detecting fraud and abuse in its programs and operations. [Section 4(a)(3)]; DHS OIG policies or procedures: Six of the DHS OIG's offices--the Offices of Audits, Emergency Management Oversight, Information Technology Audits, Inspections, Integrity and Quality Oversight, and Investigations--support its mission to improve, or prevent and detect fraud and abuse in, DHS programs and operations[A]. IG Act requirement: Coordinate relationships between the establishment and other federal agencies, state and local governmental agencies, and nongovernmental entities with respect to (A) all matters relating to the promotion of economy and efficiency in the prevention and detection of fraud and abuse in, programs and operations administered or financed by such establishment, or (B) the identification and prosecution of participants in such fraud or abuse. [Section 4(a)(4)]; DHS OIG policies or procedures: The DHS OIG has memorandums of understanding with other DHS investigative components in order to coordinate responsibilities and relationships regarding the matters discussed in section 4(a)(4) of the IG Act. IG Act requirement: Report to the head of the establishment and Congress on fraud and other serious issues relating to the establishment's administration of programs and operations, recommended corrective actions, and progress made in implementing corrective actions. [Section 4(a)(5)]; DHS OIG policies or procedures: DHS Management Directive 0810.1 states that the OIG is authorized to inform the Secretary, Deputy Secretary, and Congress about any problems and deficiencies relating to the administration of any DHS program or operation and the need for, and progress of, corrective action. It also states that the OIG is to prepare semiannual reports to the Secretary and Congress in accordance with the IG Act. IG Act requirement: Comply with standards established by the Comptroller General of the United States for audits of federal establishments, organizations, programs, activities, and functions. [Section 4(b)(1)(A)]; DHS OIG policies or procedures: According to OIG officials, the Offices of Audits, Information Technology Audits, and Emergency Management Oversight all follow the DHS OIG Audit Manual. The manual refers to and builds upon government auditing standards. IG Act requirement: Establish guidelines for determining when to use non-federal auditors and assure that any work performed by non-federal auditors complies with government auditing standards. [Section 4(b)(1)(B-C)]; DHS OIG policies or procedures: The DHS OIG Audit Manual provides policy and guidance and delineates responsibilities for the engagement and oversight of federal and nonfederal contract auditors (i.e., outside auditors) performing audits of DHS on the DHS OIG's behalf. IG Act requirement: Quality control and peer reviews of the OIG shall be performed exclusively by an IG appointed pursuant to the IG Act, the Government Accountability Office (GAO) or certain limited federal audit entities. [Section 4(b)(2)]; DHS OIG policies or procedures: The organization chart and mission statement for the DHS OIG's Office of Integrity and Quality Oversight state that it is responsible for quality control compliance and will facilitate the peer review process going forward. This office will also ensure that quality requirements for investigative, audit, and inspection reports are fulfilled. IG Act requirement: Effectively coordinate with GAO to avoid duplication and ensure effective coordination and cooperation. [Section 4(c)]; DHS OIG policies or procedures: According to the DHS OIG's Audit Process Handbook, audit teams will coordinate with GAO and other OIG offices to identify any prior or ongoing work in the area to be audited. IG Act requirement: Report to the Attorney General whenever the IG has reasonable grounds to believe there has been a violation of federal criminal law. [Section 4(d)]; DHS OIG policies or procedures: The Special Agent Handbook requires the DHS OIG to report violations of federal criminal law to the Attorney General through the Federal Bureau of Investigation (FBI). In cases of concurrent jurisdiction, the OIG must promptly notify the FBI in writing upon the initiation of any criminal investigation. IG Act requirement: Prepare semiannual reports summarizing the activities of the office during the immediately preceding six-month periods ending March 31 and September 30. [Section 5]; DHS OIG policies or procedures: The DHS OIG publishes semiannual reports as described in section 5. See the DHS OIG's website for copies of these reports. IG Act requirement: Require by subpoena the production of all documentary evidence and other data in any medium necessary in the performance of the functions assigned by this act. [Section 6(a)(4)]; DHS OIG policies or procedures: The DHS OIG's Strategic Plan states that the OIG's Office of Counsel furnishes attorney services for the issuance and enforcement of OIG subpoenas. IG Act requirement: Take from any person an oath, affirmation, or affidavit, whenever necessary in the performance of the functions assigned by this act, which will have the same effect as if taken by a sealed officer. [Section 6(a)(5)]; DHS OIG policies or procedures: The Special Agent Handbook states that the DHS OIG's Office of Investigations is tasked with taking oaths, affirmations, and affidavits. IG Act requirement: Employ officers and employees as necessary for carrying out the functions, powers, and duties of the office. [Section 6(a)(7)]; DHS OIG policies or procedures: The DHS OIG's Strategic Plan states that the OIG's Office of Management provides critical administrative support functions, including personnel services. IG Act requirement: Whenever information or assistance requested is unreasonably refused or not provided, the IG shall report the circumstances to the head of the establishment involved. [Section 6(b)(2)]; DHS OIG policies or procedures: The DHS OIG's Strategic Plan states that the OIG is required to inform the Secretary of serious problems, including when a request for information is unreasonably refused or information is not provided. IG Act requirement: For each fiscal year, an IG shall transmit a budget estimate and request to the head of the establishment to which the IG reports. [Section 6(f)(1)]; DHS OIG policies or procedures: The DHS OIG's Strategic Plan states that the OIG's Office of Management is responsible for budget formulation and execution. IG Act requirement: The IG may receive and investigate complaints or information from an employee concerning possible violations of law, rules, or regulations, or mismanagement, gross waste of funds, abuse of authority or a substantial and specific danger to the public health and safety. [Section 7(a)]; DHS OIG policies or procedures: The DHS OIG administers a complaint hotline and also receives complaints from other DHS components. The OIG reviews each complaint and decides whether to open an investigation. The Special Agent Handbook describes this process. IG Act requirement: The IG shall not disclose the identity of an employee who submitted a complaint or other information without the consent of the employee, unless the IG determines such disclosure is unavoidable during the course of the investigation. [Section 7(b)]; DHS OIG policies or procedures: The Special Agent Handbook cites the IG Act and requires that the OIG not disclose a complainant's name without his/her permission unless the IG determines such disclosure is unavoidable. IG Act requirement: Any employee who has authority to take, direct others to take, recommend, or approve any personnel action, shall not, with respect to such authority, take or threaten to take any action against any employee as a reprisal for making a complaint or disclosing information to an IG, unless the complaint was made or the information disclosed with the knowledge that it was false or with willful disregard for its truth or falsity. [Section 7(c)]; DHS OIG policies or procedures: The Special Agent Handbook includes excerpts from both the IG Act and Whistleblower Protection Act regarding this issue. IG Act requirement: Within 30 days of notice from the Secretary exercising the right to prohibit the IG from completing any audit or investigation, the IG shall transmit to the President of the Senate, the Speaker of the House of Representatives, and appropriate committees and subcommittees of Congress (A) a copy of such notice and (B) a written response agreeing or disagreeing with such exercise and the reasons for any disagreement. [Section 8I(a)(3)(A-B)]; DHS OIG policies or procedures: The DHS OIG's Strategic Plan states that the OIG is required to inform Congress of serious problems. While the OIG does not have a specific written policy regarding this requirement, an OIG official stated that the IG Act serves as the OIG's policy for this type of situation. Further, the official said that this type of situation has not occurred in at least the past 7 years. IG Act requirement: Subject to special provisions concerning DHS, the DHS OIG may initiate, conduct, and supervise such audits and investigations in DHS as the IG considers appropriate. [Section 8I(c)]; DHS OIG policies or procedures: The DHS OIG has three offices responsible for conducting audits and one office responsible for investigations. The OIG Audit Manual and Special Agent Handbook provide guidance on these responsibilities. IG Act requirement: DHS OIG has oversight responsibility for internal investigations performed by the Office of Internal Affairs of the United States Customs Service, the Office of Inspections of the United States Secret Service, the Bureau of Border Security, and the Bureau of Citizenship and Immigration Services. The head of each office or bureau shall promptly report to the IG the significant activities being carried out. [Section 8I(e)]; DHS OIG policies or procedures: The DHS OIG's Strategic Plan and a management directive state that the Office of Investigations provides oversight and monitors the investigations of DHS's various internal affairs offices. IG Act requirement: The DHS IG shall designate a senior official within the OIG to coordinate OIG activities regarding the OIG's investigations of abuses of civil rights or civil liberties. [Section 8I(f)(1-2)]; DHS OIG policies or procedures: A management directive designates the Assistant IG for Investigations as having responsibilities related to allegations of civil rights and civil liberties abuses. Also, the DHS OIG Strategic Plan states that the Office of Investigations has responsibilities for investigating and reporting civil rights and civil liberties abuses. IG Act requirement: No later than 3 days after any report or audit (or portion of any report or audit) is made publicly available, the IG of each agency shall (A) post that report or audit (or portion thereof) on the OIG's website; and (B) ensure that any posted report (i) is easily accessible from a direct link on the OIG's website homepage; (ii) includes a summary of the IG's findings; and (iii) is in a format that (I) is searchable and downloadable; and (II) facilitates printing by those accessing the website. [Section 8M(b)(1)(A-B)]; DHS OIG policies or procedures: The DHS OIG's Strategic Plan states that the Office of Management is responsible for posting reports to the DHS OIG's public website. Per DHS OIG guidance, reports are posted to the website within 3 days of being made publicly available. IG Act requirement: Maintain a direct link on the homepage of the website of the OIG for individuals to report fraud, waste, and abuse without being required to provide personally identifying information. [Section 8M(b)(2)(A)]; DHS OIG policies or procedures: The DHS OIG has a link on its website for reporting fraud, waste, and abuse, which is managed by its Office of Integrity and Quality Oversight. Source: GAO analysis of DHS policies and procedures compared to selected IG Act requirements. GAO-14-726. [A] See organization chart in figure 1 of this report. [End of table] [End of section] Appendix IV: Comments from the Department of Homeland Security Office of Inspector General: Office of Inspector General: Department of Homeland Security: Washington, DC 20528: [hyperlink, http://www.oig.dhs.gov] September 8, 2014: Mr. Asif A. Khan: Director, Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Khan: We have reviewed your draft report Inspectors General: DHS OIG's Structure, Policies and Procedures Are Consistent with Standards, but Areas for Improvement Exist (GAO-14-726). We are pleased that you have found that our office's policies and procedures are consistent with established quality and independence standards, and that we have made recent changes to even further enhance independence and oversight, such as establishing an Office of Integrity and Quality Oversight. We also note that you have correctly concluded that our reports cover all of the DHS management challenges and high risk areas. We have provided technical comments separately. We appreciate your consideration to these matters. In addition, before responding to your recommendations, I have a few overarching comments that would be important for you to consider before completing your report. * Few organizations are static, and that is especially true of DHS OIG in the last six months. Many of your observations involve the former Acting IG/Deputy IG (an individual who is no longer a DHS OIG employee), and the criminal conduct committed by former employees in our McAllen, Texas field office (who have been criminally prosecuted and likewise no longer employed by DHS OIG). The threats to our independence, as reflected in those episodes, were not a result of a structural deficiency, but a failure of leadership at the highest level. The significant vacancies you noted, present at my arrival, are either filled or in the process of being filled. We are a far different organization than we were last year. * Independence and integrity are the sine qua non of the Inspector General; without independence in fact and appearance, every audit, every inspection and every investigation will be suspect. Our conduct must be beyond reproach. Since my nomination and confirmation in March of this year, I have stressed to my employees — in office visits, in town hall meetings, in my internal written communication, and in my public statements and testimony — the necessity to relentlessly scrutinize and jealously guard against threats to our independence. The events of the last several years have seared into our organizational culture the perils of losing the perception of independence. I have spoken with hundreds of OIG employees since my arrival, and I am confident that my leadership on the issue in the last six months has driven the point home. * While not related to the issue of organizational independence, and not incorporated into a recommendation, the report notes we lack a national-level agreement with the FBI to coordinate investigations of border corruption. I was disappointed that your report fails to note the joint cases DHS OIG currently conducts in partnership with the FBI along the Southwest border, and OIG's participation in the Border Corruption Task Forces in Buffalo, Detroit, Houston, Newark, the Rio Grande Valley, Laredo, Tucson, Yuma, Sierra Vista, and San Diego. Clearly, the lack of a national-level agreement is not preventing us from working cases together. Nevertheless, we will continue to work with the FBI towards a written national-level agreement. We will also continue to notify the FBI of every investigation we open, as the Inspector General Act requires. Our independent Office of Integrity and Quality Oversight assures field office compliance with this requirement. Unfortunately, the FBI currently does not notify us of investigations of DHS employees suspected of corruption, and has resisted our suggestion that it do so. This lack of reciprocity makes negotiating a coordination agreement challenging, and could ultimately place agents from both Departments at physical risk. Lastly, here is our formal response to your recommendations: Recommendation 1: To improve its intake and complaint processing function, GAO recommends that the IG design and implement additional controls, which may include additional automated controls and supervisory review, to provide reasonable assurance that employee's identities are not disclosed without their consent when forwarding complaints back to DHS components. Concur. We are currently improving our online allegation form to ensure complainants do not inadvertently provide personal data when their intent was to remain anonymous. Likewise, we are currently improving the online allegation form to simplify and clarify to complainants the distinctions between filing an anonymous complaint versus filing a confidential complaint. We have implemented supervisory controls to provide oversight and quality control of intake analysts' work product, including the movement or referral of complaints. We will complete the changes to our online allegation form within 90 days. Recommendation 2: To help avoid any impairment to independence when seeking legal advice, we recommend that the OIG develop a policy for obtaining legal advice from counsel reporting either directly to the IG or another IG and work with the IG's counsel to establish guidelines for when it would be appropriate for the OIG to consult with the department's counsel. Concur. Within 90 days, we will develop policy and guidelines in which we describe the circumstances under which the Inspector General can obtain legal advice from the Department's Office of Legal Counsel rather than the Counsel to the DHS Inspector General, or another Inspector General's office. Recommendation 3: To help ensure that senior executives are aware of independence requirements so that they are able to identify and mitigate any threats to their independence, we recommend that the OIG revise its guidance in the Audit Manual to require signed annual certificates of independence to be collected and maintained centrally in order to monitor compliance. Concur. We will revise the audit manual to require senior executives signed annual independence statements will be collected and maintained by the Office of Integrity and Quality Oversight. We plan to publish a revised audit manual by October 31, 2014. Sincerely, Signed by: John Roth: Inspector General: [End of section] Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: Asif A. Khan, (202) 512-9869 or khana@gao.gov: Staff Acknowledgments: In addition to the contact named above, Michael LaForge (Assistant Director), Fred Evans, Latasha Freeman, Maxine Hattery, Colleen Heywood, Jackson Hufnagle, Kristi Karls, and Laura Pacheco made significant contributions to this work. Kathryn Bernet, Jacquelyn Hamilton, and Helina Wong also contributed to this report. [End of section] Footnotes: [1] Audits are independent, objective assessments of the stewardship, performance, or cost of an agency's policies, programs, or operations. Inspections are evaluations, inquiries, and similar types of reviews that do not constitute an audit or an investigation, and provide the benefits of a flexible mechanism for optimizing resources, expanding agency coverage, and using alternate review methods and techniques. Investigations can involve allegations of criminal, civil, or administrative misconduct, and can result in criminal prosecutions, fines, civil monetary penalties, administrative sanctions, and personnel actions. [2] Pub. L. No. 113-6, § 2, Div. D, 127 Stat. 342, 344 and 360 (Mar. 26, 2013). According to OIG officials, this amount was reduced to $141 million after sequestration. [3] Pub. L. No. 95-452, 92 Stat. 1101 (Oct. 12, 1978) codified, as amended, at 5 U.S.C. App. [4] GAO, Government Auditing Standards: 2011 Revision, [hyperlink, http://www.gao.gov/products/GAO-12-331G] (Washington, D.C.: December 2011). [5] Joint Explanatory Statement, 159 Cong. Rec. S1275, 1548 (daily ed., Mar. 11, 2013), to the Department of Homeland Security Appropriations Act, 2013, contained in Division D of the Consolidated and Further Continuing Appropriations Act, 2013, Pub. L. No. 113-6 (Mar. 26, 2013). [6] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: February 2013). [7] A peer review, also known as an external quality control review, is required by Government Auditing Standards to be performed at least once every 3 years by an organization independent of the organization being reviewed. The objective is to provide a reasonable basis for determining whether, for the period under review, the reviewed audit organization's system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards. [8] CIGIE was established by the Inspector General Reform Act of 2008 (Pub. L. No. 110-409, 122 Stat. 4302 (Oct. 14, 2008)) and consists mainly of IGs. [9] Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002). [10] Department of Homeland Security, U.S. Department of Homeland Security Agency Financial Report Fiscal Year 2013 (Washington, D.C.: Dec. 11, 2013). [11] The IG Act Amendments of 1988 established additional IGs who are appointed by their respective entity heads in designated federal entities--generally smaller agencies and other types of federal organizations--identified by the act. [12] The IG Act includes a special provision for DHS that allows the Secretary of Homeland Security to prohibit the IG from carrying out or completing any audit or investigation, or from issuing any subpoena, if the Secretary determines that such prohibition is necessary (1) to prevent the disclosure of sensitive information, (2) to preserve national security, or (3) to prevent a significant impairment to the interests of the United States. [13] [hyperlink, http://www.gao.gov/products/GAO-12-331G]. [14] Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Federal Offices of Inspector General (Washington, D.C.: August 2012). See also 5 U.S.C. App. § 11(c)(2). [15] The 361 reports do not include capping reports and annual reports that summarize individual audits and inspections. Further, we did not include investigations in our review of the OIG's oversight coverage because most investigations are reactive--based on allegations of misconduct--rather than planned in advance as audits and inspections are. [16] 6 U.S.C. § 612(a)(3)(A). Grants audited under this section are referred to by the OIG as hazard grants and do not include Disaster Assistance Grants provided under section 203, title IV, or title V of the Robert T. Stafford Disaster Relief and Emergency Assistance Act. [17] The Disaster Relief Fund is an appropriation against which FEMA can direct, coordinate, manage, and fund eligible response and recovery efforts associated with domestic major disasters and emergencies to supplement state resources pursuant to the Robert T. Stafford Relief and Emergency Assistance Act. [18] Pub. L. No. 106-531, 114 Stat. 2537 (Nov. 22, 2000). [19] [hyperlink, http://www.gao.gov/products/GAO-13-283]. [20] In 2013, GAO changed the name of this high-risk area from "Implementing and Transforming" to "Strengthening DHS Management Functions" to recognize DHS's progress in its implementation and transformation since its creation, as well as to focus on its remaining challenges in strengthening its management functions and integrating those functions across the department. [21] See list of related GAO reports on the National Flood Insurance Program included in GAO, Overview of GAO's Past Work on the National Flood Insurance Program, [hyperlink, http://www.gao.gov/products/GAO-14-297R] (Washington, D.C.: Apr. 9, 2014). [22] 5 U.S.C. App. § 3. [23] The Whistleblower Protection Ombudsman is to educate agency employees about their rights if they make a "protected disclosure," including protections against retaliation for making such a disclosure. The IG Act states that any employee who has authority to take, direct others to take, recommend, or approve any personnel action shall not, with respect to such authority, take or threaten to take any action against any employee as a reprisal for making a complaint or disclosing information to an IG unless the complaint was made or the information disclosed with the knowledge that it was false or with willful disregard for its truth or falsity. [24] Strengthening Government Oversight: Examining the Roles and Effectiveness of Oversight Positions within the Federal Workforce, Before the Senate Homeland Security and Governmental Affairs Subcommittee on Efficiency and Effectiveness of Federal Programs and the Federal Workforce, 113th Cong. (Nov. 19, 2013). [25] The Federal Vacancies Reform Act of 1998 limits the time that a person can serve as an acting officer in a position that requires presidential appointment and Senate confirmation. This time limit is 210 days beginning on the date the vacancy occurs, but an acting official may continue to serve for 210 days after a first (or second) nomination is rejected, withdrawn, or returned. See 5 U.S.C. § 3346. The first acting IG term was extended because of a first nomination of an IG, resulting in the acting period going from February 27, 2011, until January 3, 2013. [26] Although a new AIG was assigned to the Office of Inspections in June 2013, that individual was detailed to another agency and continued to be as of September 2014. As a result, the office has continued to be led by an Acting AIG. [27] See app. III for a description of other selected IG Act provisions applicable to the DHS OIG and how they are being met. [28] The Special Agent Handbook requires that criminal investigations be reported expeditiously in accordance with Attorney General Guidelines. These guidelines require that when a case involves concurrent jurisdiction between the FBI and an OIG, each agency must notify the other in writing promptly--generally defined as within 30 days--of initiating a criminal investigation. See also Pub. L. No. 95- 452, §4(a)(4), 92 Stat. 1101 (Oct. 12, 1978) (codified, as amended, at 5 U.S.C. App.). [29] Attorney General Guidelines for Offices of Inspector General with Statutory Law Enforcement Authority (Dec. 8, 2003) (implementing 5 U.S.C. App. § 4(d)). [30] Border Corruption: Assessing Customs and Border Protection and the Department of Homeland Security Inspector General's Office Collaboration in the Fight to Prevent Corruption, Before the Senate Ad Hoc Subcommittee on Disaster Recovery and Intergovernmental Affairs of the Committee on Homeland Security and Governmental Affairs, 112th Cong. (June 9, 2011). [31] S. Rep. No. 113-77, at 13 (July 18, 2013). Subsequent to our review, DHS issued its report on September 10, 2014. [32] S. Rep. No. 113-198, at 17 (June 26, 2014). [33] U.S. Senate Committee on Homeland Security and Governmental Affairs, Subcommittee on Financial and Contracting Oversight, Investigation into Allegations of Misconduct by the Former Acting and Deputy Inspector General of the Department of Homeland Security, Staff Report (Washington, D.C.: Apr. 24, 2014). [34] OIG officials said that the OIG Office of Counsel coordinates and conducts annual ethics training for all OIG filers of confidential and public financial disclosure reports. [35] U.S. Senate Committee on Homeland Security and Governmental Affairs, Subcommittee on Financial and Contracting Oversight, Investigation into Allegations of Misconduct by the Former Acting and Deputy Inspector General of the Department of Homeland Security. [36] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [37] Joint Explanatory Statement, 159 Cong. Rec. S1275, 1548 (daily ed., Mar. 11, 2013), to the Department of Homeland Security Appropriations Act, 2013, contained in Division D of the Consolidated and Further Continuing Appropriations Act, 2013, Pub. L. No. 113-6 (Mar. 26, 2013). [38] Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Federal Offices of Inspector General (Washington, D.C.: August 2012). These quality standards also address operational aspects of a federal IG office, including maintaining human capital and receiving and reviewing allegations. [39] In its August 2012 version of the Silver Book, there is a reference to GAO's Standards for Internal Control in the Federal Government issued in November 1999. [40] GAO, Government Auditing Standards: 2011 Revision, [hyperlink, http://www.gao.gov/products/GAO-12-331G] (Washington, D.C.: December 2011). [41] Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Investigations (Washington, D.C.: November 2011). [42] Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Inspection and Evaluation (Washington, D.C.: January 2012). [43] Pub. L. No. 95-452, 92 Stat. 1101 (Oct. 12, 1978) codified, as amended, at 5 U.S.C. App. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]