This is the accessible text file for GAO report number GAO-11-146
entitled 'Employment Verification: Federal Agencies Have Taken Steps
to Improve E-Verify, but Significant Challenges Remain' which was
released on January 18, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Report to the Subcommittee on Social Security, Committee on Ways and
Means, House of Representatives:
December 2010:
Employment Verification:
Federal Agencies Have Taken Steps to Improve E-Verify, but Significant
Challenges Remain:
GAO-11-146:
GAO Highlights:
Highlights of GAO-11-146, a report to the Subcommittee on Social
Security, Committee on Ways and Means, House of Representatives.
Why GAO Did This Study:
E-Verify is a system to electronically verify work eligibility and
operated by the Department of Homeland Security’s (DHS) U.S.
Citizenship and Immigration Services (USCIS) and the Social Security
Administration (SSA). GAO testified in June 2008 that ensuring
accuracy and combating fraud were challenges facing E-Verify. As
requested, GAO examined the extent to which USCIS and SSA took efforts
to (1) reduce tentative nonconfirmations (TNC) and E-Verify’s
vulnerability to fraud, (2) safeguard employee personal information,
and (3) prepare for possible mandatory use by all employers
nationwide. GAO reviewed key policy and procedural documents,
interviewed relevant DHS and SSA officials, and conducted site visits
to three states selected, in part, based on employer types.
What GAO Found:
Since GAO last testified in June 2008, USCIS has taken several steps
to improve the accuracy of the E-Verify system, including expanding
the number of databases queried through E-Verify and instituting
quality control procedures. As a result, USCIS data indicate that E-
Verify immediately confirmed about 97.4 percent of almost 8.2 million
newly hired employees as work authorized during fiscal year 2009,
compared to 92 percent from fiscal year 2006 to the second quarter of
fiscal year 2007. However, E-Verify errors persist. Also, if an
authorized employee’s name is recorded differently on various
authorizing documents, the E-Verify system is to issue a TNC for the
employee. Because such TNCs are more likely to affect foreign-born
employees, they can lead to the appearance of discrimination. USCIS
has not disseminated information to employees advising them of the
importance of consistently recording their names on documentation
provided to employers, and doing so could help USCIS reach its goal to
ensure data accuracy. Furthermore, E-Verify remains vulnerable to
identity theft and employer fraud. Resolving these issues will be
important in combating fraud in the employment verification process.
USCIS has taken steps to minimize risks to the privacy of personal
information for new employees who are processed through E-Verify by,
among other things, publishing privacy notices for the E-Verify
program. However, employees are limited in their ability to identify
the source of and how to correct information in DHS databases that may
have led to an erroneous TNC. To identify and access the source of the
incorrect data, employees must use methods such as Privacy Act
requests, which, in fiscal year 2009, took on average 104 days. DHS
officials acknowledged that the current process for employees to
correct their personal records could be improved and said they are
discussing ways to provide employees with better access to relevant
information. By developing procedures that could enable employees to
effectively correct any inaccurate personal information, DHS
components could help employees avoid receiving erroneous TNCs.
USCIS and SSA have taken actions to prepare for possible mandatory
implementation of E-Verify for all employers nationwide by addressing
key practices for effectively managing E-Verify system capacity and
availability and coordinating with each other in operating E-Verify.
However, USCIS’s lifecycle cost estimates for E-Verify do not reliably
depict current costs (i.e., do not include all costs associated with
maintaining and operating E-Verify) and SSA’s estimates do not
consider the risk associated with changes in SSA’s E-Verify workload.
Without DHS developing reliable life cycle cost estimates for E-
Verify, and SSA assessing the risk associated with its E-Verify
workload, the agencies are at increased risk of not securing
sufficient resources to effectively execute program plans in the
future.
What GAO Recommends:
GAO recommends, among other things, that USCIS disseminate information
to employees on the importance of consistently recording their names,
DHS components develop procedures to help employees correct inaccurate
personal information, USCIS develop reliable cost estimates for E-
Verify, and SSA assess risks associated with its E-Verify workload
costs. DHS and SSA generally agreed with most of GAO’s
recommendations. SSA disagreed that it should assess risks associated
with its workload costs because it believes it already does so. GAO
believes the recommendation is valid because SSA’s risk estimate has
limitations as discussed in the report.
View [hyperlink, http://www.gao.gov/products/GAO-11-146] or key
components. For more information, contact Richard M. Stana at (202)
512-8777 or stanar@gao.gov.
[End of section]
[Refer to PDF for image]
[End of figure]
Contents:
Letter:
Background:
USCIS and SSA Reduced TNCs, but the Accuracy of E-Verify Continues to
Be Limited by Inconsistent Recording of Both Employees' Names and
Fraud:
USCIS Has Taken Several Actions to Address Employer Noncompliance but
Remains Limited in Its Ability to Identify and Prevent Employer Misuse:
DHS Has Instituted Employee Privacy Protections for E-Verify, but
Resolving Erroneous TNCs and FNCs and Combating Discrimination Can Be
Challenging:
USCIS and SSA Have Taken Actions to Prepare for Mandatory
Implementation of E-Verify by Adopting Practices for Effectively
Managing E-Verify System Capacity, but They Face Challenges in
Estimating Costs:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: The Fair Information Practice Principles:
Appendix III: Comments from the Department of Homeland Security:
Appendix IV: Comments from the Social Security Administration:
Appendix V: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: USCIS Initiatives to Reduce TNCs:
Table 2: Effective Practices for Capacity Management and Planning and
the Extent to Which USCIS and SSA Have Addressed Each Practice:
Table 3: GAO's Characteristics of a Reliable Cost Estimate:
Table 4: Fair Information Practice Principles:
Figures:
Figure 1: The E-Verify Process for Employees Attesting to Be U.S.
Citizens on the Form I-9:
Figure 2: The E-Verify Process for Employees Attesting to Be Non-U.S.
Citizens on the Form I-9:
Figure 3: E-Verify Results for Fiscal Year 2009:
Abbreviations:
CBP: U.S. Customs and Border Protection:
CRCL: Office for Civil Rights and Civil Liberties:
DHS: Department of Homeland Security:
FNC: final nonconfirmation:
ICE: U.S. Immigrations and Customs Enforcement:
IRCA: Immigration Reform and Control Act of 1986:
IT: information technology:
MOU: memorandum of understanding:
Numident: Numerical Identification File:
OIG: Office of the Inspector General:
OMB: Office of Management and Budget:
OSC: Office of Special Counsel for Immigration-Related Unfair
Employment Practices:
SSA: Social Security Administration:
TNC: tentative nonconfirmation:
USCIS: U.S. Citizenship and Immigration Services:
VIS: Verification Information System:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
December 17, 2010:
The Honorable Earl Pomeroy:
Acting Chairman:
The Honorable Sam Johnson:
Ranking Member:
Subcommittee on Social Security:
Committee on Ways and Means:
House of Representatives:
The opportunity for employment is one of the most powerful magnets
attracting immigrants to the United States. There were approximately
an estimated 11 million unauthorized immigrants living in the country
in early 2009, and an estimated 7.8 million of them, or about 70
percent, were in the labor force, according to the Pew Hispanic
Center. Congress, the administration, and states have taken various
actions to better ensure that those who work here have appropriate
work authorization and to safeguard jobs for authorized employees.
Nonetheless, opportunities remain for unscrupulous employers to hire
unauthorized workers and for unauthorized workers to fraudulently
obtain employment even when employers seek to hire an authorized
workforce. Immigration experts believe that as long as opportunities
for employment exist, the incentive to enter the United States
illegally or to overstay visas will persist and efforts to prevent
illegal entry at U.S. borders will be undermined. Immigration experts
have noted that deterring illegal immigration requires, among other
things, a more reliable employment eligibility verification process
and a more robust worksite enforcement capacity.
To enhance efforts to verify employment eligibility, an electronic
employment authorization system now known as E-Verify was created in
1997 by the former U.S. Immigration and Naturalization Service as the
result of statutory direction. E-Verify is a free, largely voluntary,
Internet-based system operated by the Verification Division of U.S.
Citizenship and Immigration Services (USCIS), a component within the
Department of Homeland Security (DHS), in conjunction with the Social
Security Administration (SSA).[Footnote 1] E-Verify provides employers
a tool for detecting common types of fraudulent identity documents.
The goals of E-Verify are to (1) reduce the employment of individuals
unauthorized to work, (2) reduce discrimination, (3) protect employee
civil liberties and privacy, and (4) prevent undue burden on
employers. Pursuant to a 2007 Office of Management Budget (OMB)
directive, all federal agencies are required to use E-Verify on their
new hires and, as of September 8, 2009, certain federal contractors
and subcontractors are required to use E-Verify for both newly hired
employees working in the United States as well as existing employees
working directly under the contract.[Footnote 2] In addition, a number
of states have enacted laws or issued executive orders mandating that
some or all employers within the state use E-Verify on new hires. From
October 2009 through August 2010, E-Verify processed approximately
14.9 million queries from nearly 222,000 participating employers.
In August 2005, we reported that E-Verify was unable to detect
identity fraud and ensure employer compliance with the program's
rules.[Footnote 3] In June 2008, we testified that USCIS and SSA had
taken actions to enhance the E-Verify program but continued to face
challenges.[Footnote 4] One challenge was related to USCIS's ability
to reduce instances in which work authorized employees are not
automatically confirmed by E-Verify. This situation could occur for
several reasons, such as employees not updating their naturalization
status in SSA databases in a timely manner or not informing SSA of a
change in name. For the purposes of this report, we collectively refer
to these situations--as well as those in which employers inadvertently
make errors in data entry when making E-Verify queries, in which
employees provide inconsistent personal information to government
agencies, and in which government databases contain errors unrelated
to an employer's or employee's action--as erroneous tentative
nonconfirmations (TNC).[Footnote 5] Another challenge was related to
USCIS's ability to detect the use of fraudulent and stolen identity
documents, and identify and curb employer fraud and misuse of the
program. We also testified that mandatory implementation of E-Verify
would place increased demands on USCIS's and SSA's resources. An
evaluation report issued by the Westat Corporation (Westat) in
December 2009 stated, among other things, that E-Verify could not
detect identity fraud in the majority of cases where unauthorized
workers presented their employers with valid documents that were
stolen or borrowed.[Footnote 6] To address these and other issues,
legislators and immigration experts have proposed a variety of
potential solutions, including the creation and implementation of an
alternative employment eligibility system to replace E-Verify. Other
proposals have included adding biometric information or personal
identity numbers to E-Verify to prevent identity fraud, and creating a
database that would enable individuals to self-verify their employment
eligibility prior to obtaining or changing employment.
In response to your request that we review the E-Verify program, we
examined the progress that USCIS and SSA have made since we testified
in June 2008. Specifically, we examined the extent to which:
* USCIS has reduced the incidence of TNCs and E-Verify's vulnerability
to fraud,
* USCIS has improved its ability to monitor and ensure employer
compliance with E-Verify program policies and procedures,
* USCIS has provided safeguards for employees' personal information in
E-Verify and enabled employees to correct inaccurate information, and:
* USCIS and SSA have taken steps to prepare for mandatory E-Verify
implementation.
To address our first objective, we analyzed our previous reports on E-
Verify, as well as reports by other federal agencies and immigration
policy organizations. We interviewed senior officials at the State
Department and the American Association of Motor Vehicle
Administrators regarding sharing information with USCIS. We reviewed
videos developed by USCIS's Verification Division, the division
overseeing the E-Verify program, and DHS's Office for Civil Rights and
Civil Liberties (CRCL) that explain how to resolve TNCs, and SSA
documentation intended to assist employees with name and citizenship
changes. We analyzed data on the results of E-Verify cases for fiscal
year 2009. We interviewed senior E-Verify program officials at USCIS's
Verification Division and SSA officials about their procedures for
ensuring data quality in the E-Verify transaction database and
Numerical Identification File (Numident), respectively.[Footnote 7]
Based on our analysis, we determined that these data were sufficiently
reliable for the purposes of our report. We also reviewed an E-Verify
evaluation released by Westat in December 2009. Although the data were
subject to various sources of error, which Westat acknowledged, we
believe Westat's approach was appropriate and produced credible
estimates of the accuracy of E-Verify.
To address our second objective, we analyzed E-Verify standard
operating procedures, the E-Verify tutorial and mastery test,
documentation on E-Verify educational activities, and USCIS's staffing
model and training plan for its Monitoring and Compliance Branch. We
conducted interviews with senior DHS officials in USCIS, U.S.
Immigration and Customs Enforcement (ICE), and CRCL, as well as in the
Office of Special Counsel for Immigration-Related Unfair Employment
Practices (OSC) within the Department of Justice's Civil Rights
Division to determine what procedures were in place to address and
sanction employer noncompliance with E-Verify program rules, and the
extent to which the agencies were coordinating with one another to
address employer noncompliance. We also analyzed an interagency
agreement between USCIS and ICE, and reviewed previous GAO reports
that discussed practices for evaluating the effectiveness of training
and development programs.
To address our third objective, we analyzed documentation from USCIS,
including procedures for resolving DHS-related TNCs. We conducted
interviews with privacy officials at USCIS to determine what, if any,
challenges exist in resolving these TNCs. We assessed the extent to
which USCIS's privacy policies and documents for the E-Verify program
were consistent with DHS's Fair Information Practice Principles. We
reviewed SSA's processes for resolving TNCs and SSA staff's use of the
automated response system for TNCs (EV-STAR) to determine how they
affect employment authorization decisions. We also analyzed an
interagency agreement between USCIS and OSC to determine the extent to
which the agencies are coordinating to address discrimination issues
related to employer use of E-Verify. We interviewed officials from
DHS's Privacy Office and CRCL and from OSC to discuss their roles and
responsibilities for assisting employees in dealing with issues
related to civil rights and civil liberties, specifically privacy and
discrimination, and their efforts to coordinate with USCIS on E-Verify
issues. We also interviewed senior officials at SSA to discuss SSA's
processes for resolving TNCs and recording decisions into E-Verify.
To address our fourth objective, we assessed USCIS's and SSA's
existing system capacity requirements and life cycle cost estimates
and SSA's workload estimates. We compared documentation on the
agencies' processes and procedures for managing and planning system
capacity and availability with widely accepted industry practices.
[Footnote 8] To determine the reliability of USCIS's and SSA's cost
estimates, and their ability to predict future costs in the case of
mandatory implementation, we interviewed senior program officials at
both agencies and analyzed the derivation of the cost estimates
relative to four characteristics of a reliable cost estimate as
defined in our Cost Estimating and Assessment Guide.[Footnote 9] For
each characteristic, we computed an average score that indicated the
extent to which the agencies met that characteristic of a reliable
cost estimate. We also performed analyses on SSA's TNC database to
determine the validity of SSA's calculations for its workload
estimates, and determined that the calculations were valid.
To gain a better understanding of how E-Verify is implemented in some
states and of users' experiences with E-Verify, we conducted site
visits to three states with E-Verify laws--Colorado, North Carolina,
and Arizona. We selected these states based on the length of time each
state's E-Verify law had been in effect, the range of employer types
covered by the law, and geographic dispersion. On these site visits,
we interviewed state officials responsible for overseeing
implementation of the state E-Verify law, representatives and
employers from eight industry associations and four state and local
chambers of commerce, representatives from eight immigrant advocacy
groups, and E-Verify users from two state universities[Footnote 10].
While the views provided are not generalizable, they provided us with
additional perspectives on the benefits and challenges associated with
the E-Verify program. In each state, we also interviewed selected (1)
SSA regional and field office representatives to obtain information on
the effect of use of E-Verify in that state on SSA field office
workloads and (2) ICE regional and field office representatives to
determine ICE's role in assisting USCIS with E-Verify education,
outreach, and employer compliance. (See appendix I for additional
details on our scope and methodology.)
We conducted this performance audit from June 2009 through December
2010 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
Background:
Legislative History:
The Immigration Reform and Control Act of 1986 (IRCA) made it illegal
for employers to knowingly hire immigrants who were unauthorized to
work in the United States.[Footnote 11] IRCA established an employment
verification process--the Form I-9 process--that required employers to
review documents presented by new employees to establish their
identity and employment eligibility.[Footnote 12] Employers are
required to certify that they have reviewed the documents presented by
their employees and that the documents reasonably appear genuine and
relate to the individual presenting them. Like all employers,
employers participating in E-Verify are required to retain Form I-9s
for all newly hired employees in accordance with IRCA. IRCA provides
penalties or sanctions against employers that knowingly violate the
law. ICE is responsible for enforcing IRCA's employer sanctions
provisions. IRCA also prohibits employers from discriminating against
employees based on their citizenship or immigration status or national
origin. OSC is responsible for enforcing IRCA's antidiscrimination
provisions.
Employer Use of E-Verify:
To participate in E-Verify, employers are required to have access to
basic office equipment, including a computer and printer, as well as
Internet access with a secure Web browser. To use E-Verify, an
employer is required to register as a user and sign a Memorandum of
Understanding (MOU) with DHS agreeing to follow the program's rules.
[Footnote 13] By signing the MOU, the employer agrees, among other
things, to use the system only for new hires--or, in the case of
federal contractors, to use the system both for new hires and for
existing employees assigned to a federal contract--post a notification
that the employer is an E-Verify participant, and verify the
employment eligibility of new hires within 3 business days after the
employee begins work.[Footnote 14] The MOU also requires employers to
comply with antidiscrimination requirements and prohibits employers
from prescreening job applicants through E-Verify prior to hiring
them, selectively choosing to verify or not verify new hires based on
their citizenship status or national origin, or taking any adverse
action against employees who choose to contest a TNC. Employers who
register with E-Verify are required to take the E-Verify tutorial and
pass the mastery test before submitting information into the system.
Employers participating in E-Verify are required to enter information
from the employee's Form I-9 into E-Verify, which is a secure, USCIS-
run Web-based interface. E-Verify is then to route the information to
the appropriate data sources to determine employment eligibility. All
information related to E-Verify transactions is stored in the
Verification Information System (VIS), USCIS's centralized database
for E-Verify.
For citizens, information from the employee's Form I-9 is first
checked against SSA's Numident database.[Footnote 15] If there is a
match, the system is to instantly notify the employer that the
employee is eligible to work. If there is no match, the system is
designed to instantly request that the employer check for possible
input errors and, if the employer makes no changes, the system is to
automatically check USCIS's naturalization databases to verify the
employee's citizenship status. For employees who present a United
States passport as identification for the Form I-9, E-Verify is to
automatically check the TECS database, which is operated by DHS's U.S.
Customs and Border Protection (CBP).[Footnote 16] TECS is a law
enforcement database that among other things, stores information on
U.S. passport holders. If the passport data in TECS and the
information recorded on the employee's passport do not match, the
system is to issue a TNC for the employee. If the employee provides
identity information other than that from a passport--such as a
driver's license--and this information does not match either SSA's or
DHS's data, then the system is also to issue a TNC. In both instances,
the system is to transmit the TNC finding to the employer, which
notifies the employee of the TNC. An employer is required to inform
the employee of the TNC in writing by providing a system-generated
notice of the finding and the employee's right to contest it.
Employees can choose whether to contest a TNC, and if an employee
decides to contest it, the employer must electronically refer the TNC
case in E-Verify to either SSA or DHS and provide the employee with an
additional system-generated referral letter, indicating the specific
agency--SSA or DHS---the employee should contact to contest the TNC.
Once the employer refers the case to the appropriate agency, the
employee has 8 federal working days to initiate contact with the
agency. Employees who do not initiate contact with SSA or DHS to
resolve their TNC within 8 federal business days are to receive a
final nonconfirmation (FNC). The E-Verify process for those attesting
to be U.S. citizens on their Form I-9s is depicted in figure 1.
Figure 1: The E-Verify Process for Employees Attesting to Be U.S.
Citizens on the Form I-9:
[Refer to PDF for image: illustration]
1) Employer enters new employee information from the Form I-9 into the
E-Verify Web interface.
2) System attempts to match Form I-9 data with SSA database. Is there
a match?
If yes, go to #4;
If no, go to #3.
3) SSA Pre-TNC check conducted. Is there a match?
If yes, go to #4;
If no, go to #7.
4) Based on Form I-9 data, can citizenship status be verified?
If yes, go to #6;
If no, go to #5.
5) USCIS naturalization databases automatically checked. Is
citizenship status verified?
If yes, go to #6;
If no, and passport is not presented with Form I-9, go to #8.
If no, and passport is presented with Form I-9 and pastport data, go
to #7.
6) Confirmed work authorized.
7) CBP database with U.S. passport information is automatically
checked. Is citizenship status verified?
If yes, go to #6.
If no, go to #8.
8) TNC issued. Does employee resolve TNC with SSA?
If yes, go to #6.
If no, go to #9.
9) If U.S. citizenship status is not confirmed, employee given option
to call DHS. Does employee contact DHS?
If yes, go to #10;
If no, go to #12.
10) USCIS management program analyst compares employee data with
various data sources. Is citizenship status verified?
If yes, go to #6;
If no, go to #11.
11) Case referred back to SSA.
Go to #8.
12) SSA final nonconfirmation.
Sources: GAO analysis of E-Verify’s procedures for verifying work
authorization for U.S. citizens; and Art Explosion (clipart).
[End of figure]
For noncitizens, information from the employee's Form I-9 is first
checked against SSA's Numident database and, if there is a match, E-
Verify is to route the information to DHS databases to determine if
DHS granted employment authorization to the employee.[Footnote 17] If
DHS data verify the employee's information, then E-Verify is to
instantly notify the employer that the employee is eligible to work.
For noncitizens who show a Permanent Resident ("green") card or
employment authorization document as proof of identity and employment
eligibility, the system is to transmit a digitally stored photograph
of the employee to the employer.[Footnote 18] It is the employer's
responsibility to determine whether the photograph provided by the
employee matches the electronic photograph provided by E-Verify. If
the employer determines that the photograph on the document provided
by the employee matches the electronic photograph transmitted by E-
Verify, then the employer is to input this decision into E-Verify, and
E-Verify is to issue an employment authorized finding. If the employer
determines that the photographs do not match, the employer is to input
this decision into E-Verify, and the system is to issue a TNC. If
DHS's data (for example, the employee's name) do not match the
employee information that the employer entered into E-Verify, E-Verify
is to instantly request that the employer check for possible input
errors. If the employer makes no changes to the information previously
submitted, the information is sent to a USCIS management program
analyst to manually query other DHS databases and determine if the
employee is eligible to work. If the analyst cannot confirm the
employee's work eligibility, E-Verify is to issue a TNC and transmit
the TNC finding to the employer. An employer is required to inform the
employee in writing by providing a system-generated notice of the TNC
finding and the employee's right to contest it. As stated above,
employees can choose whether to contest the TNC, and if an employee
decides to contest it, the employer must electronically refer the TNC
case in E-Verify to SSA or DHS and provide the employee with an
additional system-generated referral letter that indicates the
specific agency the employee should contact to contest the TNC. Once
the employer electronically refers the case to the appropriate agency
in E-Verify, employees have 8 federal working days to initiate contact
with either agency. Employees who do not initiate contact with either
SSA or DHS to resolve their TNC with SSA within 8 business days are to
receive a FNC.[Footnote 19] The E-Verify process for those attesting
to be non-U.S. citizens on Form I-9 is depicted in figure 2.
Figure 2: The E-Verify Process for Employees Attesting to Be Non-U.S.
Citizens on the Form I-9:
[Refer to PDF for image: illustration]
1) Employer enters new employee information from the Form I-9 into the
E-Verify Web interface.
2) SSA: System attempts to match Form I-9 data with SSA database. Is
there a match?
If yes, go to #3;
If no, go to #7.
3) UCSIS: System compares Form I-9 data with DHS databases. Is there a
match?
If yes, go to #4;
If no, go to #9.
4) USCIS: Eligible for photo matching.
If yes, go to #5;
If no, go to #6.
5) USCIS: Is there a photo match?
If yes, go to #6;
If no, go to #11.
6) USCIS: Confirmed work authorized.
7) SSA: SSA pre-TNC check conducted. Is there a match?
If yes, go to #3;
If no, ho to #8.
8) SSA: SSA TNC issued. Does employee resolve TNC with SSA?
If yes, go to #3;
If no, go to #12.
9) USCIS: DHS Pre-TNC check conducted. Is there a match?
If yes, go to #4;
If no, go to #10.
10) USCIS: USCIS management program analyst checks other DHS
databases. Is there a match?
If yes, go to #6;
If no, go to #11.
11) USCIS: DHS TNC issued. Does employee resolve TNC with USCIS?
If yes, go to #6;
If no go to #12.
12) Final nonconfirmation.
Sources: GAO analysis of E-Verify’s procedures for verifying work
authorization for non-U.S. citizens; Art Explosion (clipart).
[End of figure]
For an employee who does not initiate contact with SSA or DHS within
the 8 federal working days allowed for resolving a TNC, the system is
to issue a FNC and the employer is expected to promptly terminate the
employee's employment. Employers may not take any adverse action
against an employee on the basis of a TNC, such as limiting work
assignments or pay or terminating the employee while the employee is
attempting to resolve any inaccuracies in his or her records.
USCIS and SSA Coordination for E-Verify Operation:
The fiscal year 2010 DHS Appropriations Act reauthorized the E-Verify
program through September 30, 2012, and provided USCIS $137 million
for program operations.[Footnote 20] Pursuant to a reimbursable
agreement, at the beginning of each fiscal year, USCIS pays SSA the
costs for maintaining its system operations, as well as the projected
costs for assisting employees with resolving TNCs. At the end of each
fiscal year, SSA and USCIS reconcile any differences between actual
costs and estimates, and SSA is to return any unspent funds to USCIS.
USCIS provides SSA estimates of anticipated transaction volumes to
help SSA estimate its future costs for operating E-Verify. In fiscal
year 2009, USCIS reimbursed SSA approximately $21.6 million for
operating E-Verify, $14 million of which was for SSA developing a new
operating environment specifically designed for use by E-Verify. This
system, known as the Isolated Environment, processes E-Verify
transactions against a copy of SSA's Numident database, and allows SSA
to isolate its processing of E-Verify cases from its mission-critical
workloads, such as processing disability or retirement claims.
Recent Studies on E-Verify:
Since our June 2008 testimony, USCIS contracted with Westat for an
independent evaluation of E-Verify, which was issued in December 2009.
[Footnote 21] Westat analyzed E-Verify transaction data for April
through June 2008 to determine how many employees were authorized to
work, received a TNC, or received an FNC. Westat concluded that USCIS
had decreased the time for employers to process cases through E-Verify
and reduced the percentage of erroneous TNCs.[Footnote 22] However,
USCIS continued to face challenges in detecting most cases of identity
fraud, especially for unauthorized employees who used the legitimate
documentation of employment-authorized persons, and in ensuring
employer compliance with E-Verify procedures.
In January 2010, the SSA Office of the Inspector General (OIG)
reported on SSA's use of E-Verify.[Footnote 23] Based on 9,311 new
hires for fiscal year 2008 through March 31, 2009, the OIG reported
that SSA did not use E-Verify to confirm the employment eligibility of
1,767 (19 percent) of the new hires, 54 of which were new hires who
transferred from other federal agencies with no break in federal
employment, and according to SSA staff, were not required to be
verified through E-Verify. Of the 7,544 new hires processed through E-
Verify, SSA did not comply with the 3-day time requirement for
verifying all new hires' employment eligibility. The OIG also reported
that SSA verified the employment eligibility of 26 employees who were
not new hires but had applied for new positions within the agency, 31
volunteers who were not federal employees, and 18 job applicants who
SSA did not hire. All of these practices are prohibited by the MOU
that employers sign when registering for E-Verify. To help SSA better
comply with E-Verify procedures, the OIG recommended, among other
things, that SSA confirm the employment eligibility of the 1,713 new
hires through E-Verify and establish guidance to remind staff of the
requirements of the E-Verify MOU. SSA told us that the agency has
taken steps to address the OIG's recommendations. First, SSA personnel
offices verified those employees not initially verified under E-Verify
to ensure that the agency was in compliance with applicable policies
[Footnote 24]. In March 2010, SSA also sent guidance to each regional
SSA field office to remind staff to follow E-Verify policy regarding
verifying all new hires, conducting verification queries within 3
business days, and prohibiting the verification of existing SSA
employees and SSA volunteers. SSA also provided its regional field
offices with two E-Verify videos developed by DHS to provide a variety
of scenarios regarding information on employer responsibilities and
workers' rights related to the Form I-9 and the use of E-Verify.
USCIS and SSA Reduced TNCs, but the Accuracy of E-Verify Continues to
Be Limited by Inconsistent Recording of Both Employees' Names and
Fraud:
USCIS has reduced TNCs from 8 percent during the time period June 2004
through March 2007 to almost 2.6 percent in fiscal year 2009 by
expanding the number of databases queried through E-Verify and
instituting quality control procedures to address data entry errors.
However, erroneous TNCs related to name inconsistencies, such as
employees' names recorded differently on various authorizing
documents, remain an issue. Erroneous TNCs resulting from such
inconsistencies can create the appearance of discrimination because of
their disparate impact on certain cultural groups. USCIS has taken
some actions to address cases of document fraud, but E-Verify
continues to remain vulnerable to identity theft and employer fraud.
USCIS Has Reduced the Number of TNCs and Enhanced System Efficiencies
to Better Allow Employees to Resolve TNCs:
USCIS has reduced TNCs from 8 percent during the time period June 2004
through March 2007 to almost 2.6 percent in fiscal year 2009. USCIS
data indicate that about 97.4 percent of almost 8.2 million newly
hired employees were immediately confirmed as work authorized by E-
Verify during fiscal year 2009, compared to 92 percent during June
2004 through March 2007. This represents a 5.4 percentage point
increase in immediate confirmations and, in turn, a 5.4 percentage
point decrease in TNCs. As shown in figure 3, in fiscal year 2009,
about 2.6 percent or over 211,000 of newly hired employees received
either a SSA or USCIS TNC, including about 0.3 percent who were
determined to be work eligible after they contested a TNC and resolved
errors or inaccuracies in their records, and about 2.3 percent, or
about 189,000, received an FNC because their employment eligibility
status remained unresolved. The approximately 2.3 percent who received
an FNC consisted of both unauthorized employees and authorized
employees who chose not to contest their TNCs, among others. However,
USCIS was unable to determine how many of these employees (1) were
authorized employees who did not take action to resolve a TNC because
they were not informed by their employers of their right to contest
the TNC, (2) independently decided not to contest the TNC, or (3) were
not eligible to work.
Figure 3: E-Verify Results for Fiscal Year 2009:
[Refer to PDF for image: pie-chart]
Percentage of employees automatically confirmed as work authorized:
97.4%;
Percentage of employees receiving final nonconfirmations: 2.3%;
Percentage of employees who receive TNCs later confirmed as work
authorized: 0.3%.
Source: GAO analysis of DHS data.
[End of figure]
USCIS has reduced TNCs and increased E-Verify accuracy by expanding
the number of databases that E-Verify can query and instituting
quality control procedures to screen for data entry errors. For
example, as we testified in June 2008, USCIS implemented the
Naturalization Phase I enhancement, which automatically checks USCIS
naturalization databases before E-Verify issues an SSA TNC because of
a citizenship status mismatch. According to USCIS, this reduced the
number of SSA TNCs for naturalized citizens by about 35 percent in
fiscal year 2009.[Footnote 25] In addition to what we reported in our
June 2008 testimony, USCIS has undertaken three other initiatives to
reduce the number of erroneous TNCs. Table 1 presents information on
the nature and the results of these initiatives.
Table 1: USCIS Initiatives to Reduce TNCs:
Initiative: Pre-TNC check;
Description: In September 2007, USCIS released an enhancement to E-
Verify that automatically requires employers to double check their
entry of employee information into E-Verify if the system determines
that the employee is not work authorized;
Results reported by USCIS[A]: Reduced TNCs by 36 percent from October
2007 to August 2010.
Initiative: Passport data;
Description: In December 2008, USCIS and the State Department signed
an MOU to reduce SSA mismatches because of citizenship status for
employees who present their U.S. passports as evidence of employment
eligibility. If employees present their passport as identification for
the Form I-9, E-Verify will automatically check their passports
against passport records to determine citizenship status. USCIS began
using passport data to reduce citizenship mismatches in February 2009;
Results reported by USCIS[A]: Prevented about 65,426 erroneous TNCs
from occurring from February 2009 through August 2010.
Initiative: Record matching initiative;
Description: In December 2009, USCIS added a quality control
capability that enables E-Verify to recognize European date format and
common clerical errors of transposed visa and passport numbers;
Results reported by USCIS[A]: Prevented about 1,914 erroneous TNCs
from occurring from December 2009 through August 2010.
Source: USCIS.
[A] We reviewed USCIS's E-Verify transaction database from which USCIS
generated these statistics and found the data sufficiently reliable
for reporting purposes.
[End of table]
USCIS and SSA have taken additional actions to try to increase the
accuracy of the E-Verify system. For example:
* In fiscal year 2009, working with USCIS, SSA added language to
USCIS's A Guide to Naturalization, a booklet that is given to
individuals at the naturalization ceremony, to emphasize the
importance of visiting the local SSA office to report a change in
citizenship status. Among other things, the booklet notes the
importance of updating citizenship status for employment authorization
purposes, as well as updating any name changes.[Footnote 26]
* DHS is in the planning stages of developing a data-sharing
initiative, called DHS Autocards, to update SSA's Numident database
with information from DHS databases on foreign-born individuals who
change citizenship status. Through DHS Autocards, it is anticipated
that USCIS will electronically transmit data (including immigration
status updates) to SSA for individuals who apply for immigration
benefits at offices within the United States. This transmittal is to
be done only with an individual's consent. According to SSA, DHS
Autocards should reduce visits to SSA field offices and improve the
integrity of SSA's replacement card process by sending information
directly to SSA from USCIS.
Inaccuracies and Inconsistencies in Recording Employees' Names
Continue to Produce Erroneous TNCs:
Erroneous TNCs occur, in part, because of inaccuracies and
inconsistencies in how personal information is recorded on employee
documents, in government databases, or both. For example, personal
information in employee documents may differ from that in government
databases if, for example, employees naturalize or marry or divorce
and change their names without informing SSA or DHS of the name
change. Additionally, employees' personal information may be
inaccurate if the first or last name is incorrectly spelled in
government databases or on identification documents. Further,
individuals from certain cultural groups, such as those of Hispanic or
Arab origin, may have multiple surnames that are recorded differently
on their naturalization documents than on their Social Security cards.
Such names could be recorded in a different order on the two
documents, or one document may contain all the surnames while the
other document may contain an abbreviated version of the surnames.
Erroneous TNCs resulting from such inconsistencies can create the
appearance of discrimination because of their disparate impact on
certain cultural groups. According to USCIS, of 22,512 TNCs resulting
from name mismatches in fiscal year 2009, approximately 76 percent, or
17,098, were for citizens, and approximately 24 percent, or 5,414,
were for noncitizens. Using USCIS's and SSA's estimates that about 60
million queries would be generated annually under E-Verify if the
program were made mandatory for new hires nationwide, about 164,000
citizens and noncitizens would receive a name-related TNC each year.
However, this number would greatly increase if E-Verify were made
mandatory for all employees nationwide and not just new hires[Footnote
27]. USCIS reported that it has contracted with Westat to conduct a
study on the effect of complex names, name order, and hyphenated names
on E-Verify TNCs. [Footnote 28]
In our site visits, 5 of 25 employers commented that TNCs are more
likely to occur in situations where Hispanic employees have hyphenated
or multiple surnames.[Footnote 29] In these situations, employers are
sometimes uncertain which name to enter into the E-Verify fields
calling for an employee's first name, last name, and maiden name.
USCIS has included information on its Web site to help employers enter
hyphenated names to reduce the incidence of erroneous TNCs.
Senior E-Verify program officials stated that providing information to
employees about how name-related TNCs occur and how to prevent them
may help decrease the incidence of these types of erroneous TNCs. They
stated that they may consider addressing this issue as they move
forward with the E-Verify program, but did not specify how they would
do this. USCIS has some mechanisms in place to help employees with the
work authorization process, such as guidance on the E-Verify Web site,
but the agency does not provide information on how to prevent a name-
related TNC. USCIS and DHS's CRCL, the organization responsible for
providing policy advice to DHS leadership on civil rights and civil
liberties issues, developed a video that provides information to
employees about how to resolve a name-related TNC. The video also
provides viewers with some reasons for why TNCs occur, such as a name
change due to marriage or errors in government databases, but does not
specifically discuss ways to prevent them.[Footnote 30] In addition,
DHS's A Guide to Naturalization makes clear that name changes have an
effect on employment authorization, but it does not specify how name
changes specifically relate to the E-Verify process. Furthermore,
according to SSA officials, some SSA field office staff attend
naturalization ceremonies to help newly naturalized citizens update
their information in SSA databases, including citizenship status or
name changes, but presence at these ceremonies is not required.
Standards for Internal Control in the Federal Government states that
agency management should ensure that there are adequate means of
communicating with external stakeholders that may have a significant
impact on the agency's goals.[Footnote 31] USCIS could better position
employees to avoid an erroneous TNC if USCIS disseminated information
to employees on the importance of providing consistent name
information to employers, SSA, and DHS and on how to record their
names consistently. Information could be disseminated, for example,
through efforts such as (1) conducting outreach through CRCL's
instructional video for employees, (2) incorporating language into
DHS's A Guide to Naturalization, and (3) disseminating information at
naturalization ceremonies. Disseminating information could also help
to increase system accuracy consistent with USCIS's goal, by reducing
erroneous TNCs.[Footnote 32]
E-Verify Remains Vulnerable to Fraud, but USCIS Has Taken Steps to
Reduce It:
Despite USCIS and SSA's efforts to reduce erroneous TNCs, identity
fraud remains a challenge in part because employers may not be able to
determine if employees are presenting genuine identity and employment
eligibility documents that are borrowed or stolen.[Footnote 33] E-
Verify is to confirm all employees as employment authorized as long as
the information entered into E-Verify matches DHS and SSA records. E-
Verify also cannot detect cases in which an unscrupulous employer
assists unauthorized employees by, for example, providing them with
legitimate documents or ignoring a mismatch between the photograph
that appears on the employee's permanent resident card and DHS's
digital photograph of that individual. Of the 97.4 percent of
employees who were confirmed as work authorized by E-Verify in fiscal
year 2009, USCIS is unable to determine how many employees E-Verify
incorrectly confirmed as authorized to work in the United States.
Based on statistical models of E-Verify data for the period covering
April through June 2008, Westat estimated that 6.2 percent of
employees were not authorized to work in the United States, and that
slightly over half of these employees were incorrectly confirmed by E-
Verify. This may indicate identity theft, employer fraud, or both.
USCIS has taken actions to address fraud, most notably with the fiscal
year 2007 implementation of the photo matching tool, which seeks to
reduce fraud associated with the use of genuine documents in which the
original photograph is substituted for another. The photo matching
tool places the burden on employers to determine whether the
photograph on the employee's permanent resident card or employment
authorization document matches the digitally stored photograph within
DHS databases. If the employer determines that the photos do not
match, E-Verify rules require that the employer indicate in the system
that the photographs do not match, the employee is to receive a TNC,
and the employee is to be provided with an opportunity to contest the
TNC. According to USCIS, from October 2009 to August 2010, there were
393,574 cases that initiated E-Verify's photo matching tool. Of these
cases, employers indicated that 1,569 employees' photos did not match.
These nonmatch cases resulted in one contested TNC. USCIS told us that
it is unable to determine what percentage of the 1,569 cases involves
identity fraud because some individuals may not contest their TNC and
USCIS does not have additional information on these cases.
However, ICE officials in Arizona told us that unscrupulous employers
have learned that the photo matching tool accepts only two documents--
permanent resident cards and employment authorization documents, which
are heavily protected from tampering and counterfeiting--and,
therefore, employers ask employees whom they believe are not work
authorized to provide other identity documents that will not trigger
the photo matching tool. Senior ICE officials told us that while ICE
does not track statistics on documents used to satisfy the Form I-9
requirements, they believe because of the small number of security
features on most state driver's licenses, they are becoming
increasingly popular for use as documentation for the Form I-9. While
employers are not permitted to ask employees to provide specific types
of documents for E-Verify under federal law, the ICE officials said
that they know of instances in which employers directed employees to
provide driver's licenses or other acceptable forms of identification.
They said this has led to an increase in the fraudulent use of other
documents, which are not part of the photo matching tool. Based on
site visit data for October 2007 through June 2008, Westat's 2009
report indicated that driver's licenses were presented as one form of
identification in 53 percent of the cases resulting in TNCs.
USCIS incorporated passport photographs and seeks to incorporate
driver's licenses into the E-Verify database to help address the issue
of identity fraud. In September 2010, pursuant to a signed agreement
with the State Department, USCIS gained access to photographs of
passport holders in State Department records and incorporated these
into E-Verify. USCIS has also been negotiating with the Motor Vehicle
Association in one state to pilot the use of driver's license data for
E-Verify. USCIS reported that this pilot will begin in 2011.[Footnote
34] Because of individual state privacy laws, USCIS said that it has
been unable to negotiate with additional states to share driver's
license data or photographs. USCIS has also identified additional
tools to help combat identity theft. For example, USCIS is planning to
develop a program that would allow victims of identity theft to "lock"
their Social Security numbers within E-Verify until they need them to
obtain employment authorization.[Footnote 35] According to USCIS, this
program remains in the planning stages and is expected to be completed
from fiscal years 2011 through 2012.
Despite these efforts, identity fraud continues to be a challenge for
E-Verify as well as for current employment verification processes. We
have previously reported that weaknesses in the Form I-9 system, such
as difficulty in detecting document and identity fraud and the large
number of acceptable documents for proving work eligibility, have
undermined the effectiveness of the employment verification process.
[Footnote 36] Because E-Verify is an automated system based on the
Form I-9, it possesses the same inherent weaknesses. One example of
this was demonstrated in an enforcement action taken in December 2006
by ICE against a meat processing plant that participated in E-Verify.
During this investigation, ICE found that approximately 1,340
employees--all of whom ICE believes were processed through E-Verify--
were not authorized to work in the United States. Of the 1,340
unauthorized workers, 274 were charged with identity theft, including
the use of valid Social Security numbers belonging to others to get
jobs. ICE arrested one individual with immigration violation charges
related to document fraud through this investigation.
To help combat identity fraud, the use of biometrics has been included
in proposed legislation before Congress as an element of comprehensive
immigration reform. Leading biometric technologies include facial
recognition, fingerprint recognition, hand geometry, and iris
recognition. These technologies help to create a verifiable link
between identity and authorizing documents and supplement the
employer's review of documents on the Form I-9. However, implementing
a biometric system has its own set of challenges. For example, the
costs of biometric technology include the engineering efforts to
design, develop, test, and implement the system, as well as the costs
to employers for purchasing and maintaining the hardware and software.
In some cases employers might not have access to the necessary office
equipment to use such technology. In addition, according to CRCL,
representatives of civil liberties groups, privacy experts, and
government agencies have expressed concerns about issues such as the
adequacy of protections for the use of biometric data. These are
important issues that policymakers are currently considering.
Resolving these issues will be important if this technology is to be
effectively implemented in combating identity fraud in the employment
verification process.
USCIS Has Taken Several Actions to Address Employer Noncompliance but
Remains Limited in Its Ability to Identify and Prevent Employer Misuse:
Since our June 2008 testimony, USCIS has increased the number of staff
for conducting monitoring and compliance activities, but does not yet
have the technology to analyze the E-Verify transaction data in a way
that would enable USCIS to discern complex patterns in the data that
could be indicative of employer misuse. The Monitoring and Compliance
Branch expects to implement an advanced data analysis system to
support program activities in fiscal year 2012. USCIS's compliance
efforts include educational activities designed to assist employers in
complying with E-Verify policies and procedures; however, USCIS could
take additional actions to determine whether its efforts are effective
in reducing employer noncompliance. Furthermore, USCIS does not have
the authority to sanction employers for intentional misuse of E-
Verify, other than terminating their participation in the program.
USCIS is therefore limited in its ability to ensure compliance with E-
Verify policies and procedures.
Monitoring and Compliance Staffing Has Increased, but the Branch's
Data Analytic Capability Is Limited:
Since our June 2008 testimony, USCIS has more than doubled the number
of monitoring and compliance staff overseeing employers' use of E-
Verify. USCIS increased E-Verify monitoring and compliance staff from
21 in April 2008 to 52 in November 2009, and opened a regional office
in Buffalo, New York, to house the additional staff. Of this total, 20
staff in headquarters are responsible for identifying behaviors and
activities that could be indicative of employer misuse, and 32 staff
in the field are responsible for monitoring employers and conducting
compliance activities. USCIS's fiscal year 2010 budget provided
funding for USCIS to hire an additional 44 E-Verify monitoring and
compliance analyst staff during fiscal years 2010 and 2011 to monitor
employer use and help ensure employer compliance with E-Verify.
According to USCIS's Verification Division Deputy Division Chief,
USCIS hired 22 of the 44 analyst staff budgeted for in fiscal year
2010 and plans to hire the additional 22 staff in fiscal year 2011.
According to senior E-Verify program officials, plans are underway to
open a second regional office in Lincoln, Nebraska, to house the 22
staff budgeted for in fiscal year 2011, as well an additional 58 staff
to provide outreach and customer support for E-Verify's monitoring and
compliance activities. USCIS has begun to interview candidates for
these positions in anticipation of opening the office this fiscal year.
Staff in the Monitoring and Compliance Branch's monitoring section are
tasked with identifying trends in employer use of E-Verify that may
indicate noncompliance with E-Verify. They examine employer behavior
by manually reviewing E-Verify transaction data stored in VIS. To
identify incidents of noncompliance, monitoring analysts are to look
for six employer behaviors.[Footnote 37] Staff in the branch's
compliance section are tasked with, among other things, educating
noncompliant employers about proper E-Verify use and addressing this
noncompliance by sending employers a letter, calling employers,
auditing employers' E-Verify documentation, or making visits to
employers' worksites. USCIS's fiscal year 2010 goal was to contact 2
percent (or 15,874) of the 793,706 worksites participating in E-Verify
to address issues related to employer noncompliance.[Footnote 38]
According to senior E-Verify program officials, compliance staff have
contacted 16,125 employers in fiscal year 2010, exceeding USCIS's
target by 251 contacts. E-Verify program officials reported that the
agency has started to measure the number of employers that have
adjusted their behavior after receiving a compliance letter or
telephone call. They told us that as of August 2010, about 80 percent
of these employers had adjusted their behavior in response to a
compliance letter or telephone call. However, USCIS was not able to
provide us with data to support the estimate. USCIS expects E-Verify
compliance activities to increase as USCIS augments its technology for
the Monitoring and Compliance Branch because the majority of the
monitoring workload will be automated, allowing staff to focus their
attention on addressing employer noncompliance.
Because the transaction data currently require manual review by
monitoring staff, senior E-Verify program officials reported that the
Monitoring and Compliance Branch is limited in its ability to fully
identify patterns and trends in the data that could signal employers'
noncompliance with all of the E-Verify rules. According to senior E-
Verify program officials, the branch will have the technical
infrastructure to support intended program activities by fiscal year
2012, when improved technology enabling automated analysis of E-Verify
transaction data is expected to be implemented.[Footnote 39]
Specifically, USCIS is depending on the implementation of an estimated
$6 million advanced data system to gain the capability to conduct
complex analyses of E-Verify data. USCIS expects this system, known as
the Data Analysis System, to automate about 80 percent of the
Monitoring and Compliance Branch's workload. USCIS's plans state that
the Data Analysis System is to employ algorithms and statistical
techniques to identify complex patterns of employer behaviors, such as
discrimination and fraud, while automating the detection of simple
behaviors. The plans also indicate that the system is to automatically
generate contacts with employers, such as e-mails and letters, and
record and store these contacts in a central database to maintain
auditable data on instances of system misuse.
USCIS's Compliance Efforts Include Employer Education, but the
Effectiveness of the Efforts Has Not Been Fully Assessed:
USCIS conducts educational activities to facilitate employers'
compliance with the E-Verify program. However, the agency has not
fully assessed the effectiveness of its efforts and therefore is not
in the position to know if they have achieved their intended purpose.
E-Verify compliance activities are designed to assist employers in
better understanding E-Verify procedures and deter them from improper
system use and protect employees against related discriminatory
practices. The E-Verify tutorial, which all new E-Verify users are
required to complete prior to performing any verification, is USCIS's
primary educational tool for registered users of E-Verify. Other USCIS
mechanisms for educating employers include presentations to interested
groups around the country, webinars (online educational sessions), a
customer service line to assist employers, publications, and guidance
posted on the E-Verify Web site.[Footnote 40] In addition, as noted
earlier, USCIS considers compliance actions, such as placing phone
calls and sending letters to noncompliant employers, to be educational
efforts.
USCIS has taken some actions to collect and use information about its
E-Verify educational activities. For example, as stated above, USCIS
has started to measure the number of employers that have adjusted
their behavior after receiving a compliance letter or telephone call.
Senior E-Verify program officials also noted that among other things,
USCIS's policy branch collects data from E-Verify users by conducting
surveys and uses the feedback to make updates, such as editing E-
Verify hotline call scripts and modifying E-Verify messages on the Web
site. They said that USCIS also tracks the number and types of calls
related to the tutorial, and adjusts information posted on the E-
Verify Web site to address the questions raised in these calls. Such
efforts to collect information can help USCIS improve its approach to
educating users about E-Verify and help users become more compliant
with E-Verify rules.
However, USCIS has not evaluated the extent to which employers
understand the information provided in the E-Verify tutorial and
therefore is not in the position to make improvements to the tutorial
based on systematic information.[Footnote 41] USCIS administers the
mastery test to newly registered users who have completed the E-Verify
tutorial and stores data on each correct and incorrect response on the
test. However, USCIS has not analyzed the test data to determine if
there are patterns in the data indicating that users did not
understand certain topics in the tutorial. The tutorial provides
information on a variety of topics, including how to initiate and
close a case, protect employees' personal information, and properly
verify employee eligibility through E-Verify, and on the potential
consequences associated with discriminatory behavior and other misuse
of E-Verify. Users who fail to achieve a passing grade of 70 percent
on the multiple choice mastery test are required to review the
tutorial and retake the test until they pass. According to senior E-
Verify program officials, as of October 2010, USCIS had not analyzed
the responses to the mastery test to determine if there were any
questions or topic areas that may be consistently problematic to test
takers, and whether the tutorial, the mastery test, or both may
benefit from revision. USCIS has not done this because, according to
senior E-Verify program officials, the computer program used to
analyze responses to the test was not able to generate retrievable
information on how test takers responded to individual questions.
We previously reported that evaluation is an integral part of training
and development efforts, and that agencies need to systematically plan
for and evaluate the effectiveness of training.[Footnote 42] Employing
systematic monitoring and feedback processes can help determine if
there are areas in the E-Verify training or the mastery test that
warrant revision. Senior E-Verify program officials told us that in
response to our raising this issue, they have met with and directed
contractor staff to take steps to ensure that information on each
response to each test question is retained and analyzed. According to
senior E-Verify program officials, USCIS expects analysis of E-Verify
test data to begin in fiscal year 2011 because, by then, there will be
sufficient historical data for analysis. However, E-Verify program
officials reported that they have not yet identified an approach for
analyzing the test data or using the analysis results, for example,
what statistical analyses will be conducted on the test data and how
will USCIS determine what, if any, test questions and tutorial content
should be revised. By developing an analysis plan for the mastery
test, and using the analysis results to make fact-based decisions
about whether and how to revise the test, the tutorial, or both, USCIS
would be able to better target its education efforts and ensure
employer compliance with the E-Verify program.
Agencies Are Likely to Continue to Face Challenges in Ensuring E-
Verify Compliance, Including Challenges in Investigating and
Sanctioning Noncompliant Employers:
Several factors could continue to make it challenging for USCIS to
attain its goal of ensuring employer compliance with E-Verify
requirements even after USCIS implements the planned improvements to
its monitoring and compliance capability. First, although USCIS has
instituted measures to validate the authenticity of registered E-
Verify users, the E-Verify transaction data do not allow USCIS to
determine whether the individuals who process queries through E-Verify
are the same individuals as those certified as E-Verify users.
[Footnote 43] This is because individuals who have not completed the
tutorial and mastery test are able to borrow the user names and
passwords of certified coworkers to gain access to the system.
[Footnote 44] These individuals may use the system incorrectly, in a
manner that leads to wrongful adverse action against authorized
workers who receive erroneous TNCs, or for fraudulent purposes such as
running different Social Security numbers and names to see what
combinations generate a work authorized decision.
Second, USCIS cannot monitor the extent to which employers follow
certain program rules as required by the E-Verify MOU because
interactions between employers and employees generally occur privately
in workplaces where USCIS does not have a presence. For example, USCIS
is generally not in the position to determine whether employers carry
out activities required by E-Verify, such as posting notice of their
participation in the E-Verify program, providing employees the letter
informing them of TNC findings, or referring employees to the
appropriate agency to resolve the TNC. Similarly, USCIS is generally
not in the position to determine whether employers engage in
activities prohibited by E-Verify, such as limiting the pay of or
terminating employees who receive TNCs, using E-Verify to prescreen
job applicants, or screening employees who are not new hires. USCIS
may be able to detect some of these noncompliant behaviors in visits
to worksites.[Footnote 45] However, workers who are wrongly terminated
or suffer other adverse employment consequences because employers fail
to follow the MOU receive no protection or remedies under federal law.
Third, if employers do not respond or remedy noncompliant behavior
after a contact from USCIS compliance staff, USCIS has minimal avenue
for recourse because it has limited authority to investigate employer
misuse and no authority to impose penalties against such employers.
USCIS can terminate an employer's access to E-Verify if USCIS
determines that the employer knowingly used the system for an
unauthorized purpose. However, this does not ensure that employers are
hiring legal workforces. To date, USCIS has not terminated any
employers for misuse of E-Verify. For enforcement action for
violations of immigration laws, USCIS must rely on ICE to investigate,
sanction, and prosecute employers.[Footnote 46]
However, ICE has reported that it has limited resources for
investigating and sanctioning employers that knowingly hire
unauthorized workers or those that knowingly violate E-Verify program
rules, and overall, ICE has expended relatively few resources on
carrying out such activities. To maximize the impact of limited
resources against the most significant threats and violators, senior
ICE officials reported that ICE agents apply risk assessment
principles to worksite enforcement cases by focusing on detecting and
removing unauthorized workers from critical infrastructure sites, such
as airports and nuclear power plants, and targeting egregious
employers that violate criminal statutes. In fiscal year 2009, ICE
spent 5.2 percent of its 10.4 million agent reported workload hours on
worksite enforcement, issued 52 fines as a result of Form I-9 audits,
and made 444 criminal and 1,654 administrative worksite enforcement
arrests.[Footnote 47] We reported in 2005 that worksite enforcement
was a relatively low priority under both the U.S. Immigration and
Naturalization Service and ICE, and that since fiscal year 1999, a
relatively small portion of overall agent resources have been
dedicated to the worksite enforcement program. In response, senior ICE
officials cited the need to devote their limited resources to what
they believe to be higher priorities. In addition to worksite
enforcement, ICE is responsible for investigating potential violations
of a wide range of federal criminal laws, including international drug
smuggling, illegal import and export of drugs and weapons, alien
smuggling, intellectual property violations, and money laundering.
In December 2008, ICE and USCIS signed a memorandum of agreement that
outlined the processes that the agencies are to use for sharing E-
Verify program information. Under the agreement, USCIS is to refer
significant E-Verify cases to ICE for investigative consideration,
with significant cases being those in which USCIS suspects employers
of (1) misuse, abuse, and fraudulent use of E-Verify at critical
infrastructure sites; (2) violations regarding the employment of
unauthorized aliens; (3) criminal activity; (4) failing to use E-
Verify for all employees as required by the E-Verify MOU; and (5)
retaining employees after receiving FNCs. The agreement also specifies
procedures for ICE to request E-Verify transaction data in support of
ongoing investigations.
Out of the employers that USCIS identified from December 2008 to
August 2010 as not complying with E-Verify rules and requiring further
action from ICE, USCIS referred 3 cases to ICE for investigation and
responded to 19 requests for E-Verify transaction data from ICE.
According to senior ICE officials, the cases referred by USCIS were
not significant threats or egregious violations and therefore did not
warrant a full investigation.[Footnote 48] They stated that referrals
from USCIS could be of more assistance if they were more closely
aligned with ICE's worksite enforcement priorities. Senior E-Verify
program officials told us that USCIS plans to start applying risk
assessment principles to its monitoring and compliance activities
after USCIS completes developing its technology for the Monitoring and
Compliance Branch. Both senior USCIS and ICE officials reported that
they are currently coordinating to help USCIS better target its
monitoring efforts. Specifically, senior E-Verify program officials
said that USCIS is part of a monitoring and compliance task force--
which includes other agencies and subject matter experts--to develop
and build requirements for how to use E-Verify transaction data to
better target and address the needs of stakeholders, including ICE.
An effective employment authorization system requires a credible
worksite enforcement program to ensure employer compliance with
applicable immigration laws. However, given ICE's existing priorities
and resource constraints, ICE is limited in its ability to investigate
and sanction employer noncompliance with immigration laws. Senior ICE
officials acknowledged that the same limitations would exist if E-
Verify became mandatory nationwide. Policy decisions about how to
effect a credible worksite enforcement program using E-Verify,
including the resources required for it, have yet to be made. The
success of the E-Verify program will ultimately be affected by these
decisions.
DHS Has Instituted Employee Privacy Protections for E-Verify, but
Resolving Erroneous TNCs and FNCs and Combating Discrimination Can Be
Challenging:
USCIS has taken actions to institute safeguards for the privacy of
personal information for employees who are processed through E-Verify,
but has not established mechanisms for employees to identify and
access personal information maintained by DHS that may lead to an
erroneous TNC or FNC, or for E-Verify staff to correct such
information. USCIS has also not developed policies and procedures for
E-Verify management program analysts to document the basis for their
work authorization decisions. USCIS has taken actions to mitigate the
civil rights and civil liberties risks associated with E-Verify by
holding interagency meetings with SSA, CRCL, and OSC. USCIS is
coordinating with OSC and CRCL to help reduce incidents of
discrimination by helping employees better understand their rights and
educating employers about their responsibilities under E-Verify.
USCIS Has Taken Actions to Protect the Privacy of Personal Information
of Employees Processed through E-Verify:
USCIS has taken actions to minimize risks to the privacy of personal
information of employees who are processed through E-Verify. The Fair
Information Practice Principles, adopted in a 2008 memorandum from
DHS's Chief Privacy Officer, are the basis for DHS's privacy policy.
These principles include Transparency, Individual Participation,
Purpose Specification, Data Minimization, Use Limitation, Data Quality
and Integrity, Security, and Accountability and Auditing (see appendix
II for additional information on these principles).[Footnote 49] USCIS
has generally addressed these principles within the E-Verify program.
For example, USCIS has addressed the Transparency principle by
publishing privacy notices in 2009 and 2010 that defined parameters,
including setting limits on DHS's collection and use of personal
information, for the E-Verify program and the Compliance Tracking and
Monitoring System.[Footnote 50] These privacy notices defined
parameters, including setting limits on DHS's collection and use of
personal information residing within E-Verify. USCIS has also
published public notices regarding privacy protections on the E-Verify
Web site. In addition, the USCIS Verification Division created a
Privacy Branch Chief position in January 2007, which DHS Privacy
Office officials stated has improved communication between the two
offices. USCIS has addressed the data minimization principle by
designing E-Verify to collect and share very little personal
information about individual employees. Specifically, E-Verify does
not require employers to collect any more information on employees
than has already been recorded on the Form I-9, and employers do not
have access to any of the underlying personal information used by E-
Verify to determine an employee's work eligibility. As a result, USCIS
has limited the amount of personally identifiable information
available to employers through the design of E-Verify. USCIS has
addressed the use limitation principle by limiting how management
program analysts can access and use information when searching the
available databases to confirm citizenship or work authorization
status. For example, management program analysts' access is limited to
the information that is applicable to the cases that are assigned to
them.
Employees and E-Verify Staff Face Challenges Resolving Erroneous TNCs
and FNCs:
Employees Have Limited Ability to Identify, Access, and Correct
Information That Causes Erroneous TNCs:
Employees are limited in their ability to identify, access, and
correct personal information maintained by DHS that may have led to an
erroneous TNC. If an employee chooses to contest a TNC, the employer
is required to provide the employee a referral letter that identifies
which agency an employee needs to visit or call to resolve the TNC and
close the case.
The process for resolving DHS-related TNCs can be difficult because
the E-Verify program does not have a process in place for employees to
identify and access personal information that was the source of the
erroneous TNCs. Currently, employees are not informed of which
specific records are the sources of an erroneous TNC. To identify and
access these records, employees must use a Privacy Act request.
Privacy Act requests allow individuals to gain access to their
personal records (unless the requested records are exempted from
disclosure) and to seek correction or amendment of federally
maintained records that are inaccurate, incomplete, untimely, or
irrelevant. An employee wishing to determine which specific records
led to the erroneous TNC may need to make separate Privacy Act
requests to several DHS components that may have been the source of
information involved in making the determination, because each DHS
component maintains its own data and has an independent office in
charge of responding to Privacy Act requests. According to senior
officials in DHS's Privacy Office, if there is an error in a DHS
database, individuals face formidable challenges in getting the
inaccuracy or inconsistency corrected because, among other things,
they have little information about what database led to the decision.
DHS processes Privacy Act and Freedom of Information Act requests in
the same manner, and the average response time for these requests in
fiscal year 2009 was approximately 104 days.[Footnote 51]
DHS's Privacy Office guidance calls for DHS components to adhere to
the Individual Participation Principle by providing mechanisms for
appropriate access, correction, and redress regarding DHS's use of
personally identifiable information.[Footnote 52] Privacy Office
officials acknowledged that the current process for employees to
access their personal records could be improved, and they said they
are discussing with senior E-Verify program officials ways to provide
employees with better access to relevant information.[Footnote 53] For
example, USCIS could inform employees about which types of records
were consulted to make an employment eligibility determination, which
could shorten the time and reduce the complexity of locating
information because employees could then directly contact the
appropriate DHS component to correct the information that led to an
erroneous TNC. Developing procedures that enable employees to
effectively access their personal information and have inaccuracies or
inconsistencies in that information corrected could help DHS minimize
the potential for employees receiving repeated erroneous TNCs.
In addition to the difficulties employees may experience in accessing
their personal information maintained by DHS, some employees might
also face challenges in understanding how to contest erroneous TNCs,
which is key to their ability to correct inaccurate information about
themselves. For example, officials from OSC and CRCL stated that
employees have expressed difficulty understanding TNC notification
letters and the procedures for requesting reversal of a TNC that they
believed to be in error.[Footnote 54] OSC officials stated that
employees believe that USCIS should simplify the TNC letters so that
people with limited literacy and English proficiency can better
understand the process. In June 2010, USCIS released updated versions
of both the TNC and referral notices, which include language that
according to USCIS can be more easily understood. E-Verify program
officials reported that they intend to further simplify the current
TNC letters in fiscal year 2012, and combine them with an updated
referral letter, so that employees will receive one letter notifying
them of both the TNC and the appropriate agency to contact to resolve
the TNC.[Footnote 55] USCIS reported that this initiative is a major
procedural change and will require revision of current E-Verify
processes as well as development of new procedures.
Limitations in USCIS's Ability to Correct Employee Information:
USCIS has taken actions to improve its ability to correct the personal
information that led to erroneous TNCs; however the agency has not
established mechanisms for its management program analysts to correct
errors in employees' personal information that is obtained from other
DHS components' databases. Instead, because it is not the owner of the
information, USCIS must contact the component that controls the
information and describe the error. Officials at the other DHS
components may then decide what steps, if any, to take to correct
their records.
According to DHS Privacy Office guidance, DHS agencies should, to the
extent practicable, adhere to the Data Quality and Integrity Principle
by ensuring that personally identifiable information is accurate,
relevant, timely, and complete.[Footnote 56] In addition, leading
practices call for agencies that routinely work together to establish
compatible policies and procedures, including those related to the use
of data systems, to effectively operate across agency boundaries.
[Footnote 57] DHS could increase the effectiveness of E-Verify in
producing accurate results--a stated goal--by ensuring that the
department's component agencies have procedures for ensuring that
personal information in their records and systems that led to an
erroneous TNC is corrected. Doing so could help ensure that the same
problems do not recur when individuals take new jobs and are again
processed through E-Verify. E-Verify program officials stated that
they recently created a Data Integrity Unit that will be tasked with
documenting errors in DHS databases and will work with other DHS
components, including CBP and ICE, to correct erroneous information
contained in their respective databases. This is an important first
step but by itself cannot ensure that inaccuracies or inconsistencies
are corrected when they are found. Specifically, USCIS, as one
component of DHS, may not be in a position to direct other components,
such as CBP and ICE, to adopt policies and procedures facilitating the
correction of errors. Establishing departmentwide procedures to ensure
that all components that own information involved in making work
authorization decisions collaborate in correcting inaccuracies or
inconsistencies could better position DHS to reduce the number of
erroneous TNCs. This is because unresolved inaccuracies or
inconsistencies in personal information put employees in the position
of facing repeated erroneous TNCs when applying for jobs.
E-Verify Staff's Decision-Making Process in Resolving Contested TNCs
Is Not Documented, Limiting USCIS's Ability to Ensure Consistent
Decisions:
USCIS does not require management program analysts to document the
process they used to resolve TNCs that were contested by employees.
According to Standards for Internal Control in the Federal Government,
to be effective, agencies need to clearly document all transactions in
a timely manner to ensure that they are making appropriately informed
decisions. Moreover, the standards call for clear documentation of
policies and procedures that is readily available for examination.
Without documentation of the process used to resolve TNCs that were
contested by employees, there is no institutional record of the
office's actions. Therefore, it may be difficult to review and
validate the decision-making process for effective management
oversight. Effective management oversight is important for ensuring
sound stewardship. Moreover, without documentation of the process used
to resolve TNCs that were contested by employees, E-Verify may not be
able to ensure that its staff consistently apply criteria it has
established, implement procedures as intended, or sustain those
efforts over time.
E-Verify program officials stated that there is a comment box in the
system used by management program analysts to document the actions
taken to resolve a TNC, in which they can note additional information
related to the resolution of a case. Such a box could be used to
document the basis for an analyst's resolution of a case. However,
according to E-Verify program officials, management program analysts
do not usually put any information in the comment boxes when resolving
a TNC because USCIS does not require them to enter this information
into the system. E-Verify program officials stated that while these
procedures are not currently required, they recognize the importance
of making and documenting accurate decisions, and plan to revise the
standard operating procedures to require this of management program
analysts. As of October 2010, USCIS had not set a timeline for
revising and implementing the procedures. By developing procedures for
management program analysts to document the basis for their work
authorization decisions, USCIS could help employees obtain information
about which types of records were consulted in making decisions about
contested TNCs and help minimize the potential for recurring erroneous
nonconfirmations. In March 2010, USCIS also established the Quality
Assurance unit that is intended, among other things, to monitor the
accuracy with which management program analysts resolve contested TNCs
and ensure that verifications are performed efficiently without
compromising accuracy.
SSA Has Implemented Controls to Reduce the Number of Erroneous FNCs:
According to senior SSA officials, some employees have received
erroneous SSA FNCs when they did not notify SSA field office staff
that they were attempting to resolve a TNC during a visit to a SSA
field office, and when SSA field office staff did not take the
appropriate steps to document the status and resolution of TNC cases.
SSA reported that the agency is taking steps to address this issue. EV-
STAR, an electronic communications link between SSA and the employer
that stores information on the status of cases on workers referred to
SSA for a TNC, requires SSA employees to note information about a
pending TNC resolution in the system. This is an important step
because when an employer refers an employee to SSA through E-Verify,
an 8-day clock starts. The employee must visit an SSA field office
during that time (8 federal workdays) to try to resolve the TNC. The
only way to extend the 8 days is for an SSA field office staff member
to access EV-STAR. If the employee's information is not verified
within this time frame, E-Verify will automatically notify the
employer of the FNC. In certain cases, these FNCs can be erroneous
because the employee is actually authorized to work but did not have
his or her information verified within the specified time frame. SSA
field office staff can extend the amount of time for an employee to
resolve a TNC to up to 120 days at 30-day intervals, but can only do
so if they make a notation in EV-STAR that the case is pending a TNC
resolution. However, SSA field office staff are not always aware that
the employee is attempting to resolve a TNC, either because the
individual does not notify staff that he or she is there for E-Verify
reasons or does not provide field office staff with a copy of the TNC
referral letter. As a result, staff may not make a notation in EV-STAR
to extend the case beyond 8 federal working days. Thus, if an employee
does not return with the required documentation within 8 federal
working days, the system will send an FNC response to the employer. In
addition, even when SSA staff know that an employee is attempting to
resolve a TNC, the staff do not always access EV-STAR to update cases
as pending because, according to senior SSA officials, EV-STAR is a
DHS system that requires staff to log into the system separately
outside of the SSA system they regularly use. Furthermore, senior SSA
officials told us that staff may also forget to update EV-STAR because
of field office workload demands.
Senior SSA officials stated that they cannot quantify how frequently
erroneous FNCs occur because of incorrect EV-STAR use, but noted that
the agency has worked with USCIS and OSC to address this problem.
Senior OSC officials noted that while SSA is taking steps to address
this issue, there is no formal appeals process for employees who
receive FNCs in error, and no mechanism for compensating employees who
are laid off or terminated as a result of receiving an erroneous FNC.
Senior SSA officials reported that SSA has implemented five actions to
address the issue of erroneous FNCs:
* SSA has created and distributed to its regional offices EV-STAR
usage reports that track the number of times field office staff access
EV-STAR. SSA reported that it created this report to enhance awareness
of E-Verify and EV-STAR by its regional and field offices.
* In October 2010, SSA modified its operating system to add a direct
link to EV-STAR. SSA told us that this modification will make it
easier for field office staff to access EV-STAR.
* SSA has created three alerts within its operating system to notify
field office staff when a Social Security number is associated with an
SSA TNC. These alerts have been designed to remind staff to access and
take appropriate action in EV-STAR. SSA told us that these alerts will
be deployed during fiscal year 2011.
* SSA has added a slide in its televised broadcast in field offices,
and is developing a poster, to advise individuals who are there to
resolve a TNC to let the field office staff know that their cases are
related to E-Verify.
* SSA has developed training for field office staff regarding the use
of EV-STAR.
While these actions could address the causes leading to employees
receiving erroneous FNCs because of SSA field office use of EV-STAR,
it is too soon to know if these actions will fully address the problem.
USCIS Has Taken Some Actions to Identify and Mitigate Civil Rights and
Civil Liberties Risks Associated with E-Verify and Faces Challenges in
Combating Employer Discrimination:
DHS Relies on Interagency Meetings to Identify and Mitigate Civil
Rights and Civil Liberties Risks:
Senior USCIS E-Verify program officials and CRCL officials said they
address issues related to employees' civil rights and civil liberties
risks in interagency meetings. Westat's 2009 report stated that the
erroneous TNC rate for employees who were eventually found to be
eligible to work was approximately 20 times higher for foreign-born
employees than for U.S.-born employees (2.6 percent versus 0.1
percent) from April through June 2008. Based on statistical
information provided us by USCIS for fiscal year 2009, the likelihood
of noncitizens receiving erroneous TNCs was greater than that for
citizens.[Footnote 58] As discussed earlier, employees may also face
challenges in understanding TNC letters and how to contest erroneous
TNCs. Given this, and USCIS's limited mechanisms for correcting errors
in personal information that have caused erroneous TNCs or FNCs,
increased potential exists for an adverse impact on individuals' civil
rights and civil liberties.
Assessing the risks posed by a program to civil rights and civil
liberties is intended to determine the extent to which programs,
policies, regulations, and guidelines comply with and safeguard civil
rights and civil liberties. Formal assessments, such as civil
liberties impact assessments, can offer assurance to the public that
individuals' rights are being protected. They are typically conducted
in instances when, for example, programs may have a direct impact on
certain racial or ethnic groups, or require or authorize the federal
government to collect personal information about private citizens.
[Footnote 59] According to a senior CRCL official, CRCL's approach to
addressing civil rights and civil liberties risks related to E-Verify
is to hold routine interagency meetings with USCIS to discuss
potential risks and recommend improvements to mitigate these risks.
The official noted that if E-Verify were to become mandatory, a more
formal assessment of civil rights and civil liberties issues could
address those issues that may have an impact on civil rights and civil
liberties.
Challenges to Combating Discrimination:
Employees may be vulnerable to discrimination under E-Verify if, for
example, employers engage in practices prohibited by E-Verify, such as
limiting the pay of or terminating employees who receive TNCs, or
prescreening job applicants. In 2009, Westat reported that some
employers who responded to its survey acknowledged engaging in such
practices. Specifically, of 2,320 survey respondents, 17.1 percent
(397) reported restricting work assignments until employment
authorization was confirmed; 15.4 percent (357) reported delaying
training until employment authorization was confirmed; and 2.4 percent
(56) reported reducing pay during the verification process. Westat
also reported that employers prescreened job applicants more often
than they self-reported. For example, in its employee interviews,
Westat found that of 396 workers who reported on their employment
status at the time their work authorization was determined through E-
Verify, 114 claimed to be job applicants rather than new hires. To
investigate job discrimination related to individuals' citizenship
status or national origin, USCIS must refer suspected cases of
discrimination to OSC.
Attempting to identify discrimination within E-Verify is challenging
because the E-Verify transaction database does not capture certain
employer behaviors that are indicative of discrimination, such as
denying employment based on citizenship status or national origin.
According to USCIS, its transaction database contains information on
two employer behaviors that may serve as indicators of discrimination:
(1) terminating an employee who receives a TNC and (2) processing
employees who are not new hires through E-Verify. E-Verify program
officials stated that these indicators could be used in combination
with other information, such as information obtained through a law
enforcement request, to pursue charges of discrimination against an
employer. Senior E-Verify program officials reported that they have
worked with OSC and subject matter experts on a task force to
determine how best to extract information from the E-Verify
transaction database to target issues such as discrimination.
According to USCIS, as it improves its E-Verify technical capability,
the agency will be better positioned to identify trends in
discrimination. To facilitate the exchange of information between
USCIS and OSC, in March 2010, USCIS signed a memorandum of agreement
with OSC. According to the agreement, USCIS is to refer to OSC all
cases of suspected discrimination that USCIS identifies. The agreement
also states that OSC is to refer cases of suspected nondiscriminatory
abuse or misuse of E-Verify to USCIS. From March 2010 to August 31,
2010, USCIS responded to approximately 78 requests for E-Verify
transaction data from OSC. Of these requests, 50 were requests for
technical assistance, and 28 were requests for enforcement purposes.
OSC has referred approximately 39 instances of nondiscriminatory
employer misuse of E-Verify from March 2010 to August 31,
2010.[Footnote 60] According to OSC, since the two agencies have
signed the agreement, USCIS has referred no cases of potential
discrimination to OSC.
To help employees better understand their rights, USCIS, OSC, and CRCL
have taken several actions. First, OSC's "Know Your Rights" poster for
employees includes, among other things, notice to employees that it is
illegal for employers to deny an employee the right to work based on
citizenship status or national origin and provides employees with the
contact information for OSC. While this poster was not created
specifically for the E-Verify program, employers participating in E-
Verify are required under the employer MOU to display the poster in a
visible location in both English and Spanish. Second, CRCL developed a
"You Should Know Your Rights and Responsibilities Under E-Verify"
brochure for employees--available on USCIS's Web site and in different
languages--to help employees better understand their rights and
responsibilities under E-Verify. Third, in March 2010, USCIS and CRCL
developed a video for employees that explains E-Verify rules and
policies, stresses the rights of employees, and reminds employees that
employers may not use E-Verify to discriminate against or prescreen
employees. Fourth, in April 2010, USCIS implemented an E-Verify help
line to handle complaints about employer misuse of the E-Verify
program and refer to OSC complaints about possible discrimination.
USCIS, OSC, and CRCL have also taken actions to better educate
employers on E-Verify rules and policies to help prevent both knowing
and inadvertent discrimination. For example, OSC has created a set of
"E-Verify Dos and Don'ts" to provide a quick reference guide for
participating employers on their responsibilities under E-Verify.
Through its hotlines for employers and employees, OSC also provides
general guidance and handles complaints on a variety issues, including
E-Verify issues.[Footnote 61] Lastly, USCIS and CRCL have developed an
employer video to stress the importance of following E-Verify
procedures to safeguard employee rights. Among other things, the video
advises employers that E-Verify requires them to permit workers to
contest TNCs with no adverse employment consequences, avoid using the
system on job applicants, and protect employee privacy.
USCIS and SSA Have Taken Actions to Prepare for Mandatory
Implementation of E-Verify by Adopting Practices for Effectively
Managing E-Verify System Capacity, but They Face Challenges in
Estimating Costs:
USCIS and SSA have taken actions to prepare for possible mandatory
implementation of E-Verify by addressing widely accepted industry
practices for effectively managing E-Verify system capacity and
availability and working together to coordinate the shared operation
of E-Verify. USCIS and SSA are in the process of developing an
agreement to define acceptable and unacceptable levels of service
required to support the E-Verify program, but have not established a
written service-level agreement to help ensure that SSA will be able
to meet E-Verify capacity demands and provide USCIS continuous service
in the future, or provided timeframes for when the agreement will be
completed. Additionally, in order to ensure that sound decisions are
made about future resource needs for E-Verify, USCIS and SSA have
developed life cycle cost estimates for the current E-Verify program.
However, USCIS's cost estimates do not reliably depict current E-
Verify cost and resource needs or cost and resource needs for
mandatory implementation. While SSA's cost estimates substantially
depict current E-Verify costs and resource needs, SSA has not fully
assessed the extent to which its workload costs may change in the
future.
USCIS and SSA Have Met Five of the Six Capacity Management Practices
for E-Verify Operations but Have Not Documented System Requirements
for Meeting Future Demands:
To manage current E-Verify system capacity and plan for future system
capacity needs, USCIS and SSA have met five of six practices
identified by the Software Engineering Institute as best practices for
establishing and maintaining capacity and availability of system
components. These key practices are integral to effective information
technology (IT) planning and are widely accepted by IT experts. Table
2 provides examples of how USCIS and SSA have addressed each of the
Software Engineering Institute's best practices for capacity
management.[Footnote 62]
Table 2: Effective Practices for Capacity Management and Planning and
the Extent to Which USCIS and SSA Have Addressed Each Practice:
Practices for effective capacity management and planning: 1. Establish
strategy for managing capacity and availability that defines, among
other things, service and resource requirements and availability and
system constraints;
Met.
How USCIS and SSA have addressed each practice: USCIS and SSA
developed a project management plan that defines staff resources
needed to support E-Verify. USCIS also developed a document that
discusses system constraints, such as requirements to meet security
standards and use external systems for sources of data.
Practices for effective capacity management and planning: 2. Select
measures, such as response time and reliability, and analytic
techniques to be used in managing the capacity and availability of E-
Verify;
Met.
How USCIS and SSA have addressed each practice: With input from SSA,
USCIS defined performance requirements for E-Verify, such as system
capacity and availability, along with system reliability and response
time requirements for notifying participating employers of
verification results.
Practices for effective capacity management and planning: 3. Monitor,
analyze, and report on current and future demands for system
performance;
Met.
How USCIS and SSA have addressed each practice: USCIS and SSA
routinely measure and monitor E-Verify system availability, system
response time, and continuity of service based on USCIS service
requirements of 99.5 percent system availability and an average
response time of 2 seconds per case and on performance reports.
Practices for effective capacity management and planning: 4. Establish
and maintain system representations, such as simulations of
transaction arrival rates and load testing, to provide insight into
how a system will work given specific work volumes and resources;
Met.
How USCIS and SSA have addressed each practice: USCIS and SSA
conducted simulations and load tests to confirm that their systems
will complete critical functions in a high transaction volume
environment without performance delays. E-Verify program officials
said that in 2007, USCIS successfully simulated an operational
transaction load commensurate with an annual rate of 240 million
queries per year--the higher estimate of the number of queries
expected to be generated by a mandatory E-Verify program.
Practices for effective capacity management and planning: 5. Identify
services to be delivered and levels of acceptable and unacceptable
service to be provided by an organization to support another
organization's business programs;
Met.
How USCIS and SSA have addressed each practice: According to senior E-
Verify program and SSA officials, USCIS and SSA have agreed to
proposed performance measures in regards to system availability,
average response time, and transaction volumes. Each fiscal year,
USCIS provides SSA an annual estimate of E-Verify transaction volumes
for the next fiscal year and anticipated volumes beyond that year to
help measure performance.
Practices for effective capacity management and planning: 6. Define
and document the requirements listed above in a service-level
agreement;
Not met.
How USCIS and SSA have addressed each practice: The agencies have not
established a written service-level agreement that describes
acceptable and unacceptable SSA service levels required to support the
E-Verify program.
Source: GAO analysis of the actions USCIS and SSA have taken to
establish and maintain capacity and availability of system components
for E-Verify operations.
[End of table]
We previously reported that capacity management is one of the most
critical responsibilities in the management of an IT environment.
[Footnote 63] It provides a structure for agencies to measure and
evaluate system performance to prevent or correct problems and to plan
for future capacity requirements based on estimated workloads. By
using capacity planning tools to prepare for how IT components and
resources should be configured to adequately support anticipated
future workloads, agencies can avoid interruptions in services and be
better prepared to effectively meet future demands. The capacity
management actions that USCIS and SSA have taken, as shown in table 2,
will enhance the agencies' ability to support future workload demands
in the event that E-Verify becomes mandatory nationwide.
As of October 2010, USCIS and SSA actions to address E-Verify system
capacity and availability issues had not included documenting system
requirements in a service-level agreement. Such an agreement could
help ensure that the agencies have a common understanding of how to
meet current and future E-Verify system demands. As shown in table 2,
defining and documenting system requirements in a service-level
agreement is the sixth practice for effective planning for
establishing and maintaining capacity and availability of system
components. This practice involves organizations identifying the
levels of acceptable and unacceptable service that one organization is
to provide another to support that organization's business programs.
In 2008, an independent contractor recommended that USCIS engage in a
service-level agreement with SSA to ensure that SSA understands and
agrees to the service levels for current and future needs of the E-
Verify program.[Footnote 64] According to USCIS, it has developed a
draft service-level agreement and provided it to SSA for its review.
Senior SSA officials told us that SSA is reviewing the agreement, but
they were unable to identify a date for when the agreement would be
reviewed and approved by both agencies. SSA reported that a service-
level agreement between SSA and USCIS for E-Verify would help
guarantee high availability and continuity of service for the program
and prevent issues with SSA's operation of E-Verify. SSA reported that
it currently monitors E-Verify volume and alerts USCIS of any
potential increases in the transaction volumes, but acknowledged that
without an agreement that sets forth parameters for system
availability and continuity of service, its other workload demands,
such as disability and retirement processing, could take precedence
over its E-Verify workload and disrupt E-Verify service. E-Verify
program officials reported that they are continuing to work with SSA
to incorporate additional performance parameters into the agreement,
including performance criteria for system availability, data security,
and system capacity. They noted, however, that the timeframe for
completing the agreement has not yet been worked out. SSA and USCIS
reported that the agreement needs to reviewed, negotiated, and
approved before it can be included in a future reimbursable agreement.
Standards for program management require that the specific steps
needed to complete a project be identified and documented, and that
milestones and time frames be established for completing projects.
[Footnote 65] Until USCIS and SSA document the terms of the service-
level agreement, including the steps needed to complete the agreement
in a manner that is acceptable to both parties and a time frame with
milestones for its completion, USCIS may not have reasonable assurance
that SSA will be able to provide continuous service for E-Verify
operations and meet the increased demands for system capacity in the
future.
USCIS and SSA Face Challenges in Accurately Estimating E-Verify Costs:
Sound Decisions about Future Resource Needs to Ensure the Success of E-
Verify Program Implementation Depend on USCIS and SSA Developing
Reliable Cost Estimates:
A reliable cost estimation process provides a sound basis for making
accurate and well-informed decisions about resource investments,
budget formulation, measurement of progress, and accountability for
results, and is critical to the success of any program. According to
OMB,[Footnote 66] federal agencies must maintain current and well-
documented estimates of program costs, and these estimates must
encompass the program's full life cycle. Among other things, OMB has
stated that a reliable life cycle cost estimate is critical to the
capital planning and investment control process. Without such an
estimate, agencies are at increased risk of making poorly informed
investment decisions, securing insufficient resources to effectively
execute defined program plans and schedules, and thus experiencing
program cost and schedule overruns and performance shortfalls.
Our research has determined that a reliable cost estimate possesses
four characteristics, which are summarized in table 3.
Table 3: GAO's Characteristics of a Reliable Cost Estimate:
Characteristic: Comprehensive;
Description: A comprehensive cost estimate should include all
government and contractor costs over the program's full life cycle,
provide sufficient detail to ensure that cost elements are neither
omitted nor double counted, and document all cost-influencing ground
rules and assumptions.
Characteristic: Well-documented;
Description: A well-documented cost estimate should capture in writing
such things as the source and significance of the data used, the
calculations performed and their results, and the rationale for
choosing a particular estimating method or reference. A well-
documented estimate can be easily reconstructed by an outside source
and should be reviewed and accepted by management.
Characteristic: Accurate;
Description: An accurate cost estimate should be, among other things,
based on historical data reflecting most likely costs, adjusted
properly for inflation, and validated against an independent cost
estimate. An accurate estimate should be updated regularly to reflect
material changes in the program and actual cost experience on the
program, and steps should be taken to minimize mathematical mistakes.
Characteristic: Credible;
Description: A credible cost estimate should discuss any limitations
in the analysis caused by uncertainty or biases surrounding the data
and assumptions. Major assumptions should be varied, and other
outcomes computed to determine how sensitive the estimate is to
changes in the assumptions. Risk and uncertainty inherent in the
estimate should be assessed and disclosed.
Source: GAO Cost Estimating and Assessment Guide.
[End of table]
We reviewed USCIS's and SSA's cost estimates for E-Verify, compared
them against the above four characteristics, and assessed the extent
to which the agencies met the characteristics of a reliable cost
estimate. A reliable cost estimate consists of 12 best practices that
can be grouped into four characteristics. We determined that the
characteristic was (1) not met if the agency provided no evidence that
satisfied any portion of the criterion, (2) minimally met if the
agency provided evidence that satisfied less than one-half of the
criterion, (3) partially met if the agency provided evidence that
satisfied about one-half of the criterion, (4) substantially met if
the agency provided evidence that satisfied more than one-half of the
criterion, and (5) met if the agency provided complete evidence that
satisfied the entire criterion. We assigned a value ranging from 1 to
5 indicating the extent to which the agencies met each best practice,
and averaged the values for the practices that were associated with
each characteristic. (See appendix I for a list of the 12 best
practices.)
USCIS Has Partially Met Three of Four Characteristics of a Reliable
Cost Estimate:
Our analysis showed that USCIS's E-Verify estimates partially met
three of four characteristics of a reliable cost estimate and
minimally met one characteristic. In December 2009, USCIS provided us
a life cycle cost estimate of $508 million for funding E-Verify as a
nonmandatory program through fiscal year 2020, at which time USCIS
expects that E-Verify will need to be replaced. The $508 million
includes $16 million for planning, $182 million for acquisition, $261
million for operations and maintenance, $17 million for security, and
$32 million for government full-time employees.
USCIS's cost estimate was:
* Partially comprehensive because it was developed by in-house
personnel with assistance from subject matter experts, and outlined a
schedule for completing the work and the approach for developing the
estimate. The cost estimate is not fully comprehensive because USCIS's
estimation of E-Verify development costs did not break E-Verify down
into its smaller specific components. For instance, USCIS provided
high-level cost estimates for both government and contractor efforts
associated with developments and enhancements but lacked estimates for
detailed system requirements. E-Verify program officials stated that
the large number of ongoing enhancements to E-Verify prohibited it
from doing a more in-depth analysis sufficient to ensure that all
costs have been considered. By breaking costs down into small
components, an agency positions itself to more precisely identify
which components cause cost or schedule overruns so that root causes
can be readily determined if needed. USCIS's cost estimate also did
not include detailed E-Verify system requirements, historical cost
data, or full life cycle costs.
* Partially documented because USCIS briefings and other documents
together describe program requirements, purpose, technical
characteristics, acquisition strategy, and operational plan. USCIS has
not, however, prepared a development plan and identified program risks
in accordance with best practices. USCIS's cost estimate also does not
include the supporting documentation and calculations that would allow
someone unfamiliar with the cost estimate to easily re-create it.
* Partially accurate because USCIS used historical data and cost
performance reports to help predict future costs. The cost estimate is
not fully accurate, however, because it was not validated against an
independent cost estimate--a required best practice--and does not
include all applicable life cycle costs, as stated above. Moreover,
USCIS's and SSA's cost estimates are incongruent, with USCIS' estimate
being 15 percent lower than SSA's. In contrast to SSA's detailed cost
estimates, USCIS's estimates for SSA were not explained or supported
by backup data.
* Minimally credible because while USCIS assessed E-Verify's ability
to meet the requirements of the current voluntary program, a potential
mandated program, and growth under both scenarios with the help of
subject matter experts, it did not carry out other activities. For
example, the agency did not (1) perform an independent cost estimate
on E-Verify, (2) perform a sensitivity analysis to determine which
factors could affect the cost estimate, or (3) identify the risks
associated with changes in the projected number of E-Verify cases or
SSA's E-Verify workload. Projected case volumes can fluctuate for
various reasons, such as state legislation or policy changes, and case
volumes directly affect SSA's workload. Given that USCIS reimburses
SSA for its costs for operating E-Verify, determining these risks
would allow USCIS to better predict future costs under different
scenarios.
USCIS acknowledged the limitations in its cost estimates for E-
Verify, and attributed the limitations in the comprehensiveness,
documentation, accuracy, and credibility of its estimates to a range
of factors, including competing program office priorities and USCIS's
limited cost-estimating capabilities. Senior E-Verify program
officials told us that since February 2010, USCIS has contracted with
a federally funded research and development center to perform a
comprehensive analysis of E-Verify's technical infrastructure--VIS--
including developing an independent cost estimate of the life cycle
costs of E-Verify in an effort to better comply with our cost-
estimating guidance. Senior E-Verify program officials also told us
that the agency is working with USCIS's Office of Information
Technology's Cost Estimate Section to review and evaluate the cost
estimates for VIS's contract re-compete effort, and stated that in
June 2010 it launched an initiative to regularly report risks related
to VIS and system costs to DHS. However, until it generates a reliable
life cycle cost estimate for E-Verify, USCIS is at increased risk of
not making informed investment decisions, understanding system
affordability, and developing justifiable budget requests for future E-
Verify use and potential mandatory implementation.
SSA Has Substantially Met Three of Four Characteristics of a Reliable
Cost Estimate, but Challenges Exist with Predicting E-Verify Workload:
Our analysis showed that SSA's E-Verify estimates substantially met
three of four characteristics of a reliable cost estimate and
partially met the fourth characteristic. SSA's life cycle cost
estimate for fiscal years 2010 through 2015 of almost $66 million
includes approximately $14 million in costs that have already been
incurred for developing the Isolated Environment, which was designed
for dedicated use by E-Verify, $18 million for fiscal years 2010
through 2013 to maintain this system; and $34 million for fiscal years
2010 through 2015 to provide administrative support to SSA field
offices and a toll-free number to respond to TNC inquiries. SSA's cost
estimate was:
* Substantially comprehensive because SSA accounted for both
government-and contractor-related cost elements for E-Verify. SSA's
ability to develop cost estimates for operating and supporting E-
Verify was enhanced by the availability of information on the actual
costs of developing E-Verify, as SSA had already developed and
deployed the Isolated Environment. SSA's cost estimate was detailed in
that costs were neither omitted nor double counted. For example, all
development resources and associated cost elements required to
develop, produce, deploy, and sustain E-Verify have been accounted
for, as required by best practices. In addition, SSA provided detailed
assumptions about such things as the skill level of software
programmers, level of user involvement, and field office workload,
which are important cost drivers of E-Verify development and support
costs. Like USCIS, however, SSA did not break E-Verify development
costs into its smaller specific components as suggested by best
practices.
* Substantially well-documented because SSA's estimate addressed many
of the best practices we assessed. For example, USCIS gathered data on
historical actual costs and from program and technical sources, such
as blanket purchase agreements and actual invoices for hardware such
as mainframes, and software development data from similar projects.
Moreover, based on the documentation SSA provided to us regarding
operating and support costs, we were able to easily re-create SSA's
cost estimate. SSA's development cost estimate did not fully provide
the supporting documentation and calculations, as required under best
practices, but since SSA has completed the development effort, it now
has a spreadsheet of actual costs that override the initial estimate.
* Substantially accurate because, as noted above, SSA has actual costs
for its development effort which enabled it to update its estimate
with actual development costs. SSA's operating and support cost
estimates were supported by data on labor hours and a detailed list of
the hardware and software necessary for E-Verify operation. SSA also
identified the inflation indexes it used to estimate costs and relied
on actual data from its cost accounting systems, as well as earned
value management data, to collect actual costs. The cost estimate did
not fully meet best practices because it was not validated against an
independent cost estimate and did not include all costs associated
with maintaining the system.
* Partially credible because SSA identified as key cost drivers the
costs associated with system hardware, storage, and labor, and also
estimated the costs for administrative operations, such as the number
of E-Verify cases and SSA E-Verify workload. In addition, SSA
conducted a sensitivity analysis to determine which communication
technology would best allow SSA field staff to address phone
inquiries. Further, there is less risk to SSA's estimates going
forward because development efforts for the Isolated Environment are
now complete. Regarding operations and support cost estimates, which
constituted nearly 80 percent of the cost estimate, however, SSA did
not adequately address the inherent risk and uncertainty within the
estimate or the limitations associated with the assumptions used to
create it. Although SSA stated that it routinely assesses the risk and
uncertainty in developing its estimate of E-Verify costs, it does not
use statistical models to quantitatively determine the extent of
variability around its cost estimate. For example, SSA did not
identify the risks associated with changes in the projected number of
E-Verify cases or SSA's E-Verify workload, or document and assess the
risks of these assumptions varying. Changing the number of projected E-
Verify cases can affect SSA's workload projections, and would result
in changes to SSA's final cost estimate. We performed our own analysis
and found that increasing either the number of cases or SSA's workload
projections by 10 percent would increase SSA's total cost by almost
$0.5 million.
SSA officials attributed the limitations of SSA's documentation of its
life cycle cost estimates to the fact that OMB does not require SSA to
develop life cycle cost estimates outside of its 5-year window. SSA
officials told us that SSA develops costs estimates for only 5 years
to better control for changes in system costs, such as hardware
upgrades, as these costs tend to be less stable than other costs. SSA
officials told us that they have developed system cost estimates
through fiscal year 2020 because of the variability associated with
the costs involved. SSA officials also attributed the limitations
associated with credibility in its cost estimates to its ability to
recoup all actual costs for E-Verify system maintenance and operations
pursuant to its reimbursable agreement with USCIS. Therefore,
according to SSA, SSA will incur more operational work if E-Verify
transaction volume increases, but will bear no additional costs
because USCIS must reimburse SSA for all expenses. While there is no
risk for SSA if cost overruns occur, there is risk to USCIS because it
has to pay for all costs incurred by SSA for operating E-Verify and
resolving TNCs. For example, SSA's workload increased from processing
85,869 TNC cases in fiscal year 2007 to processing 88,235 TNC cases in
fiscal year 2009. However, the extent to which SSA's workload may
either increase or decrease in the future is not known. According to
cost estimating best practices, a credible cost estimate should
discuss any limitations in the analysis caused by uncertainty or
biases surrounding the data and assumptions. By not assessing the
inherent risk and uncertainty within its estimate or the limitations
associated with the assumptions used to create it, SSA will not be
able to reliably determine the extent to which its workload costs may
change if the projected, or estimated, number of E-Verify cases is
greater or less than expected, and may not be able to provide
assurance to USCIS that it can provide the required level of support
for E-Verify operations if it experiences cost overruns within any one
fiscal year.[Footnote 67]
Conclusions:
E-Verify is a widely used employment verification system in the United
States and may become a key part of federal efforts to reform the
immigration system. Since we last testified in June 2008, USCIS and
SSA have taken actions that have helped improve the accuracy of E-
Verify and reduce opportunities for unauthorized workers to use
fraudulent documents to gain employment. These efforts
notwithstanding, the government's ability to ensure an authorized
workforce is limited because E-Verify, like the Form I-9 process on
which it is based, is vulnerable to identity fraud. Identity fraud can
allow E-Verify to erroneously verify individuals who fraudulently use
the valid documents of others to gain employment. Documents with
enhanced security features, such as biometrics, may help to resolve
some of these weaknesses, but they may be costly and generate privacy
concerns. Further, worksite enforcement is an integral part of an
effective employment authorization system, but resource limitations
have impeded ICE from investigating and sanctioning all but the most
egregious employer violators of worksite immigration laws. If E-Verify
became mandatory and worksite enforcement resources continued to be
limited to egregious employer violators, more unscrupulous employers
could have the opportunity to hire unauthorized workers without much
risk of detection.
USCIS's actions to improve the accuracy of E-Verify have included
adding tools to help identify fraudulent documents, expanding the
number of databases queried through E-Verify, and instituting quality
control procedures to screen for data entry errors. However, USCIS can
further improve the accuracy of E-Verify by taking additional actions
to help prevent erroneous TNCs attributable to name mismatches,
particularly for individuals--often foreign-born, naturalized, or
both--who have multiple or hyphenated surnames. Disseminating
information to employees on the importance of providing consistent
name information to employers, SSA, and DHS can help better ensure
data accuracy and reduce the appearance of discrimination toward
certain cultural groups because of the disparate impact of these kinds
of erroneous TNCs on such groups.
With respect to monitoring and compliance, USCIS has increased the
size of its staff but remains limited in its ability to ensure
employer compliance with E-Verify policies and procedures. As part of
its efforts to help employers understand E-Verify rules so that they
can better comply with them, USCIS developed an E-Verify tutorial and
requires that employers pass a mastery test before they use E-Verify.
By developing an analysis plan for the mastery test, analyzing test
response data, and using the results of that analysis to revise the
test, the tutorial, or both, USCIS would be able to better target its
education efforts and ensure employer compliance with the E-Verify
program.
Regarding privacy protections, USCIS has taken actions to minimize
risks to the privacy of personal information for new employees.
However, employees are limited in their ability to identify, access,
and correct information in DHS databases that has led to erroneous
TNCs. Developing procedures that enable employees to effectively
access their personal information and have inaccuracies or
inconsistencies in that information corrected could help DHS minimize
the potential for employees to receive repeated erroneous TNCs. In
addition, establishing departmentwide procedures to ensure that all
components that own information involved in making work authorization
decisions collaborate in correcting inaccuracies or inconsistencies
could better position DHS to reduce the number of erroneous TNCs and
help to increase the effectiveness of E-Verify by enhancing accuracy.
Moreover, because management program analysts are not required to
document the actions taken to resolve a TNC, it will be difficult for
USCIS to have a basis for ensuring that decisions will be made
consistently and obtain reasonable assurance that erroneous TNCs will
not continue to occur if the resolution of such TNCs has not been
documented. By developing procedures for management program analysts
to document the basis for their work authorization decisions, USCIS
could help inform employees about which types of records were
consulted in making decisions about contested TNCs and help minimize
the potential for recurring erroneous nonconfirmations.
USCIS and SSA have taken actions to prepare for a possible mandatory E-
Verify implementation, but they could be better positioned to ensure
that SSA will be able to provide continuous E-Verify service and meet
increased demands for system capacity in the future by developing a
written service-level agreement. Further, by developing a life cycle
cost estimate for E-Verify using the four characteristics of a
reliable estimate, USCIS would be better positioned to make informed
investment decisions, understand system affordability, and develop
justifiable budget requests for future E-Verify use and potential
mandatory implementation. Finally, by assessing the risk and
uncertainty within SSA's E-Verify workload estimate, as well as the
limitations associated with the assumptions used to create it, in
accordance with best practices, SSA will be able to provide assurance
to USCIS that it can provide the required level of support for E-
Verify operations.
Recommendations for Executive Action:
We are making the following eight recommendations:
To reduce the likelihood of name-related erroneous TNCs for employees
with multiple or hyphenated surnames, we recommend that the Director
of USCIS disseminate information to employees, for example, through
CRCL's instructional videos for employees, in DHS's A Guide to
Naturalization, and at naturalization ceremonies, on the potential for
name mismatches and how to record their names consistently when
providing name information to employers, SSA, and DHS.
To better target USCIS's education efforts and ensure employer
compliance with the E-Verify program, we recommend that the Director
of USCIS develop an analysis plan for the mastery test and use the
analysis results to make fact-based decisions about whether and how to
revise the test, the tutorial, or both.
To ensure that employees have the ability to access and correct
inaccuracies or inconsistencies in personal information within DHS
databases that may have led to erroneous TNCs and minimize the
potential for employees receiving repeated erroneous TNCs, we
recommend that the Director of USCIS develop procedures that enable
employees to access personal information and correct inaccuracies or
inconsistent personal information in DHS databases.
To improve the accuracy of the source data used to make employment
eligibility decisions and decrease the potential for recurring
erroneous nonconfirmations, we recommend that the Secretary of
Homeland Security direct the heads of DHS components to coordinate
with one another to develop procedures to correct inaccurate or
inconsistent information in their records and systems that may have
led to erroneous TNCs or FNCs.
To decrease the potential for recurring erroneous nonconfirmations, we
recommend that the Director of USCIS develop procedures for management
program analysts to document the basis for their work authorization
decisions.
To help ensure that SSA will be able to meet the capacity demands of
the E-Verify program and provide USCIS with continuous service in the
future, we recommend that the Director of USCIS and the Commissioner
of SSA finalize the terms of the service-level agreement that defines
the requirements for SSA to establish and maintain the capacity and
availability of its system components for E-Verify, including the
steps needed to complete the agreement in a manner that is acceptable
to both parties and a timeframe and milestones for its completion.
To ensure that USCIS has a sound basis for making decisions about
resource investments for E-Verify and securing sufficient resources to
effectively execute defined program plans, we recommend that the
Director of USCIS ensure that a life cycle cost estimate for E-Verify
is developed in a manner that reflects the four characteristics of a
reliable estimate consistent with best practices--comprehensive, well-
documented, accurate, and credible.
To ensure that SSA can accurately project costs associated with its E-
Verify workload, as well as estimates for potential mandatory
implementation of E-Verify, we recommend that the Commissioner of SSA
assess the risk and uncertainty within SSA's E-Verify workload
estimate as well as the limitations associated with the assumptions
used to create it, in accordance with best practices, to ensure that
SSA can provide the required level of support to USCIS and E-Verify
operations.
Agency Comments and Our Evaluation:
We provided a draft of this report to DHS and SSA for their review and
comment. We received written comments from DHS, which are reprinted in
appendix III. DHS generally concurred with the recommendations in this
report and discussed actions it has underway or is planning to take in
response to these recommendations. However, it is not clear to what
extent these actions will fully address the intent of 3
recommendations. DHS also provided us technical comments, which we
incorporated as appropriate.
To address the first recommendation that USCIS disseminate information
to employees that name mismatches can result in erroneous TNCs and how
to record their names consistently, DHS stated that it concurred and
noted that on November 8, 2010, USCIS began to distribute the U.S.
Citizenship Welcome Packet at all naturalization ceremonies to advise
new citizens to update their records with SSA. As discussed in the
report, USCIS also issued a contract for a study on name-related TNCs
and included language in A Guide to Naturalization that advises newly
naturalized citizens to update their records with SSA. USCIS plans to
use the results from the study, expected in the third quarter of
fiscal year 2011, to enhance its name matching algorithms and provide
improved guidance to individuals who use the E-Verify system. These
are useful steps toward reducing the likelihood of name-related
erroneous TNCs, but do not fully address the intent of the
recommendation because they do not specifically provide information to
employees on how prevent a name-related TNC. Therefore, they still
leave open the possibility that employees with multiple or hyphenated
surnames will not consistently record their name on various
authorizing documents when updating their records. Thus, we continue
to encourage USCIS to provide information to employees on the
importance of recording their names consistently.
Regarding the second recommendation that USCIS develop an analysis
plan for the E-Verify mastery test and use the analysis results to
make decisions about whether and how to revise the test, the tutorial
or both, USCIS concurred and commented that it began to analyze the
mastery test results following a June 2010 mastery test revision,
although it did not specifically mention when the analysis began. As
discussed in the report, as of October 2010, USCIS officials reported
that USCIS had not yet begun to analyze the mastery test results.
Thus, since USCIS undertook this effort after we concluded our review
of this issue in October 2010, we have not examined the extent to
which USCIS's analytic approach fully addresses our recommendation.
Regarding the third recommendation that USCIS develop procedures to
enable employees to access personal information and correct
inaccuracies or inconsistencies in such information within DHS
databases, DHS stated that USCIS concurred. DHS stated that USCIS is
piloting a process whereby USCIS staff assist employees who receive
TNCs by submitting an electronic application to request a records
update. USCIS's Verification Division Deputy Division Chief explained
in a follow-up discussion that this pilot process is limited to a
small number of individuals who contact USCIS regarding a TNC and also
have a current application for an immigration benefit (such as an
application for permanent residency). Therefore, employees receiving a
DHS TNC who are not in the immigration benefit application process
would not receive this type of assistance. USCIS also commented that
individuals who call USCIS to resolve a DHS TNC are referred to local
USCIS or CBP offices, and ports of entry, to correct records when
inconsistent or inaccurate information is identified. Although such
referrals provide employees the ability to access agencies that
maintain personal information on them, USCIS does not have operating
procedures in place for management program analysts to explain to
employees what personal information produced the TNC or what specific
steps they should take to correct the information. As noted in the
report, DHS also stated that USCIS is developing an E-Verify Self-
Check program which will allow individuals to check their own work
authorization status against SSA and DHS databases prior to applying
for a job. While this should help individuals avoid receiving an
erroneous TNC when they are hired for a job, it will not benefit newly
hired employees who have already received such a TNC. We encourage
USCIS to continue its efforts to develop procedures enabling employees
to access and correct inaccurate and inconsistent personal information
in DHS databases.
Regarding the fourth recommendation that DHS components coordinate
with one another to develop procedures to correct inaccurate or
inconsistent information in their records and systems that may have
led to erroneous TNCs or FNCs, DHS concurred. DHS noted, as stated in
the report, that it will continue to work with its components to
ensure that E-Verify provides the most accurate and up-to-date
information on immigration status and that inaccuracies in various
systems' source data are corrected.
Regarding the fifth recommendation that USCIS develop procedures for
documenting the basis for work authorization decisions, DHS concurred
and stated, as noted in the report, that it plans to modify its
standard operating procedures in fiscal year 2011 and its Status
Verification System in fiscal year 2013 to facilitate documentation of
work authorization decisions. Such action is consistent with the
intent of the recommendation and should help decrease the potential
for recurring erroneous nonconfirmations.
To address the sixth recommendation that USCIS and SSA finalize the
terms of the service-level agreement to help ensure that SSA will be
able to meet the capacity demands of the E-Verify program and provide
USCIS with continuous service, DHS stated that USCIS concurred and
has, as noted in the report, drafted a service-level agreement that is
under review at SSA.
To address the seventh recommendation that USCIS ensure a life cycle
cost estimate for the E-Verify program is developed in a manner that
reflects the characteristics of a reliable cost estimate consistent
with best practices, DHS stated that USCIS concurred and is in the
process of finalizing a new life cycle cost estimate that meets such
criteria. Such action should help ensure that DHS has a sound basis
for making decisions about its E-Verify resource investment.
We also received written comments from SSA, which are reprinted in
appendix IV. SSA also agreed with the sixth recommendation that it
complete a service-level agreement with USCIS and stated that it plans
to have such an agreement in place by March 2011. However, SSA did not
agree with the eighth recommendation that it assess the risk and
uncertainty within its E-Verify workload estimates to ensure that SSA
can provide the required level of support to USCIS and E-Verify
operations. SSA stated that it routinely assesses the risk and
uncertainty when developing assumptions for E-Verify workload
estimates and administrative costs related to proposed legislation.
SSA also stated that if E-Verify were to become mandatory, SSA would
adapt its budget models and recalculate estimated costs based on the
new projected workload volume. As discussed in the report, SSA does
not conduct a risk and uncertainty analysis that uses statistical
models to quantitatively determine the extent of variability around
its cost estimate or identify the limitations associated with the
assumptions used to create the estimate. As a result, we continue to
believe that SSA should adopt this best practice for estimating risks
to help it reduce the potential for experiencing cost overruns for E-
Verify. SSA also provided us technical comments, which we incorporated
as appropriate.
We also provided a copy of this draft to CRCL, OSC, ICE, and the
Department of State. CRCL and OSC provided technical comments, which
we incorporated as appropriate. ICE and the Department of State
informed us that they had no comments.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies to the
Secretary of Homeland Security, the Commissioner of the Social
Security Administration, and other interested parties. The report also
will be available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staff members have any questions about this report,
please contact me at (202) 512-8777 or stanar@gao.gov. Contact points
for our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report. GAO staff who made major
contributions to this report are listed in appendix V.
Signed by:
Richard M. Stana:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
You requested that we examine the Department of Homeland Security's
(DHS) U.S. Citizenship and Immigration Services (USCIS) and the Social
Security Administration's (SSA) operation of the E-Verify program and
their efforts to address previously reported concerns. For this
review, we examined the progress that USCIS and SSA have made since we
last testified in June 2008. Specifically, we examined the extent to
which:
* USCIS has reduced the incidence of tentative nonconfirmations (TNC)
and E-Verify's vulnerability to fraud,
* USCIS has improved its ability to monitor employer noncompliance and
ensure compliance with E-Verify program policies and procedures,
* USCIS has provided safeguards for employees' personal information in
E-Verify and enabled employees to correct inaccurate information, and:
* USCIS and SSA have taken steps to prepare for mandatory E-Verify
implementation.
To determine the extent to which USCIS has reduced the incidence of
TNCs and E-Verify's vulnerability to fraud, we analyzed reports on E-
Verify issued by SSA's Office of the Inspector General, the Westat
Corporation (Westat), USCIS's Ombudsman, and public policy think
tanks, such as the Migration Policy Institute and the Center for
Immigration Studies. We analyzed relevant legislation pertaining to E-
Verify, USCIS and SSA program documentation on enhancements made to
the E-Verify program since we testified in June 2008, E-Verify
standard operating procedures, indicators and goals for reducing both
the TNC rate and identity fraud, performance measures for assessing
system accuracy, statistics quantifying the reduction in TNCs and
identity fraud as a result of enhancements made, and interagency
agreements. We reviewed videos developed jointly by USCIS's
Verification Division, the division overseeing the E-Verify program,
and DHS's Office for Civil Rights and Civil Liberties (CRCL) on
employee rights, and SSA documentation on its initiatives to assist
employees with name and citizenship changes. We analyzed data on the
results of E-Verify queries for fiscal year 2009. To determine whether
the data were reliable, we interviewed senior E-Verify program
officials from USCIS's Verification Division about their procedures
for ensuring data quality in the transaction database, which stores E-
Verify queries, and senior SSA officials about their procedures for
ensuring data quality in the Numerical Identification System
(Numident), which stores information on all individuals in the United
States with Social Security numbers. We questioned E-Verify program
and SSA officials about the sources of the data and policies and
procedures used to maintain the integrity of these data. We also
analyzed the SSA's Office of the Inspector General's report on
Numident data accuracy, and determined that its review provided
sufficient assurance of the quality of those variables used in the E-
Verify process.[Footnote 68] Based on our analysis of the information
obtained, we determined that USCIS's and SSA's E-Verify data were
sufficiently reliable for reporting purposes. We interviewed senior
officials from the State Department to discuss the agency's efforts to
coordinate with USCIS on implementation of the photo matching tool and
associated challenges with incorporating passport photographs into E-
Verify. We interviewed officials from the American Association of
Motor Vehicle Administrators to determine the extent to which USCIS
has made progress in coordinating with the association to incorporate
driver's license data and photographs into E-Verify and what
challenges remain. We also reviewed the E-Verify evaluation conducted
by Westat in December 2009, including Westat's methodology for
collecting data from employers using E-Verify, and for estimating the
percentage of unauthorized employees that E-Verify incorrectly
confirmed as work eligible. Although the data were subject to various
sources of error, which Westat acknowledged in its report, we believe
Westat's approach was appropriate and produced a credible estimate
given the limitations of the data.
To determine the extent to which USCIS has improved its ability to
monitor employer noncompliance and ensure compliance with E-Verify
program policies and procedures, we analyzed E-Verify program
documentation on enhancements made to the Monitoring and Compliance
Branch since we testified in June 2008, including USCIS's efforts to
develop new technology to assist the branch in better identifying
trends in employer noncompliance and open additional regional offices
to help oversee employer compliance with the program. We analyzed the
branch's standard operating procedures for identifying employer
noncompliance, its training plan for its monitoring and compliance
analysts, and its plan for contacting noncompliant employers to
address incidents of noncompliance with E-Verify policies and
procedures. We reviewed USCIS's staffing model for the branch, as well
as cost estimates for staffing the branch in fiscal years 2010 and
2011. We analyzed the E-Verify tutorial that USCIS requires employers
to complete before participating in E-Verify and the tutorial mastery
test, as well as practices for evaluating the effectiveness of
training and development programs. We reviewed documentation on other
E-Verify educational activities available through the E-Verify Web
site that USCIS conducts to assist employers with E-Verify compliance.
We conducted interviews with senior E-Verify program officials at
USCIS, senior officials at U.S. Immigration and Customs Enforcement
(ICE), and senior officials at the Department of Justice's Office of
Special Counsel for Immigration-Related Unfair Employment Practices
(OSC) to determine what procedures have been put in place to address
and sanction employer noncompliance with E-Verify program rules and
the extent to which the agencies were coordinating with one another to
address employer noncompliance. We also analyzed an interagency
agreement between USCIS and ICE to determine the extent to which the
agencies are coordinating to address noncompliance issues related to E-
Verify.
To determine the extent to which USCIS provides safeguards for
employees' personal information in E-Verify and enables employees to
identify, access, and correct information in personal records that is
incorrect or inconsistent, we reviewed the Fair Information Practice
Principles adopted by the DHS Chief Privacy Officer and assessed the
extent to which USCIS has addressed relevant principles within in E-
Verify program. The principles we identified as relevant to E-Verify
were Transparency, Individual Participation, Purpose Specification,
Data Minimization, Use Limitation, Data Quality and Integrity,
Security, and Accountability and Auditing. We analyzed USCIS's
standard operating procedures for resolving DHS-related TNCs, and
conducted interviews with privacy officials at USCIS to determine
what, if any, limitations exist in resolving these TNCs. We analyzed
USCIS's privacy impact assessments that were required by the E-
Government Act of 2002 and a system of records notice that was
required by the Privacy Act of 1974. We analyzed SSA's processes for
resolving TNCs and SSA's EV-STAR procedures to determine the impact
these processes had employee nonconfirmations. We also interviewed
senior officials at SSA to discuss SSA's processes for resolving TNCs
and recording decisions in E-Verify. We analyzed an interagency
agreement between USCIS and OSC to determine the extent to which the
agencies are coordinating to address discrimination issues related to
employer use of E-Verify. We reviewed educational and outreach
resources provided to employees by OSC, USCIS, and CRCL to help them
better understand their rights. We also interviewed officials from
DHS's Privacy Office and CRCL and from OSC to discuss their roles and
responsibilities for assisting employees in dealing with issues
related to civil rights and civil liberties--specifically privacy and
discrimination--and their efforts to coordinate with USCIS on these
issues.
To determine what steps USCIS and SSA have taken to prepare for
mandatory E-Verify implementation, we reviewed and assessed USCIS's
and SSA's system capacity requirements and life cycle cost estimates.
To assess USCIS's and SSA's efforts to ensure that their information
technology (IT) infrastructures are capable of supporting increased
transaction volumes expected from a mandated E-Verify program, we
obtained agency documentation that describes processes and procedures
for managing and planning system capacity and availability, and
compared these processes and procedures with widely accepted industry
practices identified by the Software Engineering Institute.[Footnote
69] We collected results of interagency tests of the E-Verify IT
infrastructure, such as those that tested the workload expected if the
use of E-Verify is mandated, to validate that both SSA's and the
Verification Division's E-Verify systems were scalable to meet
performance requirements for increased transaction volumes. We
assessed the results of these tests to verify that the agencies were
taking steps to ensure that their systems could successfully process
increases in IT infrastructure demands. To ensure the reliability of
the information we collected, we interviewed senior DHS and SSA
officials who were knowledgeable about the E-Verify program and
supporting IT infrastructure and discussed with them the agencies'
capacity management and planning efforts.
To determine the reliability of USCIS's and SSA's cost estimates, we
analyzed the derivation of each cost estimate relative to 12 best
practices as defined in our Cost Estimating and Assessment Guide.
[Footnote 70] The 12 best practices are (1) define the estimate's
purpose, (2) develop the estimating plan, (3) define the program's
characteristics, (4) determine the estimating structure, (5) identify
ground rules and assumptions, (6) obtain the data, (7) develop the
point estimate and compare it to an independent cost estimate, (8)
conduct sensitivity analysis, (9) conduct risk and uncertainty
analysis, (10) document the estimate, (11) present the estimate to
management for approval, and (12) update the estimate to reflect
actual cost and changes. Our research has determined that these 12
practices can be grouped into the following four characteristics:
comprehensive, well-documented, accurate, and credible, and involve an
assessment of the methodologies, assumptions, and source data used for
the estimate. One analyst reviewed USCIS's and SSA's cost estimates to
determine whether the characteristic was (1) not met if the agency
provided no evidence that satisfied any portion of the criterion, (2)
minimally met if the agency provided evidence that satisfied less than
one-half of the criterion, (3) partially met if the agency provided
evidence that satisfied about one-half of the criterion, (4)
substantially met if the agency provided evidence that satisfied more
than one-half of the criterion, and (5) met if the agency provided
complete evidence that satisfied the entire criterion. That analyst
assigned a value ranging from 1 to 5 indicating the extent to which
the agencies met each best practice and averaged the values for the
practices that were associated with each characteristic.[Footnote 71]
A second analyst independently verified the results. We also
interviewed program officials from both agencies responsible for the
cost estimate about the estimate's derivation.
We also reviewed SSA's E-Verify workload estimates, known as the
fallout rate, and workload cost estimates to determine the impact of E-
Verify on SSA's current and future workloads. In doing so, we reviewed
USCIS's and SSA's reimbursable agreement for SSA's operation of E-
Verify, which outlines SSA's responsibilities for operating E-Verify.
To determine whether SSA's workload calculations were accurate and
reliable, we interviewed senior SSA officials about their procedures
for ensuring data quality in the SSA TNC database, which stores all
SSA-related TNCs, and SSA's methodology for determining its workload
based on data in the TNC database. We performed validation testing to
determine that the records in this file contained adequate information
to support SSA's calculations for its workload estimates. Based on our
review, we determined that SSA's E-Verify workload estimates were
sufficiently reliable for reporting purposes.
To gain a better understanding of how E-Verify is being implemented at
the state level and what users' experiences have been with
implementing and operating E-Verify, we conducted site visits to
Colorado, North Carolina, and Arizona. We chose these three states
based on the length of time each state's E-Verify law had been in
effect, the range of employer types covered by the law, and geographic
dispersion.[Footnote 72] On these site visits we interviewed state
officials responsible for operating E-Verify within their respective
state and overseeing implementation of the state's E-Verify law. We
interviewed representatives and employers from eight industry
associations, representatives from eight immigrant advocacy groups,
employers and representatives from four state and local chambers of
commerce, and E-Verify users from two state universities to determine
what opportunities and challenges exist with operating E-Verify and to
gain their insight into some of the issues employers face in
attempting to verify employment authorization. Because Arizona law
makes local county attorneys partially responsible for overseeing and
enforcing Arizona E-Verify laws, we met with officials from the
Maricopa County Attorney's and Sheriff's Offices. We conducted in-
person and telephone interviews with local SSA regional and field
office representatives in each state to learn about the effects of E-
Verify on SSA's field office workload. We conducted in-person and
telephone interviews with ICE regional and field office staff to
determine ICE's role in assisting USCIS with E-Verify education,
outreach, and compliance. In Arizona, we met with local USCIS
officials to discuss their efforts and coordination with ICE in
helping the state implement its E-Verify law. We selected these
offices based on several factors, including their proximity to the
metropolitan areas we visited, the amount of time SSA field offices
spent resolving E-Verify cases, and coordination between ICE and USCIS
on outreach efforts. We selected the industry associations
representing employers for interviews based on a mix of criteria, such
as the type of industry and member use of E-Verify. We selected
immigrant advocacy groups to interview based on recommendations
obtained from the DHS's CRCL, the National Immigration Law Center, the
National Council of La Raza, and the Service Employees International
Union. While the views expressed by the representatives in these three
states cannot be generalized to all states, industry associations,
advocacy groups, and employers, they provided us with additional
perspectives on the benefits and challenges associated with E-Verify
program.
We conducted this performance audit from June 2009 through December
2010 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
Appendix II: The Fair Information Practice Principles:
Based on the Privacy Act of 1974, the Fair Information Practice
Principles are a framework adopted by the DHS Privacy Office that is
used to govern the protection of personally identifiable information
(PII) throughout DHS. Table 4 outlines the characteristics of each of
the eight principles.
Table 4: Fair Information Practice Principles:
Principle: Transparency;
Description: DHS should be transparent and provide notice to the
individual regarding its collection, use, dissemination, and
maintenance of PII.
Principle: Individual Participation;
Description: DHS should, to the extent practical, seek individual
consent for the collection, use, dissemination, and maintenance of PII
and should provide mechanisms for appropriate access, correction, and
redress regarding DHS's use of PII.
Principle: Purpose Specification;
Description: DHS should specifically articulate the authority that
permits the collection of PII and specifically articulate the purpose
or purposes for which the PII is intended to be used.
Principle: Data Minimization;
Description: DHS should only collect PII that is directly relevant and
necessary to accomplish the specified purpose(s) and only retain PII
for as long as is necessary to fulfill the specified purpose(s).
Principle: Use Limitation;
Description: DHS should use PII solely for the purpose(s) specified in
the notice. Sharing PII outside the department should be for a purpose
compatible with the purpose for which the PII was collected.
Principle: Data Quality and Integrity;
Description: DHS should, to the extent practical, ensure that PII is
accurate, relevant, timely, and complete, within the context of each
use of the PII.
Principle: Security;
Description: DHS should protect PII (in all forms) through appropriate
security safeguards against risks such as loss, unauthorized access or
use, destruction, modification, or unintended or inappropriate
disclosure.
Principle: Accountability and Auditing;
Description: DHS should be accountable for complying with these
principles, providing training to all employees and contractors who
use PII, and auditing the actual use of PII to demonstrate compliance
with these principles and all applicable privacy protection
requirements.
Source: DHS.
[End of table]
[End of section]
Appendix III: Comments from the Department of Homeland Security:
US. Department of Homeland Security:
Washington, DC 20528:
December 8, 2010:
Mr. Richard M. Stana:
Director, Homeland Security and Justice:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:
RE: Draft Report GA0-11-146: Employment Verification: Federal Agencies
Have Taken Steps to Improve E-Verify, but Significant Challenges
Remain, (Job Code 440799):
The Department of Homeland Security appreciates the opportunity to
review and respond to the Government Accountability Office (GAO)
subject report. We are encouraged by GAO's positive findings on the E-
Verify Program, particularly our gains in the following areas:
* U.S. Citizenship and Immigration Services (USCIS) has reduced the
incidence of Tentative Nonconfirmations (TNCs) and E-Verify's
vulnerability to fraud. There was a 5.4 percentage point decrease in
TNCs between fiscal year (FY) 2007 and FY 2009.
* USCIS has improved its ability to monitor and ensure employer
compliance with E-Verify Program policies and procedures. Since GAO's
testimony in 2008, USCIS has increased staffing levels for monitoring
and compliance functions of E-Verify, including expansion into a field
office in Buffalo, NY, and, in FY 2011, the opening of a second field
office in Lincoln, NE. In FY 2010, USCIS monitored and provided E-
Verify compliance assistance to more than 16,000 employers suspected
of noncompliance. This exceeded the FY 2010 target for contacting 2
percent of all enrolled employers.
* USCIS has provided safeguards for employees' personal information in
E-Verify and enabled employees to correct inaccurate information.
USCIS Verification Division has its own Privacy Branch dedicated to
privacy issues. In June 2010, USCIS updated E-Verify to mask Social
Security Numbers (SSNs) when entered into E-Verify. USCIS provides
information to employers on safe handling of Personally Identifiable
Information (PII). The responsibility to safely handle PII is covered
in both the mandatory online tutorial and E-Verify user manual. The E-
Verify Web site [hyperlink, http://www.dhs.gov/E-Verify] has a section
on privacy principles and provides an overview in eight foreign
languages on how an individual's PII is used and stored in E-Verify.
In spring 2011, USCIS plans to launch a Self Check feature that
enables individuals to check their work authorization status online
and provides them with instructions on how to update their records. In
FY 2010, USCIS launched a number of employee rights initiatives
including an employee hotline and multilingual videos on employee
rights and responsibilities produced in partnership with the DHS
Office of Civil Rights and Civil Liberties. Furthermore. USCIS signed
a Memorandum of Agreement with the Department of Justice's Office of
Special Counsel for Unfair Immigration-Related Employment Practices to
establish procedures for discrimination case referrals.
* USCIS and SSA have taken steps to prepare for mandatory E-Verify
implementation. In partnership with SSA, USCIS has used widely
accepted industry practices to effectively manage the E-Verify System
capacity and availability. USCIS is also in the process of developing
a written service-level agreement with SSA.
USCIS recognizes there are still opportunities for continued success
as the E-Verify Program continues to expand and grow. USCIS concurs
with all of GAO's recommendations and can also report that it is
taking significant steps toward addressing each of them. USCIS's
response follows:
Recommendation 1: To reduce the likelihood of name-related erroneous
TNCs for employees with multiple or hyphenated surnames, we recommend
that the Director of USCIS disseminate information to employees, DHS's
Naturalization Guide, and naturalization ceremonies, on the potential
for name mismatches and how to record names consistently when
providing name information to employers, SSA and DHS.
Response: USCIS concurs with this recommendation. USCIS is working
with an independent research and evaluation firm to conduct a special
study on name-related TNCs. The study, "Evaluation of the Accuracy of
E-Verify Findings" will be completed in the 3" quarter of FY 2011 and
is focusing on the impact of name and date of birth mismatches on
TNCs. USCIS plans to use the study's findings to develop better name
matching algorithms and provide enhanced helper text for users.
USCIS has included language in the Guide to Naturalization
recommending that newly-naturalized citizens update their records with
SSA. Page 39 states, "We strongly recommend that you go to your
nearest Social Security Administration (SSA) office to update your
Social Security record soon after your naturalization ceremony. This
is important because your Social Security record will be used to
establish eligibility for benefits and to demonstrate authorization to
work. The nearest SSA office can be found by calling 1-800-772-1213 or
at [hyperlink, http://www.socialsecurity.gov]." The Guide to
Naturalization also advises a newly-naturalized citizen to visit SSA
if he or she changed his or her name at the oath ceremony and the
Certificate of Naturalization does not show their old and new names.
Furthermore, it recommends which documents the new citizen needs to
present to SSA to complete the name change.
In addition, on November 8, 2010, USCIS began an initiative to
distribute the U.S. Citizenship Welcome Packet to newly-naturalized
citizens at all naturalization ceremonies (both administrative and
judicial). This packet specifically advises that each new citizen go
to a local SSA office to update his or her Social Security record soon
after the naturalization ceremony.
Recommendation 2: To better target USCIS's education efforts and
ensure employer compliance with the E-Verify Program, we recommend
that the Director of USCIS develop an analysis plan for the mastery
test and use the analysis results to make fact-based decisions about
whether and how to revise the test, the tutorial, or both.
Response: USCIS concurs with this recommendation. The E-Verify mastery
test is required for all new employers after they have completed the
mandatory online tutorial. USCIS began analyzing the mastery test
results following a June 2010 mastery test revision to assess what
questions may need revision and to determine what concepts may require
greater explanation. USCIS identified three questions needing revision
and plans to make corresponding changes in E-Verify release 6.0.
scheduled for 2011. The analysis will be an ongoing effort, and we
will continue to monitor reports to determine changes for future
releases.
Recommendation 3: To ensure that employees have the ability to access
and correct inaccuracies or inconsistencies in personal information
within DHS databases that may have led to erroneous TNCs and minimize
the potential for employees receiving repeated erroneous TNCs, we
recommend that the Director of USCIS develop procedures that enable
employees to access personal information and correct inaccuracies or
inconsistent personal information in DHS databases.
Response: USCIS concurs with this recommendation. As noted in the
report, USCIS and other DHS Components have regulatory processes
available for the review and correction of personal information under
the Privacy Act. However, USCIS recognizes that these processes may
need to be supplemented by methods specifically designed for the needs
of E-Verify users. USCIS is developing the E-Verify Self Check service
that addresses the recommendation made by GAO. E-Verify Self Check
will be a free, Web-based service that allows individuals to check
their own work authorization status against SSA and DHS databases. If
a mismatch occurs the user will be notified of the mismatch and given
directions on how to rectify the issue (e.g., visit an SSA field
office, contact DHS). To conduct a "self check," users will be
required to first go through an identity assurance process to ensure
that the correct person is accessing his or her work authorization
status.
USCIS plans to deploy E-Verify Self Check in spring 2011 through a
phased pilot implementation process. Based on the results of the
pilot, USCIS will consider expanding E-Verify Self Check to more users
as early as 2013.
In addition to the future Self Check feature, employees with TNCs who
contact USICS are referred to local USCIS offices, Customs and Border
Protection (CBP) offices, and Ports of Entry to correct records when
they identify errors or inconsistencies. For USCIS system
inconsistencies, employees may make an appointment via the Infopass
system to visit the local office and have their records reviewed and
updated, if appropriate. Additionally, we are currently piloting a
process whereby USCIS staff assist employees who receive TNCs by
submitting an electronic application through the "Service Request
Management Tool" (SRMT) to request a records update.
Finally, USCIS will work with internal and external stakeholders to
improve quality assurance on the source data that USCIS uses to
determine employment authorizations.
Recommendation 4: To improve the accuracy of the source data used to
make employment eligibility decisions and decrease the potential for
recurring erroneous nonconfirmations, we recommend that the Secretary
of Homeland Security direct the heads of DHS components to coordinate
with one another to develop procedures to correct inaccurate or
inconsistent information in their records and systems that may have
led to an erroneous TNCs of FNCs.
Response: DHS concurs with this recommendation and will continue to
work with the components to ensure that data is transmitted or made
available to the E-Verify program that provides the most accurate and
up-to-date information on immigration status. As noted in the report,
the E-Verify program has created a Database Integrity Unit that is
tasked with identifying and facilitating the correction of erroneous
information contained in DHS component databases. Additionally. The
DHS Office of Policy, Screening Coordination Office (SCO) works with
USCIS, CBP, and US-VISIT to establish links between the Verification
Information System (VIS) and Arrival Departure Information System
(ADIS) and I-94W automated systems to provide real time arrival data
to USCIS. DHS/SCO has also been working with USCIS and ICE on the
upgrades to the Student and Exchange Visitor Information System
(SEVIS) data which when completed will provide more accurate
information to USCIS on student status. DHS will continue to work
closely with the components to ensure that correct and accurate
information is transmitted or made available to the E-Verify program
and that inaccuracies in the various systems are corrected.
Recommendation 5: To decrease the potential for recurring erroneous
nonconfirmations, we recommend that the Director of USCIS develop
procedures for management program analysts to document the basis for
their work authorization decisions.
Response: USCIS concurs with this recommendation. USCIS plans to re-
engineer our Status Verification System (SVS), which is used to track
and manage TNCs, so that Status Verifiers can document the basis for
their work authorization decisions. SVS's re-engineering
implementation will occur in FY 2013. As noted by GAO, USCIS will
implement procedures to address this through the use of a comment box
and will update Standard Operating Procedures (SOPs) to require this
documentation by the second quarter of FY 2011.
Recommendation 6: To help ensure that SSA will be able to meet the
capacity demands of the E-Verify Program and provide USCIS with
continuous service in the future, we recommend that the Director of
USCIS and the Commissioner of SSA finalize the terms of the service-
level agreement that defines the requirements for SSA to establish and
maintain the capacity and availability of its system components for E-
Verify, including the steps needed to complete the agreement in a
manner that is acceptable to both parties and a timeframe and
milestones for its completion.
Response: USCIS concurs with this recommendation and has drafted a
service-level agreement that is under review at SSA.
Recommendation 7: To ensure that USCIS has a sound basis for making
decisions about resource investments for E-Verify and securing
sufficient resources to effectively execute defined program plans, we
recommend that the Director of USCIS ensure that a life cycle cost
estimate for the E-Verify is developed in a manner that reflects the
four characteristics of a reliable estimate consistent with best
practices-comprehensive, well-documented, accurate, and credible.
Response: USCIS concurs with this recommendation. The current Life
Cycle Cost Estimate (LCCE) met three of four characteristics of a
reliable cost estimate and partially met one characteristic. USCIS is
in the process of finalizing a new Life Cycle Cost Estimate (LCCE)
that meets GAO criteria and is based on the Systems Engineering
Lifecycle (SELC) process.
The Department appreciates the opportunity to comment on the draft
report. In addition to this response, technical comments have been
provided under a separate cover.
Sincerely,
Signed by:
H. W. Couch, Jr.
Deputy Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix IV: Comments from the Social Security Administration:
Social Security:
Social Security Administration:
Baltimore, MD 21235-0001:
December 10, 2010:
Mr. Richard M. Stana:
Government Accountability Office:
Director, Homeland Security and Justice:
441 G. Street, N.W.
Washington. D.C. 20548:
Dear Mr. Stana:
Thank you for the opportunity to review the Government Accountability
Office (GAO) draft report, "Employment Verification: Federal Agencies
Have Taken Steps to Improve E-Verify. But Significant Challenges
Remain" (GAO-1 1-146). Our comments on the report are enclosed.
If you have any questions, please contact me or have your staff
contact Rebecca Tothero, Acting Director. Audit Management and Liaison
Staff at (410) 966-6975.
Sincerely,
Signed by:
Dean S. Landis:
Deputy Chief of Staff:
Enclosure:
[End of letter]
Comments On The Government Accountability Office (GAO) Draft Report.
"Employment Verification: Federal Agencies Have Taken Steps To Improve
&Verify, But Significant Challenges Remain" (GA0-11-146):
Thank you for the opportunity to review the subject report. We offer
the following responses to your recommendations and technical comments.
Recommendation:
"To help ensure that SSA will be able to meet the capacity demands of
the E-Verify program and provide USCIS with continuous service in the
future, we recommend that the Director of the USCIS and the
Commissioner of SSA finalize the terms of the service-level agreement
that defines the requirements for SSA to establish and maintain the
capacity and availability of its system components for E-Verify,
including the steps needed to complete the agreement in a manner that
is acceptable to both parties and a timeframe and milestones for its
completion."
Response:
We agree. We are developing an E-Verify service-level agreement with
the United States Citizenship and Immigration Services (USCIS) and
expect to have it in place by March 2011.
Recommendation:
"To ensure that SSA can accurately project costs associated with its E-
Verify workload, as well as estimates for potential mandatory
implementation of E-Verify, we recommend that the Commissioner of SSA
assess the risk and uncertainty within SSA's E-Verify workload
estimate as well as the limitations associated with the assumptions
used to create it, in accordance with best practices, to ensure that
SSA can provide the required level of support to USCIS and E-Verify
operations."
Response:
We disagree with the implication that we do not assess the risk and
uncertainty within our E-Verify workload estimates. We routinely
assess the risk and uncertainty when developing assumptions for E-
Verify workload estimates and administrative cost estimates related to
proposed legislation. We understand that E-Verify workloads may grow
and that they would grow substantially with mandatory implementation
of E-Verify. If there is mandatory implementation of E-Verify, USCIS
would provide us with revised estimated workloads. We would adapt our
budget models quickly and re-calculate estimated costs based on the
new projected volume.
[End of section]
Appendix V: GAO Contact and Staff Acknowledgments:
GAO Contact:
Richard M. Stana, (202) 512-8777 or stanar@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, Evi Rezmovic, Assistant
Director, and Sara Margraf, Analyst-in-Charge, managed this
assignment. Blake Ainsworth, David Alexander, Tonia Brown, Frances
Cook, Marisol Cruz, John de Ferrari, Julian King, Linda Miller,
Danielle Pakdaman, David Plocher, Karen Richey, Robert Robinson,
Douglas Sloane, Stacey Steele, Desiree Thorp, Vanessa Taylor, Teresa
Tucker, and Ashley Vaughan made significant contributions to the
report.
[End of section]
Footnotes:
[1] The Illegal Immigration Reform and Immigrant Responsibility Act,
as amended, Pub. L. No. 104-208, div. C, §§ 401-404, 110 Stat. 3009-
546, 3009-655 to -665 (1996),required the former U.S. Immigration and
Naturalization Service (whose E-Verify responsibilities were taken
over by USCIS) and SSA to operate E-Verify allowing employers to
electronically verify an employee's eligibility to work.
[2] See Federal Acquisition Regulation (FAR) subpt. 22.18. As of
September 8, 2009, with certain exceptions, federal contracting
officers are to include the E-Verify requirements in federal prime
contracts above $100,000 and require such prime contractors to include
the E-Verify requirements in certain subcontracts. The FAR employment
eligibility verification contract clause (FAR § 52.222-54) also
includes specified exceptions, such as one permitting institutions of
higher education and state and local governments to verify only new
hires working directly under the contract.
[3] GAO, Immigration Enforcement: Weaknesses Hinder Employment
Verification and Worksite Enforcement Efforts, [hyperlink,
http://www.gao.gov/products/GAO-05-813] (Washington, D.C.: Aug. 31,
2005).
[4] GAO, Employment Verification: Challenges Exist in Implementing a
Mandatory Electronic Employment Verification System, [hyperlink,
http://www.gao.gov/products/GAO-08-895T] (Washington, D.C.: June 10,
2008).
[5] A TNC occurs when an employee's information is compared
electronically to government records, and SSA cannot match this
information to confirm that the employee is eligible for work in the
United States. Employees who believe their TNCs were errors must
contact either SSA or USCIS to resolve the situation if they wish to
continue their employment.
[6] Westat Corporation, Findings of the E-Verify Program Evaluation
(Rockville, Md., December 2009).
[7] USCIS's transaction database stores information on E-Verify
transactions and SSA's Numident stores information on individuals with
Social Security numbers.
[8] Software Engineering Institute, CMMI for Services, Version 1.2
(Pittsburgh, Pa., February 2009). The Software Engineering Institute
is a nationally recognized, federally funded research and development
center established at Carnegie Mellon University to address software
engineering practices.
[9] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for
Developing and Managing Capital Program Costs, [hyperlink,
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March
2009), 8-13.
[10] We selected the eight associations and four chambers of commerce
based on industry type and members' use of E-Verify, the eight
immigrant advocacy groups based on recommendations obtained from
several governmental and nongovernmental organizations, and the two
state universities based on their use of E-Verify and proximity to the
metropolitan areas we visited.
[11] Pub. L. No. 99-603, § 101(a)(1), 100 Stat. 3359, 3360-72
(codified as amended at 8 U.S.C. § 1324a).
[12] There are 26 documents that are acceptable for the employment
verification process. Six of these documents establish both identity
and employment eligibility (e.g., U.S. passport or permanent resident
card); 12 documents establish identity only (e.g., driver's license);
and 8 documents establish employment eligibility only (e.g., Social
Security card without the legend "Not Valid for Employment"). For
verification purposes, employees may present either a single document
from the first category or a combination of two documents, one from
the identity category and one from the employment eligibility
category. Employers who participate in E-Verify, however, must agree
that if an employee presents a document from the identity-only
category, they only will accept such a document if it contains a
photograph.
[13] Employers may choose to register for E-Verify by deciding to use
E-Verify at individual worksites or by limiting the use of E-Verify to
certain locations, such as a company's headquarters. Employers may
also contract the use of E-Verify to an independent designated agent,
to act on their behalf to verify the employment eligibility of their
newly hired employees. Companies have the option to extract
information from their existing human resources or payroll systems and
transmit those data to E-Verify to verify employment authorization.
[14] Federal contractors have 90 days from the date they enroll with E-
Verify to initiate verification queries on all newly hired employees
and existing employees assigned to a federal contract. After this 90-
day phase-in period, federal contractors are required to initiate
verification of each newly hired employee within 3 business days after
the employee's start date.
[15] Numident is a repository of personal information on individuals
who have a Social Security number. This information includes the
number holder's name, date of birth, place of birth, parents' names,
citizenship status as recorded by SSA, date of death (if applicable),
and the office where the Social Security number application was
processed and approved.
[16] TECS is an updated and modified version of the former Treasury
Enforcement Communications System.
[17] USCIS is the agency responsible for reviewing and approving or
denying applications for lawful employment in the United States as
well as applications for U.S. citizenship.
[18] Noncitizens who are not permanent residents but still eligible to
work in the United States, such as holders of certain kinds of visas
that include employment eligibility, generally need to obtain an
employment authorization document from USCIS prior to seeking
employment.
[19] A TNC may take some time to resolve after the employee has
initiated contact with SSA or DHS. An employee is not to receive a FNC
or be terminated from employment until SSA or DHS respond to the TNC
inquiry.
[20] Department of Homeland Security Appropriations Act of 2010, Pub.
L. No. 111-83, § 547, 123 Stat. 2142, 2164-65, 2177 (2009).
[21] Westat collected information via Web and onsite surveys of
employers, in-person surveys of employees processed through the E-
Verify system, a stakeholder conference, and interviews with federal
employees and contractors.
[22] To determine that USCIS had reduced its erroneous TNC rate,
Westat compared data in the transaction database from April through
June 2005 with data from April through June 2008.
[23] Social Security Administration, Office of the Inspector General,
The Social Security Administration's Implementation of the E-Verify
Program for New Hires, A-03-09-29154 (Baltimore, Md., Jan. 6, 2010).
[24] According to SSA, of the 1,713 new hires identified by the OIG as
requiring verification through E-Verify, not all were required to be
verified per E-Verify policy, specifically, those transfers from other
federal agencies, reemployed annuitants, returning students, and
military hires. According to SSA, after deducting these hires from the
1,713, only 1,314 required verification. SSA reported that it verified
the 1,314 employees in March 2010.
[25] USCIS has also taken steps to help naturalized citizens better
resolve TNCs. For example, in May 2008, USCIS developed a process to
allow naturalized citizens to directly resolve their SSA TNCs with
DHS. Almost 94 percent of employees who received an SSA TNC for a
citizenship mismatch from October 2009 through August 31, 2010, have
chosen to resolve their TNC by calling DHS. USCIS reported that 94
percent of employees who called USCIS after receiving an SSA TNC were
determined to be work eligible.
[26] According to OSC, it has also worked with USCIS to help educate
new citizens about the need to update their information with SSA.
[27] E-Verify program officials stated that the 60 million projection
is based on the approximate number of individuals that U.S. employers
hire each year.
[28] E-Verify program officials told us that the agency contracted
with Westat in 2008 to conduct a study on the impact of complex names
on the name-matching process to determine the frequency of erroneous
TNCs attributable to name mismatches and whether they constituted a
serious problem and, if so, to identify possible corrective actions.
USCIS expects to receive Westat's final report in fiscal year 2011.
[29] We did not specifically inquire about name-related TNCs in all of
our meetings with employers and therefore do not know how many, if
any, of the remaining 20 employers also believed that TNCs were more
likely to occur with certain Hispanic employees.
[30] According to CRCL, the E-Verify videos are distributed through a
variety of sources, including by CRCL during community engagement and
speaking events; USCIS through its Web site, during outreach events,
and upon request from the public; and OSC upon request from the public
and during outreach events. CRCL has drafted a plan to further
distribute these videos to a variety of stakeholders, including
private sector groups and nongovernmental organizations, but did not
provide a time frame for when it will start distribution.
[31] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[32] USCIS has established a goal to strengthen the security and
integrity of the E-Verify program by ensuring data accuracy.
[33] GAO has previously reported on the risks associated with the use
of fraudulent documents and agencies actions to address them. See GAO,
Border Security: Better Usage of Electronic Passport Security Features
Could Improve Fraud Detection, [hyperlink,
http://www.gao.gov/products/GAO-10-96] (Washington, D.C.: Jan. 22,
2010), and State Department: Undercover Tests Show Passport Issuance
Process Remains Vulnerable to Fraud, [hyperlink,
http://www.gao.gov/products/GAO-10-922T] (Washington, D.C.: July 29,
2010).
[34] According to officials at the American Association of Motor
Vehicle Administrators, this pilot automates motor vehicle document
verification between motor vehicle agencies and the E-Verify user.
This pilot does not include the use of driver's license photographs.
The program is designed to allow E-Verify employers to verify a new
employee's driver's license, permit, or state-issued identification
card directly with the issuing agency, and E-Verify is to send
information back to the employer on whether the submitted information
matches the motor vehicle agency's data.
[35] According to USCIS, a locked Social Security number would halt
any attempt by participating E-Verify employers to verify an
employee's Social Security number through E-Verify if the employee
notifies USCIS that his or her identity has been stolen and can
provide supporting documentation to USCIS.
[36] [hyperlink, http://www.gao.gov/products/GAO-05-813].
[37] The six behaviors are (1) multiple use of the same Social
Security number across all E-Verify transactions, including use of the
same Social Security numbers to fraudulently obtain information using
various biographic information; (2) employer failure to use E-Verify
after registering with the program; (3) employer termination of an
employee who receives a TNC; (4) employer failure to perform
verification within 3 business days of hire; (5) employer verification
of existing employees; and (6) employer verification of employees
hired prior to 1986. USCIS identified employer discrimination based on
citizenship as a seventh behavior for Monitoring and Compliance Branch
staff to examine, but this has not yet been implemented.
[38] Since we reported in June 2008, USCIS has adjusted its goal from
contacting 6 percent of registered employers to contacting 2 percent
of worksites. E-Verify program officials said that monitoring
worksites rather than employers enables USCIS to focus on the actual
users of E-Verify, because an employer can have multiple worksites,
and responsibility for running new hires through E-Verify could be
decentralized such that individual worksites are responsible for
verifying the employment eligibility of their own employees.
[39] In June 2009, USCIS deployed the Compliance Tracking and
Management System to serve as its central repository of information
about incidents of noncompliant employer behavior.
[40] This guidance includes, among other things, the E-Verify User
Manual, E-Verify Quick Reference Guide, E-Verify User Manual for
Federal Contractors, and the E-Verify MOU. USCIS has also developed an
E-Verify compliance and self-audit tool to assist participating
employers in better understanding and complying with E-Verify user
requirements.
[41] In 2007 Westat made 10 recommendations to USCIS to revise the
tutorial, and 8 recommendations to USCIS to enhance the user
friendliness of its E-Verify employer educational materials. USCIS
reported that it has addressed 10 recommendations, 4 of these
recommendations with the release of the new E-Verify tutorial in June
2010, and 3 of these recommendations by simplifying and streamlining E-
Verify data entry, system navigation, and the process by which
employers resolve cases. USCIS reported that it has plans in place to
address 3 recommendations from 2011 through 2012 and does not have a
timeline for addressing the 4 additional recommendations.
[42] GAO, Aviation Security: Efforts to Validate TSA's Passenger
Screening Behavior Detection Program Underway, but Opportunities Exist
to Strengthen Validation and Address Operational Challenges,
[hyperlink, http://www.gao.gov/products/GAO-10-763] (Washington, D.C.:
May 20, 2010), and Human Capital: A Guide for Assessing Strategic
Training and Development Efforts in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO-04-546G] (Washington,
D.C.: March 2004).
[43] In June 2010, USCIS completed its Registration Re-engineering
Initiative, an effort designed to validate the authenticity of E-
Verify users by comparing employer information provided during the
registration process with employer information in a commercial
database.
[44] Westat cited this as an issue, reporting that approximately 16
percent of surveyed employers in 2006 and 10 percent of surveyed
employers in 2008 indicated that they had E-Verify system users on
staff who had not completed the tutorial.
[45] As of August 31, 2010, USCIS reported that it had completed one
site visit.
[46] USCIS must rely on OSC to investigate, sanction, and prosecute
employers that violate the antidiscrimination provision of IRCA.
[47] Of the 444 criminal arrests in fiscal year 2009, 114 were arrests
of employers and management officials and 330 were arrests of workers.
As of August 30, 2010, ICE had made 397 criminal arrests--165 of
employers and management officials and 232 of workers--and obtained
270 indictments as a result of worksite enforcement-related
investigations.
[48] ICE officials said they opened an investigation in one case, but
lacked sufficient evidence to prove wrongdoing. ICE officials said
that ICE decided not to open investigations for the other two cases
because each was limited to a single incident of document fraud.
[49] The Fair Information Practice Principles adopted by DHS are a
revision of principles, called the Fair Information Practices, first
proposed by a U.S. government advisory committee. See Department of
Health, Education, and Welfare, Records, Computers and the Rights of
Citizens: Report of the Secretary's Advisory Committee on Automated
Personal Data Systems (July 1973).
[50] The privacy notices included several privacy impact assessments,
which are required by the E-Government Act of 2002 and system of
records notices, which are required by the Privacy Act of 1974.
[51] Department of Homeland Security, 2009 Annual Freedom of
Information Act Report to the Attorney General of the United States,
October 1, 2008-September 30, 2009 (Washington, D.C., February 2010).
[52] Department of Homeland Security, Privacy Policy Guidance
Memorandum 2008-01 (Dec. 29, 2008).
[53] USCIS reported that it plans to deploy a self-check initiative in
spring 2011 to provide individuals a tool for verifying their
employment eligibility outside of the hiring process and an
opportunity to proactively correct outdated or incorrect information
in SSA or DHS databases prior to applying for a job.
[54] OSC is the office responsible for enforcing the
antidiscrimination provision of the Immigration and Nationality Act,
which prohibits discrimination in hiring, firing, recruitment or
referral for a fee based on citizenship or immigration status or
national origin, along with discriminatory practices in the employment
eligibility verification process and retaliation.
[55] According to USCIS, it has TNC letters in Spanish, Haitian-
Creole, Japanese, Korean, Chinese, Vietnamese, Russian, and Tagalog.
[56] Department of Homeland Security, Privacy Policy Guidance
Memorandum 2008-01.
[57] GAO, Results-Oriented Government: Practices That Can Help Enhance
and Sustain Collaboration among Federal Agencies, [hyperlink,
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21,
2005).
[58] The USCIS data did not break out the number of TNCs for foreign-
born versus U.S-born employees. Therefore, we were unable to determine
the extent to which foreign-born employees were more likely to receive
erroneous TNCs compared to U.S.-born employees.
[59] Senior CRCL officials told us that CRCL is now referring to these
assessments as civil rights and civil liberties impact assessments
because their review addresses concerns related both civil rights and
civil liberties.
[60] From October 2009 through February 2010, OSC reported that it had
referred 17 instances of nondiscriminatory employer misuse of E-Verify
to USCIS.
[61] According to OSC, in fiscal year 2010, it handled 992 E-Verify-
related hotline calls (or 14 percent of total hotline calls).
[62] There are additional established practices for maintaining system
capacity and availability. We identified the six practices discussed
above by obtaining agency documentation that describes USCIS and SSA
processes and procedures for managing and planning system capacity and
availability and compared them with the practices established by the
Software Engineering Institute.
[63] GAO, Computer Operations: FAA Needs to Implement an Effective
Capacity Management Program, [hyperlink,
http://www.gao.gov/products/GAO/IMTEC-92-2] (Washington, D.C.: Nov.
27, 1991).
[64] Booz Allen/Hamilton, Independent Assessment of the E-Verify
Architecture (Washington, D.C., Feb. 8, 2008).
[65] The Project Management Institute, The Standard for Program
Management© (Newton Square, Pa., 2006).
[66] OMB Circular No. A-11, Preparation, Submission, and Execution of
the Budget; OMB Circular No. A-130 Revised, Management of Federal
Information Resources (Nov. 28, 2000); and Office of Management and
Budget, Capital Programming Guide: Supplement to Circular A-11, Part
7, Preparation, Submission, and Execution of the Budget (Washington,
D.C., June 2006).
[67] If this were to occur, either USCIS would be responsible for
providing additional funds for SSA to continue E-Verify operations or
SSA would have to limit the amount of service its provides to USCIS
until a new reimbursable agreement is developed or additional funds
become available.
[68] Social Security Administration, Office of the Inspector General,
Accuracy of the Social Security's Numident File, A-08-06-26100
(Baltimore, Md., Dec. 8, 2006).
[69] Software Engineering Institute, CMMI for Services, Version 1.2
(Pittsburgh, Pa., February 2009). The Software Engineering Institute
is a nationally recognized, federally funded research and development
center established at Carnegie Mellon University to address software
engineering practices.
[70] [hyperlink, http://www.gao.gov/products/GAO-09-3SP], 8-13.
[71] We scored best practice on a scale from 1 to 5 where not met
equaled 1, minimally met equaled 2, partially met equaled 3,
substantially met equaled 4, and met equaled 5.
[72]In Colorado, state law requires state contractors to certify that
they will use E-Verify or a state operated Department Program as an
alternative to E-Verify for new hires performing work under a state
contract for services. In North Carolina, state law requires state
agencies, institutions, colleges, and local education agencies to use
E-Verify on all employees hired on or after January 1, 2007 (or March
1, 2007, in the case of local education agencies). In Arizona, state
law requires all employers, whether public or private, to use E-Verify
to verify new hires.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: